CAPEC-630: TypoSquatting
An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.
Last updated
Overview
CAPEC-630 (TypoSquatting) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
- Research popular or high traffic websites.
- Step 2Experiment
[Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the TypoSquatted URL.
- Register the TypoSquatted domain.
- Step 3Exploit
[Deceive user into visiting domain] Finally, the adversary needs to deceive a user into visiting the TypoSquatted domain.
- Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the TypoSquatted domain.
- Assume that a user will incorrectly type the legitimate URL, leading the user to the TypoSquatted domain.
What the attacker needs
Prerequisites
- An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.
Skills required
- Low skill: Adversaries must be able to register DNS hostnames/URL’s.
Consequences
What a successful CAPEC-630 attack can achieve.
Other
Affects: Other
Depending on the intention of the adversary, a successful TypoSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.
How to mitigate it
Defenses that reduce the risk of CAPEC-630.
- Authenticate all servers and perform redundant checks when using DNS hostnames.
- Purchase potential TypoSquatted domains and forward to legitimate domain.
Examples
An adversary sends an email, impersonating paypal.com, to a user stating that they have just received a money transfer and to click the given link to obtain their money. However, the link the in email is paypa1.com instead of paypal.com, which the user clicks without fully reading the link. The user is directed to the adversary's website, which appears as if it is the legitimate paypal.com login page. The user thinks they are logging into their account, but have actually just given their paypal credentials to the adversary. The adversary can now use the user's legitimate paypal credentials to log into the user's account and steal any money which may be in the account. TypoSquatting vulnerability allows an adversary to impersonate a trusted domain and trick a user into visiting the malicious website to steal user credentials.
Frequently asked questions
Common questions about CAPEC-630.
- What is CAPEC-630?
- An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.
- How does a TypoSquatting attack work?
- It typically unfolds over 3 phases. It begins with: [Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic.
- How do you prevent CAPEC-630?
- Authenticate all servers and perform redundant checks when using DNS hostnames.
- How severe is CAPEC-630?
- MITRE rates CAPEC-630 as Medium severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-630
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.