Any company that achieves a sizable online presence faces the threat of typosquatters. They’re the ones who buy up domain names spelled similarly to those of real companies and take advantage of fat-fingered users. In October, the National Arbitration Forum dismissed a complaint filed by Google (GOOG) seeking control of three typosquatting sites, goggle.com,goggle.net, and goggle.org. The arbitration panel said it lacked jurisdiction. The sites, registered to a Barbados-based businessman named David Csumrik—that’s not a typo—divert users to a visitor survey that promises a chance to win prizes such as iPads. According to several watchdog groups, it’s a scam: Victims don’t win any prizes, and their e-mail addresses are blitzed with spam. Csumrik did not respond to repeated requests for comment.
Small typing errors are causing outsize problems for companies. A 2010 study conducted by FairWinds Partners, a Washington (D.C.)-based Internet consulting firm, estimates that typosquatting costs the 250 most-trafficked websites $285 million annually in lost sales and other expenses. “Typosquatting is rampant,” says Benjamin G. Edelman, an assistant professor at Harvard Business School who has researched the topic. “It’s not unusual for a top website to be targeted by more than a thousand typosquatting domains.”
Typosquatting has been around since the dawn of the Internet, but Edelman says the practice has increased with the proliferation of online ad networks, which make it easier for squatters to earn money off their ill-gotten traffic. Companies can defend against attacks by registering any available typo domains themselves or by taking legal action, but tracking down the owners of typo domains is difficult and time-consuming. Sites can also submit a complaint to ICANN, the nonprofit that oversees domain names, but have to prove that squatters are using their name in “bad faith.”
In recent months, Google filed complaints with ICANN against two sites in the Philippines that took advantage of YouTube’s (GOOG) popularity to display the same type of survey scam used by the Goggle sites. In July, Facebook filed a lawsuit in California against more than 100 alleged typosquatters that the social network site contends are infringing on the company’s trademarks, using domain names such as facebobk.com, facemook.com, and faecbook.com.
Weather Underground, an Ann Arbor, Mich., online weather forecasting service, is litigating against four companies that registered more than three dozen domain names that are close misspellings of its wunderground.com URL. “Typosquatting harms trademark owners by confusing consumers, and that’s especially important to businesses that exist mostly online like ourselves,” says Chris Schwerzler, director of Weather Underground. The potential damage goes beyond mere confusion. Researchers at San Diego-based security firm Websense (WBSN) reported that more than 62 percent of the active domain names based on common misspellings of Facebook (and not owned by Facebook) led to scams or malicious sites.
Typosquatting is a cheap way to get a lot of traffic. According to Com-pete.com, Goggle.com received 824,850 unique U.S. visitors in September—more than many top blogs, including Lifehacker, Boingboing, and Daily Kos.
Google is in the unusual position of being both a victim and a beneficiary of typosquatting. Through its AdSense program, the search company splits the revenue from ads with third-party sites that agree to display them. Harvard’s Edelman, who served as co-counsel in an unsuccessful class action seeking to hold Google liable for benefiting from typosquatting, estimates that the search giant brings in $500 million annually from advertisements on typosquatters’ sites. Google spokeswoman Andrea Faville says “we take trademark violations very seriously” and, when they’re discovered, ” we take prompt action including disallowing ad serving.”
Typosquatting also potentially puts corporate secrets at risk. When a squatter registers a domain name, he can easily harvest any e-mails erroneously sent to that name. If an advertiser trying to reach his sales contact at Google mistypes and fires off a message to someone “@goggle.com,” for instance, the Goggle site’s owner receives the message. Godai Group, a San Francisco-based information security firm, recently conducted a test to see what kind of information typo—squatters can access. The researchers set up phony domains based on the names of the 500 largest U.S. companies by revenue, but omitting the period between the domain and subdomain. They managed to scoop up more than 120,000e-mails containing confidential employee user names, passwords, and trade secrets. One e-mail listed the passwords and configurations for the routers at a large IT consulting firm—basically a blueprint for would-be hackers. “It’s scary because in our test, we collected information that certainly could be used for corporate espionage,” says Garrett Gee, founder of Godai Group. And it’s a reminder that on the Internet, things are not always what they seem. Or, for that matter, what they sseem.