Cybersecurity

How Cado Security dealt with a URL copycat

And how you can deal with one, too.

Gandee Vasan/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Imitation may be the sincerest form of flattery, but “immitation,” or “imittation,” or “imitatioon” may be the sincerest sign of a typosquatting cyberfraudster.

Cybersecurity firm Cado Security recently spotted a suspicious domain that looked identical to its own site, apart from a slightly misspelled URL.

What concerned Cado solutions engineer Paul Scott more than a typosquatting attack—a longtime tactic used by threat actors to trick users into visiting malicious replicas of a known destination—was the scale of the operation and the number of companies seemingly targeted by one campaign.

“It’s either one person doing this constantly, all the time—or more likely, a small group of people doing this as their way of generating income,” Scott told IT Brew.

Mission imposter-ble. During a recent routine check, the Cado team spotted a site that “bore a striking resemblance,” according to an August 21 blog post, to the cybersecurity company’s corporate domain.

The poorly spelled imposter destination—Scott said the threat actor had “security” with an L, not an I—redirected to Cado’s legitimate domain, indicating that a threat actor aimed to phish members of the company.

Unlike a consumer-facing typosquatting attack that might send users, for example, to a fraudulent Olympics-merchandise site to steal their money, Scott imagines a scenario where a threat actor uses the domain specifically for its email capability and targets company employees, asking someone in, say, accounts payable, to send funds to a new (fraudulent) bank.

The FBI, in an annual fraud report released in March 2024, revealed 21,489 complaints in 2023 related to business email compromise, amounting to $2.9 billion in reported losses.

What to do.

  • Cado used a command-line tool called DNSTwist, which provides automated searches for common URL variations, to spot the typosquat. (A site version also exists for one-time checks.)
  • The first step for an IT team once they spot an evil site twin, Scott said: Check company inboxes to see if any mail has been sent from the lookalike, and place a block rule on the domain.
  • According to its blog post, Cado contacted the DNS registrar, who then suspended the domain. Scott recommends typo-targeted companies do the same, and possibly even involve other entities like internet service providers and law enforcement (if malicious activity is detected).
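
The first two steps above, sketched as an added example (not code from Cado, IT Brew, or DNSTwist): it generates a small set of single-edit lookalikes for a company domain, including the I-for-L swap Scott described, and checks mail-log sender addresses against them. The domain `acmesecurity.example`, the log format, and all function names are assumptions made for illustration.

```python
import re

# Constructed subset of visually similar swaps; DNSTwist itself covers far more.
LOOKALIKES = {"i": "l1", "l": "i1", "o": "0", "m": "n", "n": "m"}
SENDER_RE = re.compile(r"from=<[^@<>\s]+@([^<>\s]+)>", re.I)

def typo_variants(domain):
    """Single-edit lookalikes of a 'name.tld' domain (assumes one label before the TLD)."""
    name, _, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                         # omission
        out.add(name[:i] + ch + name[i:])                        # repetition
        for sub in LOOKALIKES.get(ch, ""):
            out.add(name[:i] + sub + name[i + 1:])               # lookalike swap
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition
    out -= {name, ""}
    return {f"{v}.{tld}" for v in out}

def lookalike_senders(log_lines, own_domain):
    """Return (sender_domain, log_line) for mail sent from a lookalike of own_domain."""
    watch = typo_variants(own_domain)
    hits = []
    for line in log_lines:
        m = SENDER_RE.search(line)
        if m and m.group(1).lower() in watch:
            hits.append((m.group(1).lower(), line))
    return hits

def block_list(hits):
    """Deduplicated sender domains to feed into a mail-gateway block rule."""
    return sorted({domain for domain, _ in hits})

# Constructed mail-log lines (Postfix-like format, reserved .example TLD).
SAMPLE_LOG = [
    "mx1 postfix/qmgr: 4F1A2: from=<billing@acmesecurlty.example>, size=5120",
    "mx1 postfix/qmgr: 4F1A3: from=<alice@acmesecurity.example>, size=2048",
    "mx1 postfix/qmgr: 4F1A4: from=<news@partner.example>, size=9001",
    "mx1 postfix/qmgr: 4F1A5: from=<ap@acmessecurity.example>, size=4300",
]

if __name__ == "__main__":
    found = lookalike_senders(SAMPLE_LOG, "acmesecurity.example")
    for domain, line in found:
        print(f"lookalike sender {domain}: {line}")
    print("block:", block_list(found))
```
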

Cado Security found that 49 other suspicious domains—some listed on the blog post—resolved to the same IP address. Scott doesn’t believe threat actors specifically targeted the company, given the volume of IP addresses.

“I don’t think it was anything special about Cado. I think we just happened to fall into whatever searching they do to pick victims,” Scott said. “But obviously, they will carry on doing it across multiple industries and companies.”
