1. Risk analysis
First, we have created a risk profile, setting apart the various risks for this particular company. Based on this risk profile, we have identified three main threats to this company that come with typosquatting:
1. Phishing - pages impersonating the bank to obtain clients' personal and login information.
2. Information theft - typo domains set up to farm misdelivered e-mails.
3. Marketing abuse - pages showing advertisements or commercial content, capitalising on the bank's customers.
1.1 Phishing
Existing customers often visit their bank's webpage in order to conduct business or to find updates and information. Whenever a customer attempts to type the bank's domain name into their browser, there is a 5.53% chance (see chapter 2) of making a typographical error that takes them to another domain name instead of the bank's domain name. A phishing page would be engineered to look similar to the website of the bank, but will attempt to steal information from unsuspecting visitors. By building a phishing site on typographical errors, there is a passive stream of unsuspecting targets. Phishing also often takes place through e-mail, where criminals send e-mails that look like they originate from the bank. Using a domain name that optically resembles a trademark increases the likelihood of visitors falling for the scam.
As this particular bank has been, and still is, the target of e-mail phishing attempts, we can conclude that the risk of phishing schemes by typo squatting is VERY HIGH.
1.2 Information theft
When a customer or a bank employee sends an e-mail to anyone with an e-mail address at the bank's domain name, there is a risk of making typographical errors. When the typo occurs before the @, there is most likely not that much risk involved. The e-mail is delivered to the bank's e-mail server and either redirected to the correct recipient or discarded. However, if a typo is made behind the @, the e-mail will be delivered to an entirely different domain and mail server. This opens up the possibility of e-mail theft. Cybercriminals register typographical errors of domain names which are used for e-mail and collect the wrongly delivered e-mails, which often contain sensitive information. This opens up possibilities of blackmail, information leaks, identity theft and corporate espionage. The bank in this case study sends highly sensitive information by e-mail. In a brief e-mail routing test we have discovered that some domain names are already being used for e-mail theft. We can conclude that the risk of e-mail theft is EXTREMELY URGENT.
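The before-the-@ versus behind-the-@ distinction above can be enforced on the sending side: an outbound mail filter that flags recipients whose domain is a single-keystroke typo of the bank's own domain. This is an added illustration, not the report's tooling; the domain examplebank.nl and the addresses are constructed, and the keyboard-neighbour table is a simplified assumption.

```python
# Added example: flag outbound recipients whose domain is a one-edit typo of
# the organisation's own mail domain. examplebank.nl is a constructed name.

def typo_variants(domain: str) -> set[str]:
    """Single-edit typos of the label left of the TLD: omission, doubled
    letter, transposition and substitution by a neighbouring QWERTY key
    (simplified three-row layout, an assumption of this example)."""
    label, tld = domain.lower().rsplit(".", 1)
    rows = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

    def neighbours(ch: str) -> set[str]:
        for row in rows:
            if ch in row:
                i = row.index(ch)
                return set(row[max(0, i - 1):i + 2]) - {ch}
        return set()

    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                       # omission
        out.add(label[:i] + ch + label[i:])                      # doubled letter
        if i + 1 < len(label):                                   # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in neighbours(ch):                                 # adjacent key
            out.add(label[:i] + n + label[i + 1:])
    out.discard(label)
    return {v + "." + tld for v in out if v}


def classify_recipient(address: str, own_domain: str) -> str:
    """'internal' (stays on the bank's own server, even with a typo before
    the @), 'typo_domain' (leaves the organisation to a lookalike domain, the
    e-mail theft case) or 'external' (ordinary outside address)."""
    _, _, dom = address.rpartition("@")
    dom = dom.lower()
    if dom == own_domain.lower():
        return "internal"
    if dom in typo_variants(own_domain):
        return "typo_domain"
    return "external"


def flag_outbound(recipients: list[str], own_domain: str) -> list[str]:
    """Return the recipients a mail gateway should hold for review."""
    return [r for r in recipients if classify_recipient(r, own_domain) == "typo_domain"]
```

A gateway would hold the flagged messages rather than bounce them, so that a genuine external correspondent is never blocked silently.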
1.3 Marketing
The majority of domain names that contain typographical errors are used to generate income through pay-per-click advertising (PPC). These pages with advertisements are highly lucrative to the operator, at the cost of the trademark holder.
Each time a visitor clicks on an advertisement, it hurts the trademark holder, regardless of the nature of the advertisement.
Customers or potential new customers who attempted to type in the website of the trademark holder, find themselves on a page with advertisements. If an advertisement for a rivalling brand is clicked, the customer disappears to a competitor and the trademark holder loses or misses out on their business.
Many brand owners advertise by bidding on keywords on the leading search engine(s). What they are often unaware of, is that these search engines also place their advertisements on these so-called 'parking pages' that typosquatters place on their typo domain names. This means that they are now paying for each click on their advertisements that are shown on the typo's of their own brand.
We have analyzed the majority of the parking pages that infringe on the trademark of the bank in our study. Depending on the keyword, the bank would spend between 0.03 EUR and 7.97 EUR per advertising click. If we average this out, we come to an average cost of 1.66 EUR per clicked advertisement. The cost of losing customers to competing banks is not something we can calculate, but it obviously forms a risk that is best avoided.
It is possible to file complaints with the advertising networks in order to ban the infringing domains from the advertising network, but this usually has an even worse impact. The cybersquatters will move the domains to second and third tier advertising platforms which often feature advertisements containing adult content, affiliated products from competitors or even malware and spyware.
The bank in our study has filed several of these complaints, which is why we see less than average PPC pages but a wide range of other abuse. We can conclude that the marketing risk for this bank is VERY HIGH.
2. Found abuse
Out of the 100 most common typographical errors and misspellings of the bank's domain name, 57 are currently being abused in various ways. 41 domains are available for registration and only one typo domain is owned by the bank in question. Now, if we look at absolute visitor numbers, we see a somewhat different picture.
According to our metrics and calculations, the total visitor count of these 100 most common typos and misspellings is ±24,250 visitors per month. Only 7.25% of these visitors (1,759) do not pose a direct threat to the bank. That leaves 269,892 visitors per year who are redirected to pages that harm the bank, of which 147,840 land on PPC parking pages. At an average cost of 1.66 EUR per click, the potential lost advertising cost of these pages is 245,414.40 EUR.
If we assume the parking page click-through rate of the country-industry average (banking in the Netherlands) of 26.12%, this comes down to a direct monetary loss of 64,102.24 EUR per year. The additional potential cost of lost business due to customers clicking on advertisements of competitors is not something that we can calculate. Your marketing division probably has a better idea of those numbers.
An estimated 6,322 visitors per month, or 75,864 per year face 'customer theft' pages. 'Customer theft' is how we classify visitors that are redirected to businesses in similar industries. In this case we have seen informative websites, loan providers and product purchase offers such as financial books.
An estimated 1500 visitors per month, or 18,000 visitors per year are redirected to 'get rich quick'-type and other types of scams.
An estimated 1164 visitors per month, or 13,968 visitors per year are redirected to casinos.
An estimated 1034 visitors per month, or 12,408 visitors per year are redirected to surveys, not affiliated with the bank but often featuring the bank's full name and logo.
An estimated 151 visitors per month, or 1812 visitors per year are redirected to pages which attempt to install malware on the visitor's machine.
Only 345 visitors per month are redirected to pages owned by the bank or to empty pages.
There were no domains used for phishing at this point.
We expect an estimated 21,265 wrongly delivered e-mails on typo domains of the bank's main email domain.
Over 25% of these e-mails contain confidential information. At this point we have identified several domain names which have 'catch-all' e-mail accounts active and are most likely gathering confidential e-mails for future criminal activity. The damage that this may cause is unforeseeable, but it is critical to put an end to this severe security flaw.
To ensure discretion, we won't publish the name of this particular bank until further notice.