Website Spoofing and Typosquatting – Social Engineering and Cybercrimes – 2024

Website Spoofing and Typosquatting – Social Engineering and Cybercrimes

Website Spoofing and Typosquatting: How Scammers Use Fake Domains to Trap Scam Victims through Social Engineering Techniques

How Scams Work – A SCARS Institute Guide

Author:
•  Tim McGuinness, Ph.D. – Anthropologist, Scientist, Director of the Society of Citizens Against Relationship Scams Inc.

Article Abstract

Website spoofing and typosquatting are common cybercriminal tactics used to deceive users into visiting fraudulent websites that look legitimate. Scammers utilize various strategies, such as misspelling domain names, homograph attacks (using look-alike characters from different alphabets), and subdomain spoofing to create convincing URLs.

Once victims are lured to these fake sites, cybercriminals can steal sensitive information, install malware, or commit financial fraud. By leveraging social engineering techniques, such as creating a sense of urgency or trust, scammers make their websites appear genuine, often using HTTPS to build credibility. To protect against these schemes, users should double-check URLs, avoid clicking suspicious links, and use security tools to detect malicious sites. The evolution of these tactics highlights the importance of vigilance and education in cybersecurity.

Website Spoofing and Typosquatting: How Scammers Use Fake Domains to Trap Scam Victims through Social Engineering Techniques

Website Spoofing and Typosquatting: How Scammers Use Fake Domains to Trap Scam Victims through Social Engineering Techniques

Website spoofing and typo domains (also known as typosquatting) are common techniques used by scammers, cybercriminals, and fraudsters to deceive internet users. By creating deceptive websites that appear legitimate, criminals aim to steal sensitive information, distribute malware, or lure victims into scams like pig butchering scams, phishing, or fraudulent investment schemes. Below, we’ll explore the most common methods scammers use to spoof domains and how they exploit them to trap unsuspecting victims.

Typosquatting: The Use of Misspelled Domain Names

Typosquatting involves registering domain names that are deliberately misspelled versions of legitimate, well-known websites. Scammers rely on the fact that users may accidentally type a web address incorrectly and end up on the fake site instead of the intended legitimate site.

Example techniques:

Omitting a letter: For example, typing “googel.com” instead of “google.com.”

Swapping adjacent letters: Common in typosquatting, this includes domains like “amzon.com” instead of “amazon.com.”

Adding extra characters: Domains that add extra letters like “faceebook.com” can trick users into believing it’s the real website.

Changing domain extensions: Switching “.com” to “.co” or “.net” is a common strategy. Scammers may use “paypal.co” to deceive someone intending to visit “paypal.com.”

These sites often look identical to the real ones, and scammers may install malicious software or steal login credentials, leading to identity theft or further fraud.

Homograph Attacks: Using Look-Alike Characters

A homograph attack involves using characters from different alphabets that look nearly identical to those in the legitimate domain name. Scammers take advantage of the fact that many characters in non-Latin scripts resemble Latin letters, and they replace letters in a legitimate URL with these characters.

Example:

Replacing the letter “o” in “google.com” with a Cyrillic “о” (which looks visually identical but is a different Unicode character).

Using accented letters like “paypaĺ.com” instead of “paypal.com.”

These fraudulent URLs can be hard to detect by simply glancing at the address bar, making them highly effective for phishing attacks.

Homograph attacks, also known as IDN (Internationalized Domain Name) homograph attacks, exploit visually similar characters from different writing systems or character sets to deceive users into thinking they are visiting legitimate websites. Below are 55 pairs of look-alike characters used in homograph attacks:

  • a (Latin) and а (Cyrillic)
  • o (Latin) and ο (Greek)
  • i (Latin) and і (Cyrillic)
  • e (Latin) and е (Cyrillic)
  • c (Latin) and с (Cyrillic)
  • p (Latin) and р (Cyrillic)
  • x (Latin) and х (Cyrillic)
  • s (Latin) and ѕ (Cyrillic)
  • r (Latin) and г (Cyrillic)
  • u (Latin) and υ (Greek)
  • h (Latin) and һ (Cyrillic)
  • w (Latin) and ѡ (Cyrillic)
  • y (Latin) and у (Cyrillic)
  • d (Latin) and ԁ (Cyrillic)
  • n (Latin) and п (Cyrillic)
  • b (Latin) and Ь (Cyrillic)
  • v (Latin) and ν (Greek)
  • m (Latin) and м (Cyrillic)
  • l (Latin) and ӏ (Cyrillic)
  • k (Latin) and κ (Greek)
  • f (Latin) and ғ (Cyrillic)
  • t (Latin) and τ (Greek)
  • g (Latin) and ɡ (Cyrillic)
  • z (Latin) and ʐ (Cyrillic)
  • q (Latin) and զ (Armenian)
  • A (Latin) and А (Cyrillic)
  • B (Latin) and В (Cyrillic)
  • C (Latin) and С (Cyrillic)
  • E (Latin) and Е (Cyrillic)
  • H (Latin) and Н (Cyrillic)
  • I (Latin) and І (Cyrillic)
  • J (Latin) and Ј (Cyrillic)
  • K (Latin) and Κ (Greek)
  • M (Latin) and М (Cyrillic)
  • N (Latin) and Ν (Greek)
  • O (Latin) and О (Cyrillic)
  • P (Latin) and Р (Cyrillic)
  • S (Latin) and Ѕ (Cyrillic)
  • T (Latin) and Τ (Greek)
  • V (Latin) and Ѵ (Cyrillic)
  • W (Latin) and Ѡ (Cyrillic)
  • X (Latin) and Χ (Greek)
  • Y (Latin) and Ү (Cyrillic)
  • Z (Latin) and Ζ (Greek)
  • r (Latin) and г (Cyrillic)
  • d (Latin) and ԁ (Cyrillic)
  • q (Latin) and ԛ (Cyrillic)
  • L (Latin) and ʟ (Cyrillic)
  • F (Latin) and Ғ (Cyrillic)
  • p (Latin) and ρ (Greek)
  • a (Latin) and α (Greek)
  • i (Latin) and ι (Greek)
  • u (Latin) and ц (Cyrillic)
  • n (Latin) and η (Greek)
  • v (Latin) and ѵ (Cyrillic)
  • L (Latin) and ӏ (Cyrillic) – the latter is a straight line like a lowercase “L.”
  • G (Latin) and Ϭ (Coptic) – similar to the uppercase “G.”
  • S (Latin) and Ƨ (Latin retroflex S) – an unusual character that can look like an “S.”
  • d (Latin) and ԁ (Cyrillic) – they appear almost identical.
  • a (Latin) and ɑ (Latin script) – a subtle difference, with “ɑ” being the Latin script for a turned “a.”
  • t (Latin) and т (Cyrillic) – difficult to differentiate at a glance.
  • r (Latin) and (Devanagari) – both appear similar in many fonts.
  • u (Latin) and µ (Greek Mu) – common confusion, especially in technical URLs.
  • p (Latin) and (Mathematical symbol rho) – looks like a stylized version of “p.”
  • k (Latin) and ĸ (Greenlandic) – a unique character that closely resembles the Latin “k.”

These character pairs are used to create URLs that appear legitimate at first glance, tricking users into believing they are visiting trusted websites when, in fact, they are accessing malicious ones.

Subdomain Spoofing and URL Masking

Subdomain spoofing is another tactic where fraudsters create a URL that looks like a legitimate domain by placing a subdomain that resembles a trusted brand in front of their malicious domain.

Example:

“paypal.com.fakesite.com”: This might trick a user into thinking it’s a legitimate PayPal website, while in reality, it’s hosted on “fakesite.com.”

Criminals exploit the fact that users may focus on the familiar brand name at the beginning of the URL, ignoring the real domain that follows. These sites often host phishing forms or malicious software.

Using HTTPS and SSL Certificates

While users are often taught to trust websites that display the HTTPS prefix and a padlock symbol in their browsers, scammers have caught onto this practice and now use legitimate SSL certificates on fake domains. The presence of HTTPS may give users a false sense of security, leading them to trust a spoofed website.

Scammers can easily obtain SSL certificates for malicious websites. As a result, many phishing sites now appear secure, tricking users into submitting personal and financial information on these sites.

URL Shorteners and Redirects

Scammers often use URL shorteners (like bit.ly or tinyurl.com) to mask the actual domain they’re sending victims to. These shortened URLs may be shared through emails, social media, or text messages. Once clicked, the user is redirected to a malicious or spoofed site.

How they work:

A URL like “bit.ly/abcdef” may look harmless, but when clicked, it redirects the user to a fake login page that mimics a trusted website like a bank or online store.

Scammers may use multiple redirects to mask the final destination, making it harder for users to detect malicious intent.

Cloned Websites and Fake Login Pages

Fraudsters often create exact clones of legitimate websites, copying design elements, logos, and even login forms. When a user unknowingly enters their credentials on these pages, the information is captured and sent to the attacker, who can then use it for further fraud, such as draining bank accounts or committing identity theft.

Example in scams like pig butchering:

In pig butchering scams, scammers might set up fake cryptocurrency investment platforms that look almost identical to legitimate ones. Victims are lured into thinking they’re investing in real assets, only to realize later that the site is fraudulent and their money is gone.

Exploiting Similar Domains for Email Scams

Scammers frequently create look-alike email addresses based on spoofed domains to launch phishing attacks. These emails often appear to come from trusted sources, such as banks, employers, or family members, urging recipients to click on links or download attachments.

Examples:

An email from support@faceboook.com (with an extra “o”) may appear to be from Facebook’s support team but is actually a scammer attempting to steal credentials or deliver malware.

In some cases, scammers may use domain names with minor differences to impersonate a well-known business, leading to fraudulent invoices or financial requests being approved.

Combo-Squatting

In combo-squatting, scammers combine the legitimate brand name with additional keywords to create convincing but fraudulent domains. For instance, they might add words like “support,” “login,” or “secure” to make the URL appear more authentic.

Examples:

“paypal-support.com” could trick users into thinking they are visiting PayPal’s customer support page.

“amazon-login.com” might lead users to believe it’s a legitimate login page for their Amazon account, while it’s a phishing site.

Domain Hijacking and DNS Spoofing

Domain hijacking occurs when scammers gain unauthorized access to the domain registration and transfer the domain to their control. Once in control of the domain, they can create fraudulent pages or redirect users to malicious websites. DNS spoofing (also known as DNS poisoning) involves corrupting the Domain Name System so that users are directed to fraudulent websites without even knowing the domain has been compromised.

Social Engineering Techniques and Psychological Manipulation

Scammers don’t just rely on technical tricks but also employ social engineering and psychological manipulation to convince victims to visit spoofed domains. They may use urgency, fear, or promises of rewards (like investment returns or prizes) to trick users into visiting fake websites and submitting personal information.

How to Protect Yourself from Spoofed Domains

  1. Always double-check the URL before entering sensitive information. Pay attention to slight misspellings, misplaced characters, or unfamiliar extensions.
  2. Use browser extensions or tools that identify potentially dangerous websites.
  3. Avoid clicking on suspicious links in emails or messages, particularly those from unfamiliar senders.
  4. Enable two-factor authentication (2FA) wherever possible to add an extra layer of security.
  5. Report suspicious websites to your browser or cybersecurity firms. Visit reporting.AgainstScams.org to learn how to report.

Summary

Website spoofing and domain manipulation are evolving tactics that scammers use to exploit users’ trust and trick them into handing over personal information or money. As criminals become more sophisticated in their methods—leveraging typosquatting, homograph attacks, and social engineering—users must remain vigilant, informed, and cautious to avoid falling victim to these deceptive strategies. The rise in HTTPS adoption for fraudulent sites adds another layer of difficulty in identifying legitimate websites, making education and awareness key tools in the fight against cybercrime.

Please Leave Us Your Comment
Also, tell us of any topics we might have missed.

Leave a Reply

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you

Your email address will not be published. Required fields are marked *

Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.

Recent Reader Comments

Important Information for New Scam Victims

If you are looking for local trauma counselors please visit counseling.AgainstScams.org or join SCARS for our counseling/therapy benefit: membership.AgainstScams.org

If you need to speak with someone now, you can dial 988 or find phone numbers for crisis hotlines all around the world here: www.opencounseling.com/suicide-hotlines

A Question of Trust

At the SCARS Institute, we invite you to do your own research on the topics we speak about and publish, Our team investigates the subject being discussed, especially when it comes to understanding the scam victims-survivors experience. You can do Google searches but in many cases, you will have to wade through scientific papers and studies. However, remember that biases and perspectives matter and influence the outcome. Regardless, we encourage you to explore these topics as thoroughly as you can for your own awareness.

SCARS Resources:

Other Cyber Resources

-/ 30 /-

What do you think about this?
Please share your thoughts in a comment below!

Legal Disclaimer:

The content provided on this platform regarding psychological topics is intended solely for educational and entertainment purposes. The publisher makes no representations or warranties regarding the accuracy or completeness of the information presented. The content is designed to raise awareness about various psychological subjects, and readers are strongly encouraged to conduct their own research and verify information independently.

The information presented does not constitute professional advice, diagnosis, or treatment of any psychological disorder or disease. It is not a substitute for professional medical or mental health advice, diagnosis, or treatment. Readers are advised to seek the guidance of a licensed medical professional for any questions or concerns related to their mental health.

The publisher disclaims any responsibility for actions taken or not taken based on the content provided. The treatment of psychological issues is a serious matter, and readers should consult with qualified professionals to address their specific circumstances. The content on this platform is not intended to create, and receipt of it does not constitute, a therapist-client relationship.

Interpretation and Definitions

Definitions

For the purposes of this Disclaimer:

  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Disclaimer) refers to Society of Citizens Against Relationship Scams Inc. (registered d.b.a. “SCARS”,) 9561 Fountainbleau Blvd., Suit 602, Miami FL 33172.
  • Service refers to the Website.
  • You means the individual accessing this website, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
  • Website refers to RomanceScamsNOW.com, accessible from https://romancescamsnow.com

Website Disclaimer

The information contained on this website is for general information purposes only.

The Company assumes no responsibility for errors or omissions in the contents of the Service.

In no event shall the Company be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents on the Service at any time without prior notice.

The Company does not warrant this website in any way.

External Links Disclaimer

This website may contain links to external websites that are not provided or maintained by or in any way affiliated with the Company.

Please note that the Company does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.

Errors and Omissions Disclaimer

The information given by SCARS is for general guidance on matters of interest only. Even if the Company takes every precaution to ensure that the content of this website is both current and accurate, errors can occur. Plus, given the changing nature of laws, rules, and regulations, there may be delays, omissions, or inaccuracies in the information contained on this website.

SCARS is not responsible for any errors or omissions, or for the results obtained from the use of this information.

Fair Use Disclaimer

SCARS may use copyrighted material that has not always been specifically authorized by the copyright owner. The Company is making such material available for criticism, comment, news reporting, teaching, scholarship, or research.

The Company believes this constitutes a “fair use” of any such copyrighted material as provided for in section 107 of the United States Copyright law.

If You wish to use copyrighted material from this website for your own purposes that go beyond fair use, You must obtain permission from the copyright owner.

Views Expressed Disclaimer

The Service may contain views and opinions which are those of the authors and do not necessarily reflect the official policy or position of any other author, agency, organization, employer, or company, including SCARS.

Comments published by users are their sole responsibility and the users will take full responsibility, liability, and blame for any libel or litigation that results from something written in or as a direct result of something written in a comment. The Company is not liable for any comment published by users and reserves the right to delete any comment for any reason whatsoever.

No Responsibility Disclaimer

The information on the Service is provided with the understanding that the Company is not herein engaged in rendering legal, accounting, tax, medical or mental health, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, medical or mental health, or other competent advisers.

In no event shall the Company, its team, board of directors, volunteers, or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever arising out of or in connection with your access or use or inability to access or use the Service.

“Use at Your Own Risk” Disclaimer

All information on this website is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability, and fitness for a particular purpose.

SCARS will not be liable to You or anyone else for any decision made or action taken in reliance on the information given by the Service or for any consequential, special, or similar damages, even if advised of the possibility of such damages.

Contact Us

If you have any questions about this Disclaimer, You can contact Us:

  • By email: contact@AgainstScams.org

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use. 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

View the claimed and or registered indicia, service marks, and trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the law firm for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org

Share This Information - Choose Your Social Media!

Leave A Comment

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you


Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.