Proactively blocking attackers' domain spoofing attempts has been one of the main workhorses of cybersecurity for years.
Users, brands and organizations are at high risk from these email attacks and there are techniques to subtly trick those who receive these manipulated messages.
One of them is typosquatting, which consists of creating a domain that resembles the legitimate one, taking advantage of spelling mistakes and possible carelessness on the part of the victim.
It is easier than you might think to let your guard down for a second and click on a Goggle.com link. Yes, that tiny change can go unnoticed when the user is on autopilot. Before they realize it, they are on a malicious site downloading malware.
This is nothing new, but, at a time when mobile usage is more than widespread among the population, the odds of succeeding with these attacks multiply.
These devices are much more limited than a computer where you can quickly look up an address on the Internet to assess whether it is correct. This flexibility is not so easy with a smartphone, which is why many users decide to enter a link without stopping to think about the possible consequences.
It also happens that, due to size limitations, the mobile browser sometimes cannot display the full URL in the navigation bar, which contributes to these typos being overlooked.
Even when a domain created by typosquatting lacks protocols such as SSL and TLS, which enable secure communications on the Internet, it may already have been reported as spam by users and, as a result, have acquired negative reputation markers, something that helps browsers issue warnings to potential victims.
Another detail that may be striking, and raise alarm bells, is if the domain contains the acronym 'apk', the executable file extension for Android applications, because it may be an impersonation. Watch out for paltpal-apk[.]com, instead of PayPal; or tlktok-apk[.]link, for TikTok downloads. These examples may show the trick from a distance, but they have worked for some attackers to distribute malware.
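The kind of check described above, flagging a domain that differs from a protected brand by a single typo, a digit-for-letter swap, or an 'apk'-style affix, can be automated so that new domains seen in mail logs or registration feeds are reviewed before a user ever has to notice the misspelling. The following is an added example, not code from the original article; the brand list, the observed domains, the affix list and the homoglyph table are all constructed assumptions, and the edit-distance threshold is a tunable heuristic rather than a standard.

```python
"""Lookalike-domain checker (added example, not from the original article).

Given brand domains we protect and domains observed in logs or new-domain
feeds, flag those that resemble a typosquat of a brand: a small edit distance
after normalising common substitutions, or a brand name with a suspicious
affix such as '-apk' bolted on. All inputs below are constructed.
"""

# Constructed inputs: brands we defend and domains seen in logs.
PROTECTED_BRANDS = ["google.com", "paypal.com", "tiktok.com"]

OBSERVED_DOMAINS = [
    "goggle.com",          # single-letter typo of google.com
    "paltpal-apk[.]com",   # the article's example, in defanged notation
    "tlktok-apk[.]link",   # idem
    "g00gle.com",          # digit-for-letter homoglyph
    "example.org",         # unrelated, should not be flagged
    "paypal.com",          # the real brand, should not be flagged
]

# Affixes attackers append to a brand name to suggest an app download (assumed list).
SUSPICIOUS_AFFIXES = ("-apk", "apk", "-app", "-download")

# Characters commonly swapped for visually similar ones (assumed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def clean_domain(domain: str) -> str:
    """Lower-case and undo '[.]' defanging."""
    return domain.lower().replace("[.]", ".").strip(".")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'paltpal-apk' from 'paltpal-apk.com'.
    Naive split; public-suffix lists (co.uk etc.) are out of scope here."""
    labels = clean_domain(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> tuple:
    """Strip a suspicious affix and map homoglyphs; return (core label, reasons)."""
    reasons = []
    for affix in SUSPICIOUS_AFFIXES:
        if label.endswith(affix) and len(label) > len(affix):
            label = label[: -len(affix)]
            reasons.append(f"affix {affix!r}")
            break
    mapped = label.translate(HOMOGLYPHS)
    if mapped != label:
        reasons.append("homoglyph substitution")
    return mapped, reasons


def check_domain(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 2):
    """Return (brand, reasons) if the domain looks like a typosquat of a brand, else None."""
    clean = clean_domain(domain)
    core, reasons = normalise(registrable_label(clean))
    for brand in brands:
        brand_label = registrable_label(brand)
        dist = damerau_levenshtein(core, brand_label)
        if dist > max_distance:
            continue
        found = list(reasons)
        if dist > 0:
            found.append(f"edit distance {dist} from {brand_label!r}")
        elif clean != brand and not found:
            found.append("brand name under a different TLD")
        if found:  # the genuine brand domain yields dist 0 and no reasons
            return brand, found
    return None


def scan(observed=OBSERVED_DOMAINS) -> dict:
    """Map each flagged domain to the brand it imitates and why."""
    results = {}
    for d in observed:
        hit = check_domain(d)
        if hit:
            results[d] = hit
    return results


if __name__ == "__main__":
    for domain, (brand, reasons) in scan().items():
        print(f"{domain} -> {brand}: {', '.join(reasons)}")
```

With the default threshold of two edits, 'paltpal' is still caught (it is two edits from 'paypal'); short brand labels may need a tighter threshold to keep false positives down, which is why the threshold is a parameter.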
You should be as cautious as possible, especially when entering valuable information such as credit card numbers or personal data, to make sure you are dealing with a legitimate website. If it is on a secure server, the web address will begin with 'https://' instead of the usual 'http://'. The browser may also display an icon to indicate that the page is secure, but this is not foolproof.
Cybercriminals often use free certificates in their attacks, so the safest option is to type the URL directly into the address bar - and without misspellings or typos, of course.
As users, we are critical links in managing security effectively, so awareness of threats on its own is not enough. Even so, there are organizations that need to do more, because they are not always taking adequate measures to protect against domain spoofing.
SPF (Sender Policy Framework) records can be added to validate the sender addresses of incoming emails; the addresses listed in the 'From' field can be compared against the domains designated as trusted, where possible; and an 'external' label can be attached to the sender to flag messages that claim to come from the organization but in fact originate from an external domain.
Also relevant here is the use of DomainKeys Identified Mail (DKIM) authentication; the application of reputation-based content filters to reduce the likelihood of users clicking on a malicious link; and, of course, publishing a DMARC (Domain-based Message Authentication, Reporting and Conformance) record, one of the most powerful and proactive tools to date in the fight against phishing and spoofing. Once again, the combination of technology and people will be key to addressing the threats.
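To make the SPF and DMARC side of this concrete, here is an added example (not code from the original article) that evaluates an SPF record for a given sending IP and audits a DMARC record for the weaknesses a defender would want to fix. It runs entirely offline against a constructed table of DNS TXT records for fictional domains; the SPF evaluator covers only the ip4, ip6, include and all mechanisms, and the DMARC checks reflect common hardening advice rather than a full policy validator.

```python
"""SPF evaluation and DMARC audit (added example, not from the original article).

Everything runs against a constructed DNS TXT table so it can be read and
tested without network access. SPF handling covers ip4/ip6/include/all;
a, mx, exists and macro mechanisms are out of scope.
"""
import ipaddress

# Constructed TXT records for fictional domains (documentation ranges only).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
    "weak.example": ["v=spf1 ip4:203.0.113.5 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns=DNS_TXT):
    """Return the domain's SPF TXT record, or None."""
    for txt in dns.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sending_ip, dns=DNS_TXT, depth=0):
    """Return pass/fail/softfail/neutral/none for sending_ip sending mail as domain."""
    record = spf_record(domain, dns)
    if record is None or depth > 10:  # guard against include loops (RFC 7208 caps lookups)
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # an IPv4 address is never "in" an IPv6 network, and vice versa
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            matched = check_spf(value, sending_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def parse_dmarc(domain, dns=DNS_TXT):
    """Parse the _dmarc TXT record into a dict of tags, or None if absent."""
    for txt in dns.get(f"_dmarc.{domain}", []):
        if txt.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def dmarc_findings(domain, dns=DNS_TXT):
    """List the weaknesses a defender would want to fix in the domain's DMARC setup."""
    tags = parse_dmarc(domain, dns)
    if tags is None:
        return ["no DMARC record: spoofed mail is neither quarantined nor reported"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports look clean")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown or missing policy {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    return findings


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.5"),
                    ("weak.example", "192.0.2.1")]:
        print(f"SPF {dom} from {ip}: {check_spf(dom, ip)}")
    for dom in ("example.com", "weak.example", "nodmarc.example"):
        print(f"DMARC {dom}: {dmarc_findings(dom) or ['ok']}")
```

The soft fail on 'weak.example' illustrates why '~all' alone is a weak posture: a receiver will usually accept the message and at most tag it, which is exactly why the text treats a DMARC record with an enforcing policy as the stronger tool.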