Election Security Spotlight – Typosquatting

What it is

Typosquatting attempts to take advantage of typographical errors (i.e. “typos”) introduced by users when URLs are typed directly into the address bar. Similarly, malicious actors may seek to trick users taking a quick glance at a URL into opening a visually similar, yet malicious link. These visual similarities are accomplished through six techniques, which are used individually or in combination. Take for example our domain: cisecurity[.]org.

Omission – “csecurity[.]org” (first “i” omitted)
Addition – “cissecurity[.]org” (an “s” added)
Substitution – “cisecurlty[.]com” (last “i” and “.org” swapped for “l” and “.com”)
Transposition – “csiecurity[.]org” (first “i” switched places with “s”)
Hyphenation – “ci-security[.]org” (hyphen “-” added between “i” and “s”)
Homoglyph – “cіsecurіtу[.]org” (Latin “y” replaced with the look-alike Cyrillic U “у”)

Note: In reports, cybersecurity firms often put brackets around the ‘dot’ on all URLs to avoid accidental clicks on what could be a malicious domain.
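
The six techniques above can also be recognized mechanically when reviewing newly registered or reported domains. The following Python code is an added example, not part of the original Spotlight or of any CIS tool; the function names, the small Cyrillic look-alike map, and the sample list (modelled on the six examples above) are assumptions made for illustration.

```python
# Constructed look-alike map (Cyrillic -> Latin); an assumption, not exhaustive.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
               "\u0455": "s"}
LEGIT = "cisecurity.org"
# Constructed sample: one domain per technique plus two controls.
SAMPLES = ["csecurity[.]org", "cissecurity[.]org", "cisecurlty[.]com",
           "csiecurity[.]org", "ci-security[.]org",
           "c\u0456secur\u0456t\u0443[.]org", "cisecurity[.]org", "example[.]org"]

def split_domain(domain):
    """Undo report-style '[.]' defanging, lowercase, split name from TLD."""
    name, _, tld = domain.replace("[.]", ".").lower().rpartition(".")
    return name, tld

def classify(candidate, legit):
    """Name the single technique separating candidate from legit, else None."""
    c, c_tld = split_domain(candidate)
    g, g_tld = split_domain(legit)
    if (c, c_tld) == (g, g_tld):
        return None  # the legitimate domain itself
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in c)
    if folded != c and folded == g:
        return "homoglyph"
    if len(c) == len(g) - 1:
        if any(g[:i] + g[i + 1:] == c for i in range(len(g))):
            return "omission"
    elif len(c) == len(g) + 1:
        for i in range(len(c)):
            if c[:i] + c[i + 1:] == g:
                return "hyphenation" if c[i] == "-" else "addition"
    elif len(c) == len(g):
        diff = [i for i in range(len(g)) if c[i] != g[i]]
        swapped = (len(diff) == 2 and diff[1] == diff[0] + 1
                   and c[diff[0]] == g[diff[1]] and c[diff[1]] == g[diff[0]])
        if swapped:
            return "transposition"
        # The substitution example above also swaps the TLD (.org -> .com).
        if len(diff) == 1 or (not diff and c_tld != g_tld):
            return "substitution"
    return None  # too many changes to attribute to one technique

def triage(observed, legit):
    """Map each look-alike domain to its technique; other domains are dropped."""
    labelled = ((d, classify(d, legit)) for d in observed)
    return {d: t for d, t in labelled if t}

if __name__ == "__main__":
    print(triage(SAMPLES, LEGIT))
```

Domains that combine several techniques fall outside this single-edit comparison and return no label, so an empty result does not mean a domain is benign.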

Why does it matter

A successfully typosquatted election domain could impact the public’s confidence in the U.S. electoral process. It is common for actors to use typosquatted domains to display custom images or text, conduct scams, capture sensitive data, or infect users with malware. Typosquatted domains may also be designed to mimic the original website. This tactic could be used to mislead voters or trick them into divulging personal information. Additionally, typosquatted domains may give users the impression that the legitimate domain is compromised.

Not all typosquatted domains are malicious. Prior to the 2016 election, the domain registrar responsible for the “.vote” top-level domain created multiple “state.vote” domains, which redirected to the appropriate state voter registration website. At the time, many believed these sites were malicious. Many domain owners also purchase renditions of their domain name to direct users to the correct website and protect against typosquatting.

What you can do

Make it a practice to closely examine links before clicking, as the subtle changes in typosquatted domains are only noticeable upon close inspection. The easiest way to accomplish this is to view the link by hovering over it with your mouse. Additionally, election offices should consider the following:

  1. Consider purchasing domains similar to your website, especially .com or .org, to protect against illegitimate registrations.
  2. Bookmark frequently visited websites to ensure you always navigate to the correct site.
  3. Search for a website in the browser instead of manually typing in a URL.

For additional recommendations and technical details on this topic, please see the MS-ISAC’s Typosquatting Security Primer.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].