Typosquatters have always sought to profit from typing mistakes. But the typosquatters who recently used domains similar to those of three large health insurers—Anthem, Premera Blue Cross and CareFirst BlueCross BlueShield—have taken the practice to a dangerous new level.
Most typosquatting tactics lead fat-finger typists to ads. A recent Internet Society typosquatting study found that just over 50% of illegitimate web pages are used for ad parking. But according to recent reports by Bitglass and PCWorld, typosquatting is now being used for something more brazen: getting at the hacker holy grail, lucrative health insurance records and Social Security numbers. Bitglass calls it “spellcheck phishing.” Here’s how it works:
- Cybercriminals buy a domain similar to the one they want to exploit.
- They build a page on that domain that mimics an internal corporate service, such as a human resources portal or a VPN login. (Such lookalike pages are sometimes called bait-and-switch pages.)
- They send phishing emails to employees that link to the fake site.
- Employees are duped into providing logins and passwords, which give the attackers access to the insurer’s real systems.
In the Wall Street Journal’s CIO blog, Adam Meyer, chief security strategist of threat intelligence consultancy SurfWatch Labs, speculated on what happened once Anthem attackers got inside:
They likely hunted for administrators’ accounts, giving them access to sensitive information, such as names and Social Security numbers, which are typically hosted in the company’s enterprise resource planning application. From there, they likely queried the database behind the ERP app and began to siphon data to a cloud storage provider. Using trusted accounts to transfer data to trusted storage enabled them to remain undetected.
Indeed, the Anthem attackers remained undetected for more than a month. The Premera attack wasn’t discovered for more than eight months. And the CareFirst attack wasn’t discovered for a year. Here’s a recap:
Anthem
- 78.4 million records
- Announced January 2015
- Typo: we11point.com (WellPoint is the former name of Anthem)
Premera Blue Cross
- 11 million records
- Announced March 2015
- Typo: prennera.com
CareFirst BlueCross BlueShield
- 1.1 million records
- Announced May 2015
- Typo: caref1rst.com
The takeaway? For starters, your company should be using defensive registrations: buy the likely variants of your own domain and redirect them to your real site. Sadly, too few companies do this today, even though most domain name registrars offer a service that registers a wide range of probable cybersquatting variants at the same time as your primary domain. Defensive registration can never cover every possible variant, so pair it with monitoring for newly registered lookalike domains.
While 95% of the top 500 domains are victims of typosquatting, according to the Internet Society study, only 31% protect themselves by proactively registering logical variants.
If you want to see who’s typosquatting on your domain, try the five models used to find typosquatters in the Internet Society study:
- Missing-dot typos: The dot following “www” is missing, e.g., wwwcode42.com
- Character-omission typos: One character is omitted, e.g., www.coe42.com
- Character-permutation typos: Two consecutive characters are swapped, e.g., www.coed42.com
- Character-substitution typos: A character is replaced by an adjacent key on the keyboard, e.g., www.cofe42.com
- Character-duplication typos: A character is mistakenly typed twice, e.g., www.codde42.com
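As an added example (this is not code from the original post or from the Internet Society study), the following Python generates candidates for all five models above and classifies a suspect hostname against them. Because the three breach domains in the recap (we11point, prennera, caref1rst) are visually confusable substitutions rather than keyboard slips, it goes beyond the study and adds a sixth homoglyph model. The QWERTY adjacency table and the homoglyph map are this example's own assumptions, and it assumes a single-label TLD such as .com.

```python
"""Typosquat candidate generation and classification for a hostname.

Implements the five Internet Society models (missing-dot, omission,
permutation, adjacent-key substitution, duplication) plus one homoglyph
model that the study did not use. Added example; the keyboard layout and
the homoglyph table below are assumptions, not data from the study.
"""
from __future__ import annotations

# US QWERTY rows. Keys in the rows above/below at the same or a neighbouring
# column count as adjacent, a rough approximation of the physical stagger.
_QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _adjacent_keys() -> dict[str, set[str]]:
    adj: dict[str, set[str]] = {}
    for r, row in enumerate(_QWERTY_ROWS):
        for c, key in enumerate(row):
            neigh: set[str] = set()
            for rr in (r - 1, r, r + 1):
                if 0 <= rr < len(_QWERTY_ROWS):
                    other = _QWERTY_ROWS[rr]
                    for cc in (c - 1, c, c + 1):
                        if 0 <= cc < len(other) and (rr, cc) != (r, c):
                            neigh.add(other[cc])
            adj[key] = neigh
    return adj


ADJACENT = _adjacent_keys()

# Visually confusable replacements (assumed table, deliberately small).
HOMOGLYPHS = {"l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "m": ("rn", "nn"), "w": ("vv",)}


def omission(label: str) -> set[str]:
    return {label[:i] + label[i + 1:] for i in range(len(label))} - {""}


def permutation(label: str) -> set[str]:
    # Swapping two identical neighbours would reproduce the legitimate label.
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def substitution(label: str) -> set[str]:
    return {label[:i] + k + label[i + 1:]
            for i, ch in enumerate(label) for k in ADJACENT.get(ch, ())}


def duplication(label: str) -> set[str]:
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}


def homoglyph(label: str) -> set[str]:
    out: set[str] = set()
    for ch, subs in HOMOGLYPHS.items():
        if ch not in label:
            continue
        for sub in subs:
            out.add(label.replace(ch, sub))           # every occurrence: we11point
            for i, c in enumerate(label):              # a single occurrence: wel1point
                if c == ch:
                    out.add(label[:i] + sub + label[i + 1:])
    return out


LABEL_MODELS = [
    ("character-omission", omission),
    ("character-permutation", permutation),
    ("character-substitution", substitution),
    ("character-duplication", duplication),
    ("homoglyph", homoglyph),
]


def typo_candidates(host: str) -> dict[str, set[str]]:
    """Map model name -> set of candidate hostnames derived from `host`."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected at least label.tld")
    out: dict[str, set[str]] = {"missing-dot": set()}
    if labels[0] == "www" and len(labels) > 2:
        out["missing-dot"].add("www" + ".".join(labels[1:]))
    i = len(labels) - 2  # registrable label; assumes a one-label TLD (.com, not .co.uk)
    for name, fn in LABEL_MODELS:
        out[name] = {".".join(labels[:i] + [v] + labels[i + 1:]) for v in fn(labels[i])}
    return out


def classify_typo(candidate: str, legit: str) -> str | None:
    """Return the first model that produces `candidate` from `legit`, else None."""
    cand = candidate.lower().strip(".")
    for model, variants in typo_candidates(legit).items():
        if cand in variants:
            return model
    return None


if __name__ == "__main__":
    # Constructed pairs: the three breach domains from the recap above.
    for suspect, brand in [("www.we11point.com", "www.wellpoint.com"),
                           ("prennera.com", "premera.com"),
                           ("caref1rst.com", "carefirst.com"),
                           ("www.cofe42.com", "www.code42.com")]:
        print(f"{suspect:22} -> {classify_typo(suspect, brand)}")
```

Run the classifier over sender domains and link hosts pulled out of reported phishing mail, and feed the generated candidate sets to a registrar or passive-DNS lookup to see which variants someone else already owns. Note that none of the study's five models reproduces the three breach domains; only the added homoglyph model does, which is a good argument for extending whatever candidate list you monitor beyond pure keyboard errors.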
If you find malicious squatters, you may be able to get legal recourse through the Anticybersquatting Consumer Protection Act (ACPA).