Cashing in on Typos
By Shane Keats, McAfee® Research Analyst
At some point, we all slip up when entering a URL into a browser. Even sophisticated users can easily enter the wrong URL when typing on a mobile device on a small keyboard during a bumpy taxi ride or when on the run.
Though it may sound farfetched, clever cyber profiteers have found a way to make money on typos. It’s called “typosquatting.” In a nutshell, typosquatters purchase domains that contain misspellings of popular brands, people, products, or topics and find ways to direct traffic to those sites. They make money from pay-per-click advertisements for the very companies or brands they target, selling their domains as “ad space” through domain-syndication vendors, or parking services, which act as middlemen.
The Spread of Typosquatting
According to the McAfee® Typosquatting Study, the typical active Internet user has a one in 14 chance of landing at a typosquatting site. As Harvard professor Benjamin Edelman points out in his recent McAfee Security Journal article entitled “Typosquatting: Unintended Adventures in Browsing,” ending up at a typosquatter’s site is completely unintentional and may result from errors such as:
- Common spelling mistakes due to a simple slip of the finger, forgetting the correct spelling, or being a non-native speaker of English (www.macafee.com)
- Omitting the period that separates the domain from the “www” prefix (wwwmcafee.com)
- Mistakenly adding an extra “.com” to the URL (www.mcafeecom.com)
When you start to dig around, you’ll see that typosquatting is actually quite widespread. In May 2008, McAfee® Avert® Labs found more than 80,000 typosquatting URLs on the top 2,000 sites alone. Some of the popular targets include fan sites, social networking sites, and sites frequented by children and teens: freecreditreport.com, cartoonnetwork.com, youtube.com, craigslist.com, blogspot.com, clubpenguin.com, wikipedia.com, bankofamerica.com, myspace.com, facebook.com, iphone.com, and a host of others.
To get an idea of how prevalent this phenomenon has become, let’s take a look at some statistics from our study:
- According to the World Intellectual Property Organization (WIPO), cases filed over cybersquatting, of which typosquatting is a variation, increased 20 percent in 2005 and another 25 percent in 2006
- Microsoft contends that “on an average day more than 2,000 domain names are registered that contain Microsoft trademark terms”
- The U.S. Government Accounting Office states that at least 8.65 percent of all domain names are registered with false or incomplete Whois information, a practice that makes domain squatting easier
The McAfee.com Example
To get an understanding of typosquatting, McAfee researchers studied 1.9 million typographical variations of 2,771 of the most popular sites on the Internet. The targeted sites were collected from a variety of sources that gather and publish popularity data, including Hitwise, Yahoo! Buzz, Nielsen, Billboard, and Google Zeitgeist, among others. By swapping characters (mcaefe.com), replacing characters (mkafee.com), inserting characters (mccafee.com) and deleting characters (mcafe.com), we generated more than 500 permutations for a five-letter domain and more than 800 permutations for an eight-letter domain.
Next, we tested the sites to determine whether they were “live” and then looked at the content to see if it contained text that indicated that the site was hosted by known “parking” companies, which serve up legitimate pay-per-click ads.
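The variant-generation step described above can be reused by a brand owner to spot typo domains of its own name in proxy or DNS logs. The following is an added example, not code from the McAfee study: the character set, the function names, and the sample hostnames are assumptions, and the study's exact permutation rules are not given on this page, so the counts will differ from the figures quoted.

```python
import string

# Assumption: the study does not state its character set; this uses the
# characters that are legal in a DNS label (letters, digits, hyphen).
ALPHABET = string.ascii_lowercase + string.digits + "-"

def typo_variants(domain):
    """Map every one-edit typo of `domain` to the operation that produces it."""
    label, _, tld = domain.lower().partition(".")
    found = {}

    def add(candidate, op):
        # Skip the original name and labels DNS would reject.
        if candidate and candidate != label and not candidate.startswith("-") \
                and not candidate.endswith("-"):
            found.setdefault(f"{candidate}.{tld}", op)

    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "delete")            # mcafe.com
        if i + 1 < len(label):                              # mcaefe.com
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "swap")
        for ch in ALPHABET:
            add(label[:i] + ch + label[i + 1:], "replace")  # mkafee.com
    for i in range(len(label) + 1):
        for ch in ALPHABET:
            add(label[:i] + ch + label[i:], "insert")       # mccafee.com
    add("www" + label, "missing-dot")                       # wwwmcafee.com
    add(label + tld.replace(".", ""), "extra-tld")          # mcafeecom.com
    return found

def flag_lookalikes(observed_hosts, brand_domain):
    """Return (host, operation) for each observed host that is a typo of the brand."""
    variants = typo_variants(brand_domain)
    hits = []
    for host in observed_hosts:
        name = host.lower().rstrip(".")
        if name.startswith("www."):
            name = name[4:]
        if name in variants:
            hits.append((host, variants[name]))
    return hits

# Constructed sample, standing in for hostnames pulled from a proxy or DNS log.
SAMPLE_HOSTS = ["www.mcafee.com", "mkafee.com", "wwwmcafee.com",
                "example.org", "www.mcafeecom.com", "www.macafee.com"]

if __name__ == "__main__":
    for host, op in flag_lookalikes(SAMPLE_HOSTS, "mcafee.com"):
        print(f"{host}: {op}")
```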

Figure 1. Example of a McAfee typosquatter site parked with trafficz.com.
Using our own site, mcafee.com, as an example, we tested 507 variations on the domain. The results showed that our home page had been typosquatted 74 times. We discovered that typos of mcafee.com are parked with every major parking service on the Internet, and, in fact, some of the parked pages display ads from legitimate McAfee affiliates.
Turning Typos into Gold
As we mentioned previously, typosquatters make money with pay-per-click ads. Penny by penny, they can pile up a tidy bundle of cash if they have a large enough portfolio of domains. Here’s a hypothetical example that illustrates how someone can make money from typosquatting:
- The domain speculator buys two misspelled domains for $6.00 each
- He registers the two sites with a parking company, which automates the process of serving advertising to those sites
- After a five-day “tasting period,” the squatter returns the less successful domain for a full refund
- The parking company uses an automated advertising syndication service, such as Google AdSense, to serve ads to visitors who mistype the targeted URL
- Meanwhile, the owner of the real domain has probably contracted with Google to serve his ads on what he hopes are appropriate sites
- For every visitor who clicks on one of those ads on the parked, misspelled page, the domain’s owner pays the ad syndicator. In our example, we’ll assume a common cost-per-click rate of $0.20, but actual rates can be significantly higher (several dollars or even more per click) for specialty categories.
- The syndicator splits this advertising revenue 50/50 with the parking company
- The parking company then splits its share with the domain speculator
- The domain speculator ends up earning $.05, or 25 percent of the $.20 paid by the real domain’s owner for each click visitors make on the squatted domain
- To break even on an annual $6 investment, the squatter needs 120 total clicks or about one click every three days
- If the squatted domain gets one click per day, the speculator makes $12.25 per year (365 clicks at $.05 each is $18.25, less the $6 registration cost)
- If the squatter grows his portfolio to 1,000 sites, he makes $12,250 annually
- And, if he grows his portfolio to 10,000 sites, he makes $122,500 annually

Figure 2. How typosquatters make their fortune. (Source: McAfee SiteAdvisor®)
Legal Actions and Reactions
Edelman’s article notes that recent actions from the Internet Corporation for Assigned Names and Numbers (ICANN) will speed up the process of registering top-level domains, and soon we’ll be seeing more domains with .info, .biz, .travel, and even more specialized suffixes like .nyc. Of course, this could open the floodgates for typosquatters because there will be more real estate available. But that may not occur because the owners of top web sites are starting to take action to protect themselves from the encroachment of typosquatters.
According to Edelman, a large department store catering to the affluent sued a well-known domain registration company, claiming that it chose the domains it registered and profited from the ads served up. Other large players have initiated similar litigation. And, top ad networks are beginning to listen to complaints about typosquatters and are beginning to more closely monitor where ads are placed.
Protect Yourself
As Edelman points out, there are quite a few ways average Internet users can protect themselves against these Internet parasites:
- Take extra care when typing, especially with URLs that are long or difficult to spell
- When you finally arrive at your destination, make sure it’s the site you intended to visit by asking yourself a few commonsense questions. Are there paid ads on the site? If the site you want to visit is a government site, does the URL end in .gov rather than .com, for example?
- Use SiteAdvisor to help you quickly identify and avoid typosquatter sites
- Consider typo-protection services, such as OpenDNS, which automatically redirect browsers away from some squatted domains
- Use a search engine that provides alternatives such as “Did you mean …” with the probable correct spelling and resulting search list, so that you don’t wander into cybersquatting territory
For your free copy of McAfee SiteAdvisor, visit http://www.siteadvisor.com/.