Typosquatting: Everything You Need to Know
Typosquatting: What Is it?
Typosquatting is the act of buying URLs similar to famous or well-known ones in hopes that people type the wrong letter when entering the web address. Typosquatters get easy traffic thanks to typos.
How Does Typosquatting Work?
Typosquatting, also called URL hijacking or domain mimicry, occurs thanks to typing mistakes. A person makes a simple error when trying to enter a URL. This mistake causes the user to end up at the wrong website. The URL's owner gets free traffic and often adds malware to the internet user's system without that person even clicking a link.
For example, a typosquatter wants to buy URLs such as Foogle.com, Hoogle.com, and Voogle.com. The typosquatter gets site visits from internet users who were trying to visit Google.com.
This happens when a person accidentally types a letter that sits one key away from the intended letter on the keyboard. Once the user hits enter, their browser takes them to the wrong site.
The danger of typosquatting is that the owners of misspelled domains are often hackers. That person might use phishing techniques to steal personal data from a web user.
One of the earliest examples of typosquatting was in 2006 with the site Goggle.com. It sent malware downloads to visitors who thought they were going to Google.com.
Typosquatting is profitable to hackers and dangerous to internet users with poor typing skills. Many typosquatters have criminal intent.
What Are the Types of Typosquatting?
Many forms of typosquatting exist, and some are difficult to categorize. The most popular types are:
- Bait-and-switch: The site tries to sell you something you might have bought at the correct URL. Often, these are digital purchases that are difficult to dispute on a credit card statement. The buyer won't wind up with the item they want, but they will still pay for it.
- Domain Parking: The URL shows a price for a person to buy it. Alternately, it links to another site that handles URL sales.
- Imitators: The URL passes itself off as real, acting like it's the correct location. For example, someone owning Loogle.com would have a search engine bar and color scheme that resembles Google's appearance.
- Joke Sites: These sites make fun of the existing site that the user intended to visit.
- Related Search Results Listings: The URL identifies the type of website the user meant to visit. Then, it tries to link to a different site that will pay the URL owner for the traffic. The second site is often malicious.
- Surveys and Giveaways: These sites pretend to be interested in feedback from the customer. They ask for additional information in hopes of getting enough data to carry out identity theft.
What Are the Causes of Typosquatting?
You're in danger of typosquatting for several reasons. You will reach the wrong URL if you:
- Have a typo in the domain name
- Misspell the domain name
- Use the wrong domain extension (such as dot-com instead of dot-shop)
- Forget to use a hyphen for a domain name that includes a hyphen
- Spell a word differently from the way it appears in the registered domain (such as favour instead of favor)
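The causes listed above can be turned into a check that labels a domain seen in proxy or mail logs by how it differs from a domain you want to protect. This is an added example, not part of the original article; the function names, the category labels and the simplified QWERTY neighbour map are assumptions, and it treats only the last label as the extension.

```python
# Added example: classify how an observed domain differs from a protected one.
# QWERTY neighbours are approximated by row/column position (letters only).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def build_adjacency():
    """Map each letter to the letters next to it on the keyboard grid."""
    adj = {}
    for r, row in enumerate(ROWS):
        for c, ch in enumerate(row):
            near = {ROWS[rr][cc]
                    for rr in (r - 1, r, r + 1) if 0 <= rr < len(ROWS)
                    for cc in (c - 1, c, c + 1) if 0 <= cc < len(ROWS[rr])}
            adj[ch] = near - {ch}
    return adj

ADJACENT = build_adjacency()

def split_domain(domain):
    """Split 'name.tld' into (name, tld); only the last label is the extension."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(observed, protected):
    """Return the typo category of `observed` relative to `protected`, or None."""
    o_name, o_tld = split_domain(observed)
    p_name, p_tld = split_domain(protected)
    if o_name == p_name:
        return None if o_tld == p_tld else "wrong-extension"
    if o_tld != p_tld:
        return None  # keep to one cause per match
    if o_name.replace("-", "") == p_name.replace("-", ""):
        return "hyphen"
    if len(o_name) == len(p_name):
        diff = [i for i in range(len(p_name)) if o_name[i] != p_name[i]]
        if len(diff) == 1:
            i = diff[0]
            near = ADJACENT.get(p_name[i], set())
            return "adjacent-key" if o_name[i] in near else "substitution"
        swapped = (len(diff) == 2 and diff[1] == diff[0] + 1
                   and o_name[diff[0]] == p_name[diff[1]]
                   and o_name[diff[1]] == p_name[diff[0]])
        return "transposition" if swapped else None
    short, long_ = sorted((o_name, p_name), key=len)
    if len(long_) - len(short) == 1:
        for i in range(len(long_)):
            if long_[:i] + long_[i + 1:] == short:
                return "omission" if long_ == p_name else "insertion"
    return None
```

Run over the domains in outbound web or inbound mail logs, anything that returns a category is a candidate for blocking, review, or defensive registration.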
What Is Cybersquatting?
Similar to typosquatting is cybersquatting, also known as domain squatting. In this case, a person buys URLs that are spelled similarly to other sites and brands.
The owner of these knockoff URLs does not want to build a website at the address. The goal is to sell the URLs to the owners of real sites and brands.
Many companies are willing to pay thousands of dollars for these "fake" URLs. A URL hijacker pays only a few dollars to register the domain. So, the strategy is often extremely profitable.
How Has Cybersquatting Changed Over the Years?
The World Wide Web debuted in 1989. The internet didn't reach critical mass until the 21st century. During the early years, many companies didn't know about the internet. They did not register their brand names.
Cybersquatters registered the URLs first. Then, they sold the URLs to the businesses. The other popular practice was to register the name of a famous person. Popular celebrities such as Madonna, Paris Hilton, and Jennifer Lopez were all victims of cybersquatting.
Over time, businesses and celebrities grew wise to the practice. The modern version of cybersquatting involves new URL extensions.
From 2014 to 2016, hundreds of new URL options became available. These extensions end with specific terms such as dot-band, dot-credit, and dot-store. Cybersquatters grabbed as many of them as they could in hopes of making a quick profit.
Examples of Cybersquatting and Typosquatting
Many of the most famous examples of cybersquatting and typosquatting have involved celebrities and well-known companies.
The most famous one involves a man named Mike Rowe. He thought registering the name MikeRoweSoft.com would entertain potential employers. After he registered the name, Microsoft sued him for infringement because the name sounded too similar to the company's website.
Microsoft eventually settled with him, and MikeRoweSoft.com now redirects to Microsoft's main page. The negotiation started with an offer of $10. Rowe countered with $10,000. After he later received a cease and desist letter, the two parties settled. Rowe wound up with a free Xbox.
The company faced a second issue of typosquatting when a man named Alf Temme registered several sites with variants of hotmail.com. Then, he put up a site redirect on each of them to his exercise equipment sales site. Microsoft sued him for $2.4 million but offered to settle for $500,000.
Another example involved Jerry Falwell, an evangelist known for his anti-gay stances. A man named Christopher Lamparello bought the domain of Fallwell.com, an intentional misspelling of Falwell's last name. On this site, he posted scripture that showed Falwell's stances were inaccurate.
The evangelist sued for cybersquatting and initially won. A higher court agreed with Lamparello, and he eventually won the case when the Supreme Court declined to hear Falwell's appeal.
Lands' End faced one of the stranger typosquatting attempts. The company ran an online affiliate program that rewarded sites that directed traffic back to Lands' End.
Typosquatters registered countless variants of the Lands' End domain name. Then, they redirected all of that traffic to the actual site and requested affiliate compensation. Lands' End successfully argued in court that the activities were fraudulent.
PETA, a charitable organization for the healthy treatment of animals, had to sue to stop an unusual form of typosquatting. A man named Michael Doney saw that PETA.org was available in 1995. He registered the domain and built a website called "People Eating Tasty Animals."
The site included links to stores that sold leather goods and meats. PETA successfully sued to gain the domain name, but they didn't win damages to the brand. They also suffered public embarrassment over the situation.
A potential customer of the Career Agents Network (CAN) could have discovered something unexpected if they'd visited in 2009. Anyone who typed in the domain extension of .biz instead of .com arrived at an anti-CAN website.
An angry customer who wanted to get back at the company registered and created an entire domain to warn people not to shop there. CAN sued but lost. The insulting website wasn't built to make money, so it didn't fit the criteria of cybersquatting or typosquatting.
How Is Typosquatting Different From Cybersquatting?
Cybersquatters want to make money quickly. Their goal is to buy and register domains similar to well-known brands and trademarks. Then, they offer ownership of these domains to businesses.
Companies want to protect their customers and brands. That's why they feel compelled to buy URLs from cybersquatters.
Typosquatters usually have different goals. They want to hack into a person's computer. Many typosquatter websites install malware on site visitors' systems. The user is then vulnerable to breaches and identity theft.
Simply stated, cybersquatters want to make easy money. Typosquatters are often hackers who have bad intentions.
How Many Squatter Sites Exist?
An exact number is impossible to calculate. A researcher recently showed how many variations of Facebook exist. He tested all reasonable combinations of the name. URL hijackers had registered 81 percent of these addresses.
Facebook didn't even have the highest percentage. That honor went to Apple, with 86 percent of potential cybersquatting names taken. Out of 2,249 potential URLs, cybersquatters had registered 66.7 percent of them.
A security firm named Endgame tracked a specific typosquatting scam. Their results show that the typosquatter targeted 300 major brands. The typosquatter owned 58 domains, 42 of which targeted top 100 websites, according to Alexa rankings. The cybersquatting campaign also targeted 85 Fortune 500 brands and sites.
The typosquatters targeted some of the largest and most powerful countries, such as China, England, France, and the United States. These stats show the potential reach of a successful typosquatting campaign.
The issue of cybersquatting has become litigious. Facebook and Apple have both won court battles over the practice. Facebook won $2.8 million in damages from a cybersquatter. Apple won the rights to iTunes.co.uk after a 12-year ownership battle for the URL.
Which Countries Squat the Most?
Studies show that the United States hosts more cybersquatters on its servers than the rest of the world combined. America hosts 63.8 percent of all cybersquatters. The other countries with a lot of cybersquatters are Germany, China, England, and Japan.
What Are the Dangers of Typosquatting?
Basically, anything bad you've ever heard about internet theft is possible through typosquatting. When you enter the URL of the misleading domain, a hacker can:
- Redirect you to a different site used for phishing
- Add malware or ransomware to your computer
- Try to steal your credit card information through fake purchases
- Try to steal your identity through fake information requests
Do Any Laws Apply to Typosquatting and Cybersquatting?
In 1999, the United States government enacted the Anticybersquatting Consumer Protection Act (ACPA). This law protects both trademark owners and consumers. It offers people protection against cybersquatters. Most cybersquatting is illegal in the United States.
URL owners must prove that they make a good faith effort to use the URL correctly. The law also expects proof that a domain name isn't too similar to an existing trademark, brand, or website.
You can seek damages of up to $100,000 per domain. The severity of the damages depends on your site's popularity and the degree to which the offending site infringed on your work.
Internationally, the World Intellectual Property Organization (WIPO) oversees squatter issues. You can petition this court to give you ownership of the domain. You must prove:
- The domain is "identical or confusingly similar" to yours
- The URL holder has no rights to any of your works
- The domain registrar uses the site in bad faith
The Internet Corporation for Assigned Names and Numbers (ICANN) also might help. You can file a claim to get control of the typosquatter's domain. You will receive no compensation, just ownership rights to the URL.
The Coalition Against Domain Name Abuse (CADNA) believes that maximum damages don't accurately measure the damage done by typosquatting. Experienced hackers can make a lot of money with a popular typosquatting site. That's why CADNA wants to increase penalties for all typosquatting practices.
How Can You Avoid Typosquatting?
A few tips will help you avoid falling victim to typosquatting. You should:
- Bookmark your favorite sites so you can visit them via clicks rather than typing
- Use voice recognition software to go to popular URLs
- Perform web searches then navigate to the proper site from the results page
- Leave your favorite websites open all day in browser tabs
- Never click links in emails, texts, chat messages, or social networking sites
- Never open an email attachment
- Use a safe search tool rather than typing URLs directly
- Use antivirus software to monitor and protect against malware
- If you own a domain name, try to register typo versions of it before squatters do
How Can a Website Owner Prevent Phishing Attacks and Other Typosquatting Concerns?
- Use anti-spoofing technology
- Update existing DNS information to include a Sender Policy Framework (SPF) record
- Use secure email gateways
- Add detection software that can identify impostor emails
- Add software that can automatically detect mismatched From headers and envelope sender addresses
- Add DomainKey authentication
- Offer phishing training to users
- Automatically add external tags to any subject line from an external sender
- Identify and highlight trusted domains
- Add reputation-based content filtering so users can easily recognize less reputable links
- Use SSL certificates to build trust
SSL certificates are great bridges between internet users and website owners. These certificates tell users that they're on the correct site. They also protect users during data transfers. They even inform visitors of details about the site's operation and the company that issues the certificate.
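The list item above about mismatched From headers and envelope sender addresses can be checked with a few lines of mail parsing. This is an added example, not from the original article: it assumes the receiving mail server has recorded the envelope sender in the Return-Path header, uses a simplified subdomain comparison rather than a full organizational-domain lookup, and the sample messages and result labels are constructed.

```python
# Added example: flag messages whose visible From domain does not match
# the envelope sender recorded in Return-Path. Sample messages are constructed.
from email import message_from_string
from email.utils import parseaddr

def domain_of(address):
    """Return the lowercased domain of an address header value, or ''."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(a, b):
    """Simplified relaxed match: equal, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_sender(raw_message):
    msg = message_from_string(raw_message)
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return "invalid-from-count"      # missing or duplicated From header
    from_dom = domain_of(froms[0])
    env_dom = domain_of(msg.get("Return-Path"))
    if not from_dom:
        return "no-from-domain"
    if not env_dom:
        return "no-envelope-sender"      # bounce (<>) or header not recorded
    return "aligned" if aligned(from_dom, env_dom) else "mismatch"

LEGIT = (
    "Return-Path: <bounce@mail.example.com>\n"
    'From: "Example Bank" <alerts@example.com>\n'
    "Subject: Your statement\n\nbody\n"
)
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Example Bank" <alerts@example.com>\n'
    "Subject: Verify your account\n\nbody\n"
)
BOUNCE = "Return-Path: <>\nFrom: postmaster@example.com\n\nbody\n"
DOUBLE_FROM = "From: a@example.com\nFrom: b@example.net\n\nbody\n"
```

A "mismatch" result is a signal for tagging or quarantine review rather than proof of spoofing, since legitimate bulk senders often use a third-party envelope domain.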
You're in danger of falling victim to typosquatters and cybersquatters. The former group will try to steal your identity. The latter will try to make money from your ideas.