“Simplicity is the ultimate sophistication.” – Leonardo da Vinci
This quote holds true even when it comes to cyber threats.
While experts debate the impending battle royale between cybersecurity defenders and attackers, focusing on “good AI” vs. “evil AI” in an ever-escalating, highly sophisticated cyber arms race, it’s sometimes the simplest of threats – and mistakes – that are the most dangerous and frustrating.
Take typosquatting, for example. Typosquatting has been around since the first URLs were created and the first web pages published. Typosquatting – also known as cybersquatting – in one form relies on a user making a spelling error in the URL they type into their web browser. We’ve all done it. You fat-finger an “h” instead of a “g”, or forget to type the second “o” or the “e” at the end when trying to reach the Google homepage. Another form of typosquatting is when an attacker registers a domain name that closely resembles a trusted domain and can easily fool users into believing it’s the right URL – like “app1e.com” vs. “apple.com”. So, you misspell the URL or believe you’re clicking on the right domain name, and, simple as that, you could be opening Pandora’s box.
When the web was just getting started, a mistyped URL was as likely as not to take you to the webpage you meant to reach, because many organizations registered URLs that included common misspellings of their company name or URL. Otherwise, some enterprising person had bought the misspelled domain and redirected it back to the original webpage to collect commissions via an affiliate link; or you got a “404 – Page Not Found” error page; or a webpage pitching you on purchasing the misspelled URL; or a porn site’s webpage.
But today it’s far more likely that you will be directed to a very legitimate-looking phishing website intent on stealing and harvesting your user credentials and/or downloading malware – including ransomware – onto your device. According to the recently published “State of the Web 2017” report from Menlo Security, typosquatting is alive, well, and still wreaking havoc all these years later.
For example, in 2015, millions of Anthem health insurance subscribers provided personal information to typosquatting sites such as “we11point.com”, because they didn’t notice the difference from Anthem’s actual URL, “wellpoint.com”. More recently, just this week, Reddit, the fourth most popular website in the U.S., and its users fell victim to a typosquatting attack, when an enterprising attacker created a very real-looking Reddit website at the URL “Reddit.co” – using the “.co” domain extension, meant for sites in Colombia, instead of the correct “Reddit.com”. The intent of this typosquatting attack was to steal Reddit user credentials. The website even had the little padlock indicating it was secure – but not with the right security certificate for Reddit. (This example was captured by security researcher Alec Muffett and reported in Forbes.)
But it goes deeper than just being able to create a legitimate-looking webpage with a misspelled URL like “wellsforgo.com” or “yotuube.com” and the intent to steal user credentials or download malware for fun and profit. According to Menlo Security researchers, to reduce the odds that their phishing websites would be detected by URL filters in a secure web gateway or next-gen firewall, attackers found ways to have their phony websites listed as either “Uncategorized” or in a trusted category, like “News & Media”.
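Since category-based URL filtering can be sidestepped as described above, a complementary defensive check is to compare observed domains against a watch list of trusted brands for the three lookalike patterns this post illustrates (digit-for-letter substitution as in “we11point.com” and “app1e.com”, a swapped TLD as in “Reddit.co”, and one- or two-character typos as in “wellsforgo.com” and “yotuube.com”). The following Python is an added example, not code from Menlo Security or the original post; the homoglyph table and the watch list are assumptions constructed for the example.

```python
# Single-character substitutions seen in lookalike domains, e.g. the digit "1"
# for "l" in "we11point.com" and "app1e.com". Assumed table, not a vendor list.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t"})

# Constructed watch list: the brands named in the post.
TRUSTED_DOMAINS = ["wellpoint.com", "apple.com", "reddit.com", "google.com",
                   "youtube.com", "wellsfargo.com"]

def split_domain(domain: str):
    """Return (name, tld) for 'name.tld'. Assumption: the last label is the
    TLD; no public-suffix list (co.uk etc.) is applied."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, trusted: str, max_distance: int = 2):
    """Return "homoglyph", "tld-swap" or "typo" if candidate looks like
    trusted; None if it is the genuine domain or not a lookalike."""
    c_name, c_tld = split_domain(candidate)
    t_name, t_tld = split_domain(trusted)
    if (c_name, c_tld) == (t_name, t_tld):
        return None                       # the genuine domain itself
    folded = c_name.translate(HOMOGLYPHS)
    if folded == t_name and c_tld == t_tld:
        return "homoglyph"                # we11point.com -> wellpoint.com
    if c_name == t_name:
        return "tld-swap"                 # reddit.co vs reddit.com
    if levenshtein(folded, t_name) <= max_distance:
        return "typo"                     # yotuube.com, wellsforgo.com
    return None

def flag_lookalikes(candidates, trusted_domains=TRUSTED_DOMAINS, max_distance=2):
    """Return [(candidate, trusted, reason)] for each candidate that matches."""
    hits = []
    for cand in candidates:
        for trusted in trusted_domains:
            reason = classify(cand, trusted, max_distance)
            if reason:
                hits.append((cand, trusted, reason))
                break
    return hits
```

With max_distance=2, short brand names will produce false positives (for instance “apply.com” against “apple.com”), so tune the threshold or require a minimum name length before acting on a hit.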
Now, that’s scary.
So, a new approach is needed to stop even the simplest of cyberattacks, like typosquatting.
And that new approach is isolation.