When visitors fail to recognize that the site they visit is a fraudulent copy of that of a famous brand, they can expose themselves to cybercrime and other attacks. As part of these attacks, typosquatting is a common technique that hackers use to lure victims. They create websites that very closely resemble that of the brand they are trying to hijack so the victims would not have a clue that it is fake.

As such, one typo can easily land users on a hijacked site that may:

• Allow hackers to harvest their personally identifiable information (PII) and other account details
• Cause reputational damage for the company that is spoofed, as it may be accused of exposing its clients and consumers to malicious domains
• Download malware onto the visitors’ computers, or worse, company networks

A Closer Look at Leboncoin Marketplace’s Case

Cybercriminals often target brands that have a considerable following. For them, the more page views a brand’s site gets, the better it is to spoof.

Leboncoin is France’s No. 1 marketplace that corporations often use when they need to look for candidates for job openings. It is also popular among vehicle and real estate buyers and sellers. That said, it can be a pretty enticing target for hackers.

Recently, we discovered six domains that may be used to spoof Leboncoin’s domain leboncoin[.]fr using our typosquatting tool. At a glance, they may look like legitimate country versions of the site:

• leboncoin-nr[.]top
• leboncoin-nq[.]top
• leboncoin-lb[.]top
• leboncoin-ls[.]top
• leboncoin-nl[.]top
• leboncoin-lc[.]top

The company can have registered these misspelled variants of its domain as a means to protect against typosquatting. But, it is also possible that cybercriminals registered them to target Leboncoin’s users. The point is, we can’t be sure until we check. Simple Google searches might do the trick. Then again, we don’t want to accidentally visit a malicious website that could have bypassed the search engine’s built-in filters by doing so. To avoid such a drawback, we used WHOIS Lookup, a WHOIS domain name search tool.

We retrieved the domains’ WHOIS records and found that:

• All of the domains were recently registered, specifically on April 10, 2019. Their registrations are also set to expire on April 10, 2020. That is odd for a legitimate business like Leboncoin, which should, as best practice, register domains for long-term use.
• They were also registered in Indonesia. That is also unusual in that the company is based in France.
• They were privately registered. Though that’s not a crime, it is a means to throw off the authorities’ scent if their owners have something to hide.

Here is an example of the said records:

While the results seem suspicious, we need to be sure. So we ran Leboncoin’s domain, leboncoin[.]fr, on WHOIS API too to retrieve and compare its records with those of the six domains mentioned above:

We found that Leboncoin’s site was registered in 2007, and, as expected, it’s registration isn’t set to expire in just a year. Also, the domain was registered in France, which makes sense since it sports the country-code top-level domain (ccTLD) .fr. Finally, its registrant data is publicly accessible, unlike those of the six domains.

If Leboncoin was responsible for registering the six domains, it is logical to assume they would contain the same or similar details as those in its website’s WHOIS record. As we’ve seen, they don’t. And so, it is highly advisable to stay away from the sites hosted on the six domains we investigated. They may soon figure in phishing and other attacks.

* * *

These days, to avoid falling for phishing scams due to typosquatting, users can rely on domain name search tools such as WHOIS Lookup that can help spot fake domains by comparing them with legitimate ones through their WHOIS records.