Typographical errors (or ‘typo’ in short) are very common since the invention of printing press. It started with people inverting block letters in movable type. Still today, we can find plenty of them in books, newspapers or any other visual media, but also on the Internet. In classic(old) medias, this has no major impact but on Internet this could have side effects like redirection to websites with unexpected content (adult, ads) or security issues.
This is very old but typosquatting or URL hijacking is a very old way to attract visitors to websites they should normally never visit. It’s simply due to the fact that people type quickly on their keyboard without re-reading what they just typed or due to the keyboard layouts which can introduce errors by typing a key next to the one you should use.
Common examples are:
- gooogle.com (extra characters added)
- orqcle.com (mismatch between QWERTY and AZERTY keyboards)
- micros0ft.com (mistyped characters)
- yaho.com (missing characters)
Another common typo error is to use an alternative TLD (“Top Level Domain“). But what could be the impact of typosquatting? How to measure it? Here follows a good example.
Except if you’re living on the moon, you are aware that linkedin.com suffered of a major security breach this week. 6.5M passwords have been leaked on the Internet. Just after the announce of this incident, some people deployed websites to help people to detect if their password was leaked or not (some of them were good sites, others were fake with only one goal: collect more passwords – but it’s another story). One of those sites was called: leakedin.org:
I like the expression “leakedin” and I registered the domain leakedin.com in 2009. A few months ago, I started to re-use it for a new blog. So, what happened? The Twitter hashtag #leakedin spread quickly on Wednesday 6th of June and people started to visit my blog (.com) instead of the right one (.org). Besides the fact that this had an impact on my server load, it’s interesting to see some statistics. First, people came mainly from the United States but also from all over the world:
More than 95% were new visitors which proves that they landed on my site “by mistake”. The top-three sources were:
- 45% : Direct access (people typed the URL in this browser – human error)
- 39% : Google (once a bad URL indexed, it’s too late!)
- 10% : slate.com
Slate.com? Indeed, in his article, a journalist made a reference to my site instead of the right one:
And if your password wasn’t among those “ <a href="http://www.leakedin.com/">cracked and leaked</a>,” did that mean you were safe?</p>
Finally, here is the visual effect of this story on my site. I’m still receiving traffic but the buzz seems over 😉
Conclusion? The side effects of typosquatting or typo errors can’t be ignored. You can become a target with multiple consequences (bandwidth consumption, server downtime, slow response times, …). This is called the Slashdot effect. From a malicious point of view, it’s less and less easy to register domain names closed to the official ones for big organizations or brands. Most of them are already registered (sometimes by the brand owner to keep control of them). But attacks remain possible by spreading wrong URLs across social media (using URL shorteners) to attract visitors.