Spot the difference: A typosquatting primer

Readers of British newspaper the Guardian will be aware that its long history of typos and errors is responsible for its nickname, “the Graun.” Winningly, the news outlet has embraced this – if you mistype “guardian.com” as “grauniad.com” you will still arrive at the Guardian’s legitimate website.

By registering “grauniad.com”, the Guardian has also managed to save its readers from falling victim to threat actors who rely on typosquatting. 

Also known as URL hijacking or domain mimicry, typosquatting is a technique that’s almost as old as the internet. Cybercriminals use domain names that are similar to legitimate websites or popular brands (think “gogle.com” or “facebok.com”) to set simple but effective traps for clumsy typists. 

These sites will often look like the real thing, but are designed to: 

• trick visitors into supplying login details, personal information or financial details (phishing); 
• distribute malware; 
• display fraudulent ads, which generate revenue for threat actors through things like pay-per-click fraud; and 
• damage the reputations of legitimate brands. This form of typosquatting, known as ‘brandjacking’, is often used by activists to target politicians and large corporations. Greenpeace, for example, has used brandjacking to shame brands for using Indonesian palm oil, the production of which is environmentally disastrous. 

The problem with .ml 

Back in 2019, Dutch companies noticed a spike in cyber attacks that took advantage of the similarities between the Netherlands’ domain (.nl) and that of Mali (.ml).

Registering a .ml address was free for the first 12 months, making it very simple for threat actors to spoof addresses associated with (among others), the Dutch cargo airline Martinair, KLM Royal Dutch Airlines, and the multinational life insurance company Aegon. 

These sites were mainly used for credential harvesting and launching whaling attacks. 

But it wasn’t always threat actors who made Mali’s domain a source of stress for security teams. More often than not, it was the US military. 

Pardon me, your slip is showing: Typosquatting vs typo leaking 

The more innocent version of typosquatting is ‘typo leaking.’ This usually happens when two legitimate addresses or domains are so similar that users frequently misdirect their communications by mistake. Because no criminality is involved, it often results in no real harm.

However, in July 2023 the FT reported that a typo leak had misdirected millions of US military emails to Mali.

Mali’s country identifier is .ml and the suffix to all US military email addresses is .mil – as the old joke goes, this created numerous problems between the chair and the keyboard. 

Johannes Zuurbier, a Dutch internet entrepreneur who managed Mali’s country domain, had spent nearly ten years trying to get the US to pay attention.

Zuurbier wrote to the Pentagon in July 2023 that, “This risk is real and could be exploited by adversaries of the US.” His sense of palpable urgency was understandable – on 24 July 2023, control of the .ml domain reverted from Zuurbier to Mali’s government, which is closely allied with Russia. 

Although much of the email Zuurbier has intercepted was spam, a lot of it was not. 

According to the FT, Mali received the full travel itinerary for Gen James McConville, the US army’s chief of staff, and his delegation to Indonesia ahead of an official visit in May 2023. 

Even more alarming is the FBI agent with a naval role who tried to send six emails to their military address, but misdirected all of them to Mali. The agent’s communications included briefings on domestic terrorism labelled “For Official Use Only”, and a global counter-terrorism assessment marked “Not Releasable to the Public or Foreign Governments.” 

Keeping it real 

• Double-check URLs when visiting a site for the first time, especially before submitting any personal information. 
• Use bookmarks or favourites for frequently visited sites. 
• Enable your browser’s built-in security features. 
• Keep your antivirus and security software up to date. 
• Report suspected typosquatting to the person or organisation being impersonated – even if there’s little they can do to take the fake site down, they may be able to alert their users.