Typos in URLs put consumers at risk of serious fraud

If you tend to access websites by typing the URL in the address bar, you could be putting yourself at risk of online fraud, cybercrime and exposure to counterfeit goods.

That is the conclusion of research by CSC which found that 70 per cent of misspelled domain names associated with the 10 largest online shopping brands – more than 1,550 URLs – were registered to third parties.

The phenomenon, known as domain spoofing, is well established, but CSC’s research points to the scale of the problem, with “hundreds of thousands of registered domains linked to third parties associated with some…top shopping destinations.”

These typo domains receive over 5 million visits annually, according to the security specialist, with activity inflated by consumers being restricted to their homes because of COVID-19, especially during the peak holiday shopping season.

Examining the misspelled domains, the study found that almost half (48 per cent) were configured with MX (mail) records that can be used to send phishing emails or to intercept email, and 40 per cent use domain privacy services to mask or hide their ownership.

Knock off the knock offs: The Importance of Changing Security Features

It also showed that 38 per cent of the top 100 most visited typo domains linked to advertising-related and pay-per-click web content, which can spread malware. Meanwhile, more than a quarter had no live web content but could be configured to send and receive email with MX records.

15 per cent were engaged in affiliate referrals, which could brand owners at risk of lost sales by unauthorised sellers, 12 per cent pointed at shopping-related web content that could expose consumers to counterfeits, ad 8 per cent pointed to malicious content like malware.

“We believe this domain-spoofing problem is vastly underestimated because we know there are hundreds of thousands of registered domains linked to third parties associated with some of these top shopping destinations,” says CSC.

It recommends that brand owners should form a domain security council with responsibility for strategy and policy, continuously monitor the domain space as well as marketplaces, apps, and email for brand abuse, infringements, and fraud, and devote resources to enforcement activities like takedowns and Internet blocking.

It also has the following advice for consumers: