Monday, November 14, 2011

When You Mean Facebook but Type Faecbook





http://www.businessweek.com/magazine/when-you-mean-facebook-but-type-faecbook-11032011.html

Scammy websites that capitalize on misspellings are on the rise—and can draw hundreds of thousands of accidental visitors

Any company that achieves a sizable online presence faces the threat of typosquatters. They’re the ones who buy up domain names spelled similarly to those of real companies and take advantage of fat-fingered users. In October, the National Arbitration Forum dismissed a complaint filed by Google (GOOG) seeking control of three typosquatting sites, goggle.com, goggle.net, and goggle.org. The arbitration panel said it lacked jurisdiction. The sites, registered to a Barbados-based businessman named David Csumrik—that’s not a typo—divert users to a visitor survey that promises a chance to win prizes such as iPads. According to several watchdog groups, it’s a scam: Victims don’t win any prizes, and their e-mail addresses are blitzed with spam. Csumrik did not respond to repeated requests for comment.

Small typing errors are causing outsize problems for companies. A 2010 study conducted by FairWinds Partners, a Washington (D.C.)-based Internet consulting firm, estimates that typosquatting costs the 250 most-trafficked websites $285 million annually in lost sales and other expenses. “Typosquatting is rampant,” says Benjamin G. Edelman, an assistant professor at Harvard Business School who has researched the topic. “It’s not unusual for a top website to be targeted by more than a thousand typosquatting domains.”

Typosquatting has been around since the dawn of the Internet, but Edelman says the practice has increased with the proliferation of online ad networks, which make it easier for squatters to earn money off their ill-gotten traffic. Companies can defend against attacks by registering any available typo domains themselves or by taking legal action, but tracking down the owners of typo domains is difficult and time-consuming. Sites can also submit a complaint to ICANN, the nonprofit that oversees domain names, but have to prove that squatters are using their name in “bad faith.”

In recent months, Google filed complaints with ICANN against two sites in the Philippines that took advantage of YouTube’s (GOOG) popularity to display the same type of survey scam used by the Goggle sites. In July, Facebook filed a lawsuit in California against more than 100 alleged typosquatters that the social network site contends are infringing on the company’s trademarks, using domain names such as facebobk.com, facemook.com, and faecbook.com.

Weather Underground, an Ann Arbor, Mich., online weather forecasting service, is litigating against four companies that registered more than three dozen domain names that are close misspellings of its wunderground.com URL. “Typosquatting harms trademark owners by confusing consumers, and that’s especially important to businesses that exist mostly online like ourselves,” says Chris Schwerzler, director of Weather Underground. The potential damage goes beyond mere confusion. Researchers at San Diego-based security firm Websense (WBSN) reported that more than 62 percent of the active domain names based on common misspellings of Facebook (and not owned by Facebook) led to scams or malicious sites.

Typosquatting is a cheap way to get a lot of traffic. According to Compete.com, Goggle.com received 824,850 unique U.S. visitors in September—more than many top blogs, including Lifehacker, Boingboing, and Daily Kos.

Google is in the unusual position of being both a victim and a beneficiary of typosquatting. Through its AdSense program, the search company splits the revenue from ads with third-party sites that agree to display them. Harvard’s Edelman, who served as co-counsel in an unsuccessful class action seeking to hold Google liable for benefiting from typosquatting, estimates that the search giant brings in $500 million annually from advertisements on typosquatters’ sites. Google spokeswoman Andrea Faville says “we take trademark violations very seriously” and, when they’re discovered, “we take prompt action including disallowing ad serving.”

Typosquatting also potentially puts corporate secrets at risk. When a squatter registers a domain name, he can easily harvest any e-mails erroneously sent to that name. If an advertiser trying to reach his sales contact at Google mistypes and fires off a message to someone “@goggle.com,” for instance, the Goggle site’s owner receives the message. Godai Group, a San Francisco-based information security firm, recently conducted a test to see what kind of information typosquatters can access. The researchers set up phony domains based on the names of the 500 largest U.S. companies by revenue, but omitting the period between the domain and subdomain. They managed to scoop up more than 120,000 e-mails containing confidential employee user names, passwords, and trade secrets. One e-mail listed the passwords and configurations for the routers at a large IT consulting firm—basically a blueprint for would-be hackers. “It’s scary because in our test, we collected information that certainly could be used for corporate espionage,” says Garrett Gee, founder of Godai Group. And it’s a reminder that on the Internet, things are not always what they seem. Or, for that matter, what they sseem.
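As an added illustration (not part of the Businessweek article), the check below flags outbound e-mail recipient domains that are one keystroke away from a trusted domain, or that drop the period between subdomain and domain as in the Godai Group test. The allow-list, the function names, and the sales.example.com host are constructed assumptions; the typo domains are the ones named in the article.

```python
# Added example: flag recipient domains that look like typos of trusted ones.
TRUSTED = {"facebook.com", "google.com", "sales.example.com"}  # constructed allow-list

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "faecbook" for "facebook".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def check_domain(domain: str, trusted=TRUSTED):
    """Return None for a trusted or unrelated domain, else (kind, lookalike_of)."""
    domain = domain.strip().lower().rstrip(".")
    if domain in trusted:
        return None
    for good in sorted(trusted):
        # Doppelganger: the dot between subdomain and domain was dropped.
        if good.count(".") >= 2 and good.replace(".", "", 1) == domain:
            return ("missing-dot", good)
        if osa_distance(domain, good) == 1:
            return ("one-keystroke-typo", good)
    return None

def check_recipients(addresses, trusted=TRUSTED):
    """Map each suspicious address to its finding; clean addresses are omitted."""
    findings = {}
    for addr in addresses:
        hit = check_domain(addr.rsplit("@", 1)[-1], trusted)
        if hit:
            findings[addr] = hit
    return findings
```

A mail gateway or client plug-in could run such a check before delivery and hold flagged messages for confirmation by the sender.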

The bottom line: The top 250 websites lose $285 million annually due to typosquatting and are filing more lawsuits.

5 comments:

JLippe said...

In class, we discussed a lot about the lack of privacy that the advancement of technology consequently carries along. More than just being careful about where we intentionally register our personal information, this article shows that the simplest typos can lead to serious information breaches. I wonder to what extent it is reasonable for companies to register the majority of “wrong” domain names just to prevent problems like this, and what would be alternative systems that could help decrease the problem.

Libby Anderson said...

Like Juliana, I wondered why companies don't just buy up many similar domains. Then I read in this article that there can be a possible 1,000 typosquatting domains around only one top site. It seems like it would take a lot of money, time and energy to even secure the top typosquatting domains.

Also taking legal action to prove "bad faith" also seems like a lot of work. If a company has a popular site but not a large legal team, it could be hard for the company to take legal action to resolve the problem. Don't the majority of users who are looking for a specific site just leave the wrong site when they come upon it? Or are people really dumb enough to put in their email at a phony site?

Meredith Hammond said...

So I typed these false domains into my Google (not goggle) search bar and Google always directed me to the site I intended to go to. One easy way people can avoid being taken away to these typosquatting sites is to use a search engine when looking for a site.

While these lawsuits are definitely justified, it seems like typosquatting is fair game on the internet. Personally, I think if the big conglomerates like Google and Facebook spent more time driving traffic to their site than worrying about these squatters, they could better diminish all the potential $$$ lost.

Alex Castillo said...

If you go to goggle.com, clearly marked under the content is this: "Notice: This site is not associated with Google.com. If you intended to reach Google.com, click here, www.Google.com"

Maybe they are typo-squatting, but people still need to click on the scam in order to have their information breached. I think there is a certain amount of personal responsibility here that we cannot discount.

I wonder if it would be more cost effective for Google to just buy these sites outright. They might have to spend a couple million, but that's peanuts in the long run.

Chad said...

I agree with Alex, there should definitely be some responsibility to the user. When sending an email with sensitive information, recheck the address it is being sent to. Of course I don't agree with the typosquatters, but at the same time I do not see it as such a big issue that so much time, effort and money should be put into.