Heimdal™ Security SOC Team Discovers Typosquatting Domain Masquerading as Crypto-Swapping Platform
Heimdal™ Security’s SOC team has recently unearthed a new typosquatting domain specifically crafted to resemble the URL of Trader Joe XYZ, one of the most sought-after cryptocurrency trading platforms. Tricked by a typo in the spelling of the crypto-swapping platform’s URL, users would send their MetaMask wallets to an unknown party or parties that would ultimately despoil their contents.
Misspelled URL puts Thousands of Traders at Risk
Earlier today, Heimdal™ reported that a Trader Joe XYZ lookalike site had been identified. The domain, associated with the IP address 220.127.116.11 and tracked via ARIN to US soil, contained the misspelled word “trader” (i.e. tradrjoexyz.com instead of the legitimate traderjoexyz.com). Additional metrics provided by a VirusTotal query suggest that the typosquatting domain has had numerous associations with other (potentially) harmful domains.
Heimdal™ cautions all users to pay extra attention when typing in domain names, especially when it comes to electronic financial instruments such as Trader Joe XYZ. It seems very likely that this isn’t the first time the platform has been targeted by typosquatters. A closer look at the website’s landing page reveals a cautionary message: “Always make sure the URL is www.traderjoexyz.com”. The webmaster also encourages users to bookmark the website for future transactions. The investigation is ongoing. We will update the article as soon as new information becomes available.
What is Typosquatting?
Falling into the social engineering attacks category, typosquatting is a technique that leverages hard-to-detect spelling mistakes for the purpose of redirecting the user to a crafted website, specifically engineered to steal users’ credentials. Typosquatting can be carried out relatively easily, since setting up these domains takes very little time. Just like in the case of Trader Joe XYZ, the fake domain has a single changed letter or, rather, a missing one. The difference is so subtle that, without a Google search, it’s impossible to spot. Typosquatters rely on exactly this: users typing the domain directly into the address bar instead of Google-searching it.
Apart from spelling errors, typosquatting domains can contain other types of incongruities: hyphenated structures (e.g. xyz-corp.com instead of xyzcorp.com), altered TLDs (e.g. example.cim instead of example.com or example.uk), and language-dependent spelling (i.e. using UK English word forms instead of US English). Again, typosquatting relies on the above-mentioned artifices in order to trick the user into giving up their credentials.
How to Protect against Typosquatting
Since most of these attacks leverage address bar typing instead of Google searching, the most obvious course of action would be to Google-search your domain instead of typing it. Checking the SSL certificate icon next to the address bar is also a good way to ensure that the site you’re using is safe (i.e. look for the padlock icon next to the URL). Here are some other things to try out in order to safeguard your endpoint and credentials against typosquatting domains.
- Don’t click on suspicious pop-ups. Many typosquatting domains use malicious pop-ups to carry out attacks. The rule of thumb says that you should avoid pop-ups if you somehow find yourself navigating a potentially harmful website.
- Double-check the URL before committing your credentials.
- Use a DNS traffic-filtering solution. Malicious websites can be quickly mapped out by a DNS traffic-filtering solution. Heimdal™’s Threat Prevention Home can easily identify malicious domains, blocking them before any malicious files get transferred to your machine.
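As an added example (not Heimdal™’s code or part of the original article), the small Python checker below recognises the four lookalike variants described above (a missing letter, inserted hyphens, an altered TLD, and UK/US spelling) against a list of domains you want to protect, and runs that check over resolver log lines of the kind a DNS traffic-filtering solution would see. The log format, the UK/US spelling map and the sample domains are constructed assumptions.

```python
from typing import List, Optional, Tuple

# Constructed UK->US spelling map (an assumption, not from the article); extend as needed.
UK_US = {"colour": "color", "centre": "center", "licence": "license", "organisation": "organization"}

# Constructed resolver log in the form "<timestamp> <client> query <qname>"; only the first line is a lookalike.
SAMPLE_LOG = ["2024-01-01T10:00:00Z 10.0.0.5 query tradrjoexyz.com",
              "2024-01-01T10:00:01Z 10.0.0.5 query traderjoexyz.com"]

def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, tld) for a 'name.tld' domain, e.g. ('tradrjoexyz', 'com')."""
    sld, _, tld = domain.lower().rstrip(".").rpartition(".")
    return sld, tld

def one_deletion_away(short: str, full: str) -> bool:
    """True if `short` equals `full` with exactly one character removed."""
    if len(short) != len(full) - 1:
        return False
    return any(full[:i] + full[i + 1:] == short for i in range(len(full)))

def classify_lookalike(candidate: str, legitimate: str) -> Optional[str]:
    """Name the typosquatting variant that maps `candidate` onto `legitimate`, or None if unrelated."""
    c_sld, c_tld = split_domain(candidate)
    l_sld, l_tld = split_domain(legitimate)
    if (c_sld, c_tld) == (l_sld, l_tld):
        return None  # exact match: this is the real domain
    if c_tld == l_tld and one_deletion_away(c_sld, l_sld):
        return "missing-letter"  # tradrjoexyz.com -> traderjoexyz.com
    if c_tld == l_tld and "-" in c_sld and c_sld.replace("-", "") == l_sld:
        return "hyphenation"  # xyz-corp.com -> xyzcorp.com
    if c_sld == l_sld:
        return "altered-tld"  # example.cim -> example.com
    americanised = c_sld
    for uk, us in UK_US.items():
        americanised = americanised.replace(uk, us)
    if c_tld == l_tld and americanised == l_sld:
        return "spelling-variant"  # colourcorp.com -> colorcorp.com
    return None

def flag_dns_queries(log_lines: List[str], protected: List[str]) -> List[Tuple[str, str, str]]:
    """Return (queried name, protected name, variant) for every query that is a lookalike."""
    hits = []
    for line in log_lines:
        qname = line.split()[-1]  # last field is the queried name in the constructed format
        for legit in protected:
            variant = classify_lookalike(qname, legit)
            if variant:
                hits.append((qname, legit, variant))
    return hits
```

Feed `flag_dns_queries` your own protected-domain list and real resolver output; a hit is a candidate for blocking or for an alert to the user who typed the name.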
Trader Joe XYZ’s case isn’t unique. Every day, thousands of typosquatting domains are generated, some of them so flawless in design that not even an expert’s eye could tell them apart. So, as always, Heimdal™ recommends extra caution when navigating unknown websites and, of course, searching for them on Google before committing your credentials.