Beware of Typosquatting and New Identity Theft Warnings

Typosquatting joins scam tactics as identity theft surges: Internet Scambusters #327

This week we have a couple of important Snippets for you
covering two critical areas of security, one you know well —
identity theft — and the other you may never have heard of —
typosquatting.

The rate at which our personal data is being compromised
through security breaches has reached alarming record
proportions, costing US victims alone $50 billion a year. We
bring you up to date with the latest news, including numbers
from a recent massive data breach, and pointers on how to
protect yourself.

We already know that crooks use phishing by directing us to bogus web pages as one technique for stealing our personal information.

Mostly this is done through emails, where you click on a link,
but there’s another way you can be fooled… typosquatting…
as we explain here.

Now, here we go…


Beware of Typosquatting


How’s your typing? Ever think you keyed in a correct website
address only to find yourself in the wrong place? Our guess
is that you have. And if you did, and you noticed it, count
yourself lucky. Because if you hadn’t spotted it, you could be
in deep trouble.

When you make a mistake, you can become a victim of a
little-publicized scam called typosquatting, in which someone
registers a website domain name based on misspellings of the
correct word or other typing mistakes — ‘typos’ as they’re
called in the printing world.

The scammer is effectively exploiting the popularity of the
real site you’re looking for — hence the ‘squatting’ part of
the name.

The scam has been dubbed by Internet security outfit McAfee as
“the plague of the imperfect typist.” Here are the main ways
you may unintentionally key in an incorrect address and find
yourself on a typosquatting page:

  • Simple spelling mistakes — like ‘nasdasq’ instead of ‘nasdaq’.

  • Transposing some of the letters in the name — such as
    ‘microsfot’ instead of ‘microsoft’ (though this particular
    error won’t take you to a typosquatting page).

  • Forgetting to put a dot after the ‘www’ part or before the
    ‘com’ part of an address, which your browser doesn’t
    recognize, so it inserts them. McAfee themselves are victims
    of this.

www.wwwmcafee.com (this is a typosquatting page — it’s just
shown here as an example of typosquatting — don’t use it.)

Typosquatting is generally outlawed in the US but sometimes
the crime is difficult to define and prove. And, of course,
scammers based overseas are out of reach.

But it’s what the typosquatting sites are used for that can
cause the real trouble.

Often, typosquatting sites are simply used to generate revenue
for the typosquatter, typically through per-click advertising
that pays out when you click on any of the links on the page,
like the McAfee site example above.

However, typosquatting sites are also often used to load
viruses and other malware onto your computer. You think you’re
on the right page, so you happily click links and even
willingly download stuff.

Other times it might be part of a phishing scam, inviting you
to key in your personal details. Just think what would happen
if you incorrectly keyed in your bank name and landed on a
typosquatting site that looked like the real thing. Such a
site would, of course, be considered fraudulent but that
doesn’t stop the crooks from trying it on.

Sometimes, the real page may not be copied exactly but the way
it’s presented can be sufficiently misleading for you not to
notice it’s the wrong site, especially if you’re unfamiliar
with it. Again, these may be used for malware but more often
they’re just packed with advertising links for which the owner
gets paid per click.

Yet further variations of typosquatting pages are merely lures
into dangerous, and often adult, sites.

OK, you vow to improve the accuracy of your typing. But
landing on a typosquatting page isn’t always because of
mistyping.

Many of the ‘squat’ sites are based around variations of the
real name — like using ‘.com’ when the real site is ‘.org’,
missing out a hyphen that should be there (or using a hyphen
that isn’t there) or simply taking a wrong guess at the
correct site name.
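
For readers who like to see the mechanics: the mistake types described above (a misspelling, transposed letters, a missing dot, the wrong ending, a dropped or added hyphen) can be recognized by comparing a typed address against a short list of sites you trust. This is an added example, not part of the original newsletter; the trusted list, the function names and example-bank.org are constructed for illustration.

```python
# Constructed list of sites the user really means to visit.
TRUSTED = ["nasdaq.com", "microsoft.com", "mcafee.com", "example-bank.org"]

def _split(host):
    """Return (name, ending). Assumes single-label endings like .com or .org."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    name, _, tld = host.rpartition(".")
    return name, tld

def _one_edit(a, b):
    """True if a and b differ by one added, dropped or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:] or (len(a) == len(b) and a[i + 1:] == b[i + 1:])

def _swapped(a, b):
    """True if b is a with two neighbouring characters transposed."""
    if len(a) != len(b):
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(d) == 2 and d[1] == d[0] + 1
            and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def classify(host, trusted=TRUSTED):
    """Return (verdict, trusted site it resembles or None)."""
    name, tld = _split(host)
    best = None
    for site in trusted:
        t_name, t_tld = _split(site)
        if (name, tld) == (t_name, t_tld):
            return ("trusted", site)          # exact match always wins
        if name == t_name:
            hit = "different ending"          # e.g. .com typed for .org
        elif name in ("www" + t_name, t_name + t_tld):
            hit = "missing dot"
        elif name.replace("-", "") == t_name.replace("-", ""):
            hit = "hyphen added or dropped"
        elif _swapped(name, t_name):
            hit = "transposed letters"
        elif _one_edit(name, t_name):
            hit = "spelling mistake"
        else:
            continue
        best = best or (hit, site)
    return best or ("unknown", None)
```

Any verdict other than "trusted" or "unknown" means the address is one slip away from a site on your list and deserves a second look before you click anything.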

This was particularly common during the US elections when
typosquatters set up scores of sites with names similar to
those of the two presidential candidates.

How widespread is it? A 2008 study found 80,000 typosquatting
sites covering just the 2,000 most frequently visited
websites! And with one popular kids’ website there were more
than 300 scam sites hanging off of the real thing. And with a
leading credit reports site, almost 750!

More and more genuine website owners are trying to protect
themselves with their own typosquatting sites, so that if you
make a typing mistake you still get taken to the right site.
In other cases, browsers and built-in security programs may
actually spot the typing error or phishing attempt and
re-direct you.

But you can’t always count on others to rectify your mistakes
so you need to build in your own safeguards. Here are a few
things you can do to cut the risk:

  • Get into the habit of glancing at the address bar in your
    web browser after the page opens.

  • For regularly visited sites, use your browser’s ‘bookmarks’
    feature. By bookmarking a page you don’t have to key in the
    address next time; just click the bookmark link.

  • If you don’t know the correct site address, do a search for
    it; don’t guess.

  • If a site doesn’t look quite right, it probably isn’t, so
    don’t click links or download anything.

  • Type very carefully!

Action: use OpenDNS.com. It’s free and takes 2 minutes to set up. It helps protect you against typosquatting and phishing.


Many US consumers touched by ID theft threat nightmare


The threat of identity theft has touched the lives of more
than one third of all Americans in the past year, according to
figures from ID protection specialists LifeLock. And if you
add kids into the equation, the proportion soars to well
over half.

Most of us don’t realize this, if we’re lucky enough not to
fall victim, but, says LifeLock, 600 personal information
breaches in 2008 alone have affected more than 125 million US
consumers.

That doesn’t mean, of course, that half the population has
been a victim of ID theft.

“The organizations that have lost our information have ranged
from educational institutions to the government and military,
medical and healthcare facilities to banking and financial
institutions and your everyday businesses,” the firm explains.

“Identity theft costs US consumers $50 billion a year and is a
living nightmare.”

These shock figures come in the wake of recent news of a
massive data breach, involving Heartland Payment Systems, the
sixth largest credit card payment processor in the US.

In January 2009, Heartland disclosed that its systems had been
breached. At the time of the breach, the company was
processing around 100 million transactions a month for an
estimated 250,000 restaurants, retailers and other merchants.

The number of consumers actually exposed has not been
specified, but identity protection specialist TrustedID says
the figure runs into tens of millions.

A couple of other data breach events last year compromised
5 million credit and debit card accounts. But this is the
biggest data breach ever disclosed, says TrustedID, noting
that 40% of Heartland’s transactions are from restaurants
across the country.

Evidence of widespread card fraud, using card numbers stolen
in this latest breach, is already emerging and there have been
several arrests.

Steps you should take now:

  • Always scrutinize your credit card statement. If you have
    access online to your card account, check it frequently —
    every day if you can. Contact the credit card company if you
    spot any charges you don’t recognize.

  • Visit the Scambusters Identity Theft Information Center for more help and advice.

With the scale of identity theft and clever tricks like
typosquatting, it’s easy to become alarmed over the security
risks we face every day. But law enforcement and computer
security specialists are constantly fighting back on our
behalf.

You can play your part by being alert to the risks, keeping a
careful eye for telltale signs of a breach — and staying in
touch via Scambusters.

That’s it for today — we hope you enjoy your week!