{"id":3011,"date":"2014-03-20T10:00:47","date_gmt":"2014-03-20T14:00:47","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=3011"},"modified":"2018-07-13T19:39:18","modified_gmt":"2018-07-13T15:39:18","slug":"typosquatting-malware-infection-triggered-by-mistyping","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/3011\/","title":{"rendered":"Typosquatting: Malware Infection Triggered by Mistyping"},"content":{"rendered":"<p>If you\u2019ve ever mistyped a website URL \u2014 a double or missing letter, <em>amazom<\/em> for <em>amazon<\/em> \u2014 and ended up on some strange website, you may have fallen victim to an old but effective trick: <em>typosquatting<\/em>, which is also sometimes called <em>URL hijacking<\/em>. For various reasons, people buy domains that resemble those of legitimate websites to lure Internet users to their pages. And sometimes these people are cybercriminals and the reason is spreading malware. <\/p>\n<p><b><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124904\/Typosquatters-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4144\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124904\/Typosquatters-1.png\" alt=\"Typosquatters\" width=\"640\" height=\"480\"><\/a><\/b><\/p>\n<p>Typosquatting is a nuisance for businesses, and some have even brought court cases to combat it. Of course, it\u2019s also a threat for consumers, who may find themselves looking at unwanted spam sites, or worse, infected by malware. 
Before we look at an example, we should point out that as part of our efforts to reduce the number of victims of malware infection, when we find a compromised website, we always try to alert its administrator.<\/p>\n<h3>A real-world example<\/h3>\n<p>The following is the WHOIS information of a website we encountered that unintentionally hosts malware. In the \u201cAdministrative Contact\u201d field, you will see the string \u201cA***3JP\u201d. That\u2019s a JPNIC handle managed by Japan Registry Service (JPRS), which is a key to figuring out who is the administrator of the site. (In other cases, e-mail addresses are registered in this field.)<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124904\/squat-01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4145\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124904\/squat-01.png\" alt=\"squat-01\" width=\"533\" height=\"257\"><\/a><\/p>\n<p>We checked who administers the \u201cA***3JP\u201d domain:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124903\/squat-02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4146\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124903\/squat-02.png\" alt=\"squat-02\" width=\"387\" height=\"184\"><\/a><\/p>\n<p>The e-mail address in the \u201cE-Mail\u201d field is the contact information for the person who should be made aware of the malware infection on his\/her website. Alerting administrators who are unaware of infections is one of the important steps in the process of preventing malware from spreading further.<\/p>\n<p>Taking a closer look, however, we found a flaw in the address. It looks like a Gmail address, but actually it is not. 
A letter is missing.<\/p>\n<p>For some countries, having correct registration of domain information is a legal obligation. However, in Japan, sometimes registered information is not correct, and what\u2019s worse is that errors may be intentional. In any case, without the right e-mail address, we are unable to alert the site administrator.<\/p>\n<p>In this case, however, the intention of the Gmail-like domain was clear.<\/p>\n<p>The website could be displayed in various languages depending on a visitor\u2019s language environment, including Japanese, German, Spanish, Italian, Dutch, Polish, Portuguese, Russian, Swedish, and Turkish, but not English. As you can see from the sample screenshots of the website, its legitimate look could easily trick accidental visitors into downloading and installing the object.<\/p>\n<p>Japanese:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124902\/squat-ja-08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-4147\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124902\/squat-ja-08.png\" alt=\"squat-ja-08\" width=\"1024\" height=\"793\"><\/a><\/p>\n<p>Russian:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124902\/squat-ru-08.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-4148\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/85\/2014\/03\/05124902\/squat-ru-08.png\" alt=\"squat-ru-08\" width=\"1024\" height=\"794\"><\/a><\/p>\n<p>Typosquatting is not actually new; it\u2019s been around for a while. Despite the method being well known, its victims continue to increase worldwide. To avoid being a victim of typosquatting-driven malware, try to slow down and take care when typing URLs. 
Most important, regularly update your OS and <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">security software<\/a> \u2014 that way you\u2019ll be much less likely to get into trouble even if you mistype a website address.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A variety of methods can lead users to malicious sites, but the one known as \u201ctyposquatting\u201d relies entirely on unforced user error.<\/p>\n","protected":false},"author":212,"featured_media":3012,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[282,36,97],"class_list":{"0":"post-3011","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cybersecurity","9":"tag-malware-2","10":"tag-security-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/3011\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/3114\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/3418\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/3401\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/4143\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/4143\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/typosquatting-malware-infection-triggered-by-mistyping\/4143\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/cybersecur
ity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/212"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3011"}],"version-history":[{"count":4,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3011\/revisions"}],"predecessor-version":[{"id":11446,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3011\/revisions\/11446"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3012"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}