VRT New Vulnerability Addition Request - Typosquatting

[miguelsantareno]

Description:

• An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.

• The VRT Category would be Server Security Misconfiguration - Misconfigured DNS - Typosquatting - P4

• CVSS Score would depend on the impact of the Typosquatting

• Capec https://capec.mitre.org/data/definitions/630.html

References:
https://capec.mitre.org/data/definitions/630.html
https://www.zenarmor.com/docs/network-security-tutorials/what-is-typosquatting

[amalmurali47]

Hi @miguelsantareno,

We already have a VRT entry for this: Server Security Misconfiguration > Bitsquatting (you can find the discussion related to this here: #82).

Could you clarify why you believe a new entry is needed?

[miguelsantareno]

Hi @amalmurali47,

Hope you are fine.

Description:

• An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.

Typosquatting frequently results from misunderstanding or unintentional mistakes made by people, like:

• Typos: Possibly the most frequent mistake made while inputting search information, typos frequently result from the hurried pace of our daily lives. Certain domain types, such as inputting gogle.com instead of google.com, are particularly dangerous for people who frequently type rapidly and erratically or extensively rely on autocorrect.

• Spelling mistakes: Squatters are fully aware of the fact that occasionally a user has not committed a typo but is just unsure of the proper spelling of a brand name. In order to avoid competition, many companies register misspelled variations of their site's name. These misspelled variants are then directed to the correct homepage.

• Alternate spellings: The alternative spellings of well-known service or product names run the risk of confusing online users. For instance, the term "favorite", which is written "favourite" in British English, differs between American and British English. A user may unintentionally type the incorrect URL into their browser if your website address contains a term that is spelled differently in various regions.

• Domain names with hyphens: Adding (or omitting) a hyphen in a domain name can lead to misunderstanding. To trick consumers, typosquatters may add an additional hyphen to a URL that is typically example-onlineshop.com, resulting in example-onlineshop.com. Users could first believe this to be the official website, but in fact, typosquatters are exploiting it to spread malware or advertise.

• Incorrect domain ends: The variety of domain endings for various nations, such as .com, .co.uk, .cn, etc., as well as for various sorts of organizations, such as .com, .org, .web, and .shop, gives additional opportunity for typosquatting. To avoid distinct permutations ending up in the wrong hands, it is crucial for website owners to register a variety of top-level domains. Due to its resemblance to the most popular TLD, .com, typosquatters particularly like the top-level domain for Columbia, .co.

Risks and Consequences of Typosquatting:

• Phishing and social engineering assaults' successes: Phishing and social engineering attempts have been successful because misspelled URLs frequently resemble the actual web address, whether hackers are utilizing a typosquat of your company's website in phishing emails or sending another typosquat website to your employees. This raises the possibility that users, your clients or staff, will click the malicious link. A successful attack may ultimately result in data theft, endpoint malware installation, or user fraud.

• Brand or reputation at risk: Customers who click on a fraudulent typosquat that gathers data could log in using their credentials for the legitimate website. In the end, that typosquat gathers client information that might erode their trust in your business and damage your reputation.

• Reduced revenue: Potential clients might not be able to detect the difference and end up making a purchase from the false website if the person who created the typosquat provides a service or commodity that is similar to yours

[miguelsantareno]

Hello @amalmurali47,

Any update :)

Regards
MS

[TimmyBugcrowd]

Hi @miguelsantareno

We've seen this many times and in almost every case the client does not want to accept this. What is the recommended fix? buy all the domains that look similar?

I can think of this being added as a P5 but even that, I would need to discuss this with the internal team.

[miguelsantareno]

Hello @TimmyBugcrowd,

I think it would fall under Priority (Varies) depending on the impact in the client.

There are some typos more impactful than others this what I would put it in varies in terms of priority.

The mitigation could be:

Register common misspellings and variations. The first step is stopping bad actors from acquiring the domains in the first place. Proactively register domain names that are common misspellings, variations, or phonetic approximations of your primary domain.

Acquire alternative TLDs. Register your domain name with various TLDs, like .net, .org, and .co, to reduce the likelihood of typosquatters exploiting these alternatives.

Monitor domain registrations. ICANN (Internet Corporation for Assigned Names and Numbers) has a Trademark Clearing House that allows website owners to monitor how their names are used with different domains. Regularly check in to see how names similar to your brand or domain are used.

Implement domain name system security extensions (DNSSEC). DNSSEC will protect your domain from multiple cyber threats, including typosquatting.

Report fraudulent domains. Report typosquatted domains to relevant authorities like ICANN or the domain registrar. They may be able to suspend or remove the fraudulent site.

Pursue legal action. If you discover a typosquatted domain that infringes on your copyright or trademarks, legal action may be necessary to control the domain and prevent further harm. If relevant authorities cannot remove the site, consider getting a lawyer to help.

Regards
MS

[TimmyBugcrowd]

Hi @miguelsantareno

Thank you for the input. I've added this to the agenda of the next discussion with the team. I will update you about this.

[miguelsantareno]

Hello @TimmyBugcrowd

Any update regarding this?

Thanks
MS