What Is Typosquatting or URL Hijacking?

At some point, some of us have accidentally mistyped a URL for a famous website. For example, (notice the missing ‘e’ at the end) instead of the proper version

Some cybercriminals exploit this likelihood of human error by practicing what is known as typosquatting or URL hijacking.

Defining Typosquatting or URL Hijacking

Online hackers and criminals buy domain names that are common misspellings of famous websites. When that happens, a user who mistakenly types a misspelled version of a recognized website's address is taken to a live landing page instead of a 404 page, which is what normally appears when a URL doesn't exist.

In many instances, the landing page of the misspelled website mimics the real website very closely, so the user who inadvertently went there cannot tell the difference. As a result, they may carry on their regular activities without realizing that they are giving away their personal information to malicious actors, or allowing malware or other dangerous code to be installed on their device.

This practice of using a typo to fool online visitors into thinking they are on a legitimate website, while the cybercriminals gain access to their personal information or break into their devices, is referred to as typosquatting or URL hijacking. More broadly, typosquatting is classified as a social engineering attack.

How To Prevent Typosquatting or URL Hijacking

There are multiple technical approaches to preventing typosquatting. And while the responsibility should be shouldered by both individuals and organizations, one of the most common-sense approaches is to be vigilant and aware of what you’re doing online.

For example, check that you haven't misspelled the address before you load it. Additionally, certain web browsers like Microsoft Edge provide extra support against typosquatting.

To enable the typosquatting protection in Edge, go to your main browser settings. Then, head over to the Privacy, search, and services option in the left panel. Finally, under the sub-heading of “Security,” enable Typosquatting Checker. Doing so should prompt a warning when a typo in the address is about to take you to a potentially malicious site.

Typosquatting checker in Microsoft Edge browser.

Other Methods presents more solutions against URL hijacking. Two of the cool highlights are shared below.

  • Choosing an ISP that may offer in-built support to safeguard against typosquatting.
  • Trademarking your domain, so you can potentially sue attackers propagating typosquatting attacks surrounding your domain name.

Typosquatting Is Illegal in the U.S.

In 1999, the Anticybersquatting Consumer Protection Act (ACPA) declared that typosquatting is illegal in the United States. Specifically, the Act states that using domain misspellings for profit is against the law. However, if you think about it, to a certain degree, making money in some shape or form is the ultimate goal of typosquatting.

Not only that, many opponents of typosquatting also consider it to be an unethical activity. Believe it or not, not all URL hijacking attacks have malicious intent. For example, someone might set up a misspelled website as a prank or a joke.

Irrespective of what is going on externally, the best defense against typosquatting is to be aware of how you're conducting yourself online, while organizations and individuals do their part, as much as they can, to prevent this type of attack in the first place.

Levelheaded companies like Microsoft, for instance, even have a mechanism in place to report websites you've landed on as a result of typosquatting.

Technically, typosquatting can apply to any site, not just the famous ones, although the recognizable sites are where such attacks are prevalent.