Volume 6, Issue 3 May 11, 2011

Download PDF Print Page

When Squatting Spreads Malware

FairWinds Partners Measures Prevalence of Malware in Typos of Popular Websites

Google, Amazon, The New York Times – these are all sites that Internet users visit everyday. But one mistyped letter when typing in their web addresses can expose users to computer-infecting viruses, invasive spyware, or information-stealing Trojan horses.

In previous studies that FairWinds Partners has undertaken, the primary focus has revolved around the monetary harm that various types of cybersquatting inflict on brands. Squatted sites cost brand owners money in the form of unnecessary advertising costs, lost impressions and lost sales. But it’s not only brands that suffer harm at the hands of cybersquatters.

In some cases, cyber criminals use domain names that contain recognizable, well-known brand names to spread malware to unsuspecting Internet users. Malware is software designed to access computer systems without the owners’ knowledge or consent; viruses, worms, Trojan horses, spyware and adware are all types of malware.

Internet users can become exposed to this type of harmful and invasive software when they type a squatted domain into their browser bar, or by clicking on a link containing the squatted domain. Once exposed, users are vulnerable to computer systems damage or destruction, or in some cases, identity theft.

In our 2010 study “The Cost of Typosquatting,” FairWinds examined the impact of typosquatted domain names on the 250 most highly trafficked websites. Typosquatting refers to the practice by which individuals seek to monetize or otherwise benefit from traffic generated by spelling or keystroke mistakes made by direct navigators attempting to reach specific websites. In total, we found that the typos of the 250 domains in our study receive over 448 million visitors per year.

Recently, we undertook the task of testing a sample set of domain names to see how many host malware. We opted to analyze the sample we had examined in our Cost of Typosquatting study because we were curious to see which typos of major brand domains are secretly spreading harmful malware. All the domains in that study are typo variations of the domains of the 250 most highly trafficked websites that contain six or more characters (with fewer characters in the root of the domain name, there is an increased risk that a “typo” is actually another correctly spelled word or acronym).

In total, we found that over 200 typo variations of 82 brands’ domain names are responsible for spreading various types of malware. This list includes typographic variations of the domain names owned by such major brands as Ticketmaster, USA Today, Priceline and MapQuest.

The most heavily abused brand in our dataset was Google, for which we identified 10 different typo domains hosting malware. The next most exploited brands were, Microsoft, PayPal and Travelocity, with eight malware-hosting typo domains apiece. These five brands, which make up just six percent of the 82 brands whose typos are spreading malware, account for 18 percent of the total malware-hosting typo domains. Additionally, we found that multiple squatted domain variations of PayPal in particular were used for phishing attempts.

According to the FBI’s Internet Crime Complaint Center (IC3), malware attacks are among the biggest threats to Internet users. In 2010, “Computer Crimes,” which the IC3 uses to refer to adware, spyware, viruses and other related activities, was the fourth most reported crime by Internet users.1


Figure 1: Top 5 Brands Affected by Malware on Typosquatted Sites [+]

This statistic, while telling, may not fully encompass the scope of the malware problem that Internet users face.

Most crimes that Internet users report to the IC3 are those that, like identity theft or non-delivery of merchandise, result in immediate monetary losses. Unfortunately, the problem with malware is that its impact is typically not immediately felt by victims. Many viruses attack in a manner that is undetectable by the average Internet user and by the time the owner realizes there is a problem, it is too late. And when a cybercriminal exploits a recognizable and trusted brand name to spread malware, it can be even more misleading to Internet users. Instead of making a complaint to the proper authorities, they may direct their anger toward the company in question.

“We see it all the time,” says Supervisory Special Agent Charles Pavelites of the IC3. “People believe what they see on the Internet and in emails. If a consumer visits a copycat site hosting malware that looks like it belongs to a legitimate company, he or she is more likely to believe that whatever harm is incurred is the company’s fault.”

Take, for example, the domain – a typo of missing the first T. To the average user, this domain name appears to resolve to the official Washington Post site. See the screen shot here:


Figure 2 [+]

What we discovered, however, is for a split second before resolving to the Washington Post site, the domain name directs to the domain, which according to our research, has been associated with distributing malware. The redirect happens so quickly that any user who navigates to does not notice – instead, he or she will assume that no error has been made.

This type of trickery is actually fairly ingenious, because it is almost impossible for brand owners to notice as well. They may assume that there is no problem and they do not need to recover the domain, or at the very least, it may fall low on the list of prioritized recoveries for legal and brand protection staff. As a result, this type of domain name could go unnoticed for a very long time, continuing to ensnare a large number of victims.

Other times, the malware-depositing domains appear to be pay-per-click (PPC) sites, as in the example of, a typo of with an extra P. See the screenshot:


Figure 3 [+]

Unfortunately, many of the in-house lawyers and brand protection specialists that we work with have tended to overlook the importance of recovering domain names that host PPC sites. Our analysis of these domain names should give these professionals a reason to reconsider their stance on PPC sites. It is clear that in certain cases, what appears to be a seemingly innocuous PPC site could actually be distributing harmful malware.

Whether in the form of PPC sites or redirects, in our experience working with brand owners we have observed that most do not check to see whether third party owned typos and other squatted variations of their domain names spread malware. This is a grave oversight, because users who find themselves on these pages risk having their entire computer infected.

And while the impact on the user is tremendous, the impact on the brand itself can be even greater. If the user realizes that the malware was connected to the brand, it can lead to severe distrust and other consumer loyalty issues. In addition, this manifestation of squatting tends to garner a greater level of media attention than pay-per-click sites or other schemes perpetrated by squatters.

Brand owners must be diligent about enforcing their brands in the domain name space and protecting their customers. The invisible and far reaching harm associated with malware-spreading domain names should compel brands to look beyond the amount of traffic a domain receives and the observable content it hosts. By pursuing squatted domains that spread malware, brand owners have the opportunity to vastly improve their online audience’s brand experience by protecting them from these invisible assaults.

To learn how your brand is being affected and how FairWinds can help, please contact us at