- TechRadar investigation found five VPNs affected by typosquatting
- About 14% of the 980+ domains are malicious
- Acts as a reminder to always double check the URL
Cybercriminals employ a variety of tactics to distribute malware and harvest data, but few are as simple as misusing fraudulent web domains. Although often associated with targeting online shoppers, a new TechRadar study has found that even users of the world’s most secure VPN providers are not immune to these attacks.
The technique – known as typosquatting – involves threat actors registering domain names that are nearly identical to popular websites and relying on deliberate misspellings or subtle character substitutions. The goal is to catch users making a minor slip at the keyboard and redirect them to a dangerous landing page before they realize the mistake.
TechRadar’s Lead Security Reviewer, Mike Williams, identified over 980 of these lookalike domains targeting major VPN companies, including NordVPN, Proton VPN, Surfshark, ExpressVPN and Private Internet Access (PIA).
While many of these sites were parked or inactive, approximately 14% were found to contain active threats, ranging from phishing and malicious advertising to outright malware distribution.
Typosquatting of popular VPN domains
Williams described typosquatting as a “simple but dangerous attack,” noting that many users fail to detect the threat even under close inspection. “Some misspelled domain names are so similar to the original that they’re really hard to spot, even when you look closely,” he explains.
To quantify the risk to those seeking privacy tools, Williams used a detection service to analyze the volume of fraudulent domains impersonating five of TechRadar’s top-rated VPN apps.
This research generated an extensive list of typosquatted domains, which Williams then investigated using NordVPN Threat Protection Pro. By running the domains through this security suite, he was able to identify exactly how many were flagged as active threats.
| VPN service | URLs tested | Threats found | Malware | Phishing | Dangerous ads | Trackers | Various security issues | Copycat websites |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ExpressVPN | 302 | 34 (11.3%) | 5 | 4 | 9 | 2 | 0 | 14 |
| NordVPN | 256 | 21 (8.2%) | 10 | 1 | 1 | 1 | 5 | 3 |
| Surfshark | 204 | 49 (24%) | 32 | 1 | 0 | 1 | 6 | 9 |
| Private Internet Access (PIA) | 112 | 4 (3.6%) | 2 | 0 | 0 | 0 | 1 | 1 |
| Proton VPN | 110 | 32 (29.1%) | 3 | 7 | 1 | 0 | 6 | 15 |
While ExpressVPN, NordVPN and Surfshark emerged as the primary targets of typosquatters, Proton VPN faced the most aggressive threat landscape, with 29% of its associated fake domains flagged as malicious.
Conversely, PIA appeared to be the least targeted – of the 112 lookalike domains, only four were found to be potentially dangerous.
Encouragingly, some providers are taking proactive steps to combat the problem by detecting and redirecting common misspellings back to their legitimate sites. ExpressVPN led the way on this front, securing at least 22 such domains to protect its users from keyboard slips.
As Williams explains, attackers rely on the difficulty of detecting a deceptive URL. “If the dodgy domain points to a fake site dressed up to look like the site you expect, there may be no need to look any further. You can just assume you’re in the right place,” he said.
While it’s hard to quantify the exact risk these sites pose to regular users, landing on a site infected with malware and invasive trackers can put your device’s security and data privacy at risk—exactly what you’re trying to avoid by signing up for a virtual private network (VPN) service.
In addition to the threat of infection, TechRadar found at least 42 typosquatted domains that redirect to fraudulent copycat storefronts. These sites are designed to trick users into making a purchase, effectively handing over sensitive banking information to cybercriminals.
Web browsing is not the only vector for these attacks either. Williams notes that these fraudulent URLs are often used as bait in phishing emails and social media posts. Attackers deploy them in the hope that a user will see a URL that looks “about right” and trust that it’s safe to click.
VPN companies are responding
When contacted by TechRadar, all five VPN providers confirmed that they actively monitor typosquatting campaigns.
“Brand trust is important in the cybersecurity industry, and when you combine that with high brand visibility, it creates an attractive opportunity for bad actors looking to exploit user trust through brandjacking and typosquatting,” said a NordVPN spokesperson.
ExpressVPN noted that the global, open nature of domain registration makes this a difficult trend to curb. “Anyone can register a domain at any time and publish imitation or misleading content without permission,” the company said.
While it’s not a company’s legal responsibility to police the entire Internet for fraudulent URLs, all of the brands we spoke to have remediation strategies in place.
Paulius Dauknys, Head of Risk Management at Surfshark, described the situation as an ongoing “cat and mouse” dynamic. “New domains often appear shortly after others have been taken down,” he warned.
The process typically begins with automated web monitoring to flag suspicious or nearly identical URLs. These domains are then analyzed for risk before the providers coordinate with hosting companies and registrars to remove the fraudulent sites.
But even with these systems in place, the process remains slow. “The domain dispute process can still take a long time,” noted David Peterson, General Manager of Proton VPN.
How to stay safe
The results of this study serve as a stark reminder that even routine browsing can put your digital security at risk. It only takes a single keystroke to land on a compromised page.
As Mike Williams notes, there is no single, silver bullet solution to the problem. “Chrome only added basic URL checking in 2019, but it missed the vast majority of dangerous domains in our tests,” he said.
However, there are some easy steps to follow to reduce the chances of falling victim to typosquatting:
- Examine the URL: Remember, even one wrong letter can land you on a dangerous website. If in doubt, run the URL through a link checker to confirm it is safe.
- Look for commonly switched characters or missing characters: Domains like ‘n0rdvpn.com’ or ‘norvpn.com’ are very common as they are harder to spot. You should also be wary of URLs that simply add common words like “login”, “support” or “store” to a domain name.
- Bookmark the originals: Once you’ve verified a provider’s legitimate website, save it to your bookmarks. Using a trusted bookmark is the most reliable way to avoid the risk of manual entry or clicking on suspicious links.
- Download your VPN app from official websites: Whenever possible, it is advisable to download your application from official app stores.
- Confirm before clicking: Treat advertisements and unsolicited emails with caution. If you are unsure about a link, manually enter the known URL into your browser or use a link checker to verify its safety.
- Use a malware and ad-blocker: Use a dedicated malware and ad-blocker. These tools are specifically designed to intercept phishing attempts and malicious scripts, providing a definitive safety net even if you accidentally click on a “weak” link.
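A defender-side sketch of the automated lookalike check described above, added here as an example and not TechRadar's or any provider's tooling: it flags hostnames that fit the patterns in the tips (swapped characters, a missing character, an added word such as "login"). The brand defaults, the digit-to-letter map, the reason labels and the sample hostnames are constructed assumptions.

```python
# Digit-for-letter swaps such as the article's 'n0rdvpn.com', folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Words the article says are commonly added to a brand's domain name.
BAIT_WORDS = ("login", "support", "store")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def classify(domain, brand="nordvpn", official="nordvpn.com"):
    """Return why `domain` resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == official or domain.endswith("." + official):
        return None  # the real site or one of its subdomains
    labels = domain.split(".")
    name = labels[-2] if len(labels) > 1 else labels[0]  # assumes a one-label TLD
    if name == brand:
        return "same-name-other-suffix"  # a case the article does not discuss
    folded = name.translate(HOMOGLYPHS)
    if folded == brand:
        return "character-substitution"
    if edit_distance(folded, brand) == 1:
        return "one-edit-typo"  # missing, extra, wrong or swapped character
    stripped = folded.replace("-", "")
    for word in BAIT_WORDS:
        stripped = stripped.replace(word, "")
    return "added-keyword" if stripped == brand else None

# Constructed sample of hostnames, e.g. taken from proxy logs or e-mail links.
SAMPLE = ["nordvpn.com", "my.nordvpn.com", "n0rdvpn.com", "norvpn.com",
          "nordvpn-login.com", "nrodvpn.com", "example.org"]

def scan(hosts):
    """Map each flagged hostname to the reason it was flagged."""
    return {h: classify(h) for h in hosts if classify(h)}

if __name__ == "__main__":
    for host, reason in scan(SAMPLE).items():
        print(f"{host:22} {reason}")
```

A match is a reason to inspect the domain, not proof of malice: the study found many lookalikes parked or inactive, and some are registered by the providers themselves to redirect typos.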



