It’s hard to keep track of the many ways malware can infect your devices, but “typosquatting” is one of the sneakiest. As the name implies, hackers create websites, download links, and other legit-looking but malicious URLs that contain slight misspellings that are easy to overlook.
It’s a simple idea, but typosquatting is surprisingly effective. According to recently published research by Cyble and BleepingComputer, there are hundreds of typosquatting URLs leveraging common typos like “Tlk Tok,” “Google Payce,” or “PaltPal,” and infecting Android and Windows devices with malware. And that’s only these specific typosquatting campaigns. There could be many more malicious typosquatting links masquerading as legit sites out there, so it’s important to know how these attacks work, and how to avoid them.
How does typosquatting work?
There are several ways a typosquatting attack can play out. For example, hackers may make convincing login screens for popular apps and websites like TikTok or Twitter. Users will “log in” to the fake site thinking they’re signing into the real thing (in some cases, the fake pages are sophisticated enough that they’ll redirect to the real website after login) when really they’re handing over their login credentials and opening the door for a malware attack.
Similarly, hackers may also upload malicious versions of popular apps, GitHub repositories, or other commonly downloaded files via URLs that are nearly identical to legitimate download links. Sometimes, they may even use cloned versions of the files so they’ll seem safe, but secretly contain malware.
The typosquatting campaigns Cyble and BleepingComputer discovered use dangerous malware like Vidar Stealer, which can lift bank information, login credentials, and other critical personal data; Agent Tesla, which can take information from web browsers, VPNs, and other apps; and even crypto-stealing programs. Other typosquatting attacks may employ other forms of malware.
Whatever is lurking in those misspelled URLs, the trick is actually getting people to open the fake links instead of the real thing. A common method is to use typosquatting links in phishing and smishing campaigns. Threat actors send emails or text messages that claim to be from official sources, and unsuspecting users click on the link. In other instances, users simply mistype a URL or search term and end up on a malware-infected webpage, or downloading a dangerous file.
How you can avoid typosquatting attacks
The best way to combat typosquatting is for the legit companies being targeted to buy misspelled URLs so threat agents can’t use them against their users. However, there are ways the average person can avoid these attacks if they know what to look out for.
As we often say about phishing attacks, the simplest solution is to never click on links or download files from unknown email addresses, phone numbers, or websites. Turning on text and email spam filters can also prevent phishing attempts from ever reaching your inbox. It’s possible some bad links will still slip through, so familiarise yourself with the telltale signs of phishing emails.
However, you can also stumble upon typosquatting links by mistyping a URL or search term yourself, so make sure you double-check websites and download links to ensure they’re correct. Bookmark the websites you visit the most often, especially login pages. That way you’ll always know you’ve landed on the real one.
Similarly, make sure you’re looking up the right download links on websites like GitHub. Once again, double-check your spelling and make sure you’re accessing the real download source.
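One way to automate the double-check described above, as an added example that is not part of the original article: it compares a link's domain with a short list of sites you trust and flags near-misspellings, including swapped letters. The trusted list, the sample URLs and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for a user's bookmarked sites (assumption).
TRUSTED = {"github.com", "paypal.com", "tiktok.com", "twitter.com"}

def osa_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, or swap
    two adjacent characters (optimal string alignment distance)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap: "ht" for "th"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_distance=2):
    """Return ("trusted", domain), ("lookalike", domain) or ("unknown", None)."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse scheme-less input as a host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    # Simplification: treat the last two labels as the registered domain.
    # Suffixes such as .co.uk would need the Public Suffix List.
    candidate = ".".join(host.split(".")[-2:])
    closest = min(sorted(trusted), key=lambda g: osa_distance(candidate, g))
    if candidate and osa_distance(candidate, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed samples; "paltpal" and "tlktok" mirror typos quoted in the article.
    for sample in ["https://www.paypal.com/signin", "http://paltpal.com/login",
                   "tlktok.com", "https://login.gihtub.com/releases",
                   "https://example.org/"]:
        print(sample, "->", check_url(sample))
```

A "lookalike" result only means the domain is within two edits of a trusted one; it is a prompt to look again before clicking, not proof that the site is malicious.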
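Another easy check is to ensure the URL includes HTTPS, which is more secure than HTTP. Some browsers include a “force HTTPS” option, and often won’t even connect to websites that don’t use HTTPS without warning you first. HTTPS only protects the connection, though; a typosquatting site can use it too, so still check the spelling of the address.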
Lastly, effective anti-malware software can also act as a last line of defence against infected files you accidentally download. Just don’t rely on it as your sole means of malware prevention — you need to proactively avoid threats, too.