News

    David Goldstein - .CM Typosquatting Domains Get 45 Million Visits Per Year

    23.05.2018

    Domain names registered in the Cameroon ccTLD .cm are a significant security risk, often registered by typosquatters who deliberately register domain names that mimic .com websites for some of the world’s largest companies. Visiting the websites it’s common for users to be bombarded with misleading malware alerts and websites filled with scams and spam. And it seems some of these large companies are doing very little about it.

    According to research reported by Krebs on Security, security expert Mathew Chambers analysed .cm access logs for the first quarter of 2018 and found the typosquatted websites were visited 11.8 million times, which would equate to around 45 million visits per year. Many of those accidentally visiting these websites are then bombarded “with misleading malware alerts and redirected to scammy and spammy websites.” As a result, operators of the websites are likely making “a pretty penny regardless of the content that ends up getting served through it.”

    The research came about after some internet users reported to Chambers the problems that followed after they’d, reportedly, typed in espn.com, reported Krebs on Security. But they’d actually typed in espn.cm. Visiting espn.cm (don’t do it!), Chambers found “he quickly had his computer screen filled with alerts about malware and countless other pop-ups.”

    “One thing we notice is that any links generated off these domains tend to only work one time, if you try to revisit it’s a 404,” Chambers wrote, referring to the standard 404 message displayed in the browser when a Web page is not found. “The file is deleted to prevent researchers from trying to grab it, or automatic scanners from downloading it. Also, some of the exploit code on these sites will randomly vaporize, and they will have no code on them, but were just being weaponized in campaigns. It could be the user agent, or some other factor, but they definitely go dormant for periods of time.”

    Krebs on Security, run by internet security expert Brian Krebs, has some advice for internet users who directly type in the internet address – don’t do it!

    “If you’re in the habit of directly navigating to Web sites (i.e. typing the name of the site into a Web browser address bar), consider weaning yourself of this risky practice. As these ubiquitous typosquatting sites show, it’s a good idea to avoid directly navigating to Web sites you frequent. Instead, bookmark the sites you visit most, particularly those that store your personal and financial information, or that require a login for access.”

    Digging a bit deeper into which domain names were typosquatted, Krebs found over a thousand of the domains for some of the largest companies are hosted on the same IP address and belong to a company run by previously convicted felon.

    “It’s remarkable that so many huge corporate brand names aren’t doing more to police their trademarks and to prevent would-be visitors from falling victim to such blatant typosquatting traps.”