Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.
An adversary sends an email, impersonating paypal.com, to a user stating that they have just received a money transfer and to click the given link to obtain their money.
However, the link the in email is paypa1.com instead of paypal.com, which the user clicks without fully reading the link.
The user is directed to the adversary's website, which appears as if it is the legitimate paypal.com login page.
The user thinks they are logging into their account, but have actually just given their paypal credentials to the adversary. The adversary can now use the user's legitimate paypal credentials to log into the user's account and steal any money which may be in the account.
TypoSquatting vulnerability allows an adversary to impersonate a trusted domain and trick a user into visiting the malicious website to steal user credentials.
Skill or Knowledge Level: Low
Adversaries must be able to register DNS hostnames/URL’s.
Authenticate all servers and perform redundant checks when using DNS hostnames.
Purchase potential TypoSquatted domains and forward to legitimate domain.
[R.611.1] Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens and Wouter Joosen. "Soundsquatting: Uncovering the Use of Homophones in Domain Squatting". Trend Micro. <https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf>.
More information is available — Please select a different filter.