Beware of Typosquatting and New Identity Theft Warnings

Typosquatting joins scam tactics as identity theft surges: Internet Scambusters #327

This week we have a couple of important Snippets for you covering two critical areas of security, one you know well — identity theft — and the other you may never have heard of — typosquatting.

The rate at which our personal data is being compromised through security breaches has reached alarming record proportions, costing US victims alone $50 billion a year. We bring you up to date with the latest news, including numbers from a recent massive data breach, and pointers on how to protect yourself.

We already know that crooks use phishing by directing us to bogus web pages as one technique for stealing our personal information.

Mostly this is done through emails, where you click on a link, but there’s another way you can be fooled… typosquatting… as we explain here.

Now, here we go…

Beware of Typosquatting

How’s your typing? Ever think you keyed in a correct website address only to find yourself in the wrong place? Our guess is that you have. And if you did, and you noticed it, count yourself lucky. Because if you hadn’t spotted it, you could be in deep trouble.

When you make a mistake, you can become a victim of a little publicized scam called typosquatting, in which someone registers a website domain name based on misspellings of the correct word or other typing mistakes — ‘typos’ as they’re called in the printing world.

The scammer is effectively exploiting the popularity of the real site you’re looking for — hence the ‘squatting’ part of the name.

The scam has been dubbed by Internet security outfit McAfee as “the plague of the imperfect typist.” Here are the main ways you may unintentionally key in an incorrect address and find yourself on a typosquatting page:

  • Simple spelling mistakes — like ‘nasdasq’ instead of ‘nasdaq’.
  • Transposing some of the letters in the name — such a ‘microsfot’ instead of ‘microsoft’ (though this particular error won’t take you to a typosquatting page).
  • Forgetting to put a dot after the ‘www’ part or before the ‘com’ part of an address, which your browser doesn’t recognize, so it inserts them. McAfee themselves are victims of this. (this is a typosquatting page — it’s just shown here as an example of typosquatting — don’t use it.)

Typosquatting is generally outlawed in the US but sometimes the crime is difficult to define and prove. And, of course, scammers based overseas are out of reach.

But it’s what the typosquatting sites are used for that can cause the real trouble.

Often, typosquatting sites are simply used to generate revenue for the typosquatter, typically by offering per click advertising when you click on any of the links on the page, like the McAfee site example above.

However, often this form of typosquatting is used to upload viruses and other malware onto your computer. You think you’re on the right page, so you happily click links and even willingly download stuff.

Other times it might be part of a phishing scam, inviting you to key in your personal details. Just think what would happen if you incorrectly keyed in your bank name and landed on a typosquatting site that looked like the real thing. Such a site would, of course, be considered fraudulent but that doesn’t stop the crooks from trying it on.

Sometimes, the real page may not be copied exactly but the way it’s presented can be sufficiently misleading for you not to notice it’s the wrong site, especially if you’re unfamiliar with it. Again, these may be used for malware but more often they’re just packed with advertising links for which the owner gets paid per click.

Yet further variations of typosquatting pages are merely lures into dangerous, and often adult, sites.

OK, you vow to improve the accuracy of your typing. But landing on a typosquatting page isn’t always because of mistyping.

Many of the ‘squat’ sites are based around variations of the real name — like using ‘.com’ when the real site is ‘.org’, missing out a hyphen that should be there (or using a hyphen that isn’t there) or simply taking a wrong guess at the correct site name.

This was particularly common during the US elections when typosquatters set up scores of sites with names similar to those of the two presidential candidates.

How widespread is it? A 2008 study found 80,000 typosquatting sites covering just the 2,000 most frequently visited websites! And with one popular kids’ website there were more than 300 scam sites hanging off of the real thing. And with a leading credit reports site, almost 750!

More and more genuine website owners are trying to protect themselves with their own typosquatting sites, so that if you make a typing mistake you still get taken to the right site. In other cases, browsers and built-in security programs may actually spot the typing error or phishing attempt and re-direct you.

But you can’t always count on others to rectify your mistakes so you need to build in your own safeguards. Here are a few things you can do to cut the risk:

  • Get into the habit of glancing at the address bar in your web browser after the page opens.
  • For regularly visited sites, use your browser’s ‘bookmarks’ feature. By bookmarking a page you don’t have to key in the address next time; just click the bookmark link.
  • If you don’t know the correct site address, do a search for it; don’t guess.
  • If a site doesn’t look quite right, it probably isn’t, so don’t click links or download anything.
  • Type very carefully!

Action: use It’s free and takes 2 minutes to set up. It helps protect you against typosquatting and phishing.

Many US consumers touched by ID theft threat nightmare

The threat of identity theft has touched the lives of more than one third of all Americans in the past year, according to figures from ID protection specialists LifeLock. And if you add kids into the equation, the proportion soars to well over half.

Most of us don’t realize this, if we’re lucky enough not to fall victim, but, says LifeLock, 600 personal information breaches in 2008 alone have affected more than 125 million US consumers.

That doesn’t mean, of course, that half the population has been a victim of ID theft.

“The organizations that have lost our information have ranged from educational institutions to the government and military, medical and healthcare facilities to banking and financial institutions and your everyday businesses,” the firm explains.

“Identity theft costs US consumers $50 billion a year and is a living nightmare.”

These shock figures come in the wake of recent news of a massive data breach, involving Heartland Payment Systems, the sixth largest credit card payment processor in the US.

In January 2009, Heartland disclosed that its systems had been breached. At the time of the breach, the company was processing around 100 million transactions a month for an estimated 250,000 restaurants, retailers and other merchants.

The number of consumers actually exposed has not been specified, but identity protection specialist TrustedID says the figure runs into tens of millions.

A couple of other data breach events last year compromised 5 million credit and debit card accounts. But this is the biggest data breach ever disclosed, says TrustedID, noting that 40% of Heartland’s transactions are from restaurants across the country.

Evidence of widespread card fraud, using card numbers stolen in this latest breach, is already emerging and there have been several arrests.

Steps you should take now:

  • Always scrutinize your credit card statement. If you have access online to your card account, check it frequently — every day if you can. Contact the credit card company if you spot any charges you don’t recognize.
  • Visit the Scambusters Identity Theft Information Center for more help and advice.

With the scale of identity theft and clever tricks like typosquatting, it’s easy to become alarmed over the security risks we face every day. But law enforcement and computer security specialists are constantly fighting back on our behalf.

You can play your part by being alert to the risks, keeping a careful eye for telltale signs of a breach — and staying in touch via Scambusters.

That’s it for today — we hope you enjoy your week!