| Name |
TypoSquatting |
|
| Likelyhood of attack |
Typical severity |
| Low |
Medium |
|
| Summary |
An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering. |
| Prerequisites |
An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic. |
- Research popular or high traffic websites.
|
| 2 |
Experiment |
[Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL. |
- Register the TypoSquatted domain.
|
| 3 |
Exploit |
[Deceive user into visiting domain] Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain. |
- Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain.
- Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain.
|
|
| Solutions | Authenticate all servers and perform redundant checks when using DNS hostnames. Purchase potential TypoSquatted domains and forward to legitimate domain. |
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-89 |
A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed. |
| CAPEC-543 |
Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware. |
| CAPEC-616 |
An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource. |
|