Typosquatting - if you can raed tihs, you are vuanrelable
2025-07-31
What just happened to your brain while reading the title of this post is called typoglycemia: a cognitive process that lets us read text even when the letters inside words are jumbled.
At first glance, this seems like a helpful feature. And for the most part, it is. However, as with everything in life, it can be used for good or for evil.
Attack Vectors - Netflix.om Example
Attackers have been exploiting this reading capability since the internet's inception. One of the most notorious examples is the Netflix.om website: note that instead of the .com domain, the Oman country-code TLD .om was used. Currently, the domain redirects to the official Netflix website, but many others remain active. Often these domains simply redirect to strange websites filled with advertisements or malware when you mistype the name of your favorite website. Try visiting LinkedIn without the e and the last i (linkdn.com) 🥲.
Some attacks are more sophisticated, using non-Latin characters to deceive users into downloading and installing malicious packages from seemingly official domains, such as https://www.gіthub.com. If you attempt to visit this address, you will notice that your browser shows it as "https://www.xn--gthub-n2e.com/": the i is actually і (U+0456) from the Cyrillic (Ukrainian) alphabet, not the Latin one. The xn-- form is the Punycode (IDNA) encoding of the label, which is how a non-ASCII name is carried in DNS, and most browsers display that form in the address bar instead of the Unicode one when a single label mixes scripts. While the two characters appear identical to the naked eye, for a computer they are completely different.
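As an added example (not code from the original post), here is a small Python script that performs the same conversion the browser does and flags the mixed-script label. It uses only the standard library: the built-in idna codec (IDNA 2003 rules; the third-party idna package implements IDNA 2008, which gives the same result for this label) and unicodedata for script names. The hostnames are the ones from this section, with the Cyrillic і written as the escape \u0456 so the substitution is visible in the source.

```python
import unicodedata

# The Ukrainian/Belarusian Cyrillic "i" (U+0456) looks like Latin "i" (U+0069).
CYRILLIC_I = "\u0456"
HOMOGRAPH_HOST = "www.g" + CYRILLIC_I + "thub.com"   # what the link text shows
LEGIT_HOST = "www.github.com"


def to_ascii(host: str) -> str:
    """Encode a hostname the way a resolver needs it: each non-ASCII label
    becomes its Punycode form with the xn-- prefix; ASCII labels pass through."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Inverse of to_ascii: decode xn-- labels back to Unicode."""
    return host.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Set of script names (first word of the Unicode character name, e.g.
    LATIN, CYRILLIC, GREEK) used by the letters of one DNS label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(host: str) -> list:
    """Labels of `host` that combine more than one script: the classic
    homograph pattern (a Latin word with one or two Cyrillic look-alikes)."""
    return [label for label in host.split(".") if len(scripts_in_label(label)) > 1]


def describe(host: str) -> dict:
    """Summary a link checker could log for a URL's hostname."""
    ascii_form = to_ascii(host)
    return {
        "unicode": host,
        "ascii": ascii_form,
        "is_idn": ascii_form != host,
        "mixed_script_labels": mixed_script_labels(host),
        # Hex code points make the substitution visible even when the glyphs don't.
        "codepoints": [f"{ch}=U+{ord(ch):04X}" for ch in host if ord(ch) > 127],
    }


if __name__ == "__main__":
    for h in (LEGIT_HOST, HOMOGRAPH_HOST):
        print(describe(h))
```

For the legitimate host the ASCII form is unchanged and no label is flagged; for the homograph host the ASCII form is www.xn--gthub-n2e.com and the label gіthub is reported as mixing LATIN and CYRILLIC. A label written entirely in a confusable script would pass this check, so a production link checker also compares the name against a confusables table.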
Unfortunately, these typosquatted domain names aren't limited to the examples above. They also may be used for social engineering, sending phishing emails from seemingly trusted sources, or cloning legitimate business websites to steal user data.
mullvad.net vs nnullvad.net
A couple of weeks ago, I was searching for a DNS server from Mullvad (mullvad.net), a commercial VPN service based in Sweden, and discovered a fake typosquatted domain: nnullvad.net. This fake domain has two n's in place of the m, which is hard to spot at a glance.
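As an added example that is not part of the original post, the following Python generates the typo and glyph variants discussed above (the dropped letters of linkdn.com and netflix.om, the two n's of nnullvad.net) for a brand's domain and matches them against a list of observed registrations. The glyph-swap table and the observed list are constructed for the example; in practice the observed list would come from a passive-DNS feed, a certificate transparency log export, or a zone-file download, none of which are used here.

```python
# Glyph swaps that survive a quick glance (constructed list, not exhaustive).
# "m" -> "nn" is exactly the nnullvad.net case.
GLYPH_SWAPS = {
    "m": ("nn", "rn"),
    "nn": ("m",),
    "rn": ("m",),
    "l": ("1", "i"),
    "i": ("l", "1"),
    "w": ("vv",),
    "vv": ("w",),
    "d": ("cl",),
    "o": ("0",),
}

# Constructed sample of "observed" registrations to match against.
OBSERVED_DOMAINS = [
    "mullvad.net",
    "nnullvad.net",
    "mu11vad.net",
    "mullvadvpn.example",
    "example.org",
]


def single_edits(label: str) -> set:
    """Labels one 'typo' away from `label`: a dropped letter, two adjacent
    letters swapped, a doubled letter, or a look-alike glyph sequence."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                  # omission: linkedin -> linkdin
        out.add(label[:i] + label[i] * 2 + label[i + 1:])   # doubling: mullvad -> mulllvad
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for src, repls in GLYPH_SWAPS.items():
        pos = label.find(src)
        while pos != -1:
            for r in repls:
                out.add(label[:pos] + r + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    out.discard(label)
    out.discard("")
    return out


def candidates(domain: str, depth: int = 1) -> set:
    """Typosquat candidates for a registrable domain ("brand.tld"): the name
    part gets up to `depth` edits, the TLD gets single-letter omissions
    (netflix.com -> netflix.om)."""
    name, _, tld = domain.rpartition(".")
    names = {name}
    for _ in range(depth):
        names |= set().union(*(single_edits(n) for n in names))
    tlds = {tld} | {tld[:i] + tld[i + 1:] for i in range(len(tld))}
    return {f"{n}.{t}" for n in names for t in tlds} - {domain}


def find_lookalikes(domain: str, observed, depth: int = 1) -> list:
    """Observed domains that are typo/glyph variants of `domain`."""
    wanted = candidates(domain, depth)
    return sorted(d for d in observed if d in wanted)


if __name__ == "__main__":
    print(find_lookalikes("mullvad.net", OBSERVED_DOMAINS))           # depth 1
    print(find_lookalikes("mullvad.net", OBSERVED_DOMAINS, depth=2))  # catches mu11vad too
```

At depth 1 only nnullvad.net matches; mu11vad.net needs two glyph swaps and is found at depth 2, while linkdn.com is likewise two omissions away from linkedin.com. The candidate set grows quickly with depth, so a defender typically registers the depth-1 variants and only monitors the rest.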
This finding was reported to the Mullvad team, but unfortunately there is little that can be done. The domain remains active and appears on the first page of results when searching for "mullvad dns server" on some search engines:
- bing.com
- duckduckgo.com
- yahoo.com
When searching for "mullvad vpn", both Bing and Yahoo consistently display nnullvad on the third page of search results. DuckDuckGo shows it on page #1 for the same query. While results may vary across users, especially when accessing services through VPNs, nnullvad appears frequently in the results.
What about Google?
I couldn't find any results for nnullvad when searching for "mullvad dns server", but a result appeared for "mullvad vpn" on the seventh page.
Cyber$quatting
Some attackers have become even more creative, registering domain names that resemble an existing brand's in the hope that the brand owner will pay to buy them back.
How to stay protected
For companies, registering the most likely typosquatted variants of their own domain before malicious actors do is a good strategy, as is monitoring new registrations and certificate transparency logs for lookalikes. If you are just a regular person, be extra careful when opening emails and clicking links: type the address yourself or use a bookmark, and look at the address bar (an xn-- prefix where you expected a plain name is a warning sign). Additionally, you can help improve internet security by reporting typosquatted domains to popular search engines if you spot one!
References
- https://icannwiki.org/Typosquatting
- https://en.wikipedia.org/wiki/Typosquatting
- https://www.dcode.fr/typoglycemia-generator
- https://dl.acm.org/doi/abs/10.1145/3132465.3132467
- https://wire.insiderfinance.io/the-brains-power-to-read-jumbled-text-adfbd0ae3c28
NOTE: I am not affiliated with, nor was I sponsored by, Mullvad or any other company mentioned in this article.