Sometimes, seeing several permutations of a famous company’s domain names is no coincidence. Often, these are typosquatting attempts. They are not merely a nuisance, either, because clicking such a URL can have severe effects.
Take the cases of several major companies like Netflix, PayPal, Samsung, and LinkedIn, among others. In a typosquatting campaign, cyber attackers created “.om” domains that mimicked those of popular brands so that people who mistakenly typed “.om” instead of “.com” would end up visiting the bogus sites.
Typosquatting is a known cybercriminal tactic to trick victims into visiting malicious pages. It is a tried-and-tested technique that can pose perils to both the spoofed business and its customers, including:
The Curious Case of “Apple Support” Pages
Having a huge following can be both a blessing and a curse. While more users mean more profits, it also translates to more potential cybercrime victims.
Apple is one example of a company with a huge “cult” following. In 2019, it had 1 billion active iPhone, iPad, and Mac users. And so it’s not surprising that threat actors may wish to spoof its domains. Using our typosquatting tool, we found four domains that appear to spoof its official support page:
We know that not all look-alike domains are malicious. Some companies buy misspelled variants of their domains as a countermeasure against typosquatting. And they also use country-code TLDs (ccTLDs) and the new gTLDs for product releases or local sites.
Organizations that want to invest in domains with up-and-coming gTLDs or protect their brands against abusers can continuously check for available names using a tool such as Domain Availability Check. They can also use Brand Monitor to spot potential brand abusers.
We also know, though, that a lot of typosquatted domains figure in phishing campaigns. And if Apple does not own any of the domains we found, then it may be best to stay away from them.
And so we dug deeper. First, we ran each domain on WHOIS API to see who their owners were. Here’s what we found:
While those details are not proof of foul play, we also know that if Apple Support were to email users, it would likely use an address on the domain support[.]apple[.]com. We also looked at the WHOIS record of its official support domain and found that:
If Apple registered the four domains, their records would likely show the same details as that of the real support page. While we can’t say for sure what the domain owner’s motives are, it may be a good idea not to interact with anyone who uses the appleidsupporta[.]info, appleidsupporta[.]org, appleidsupports[.]org, and appleidsupports[.]info domains, especially if that message sender is asking you to divulge personal information.
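The triage described above (flag domains that are one typo away from a brand name or its TLD, then compare their registrant details with the brand’s official WHOIS record) can be automated. The script below is an added example, not code from WhoisXML API or its tools; the WHOIS records, registrar names and the defensively registered “aple.com” entry are constructed placeholders standing in for real lookups.

```python
"""Flag look-alike domains and compare their registrant data with the brand's
official WHOIS record. All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_org: str
    registrar: str


# Constructed stand-ins for WHOIS API output (assumption: the first record is
# the brand's genuine support domain; the rest are placeholders).
OFFICIAL = WhoisRecord("support.apple.com", "Apple Inc.", "Example Corporate Registrar")
OBSERVED = [
    WhoisRecord("appleidsupporta.info", "REDACTED FOR PRIVACY", "Example Registrar"),
    WhoisRecord("appleidsupports.org", "REDACTED FOR PRIVACY", "Example Registrar"),
    WhoisRecord("apple.om", "Unknown", "Example Registrar"),            # ".om" TLD typo
    WhoisRecord("aple.com", "Apple Inc.", "Example Corporate Registrar"),  # defensive buy
    WhoisRecord("apple.com", "Apple Inc.", "Example Corporate Registrar"),  # the real thing
    WhoisRecord("pineapple.io", "Fruit Stand Ltd", "Example Registrar"),  # not a typo
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (label just before the TLD, TLD), e.g. ('apple', 'om')."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def is_lookalike(domain, protected=("apple", "appleidsupport"), tld="com", max_dist=1):
    """True when the name is within max_dist edits of a protected name
    (appleidsupporta, aple) or matches it under another TLD (apple.om).
    The genuine <protected>.<tld> domain itself is never flagged."""
    name, dtld = split_domain(domain)
    if name in protected and dtld == tld:
        return False
    return any(edit_distance(name, p) <= max_dist for p in protected)


def triage(observed, official):
    """Map each look-alike to a verdict from its WHOIS registrant data."""
    verdicts = {}
    for rec in observed:
        if not is_lookalike(rec.domain):
            continue
        same_owner = (rec.registrant_org == official.registrant_org
                      and rec.registrar == official.registrar)
        verdicts[rec.domain] = "owned-by-brand" if same_owner else "registrant-mismatch"
    return verdicts
```

A `registrant-mismatch` verdict is a reason to treat mail from that domain with suspicion, not proof of abuse; an `owned-by-brand` verdict shows the defensive registrations the text mentions.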
* * *
When faced with a suspicious-looking domain, merely relying on age-old checks such as making sure a URL begins with HTTPS or that a company’s logo or brand appears in the domain name is no longer enough. Typosquatted domains can very closely mimic those of the popular organizations they are spoofing. These days, using tools such as WHOIS API that can’t be fooled by minor changes in spelling may be required.