You thought typos were harmless?
A recent PCMag.com blog post points out that the fake White House website whitehouse.org (no, I won't link you to it) has been hacked and is serving up malware. Part of the issue here is that many people attempting to go to the government website www.whitehouse.gov will accidentally mistype it as whitehouse.org. This is a specific case of a very real threat.
If you look at the list of the top 500 most popular websites according to Alexa.com. How many of these domain names are easily misspelled or mistyped? There is nothing stopping bad people from registering common typos of popular domains and then presenting the user with something that looks like the website they were expecting, complete with a login field ready to steal your username and password.
How catastrophic could it be if I accidentally typed ertade.com instead of etrade.com and a malicious user had set up a site that looks like E*Trade? If I don't notice my mistake and attempt to log in, I have just given away the user name and password to critical financial information. Not only will the attacker have access to my finances, they will also have access to even more personal information about me such as my home address, phone numbers, birthday, etc. This information may be enough to commit full fledged identity theft.
This attack is called Typo-Squatting. My fellow Symantec employee Oliver Friedrichs has written a very informative post on the Symantec Security Response blog about typo-squatting and its implications on the 2008 election.
The good news: Companies can combat this by registering the domain names for the most common typos of their domains. For instance if you go to http://www.gooogle.com (with an extra 'o') you will be redirected to http://www.google.com.
The moral of the story: Check that address bar twice before you hit enter!
Message Edited by jgonzales on 02-11-2009 07:02 PM