If you’re tired, in a hurry or just have clumsy sausage fingers like me, you know how easy it is to type the wrong URL. And – particularly since ICANN started rolling out the new gTLDs – there are some people (the brilliantly named ‘typosquatters’) who are registering reaaaally similar domain names to popular sites to lure traffic away, or even attack visitors. Here’s the skinny on what’s been happening!
Typosquatting – or ‘URL hijacking’/‘fake URL’ – is a type of cybersquatting (and sometimes brandjacking too) where squatters create domain names that are similar to popular existing ones, and rely on our ‘fat-fingered’ typing errors to take us to their site when we mistype the domain; and as the devices get smaller, it’s only going to get worse.
What’s making it particularly easy right now is the new ‘.uk’ domain. The typosquatters are trying to make some dolla by cashing in on popular .co.uk domain names: they stick ‘co’ on the end of the name and register the .uk version to try and steal traffic from the already popular .co.uk version, e.g. paypalco.uk (there are also a few comedy examples – like if you try microtoft.com you get: “This fansite for our adorable friend, the very small Mr Mike Toft, also called ‘MicroToft’ is under construction”).
They then make money from the traffic. They can do this in a couple of ways, like showing ads related to the legit domain they’re essentially impersonating, using referral sites to redirect people to the actual site (through brand affiliate programmes usually), or even by sending the visitors to a competitor’s site. Whilst that’s not good, the real danger is the phishing potential it has: intercepting passwords as the visitors pass through the site, tricking the visitor into thinking they’re actually on the real site, or installing malicious things like drive-by malware (although the latter is less likely apparently, maybe because it’s not easy for the squatter to abandon the site if it gets tipped as malicious). Last year Facebook even won a case against typosquatters – the ruling turned over around 100 typosquat domains to the social media giant and awarded about $2.8m in damages!
To try and stop this happening, owners of the .co.uk versions of domains were given automatic rights to the .uk version if they wanted it when they became available in June, if there was no other equivalent domain in existence (so if you had the domain.co.uk version, you’d be given domain.uk automatically unless domain.org.uk, .ltd.uk etc. was already taken). The reservation period runs for five years, and no one else is allowed to register that domain during that time even if the original people decide not to use it.
Even so, the typosquatters seem to have found a way around it; there are a fair few out there, from nationalrailco.uk to several banks, including nationwideco.uk and natwestco.uk. Especially with the financial implications of this – where you’re asked to put sensitive info into a website – the potential for fraud is pretty serious.
To help reduce the risk, it’s important to check that the domain you’re using is correct, as well as the normal checks like making sure ‘https’ is present in the address bar for secure transactions. If you’re a company worried about typosquatters, you can use a Fraud Detection service [http://www.netcraft.com/anti-phishing/fraud-detection/] to help check that no one’s impersonating you. And – importantly – if you accidentally end up on the wrong URL, don’t follow any links, even if they look like they’ll link you back to the page you originally intended to go to – there are some bad eggs out there!
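For anyone who wants to check their own proxy or DNS logs for the ‘co’-on-the-end trick described above, here is a small sketch (an added example, not from the original post) that flags .uk hostnames imitating a protected .co.uk name, and also catches one-character typos. The brand list reuses names mentioned in the post; `examplebank`, the sample hostnames and the list of second-level suffixes are assumptions made up for the demo.

```python
# Added example: flag .uk hostnames that imitate a protected .co.uk domain.
SECOND_LEVEL = ("co.uk", "org.uk", "ltd.uk")  # assumed subset of .uk second levels

def registrable(host):
    """Return (label, suffix) for a .uk hostname, or None for anything else."""
    host = host.lower().rstrip(".")
    for sfx in SECOND_LEVEL:
        if host.endswith("." + sfx):
            return host[: -len(sfx) - 1].split(".")[-1], sfx
    if host.endswith(".uk"):
        return host[:-3].split(".")[-1], "uk"
    return None

def one_edit_apart(a, b):
    """True for one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        d = [i for i in range(len(a)) if a[i] != b[i]]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def classify(host, protected):
    """Return a reason string if host imitates <brand>.co.uk, else None."""
    reg = registrable(host)
    if reg is None:
        return None
    label, sfx = reg
    if label in protected:
        return None  # exact brand label; same label under other suffixes is out of scope
    if sfx == "uk" and label.endswith("co") and label[:-2] in protected:
        return "missing dot: looks like %s.co.uk" % label[:-2]
    for brand in sorted(protected):
        if one_edit_apart(label, brand):
            return "typo: looks like %s.co.uk" % brand
    return None

# Brand labels taken from the article, plus one constructed label (examplebank).
PROTECTED = {"nationalrail", "nationwide", "natwest", "paypal", "examplebank"}
# Constructed sample of hostnames, e.g. pulled from proxy or DNS logs.
SEEN = ["www.natwest.co.uk", "natwestco.uk", "paypalco.uk",
        "exmaplebank.co.uk", "nationwide.uk", "example.org"]

if __name__ == "__main__":
    for h in SEEN:
        print(h, "->", classify(h, PROTECTED) or "ok")
```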