Typosquatting is a malicious tactic that cyberattackers employ to entrap users who mistype web addresses on their browsers. Often, mistyped domain addresses redirect to copycats of legitimate sites and are owned by threat actors. Typosquatters then compromise users’ accounts in different ways. For example, users who end up on typosquatting domains could be encouraged to click malware-laden ads or enter their login credentials.

Typosquatting persists because it works, and it has proven to be a lucrative source of income for criminals. One of the worst typosquatting cases, for instance, netted cybercriminals €24 million in Bitcoin. The attackers spoofed the website of a known cryptocurrency exchange in that particular case. Globally, typosquatting is a US$12.5 billion problem.

As with any cyberattack, users can mitigate typosquatting if caught early on. One effective way is by performing WHOIS lookups on domains that communicate with their networks. Tools like WHOIS Lookup, Brand Monitor, and Typosquatting Data Feed, for example, enable infosec professionals to identify malicious domains from their logs. Let’s examine a typosquatting attack on a settlement page to demonstrate how WHOIS lookups can help uncover similar incidents.

Settlement Pages: A Fast-Growing Target

We are seeing an increase in incidents targeting settlement pages. Tech-savvy fraudsters keep up with the news and often spring into action around the same time as high-profile class action litigations and settlements. They sometimes even register domains ahead of their targets, just like in our featured case.

Around January 2018, customers of North American retail electricity provider Gateway Energy sued the company for charging very high rates. The company settled three separate class-action lawsuits (i.e., Hamlen v. Gateway Energy Services Corporation, Wagar v. Gateway Energy Services Corporation, and Eisig, et al. v. Gateway Energy Services Corporation) for a total of US$9.25 million. The deadline for filing claims was August 2019. The final hearing took place in September 2019.

It comes as no surprise that several variants of the official settlement site for the energy company (https://www[.]gatewayenergysettlement[.]com) surfaced months before the filing deadline. We obtained these lookalike domains using the Typosquatting Data Feed:

• gatewayenergyssettlement[.]com
• gatewayenergysettelment[.]com
• wwwgatewayenergysettlement[.]com
• gatewayenergysettlment[.]com

Using WHOIS Lookup, we retrieved each domain’s WHOIS records, and observed the following similarities:

• While the typosquatting domains were created hours before the real settlement site’s domain came into circulation, that is not surprising. The copycat domains’ owner could be following case developments rigorously.
• The offending domains were registered all at once via NameSilo LLC, probably with the use of a bulk registration service.
• They all used the same privacy protection service, PrivacyGuardian.org. Its listed address in Phoenix, Arizona, also appeared in the domains’ WHOIS records.

• The domains shared the same nameservers, NS1[.]PARKINCREW[.]NET and NS2[.]PARKINGCREW[.]NET. The server’s names suggest that the domains are currently parked.

We also ran a WHOIS search on the real Gateway Energy settlement site. The site’s owner obtained the domain from Network Solutions. Additionally, its registration location is in Jacksonville, Florida.

While it uses a privacy-protection service, its WHOIS records also revealed that it has been using different nameservers from the start.

Overall, our findings on the domain lookalikes hint at the likelihood that a single registrant, possibly a criminal group, reserved them. They could be looking to make a quick buck off claimants by obtaining their credentials and file for claims on their behalf.

* * *

Typosquatting is a nuisance, and it’s even more dangerous when left unchecked. As such, organizations should make sure that they proactively hedge against its perils. Resources such as WHOIS Lookup and Typosquatting Data Feed allow organizations to identify and subsequently block suspicious newly registered domains that are interacting with their network.