Skyhigh Security

Preventing Typo Squatting

About Typo Squatting

Typo squatting is a strategy used by attackers to compromise victims who accidentally mistype a domain name in their browser. For example, an attacker might register a domain such as "googel.com" in hopes that potential victims might try to go to Google and transpose the "l" and the "e." As a result, the victim would unknowingly visit the attacker's website.

This method of attack may be used broadly to target a wide range of potential victims or focused on specific organizations. For example, an attacker targeting a company named Contoso might register the domain "conotoso.com" to specifically aim at that organization.

Typo Squatting Policy

Skyhigh Security offers a prebuilt policy ruleset in the Ruleset Library to protect against typo squatting attacks. Below you will find an explanation of how this policy works and how to use it in your Skyhigh Cloud SWG Web Policy.

How it Works

The policy takes a very simple approach to identifying potential typo squatting URLs. First, the policy identifies a list of domains to check for typo squats. By default, this is the list of the 100 most commonly visited sites on the internet. It is highly recommended that customers edit this list to include sites that are relevant to their industry and organization.

Next, when a user requests a site, the policy will calculate the number of single-character changes (character additions, deletions, or replacements) required to change the requested domain into each of the domains in the list. This is known as the edit distance. If any domain in the list has an edit distance less than or equal to the configured threshold (which is 2 by default), then the request is blocked. For example, if the user requests amezon.com and amazon.com is in the list, then the edit distance will be 1 because it only requires replacing a single character to go from amezon.com to amazon.com. If the threshold is 2, then that request would be blocked.
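
The check described above, sketched in Python as an added example (this is not Skyhigh's implementation). It assumes the full hostname string is compared and that an exact match to a listed domain is allowed; `check_request` and `TARGETS` are hypothetical names. It also shows that a transposition such as googel.com counts as two edits, so a threshold of 1 would not catch it.

```python
# Added example, not Skyhigh's implementation. Names here are hypothetical.

def edit_distance(a, b):
    """Levenshtein distance: single-character additions, deletions, replacements."""
    prev = list(range(len(b) + 1))          # distance from "" to each prefix of b
    for i, ca in enumerate(a, start=1):
        cur = [i]                           # distance from a[:i] to ""
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,                # delete ca
                cur[j - 1] + 1,             # add cb
                prev[j - 1] + (ca != cb),   # replace ca with cb (free if equal)
            ))
        prev = cur
    return prev[-1]


def check_request(host, targets, threshold=2):
    """Return (blocked, closest_target, distance) for a requested hostname.

    Assumptions: the full hostname string is compared, and an exact match
    (distance 0) is the legitimate site and is allowed.
    """
    host = host.lower().rstrip(".")
    best = None
    for target in targets:
        d = edit_distance(host, target)
        if d == 0:
            return (False, target, 0)
        if d <= threshold and (best is None or d < best[1]):
            best = (target, d)
    return (True, best[0], best[1]) if best else (False, None, None)


# Constructed target list for illustration (the product default is a top-100 list).
TARGETS = ["google.com", "amazon.com", "contoso.com"]

if __name__ == "__main__":
    for host in ["amezon.com", "googel.com", "conotoso.com", "amazon.com", "example.org"]:
        print(f"{host:14} threshold=2 -> {check_request(host, TARGETS)}")
    # A swap of two adjacent letters costs two replacements, so threshold 1 misses it.
    print("googel.com     threshold=1 ->", check_request("googel.com", TARGETS, 1))
```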

Configure Typo Squatting Policy

Follow these steps to add and configure the prebuilt policy to your Web Policy:

  1. Log in to Skyhigh Security Cloud and go to Policy -> Web Policy -> Policy.
  2. Select the ruleset in the policy tree on the left into which you want to add the Typo Squatting policy.
  3. Click the three dots on the ruleset and select Add New Ruleset from Library.
  4. Under the Web Filtering category, select the Typo Squatting policy, and then click Add.
  5. If you want to add or remove relevant typo squatting target domains, then click the blue Typo Squatting Target Domains link to be taken to the List Catalog to modify the list.
  6. If you want to change the default edit distance threshold, then click on the text box labeled Edit Distance Threshold and modify the value. Increasing the number will block more sites. The minimum value is 1, and it is not recommended to increase the value above 3.
  7. Click the shield icon on the top-right corner of the page and then click Publish.