
Combatting Typo-Squatting

(Also known as URL Hijacking or Brand Jacking)

Introduction:
Typo-Squatting is a form of Cybersquatting that targets novice net users
who mistype the URL of a website in the browser address bar or search
bar. Its usual aim is to divert the traffic of a popular website by
capturing genuine internet users who have unknowingly made a typing
error while looking for that website. [1]
For example, instead of typing www.microsoft.com, the user mistakenly
types wwwmicrosoft.com, mikrosoft.com, micro-soft.com, microosoft.com,
mircosoft.com or micosoft.com. Any of these can take the user to another
website, which may even look like the original Microsoft website but is
actually owned and operated by other people whose sole aim is to hijack
the traffic going to the original www.microsoft.com website. They may
redirect the traffic to competing websites and/or sell competing products
and services, deceive unsuspecting users into entering their personal or
login information (phishing), draw unsuspecting visitors into fake
surveys and lucky draws, deploy malware and steal business-sensitive
information, blackmail the original website owner, etc. [2]

Proactive Steps to Prevent Typo-Squatting:


When registering the domain name, the real website owner should use a
typo-squatting tool such as URLCRAZY
(http://tools.kali.org/information-gathering/urlcrazy) to find the various
ways in which users might mistype the domain name (misspellings,
singular/plural and hyphenated/non-hyphenated versions, different TLD
extensions, etc.), then buy those variations as well and redirect them to
the main website. The owner should also purchase all possible domains
that might appeal to customers (a computer repair shop should buy a
domain like www.FixYourPC.com) or that the website's haters might use (a
popular brand like Countdown might purchase domains like
www.CountdownSucks.com). [3]
When registering the domain name, make sure it is registered in the name
of the real owners of the business, so that if the employee who handled
the registration leaves the organization there is no scope for blackmail
in future, and the website is not taken down because the renewal notice
did not reach the owners before the domain expired. [3]
All the selected domain names and brand names should be registered
proactively through reputed domain registrars with the Internet
Corporation for Assigned Names and Numbers (ICANN) and the World
Intellectual Property Organization (WIPO). In addition, companies should
trademark their brand names and websites and register their trademarks
with the authorized trademark and patent organizations, such as the
United States Patent and Trademark Office. [3]
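As an added example (not part of the original article and not URLCRAZY's own code), the Python below shows how a brand owner could check domains seen in logs or registration feeds against a protected domain and label each lookalike with the kind of variation described in the first step above. The function names and the last two sample domains are assumptions made for illustration.

```python
# Added example: classify how an observed domain differs from a protected one.
# Sample domains are the article's Microsoft examples plus two constructed ones.
def _split(domain):
    """Lower-case, drop a leading 'www.', split at the first dot."""
    d = domain.lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    label, _, tld = d.partition(".")
    return label, tld

def classify(candidate, protected):
    """Return the typo class of candidate relative to protected, else None."""
    c, c_tld = _split(candidate)
    p, p_tld = _split(protected)
    if c == p:
        return "tld-swap" if c_tld != p_tld else None
    if c_tld != p_tld:
        return None  # assumption: only single-change variants are classified
    if c == "www" + p:
        return "missing-dot"
    if c.replace("-", "") == p:
        return "hyphenation"
    if len(c) == len(p):
        diff = [i for i in range(len(c)) if c[i] != p[i]]
        if len(diff) == 1:
            return "substitution"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and c[diff[0]] == p[diff[1]] and c[diff[1]] == p[diff[0]]):
            return "transposition"
    elif len(c) == len(p) + 1:
        for i in range(len(c)):
            if c[:i] + c[i + 1:] == p:
                doubled = c[i] in c[max(i - 1, 0):i] + c[i + 1:i + 2]
                return "repetition" if doubled else "insertion"
    elif len(c) == len(p) - 1:
        if any(p[:i] + p[i + 1:] == c for i in range(len(p))):
            return "omission"
    return None

def flag_lookalikes(observed, protected):
    """Map each lookalike in observed to its typo class."""
    found = ((d, classify(d, protected)) for d in observed)
    return {d: kind for d, kind in found if kind}

OBSERVED = ["wwwmicrosoft.com", "mikrosoft.com", "micro-soft.com", "microosoft.com",
            "mircosoft.com", "micosoft.com", "microsoft.co", "example.org"]

if __name__ == "__main__":
    for name, kind in flag_lookalikes(OBSERVED, "www.microsoft.com").items():
        print(f"{name:20} {kind}")
```

The classifier only recognises a single change to the registered label or a changed TLD; lookalikes built on subdomains or on several combined changes need a broader comparison.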

How to Fightback Typo-Squatting:


Under the Uniform Domain-Name Dispute-Resolution Policy (UDRP),
trademark holders can file a case at the World Intellectual Property
Organization (WIPO) against typo-squatters. The complainant has to show
that the registered domain name is identical or confusingly similar to their
trademark, that the registrant has no legitimate interest in the domain
name, and that the domain name is being used in bad faith. [1]
Filing the case through the Uniform Dispute Resolution Process (UDRP)
administered by the Internet Corporation for Assigned Names and Numbers
(ICANN) is known as arbitration. It is considered quite cheap
($1200-$1500) but time-consuming (6 months to 1 year), and the outcome
may be unpredictable. Alternatively, one can sue under the provisions
of the Anticybersquatting Consumer Protection Act (ACPA), using a
lawyer to file the lawsuit, and get a quicker resolution: the court may
grant an injunction within 6 weeks to stop the other party from using the
domain name. However, this is the more expensive route, costing upwards
of $5000. A fairly cheaper and less time-consuming solution would be to
come to an out-of-court settlement in which the disputing party agrees to
transfer the domain for less than $600. [3]

Difficulty in Dealing with Typo-Squatting Sites:


The incidence of Typo-Squatting has been increasing every year,
primarily due to the low investment required for this fraudulent
business. For less than $10, one can easily purchase any domain in the
world. All one has to do is make a list of possible domains suitable for
typo-squatting activities and buy them. On the purchased domain, the
typo-squatter can create and host content appropriate for the purpose of
typo-squatting. [8]
The domain could be parked by using domain parking programs. The
website could be connected with advertising networks and used to show
pay-per-click ads and earn revenue. Due to the immense number of
parked sites and no one complaining about them, it is not feasible to
monitor such typo-squatting sites. [8] Also, it is very profitable for
advertising networks to show ads on such sites, hence they share revenue
with the site owners. The revenue from misspelled sites globally is
estimated to be millions of dollars. It would be quite surprising to note
that the world's most notorious cybersquatter, John Zuccarini, has earned
millions every year since the early days of the internet. [6]
Also, a lot of automation tools are at the disposal of professional
cybersquatters and help them quickly generate and analyse a variety of
domain names that can be targeted. Domains that are about to expire are
also a very good target. Automated tools for Drop Catcher and Bidder
Services are also available, which can help cybersquatters identify and
grab these domains within seconds of their expiry. [7]
Another roadblock in dealing with typo-squatters is the time and money
involved in fighting a legal case to get the domain name back. As
mentioned earlier, the ICANN-administered Uniform Dispute Resolution
Process (UDRP) can take a minimum of $1200 and 6 months to resolve. Taking
the help of the Anticybersquatting Consumer Protection Act (ACPA) and a
qualified lawyer can set you back by at least $5000. A new domain name
will be cheaper. [8]

How to Take Down Typo-Squatting Sites:


Back in 2012, popular sites like Twitter.com and Wikipedia.com were the
targets of adept typo-squatters, who registered the similar-looking
domains Wikapedia.com and Twtter.com and even designed the
websites to look just like the originals, so that unsuspecting visitors
would not be able to tell the difference between the original and the
fake websites. However, the fake websites showed ads for iPad and MacBook
competitions. In order to win the iPads and MacBooks, the unsuspecting
visitor was encouraged to enter their mobile number. After the phone
number was entered, the website would send a PIN to the mobile phone to
use for participating in the competitions. Subsequently, the visitors
would start receiving text messages on their phones with various quiz and
survey questions. The unsuspecting consumers would be encouraged to keep
responding to the questions by text and would be charged an unspecified
amount for each text. One consumer reported having been charged
nearly $80 for sending these text messages. Upon complaints, the
case was investigated by the UK authorities, and the websites were
ordered to be shut down. Subsequently, the companies running the
fraudulent websites were fined $156000 for misleading the website
visitors, in addition to being ordered to pay back the charges levied by
the phone companies on the unsuspecting consumers. So, strong consumer
protection and copyright/trademark protection laws, and prompt, strict
enforcement by the regulatory bodies and government agencies, can go a
long way to reduce Typo-Squatting sites. [4]

Some Solutions:
As they say, prevention is better than cure, so the first step would be to
implement all the solutions already discussed under the section on
proactive steps: buy as many domain names as might possibly interest
typo-squatters, make sure the website registration information belongs
to the owner, and take appropriate trademark and copyright protection
steps.
Another offbeat solution, proposed by Alex Tajirian, CEO at DomainMart, is
to incentivize the typo-squatter to redirect traffic from the typo
domain to the original site. This would be like buying traffic from the
competing typo-site to redirect the web users to the correct site. But
many people see this solution as akin to incentivising criminals to turn
good and stop resorting to blackmail, since the traffic would originally
have landed on the correct website had the competing typo site not been
taken by the typo-squatter. [5]
Additionally, government regulatory authorities should step in and take
strong action against the people intentionally running typo-squatting
sites, just as the UK watchdog took action against the companies running
the fake sites wikapedia.com and twtter.com.

Conclusion:
Typo-Squatting is a threat to any business which depends significantly on
online traffic. It can affect not only the visitors coming to the website
but also the brand name, credibility and financial bottom line of
the company. Which of the proposed solutions (arbitration, lawsuit or
out-of-court settlement) should be pursued is best left to
the website owner to decide. Every solution would end up costing them
time and money eventually, and they need to decide which route to take
to deal with typo-squatters, since at the end of the day it will be a loss
to the website owners.

References:
1. https://en.wikipedia.org/wiki/Typo-Squatting
2. https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typo-squatting/
3. http://www.inc.com/guides/201102/how-to-protect-your-domain-name-from-cybersquatting.html
4. https://thenextweb.com/insider/2012/02/16/typo-squatting-sites-wikapedia-and-twtter-have-been-fined-300000-by-uk-watchdog/#.tnw_BPhJbdLR
5. http://www.circleid.com/posts/typo-squatting_a_solution/
6. https://www.theregister.co.uk/2003/09/04/worlds_most_notorious_cybersquatter_arrested/
7. https://umbrella.cisco.com/blog/blog/2016/02/25/typo-squatting-on-the-2016-presidential-campaign-trail/
8. http://aliasencore.com/services/defensive-registration
