- TechRadar investigation found five VPNs affected by typosquatting
- About 14% of the 980+ domains are malicious
- It serves as a reminder to always check the URL.
Cybercriminals employ a variety of tactics to distribute malware and collect data, but few are as simple as misusing fraudulent web domains. While often associated with attacking online shoppers, new research from TechRadar found that even users of the world’s most secure VPN providers are not immune to these attacks.
The technique – known as typosquatting – involves threat actors registering domain names that are nearly identical to those of popular websites, based on intentional misspellings or subtle character changes. The goal is to catch users who make a small mistake on the keyboard and redirect them to a dangerous landing page before they realize the mistake.
TechRadar’s lead security reviewer, Mike Williams, identified more than 980 of these lookalike domains targeting major VPN companies, including NordVPN, Proton VPN, Surfshark, ExpressVPN, and Private Internet Access (PIA).
While many of these sites were parked or inactive, approximately 14% were found to contain active threats, ranging from phishing and malicious ads to direct malware distribution.
Typosquatting of popular VPN domains
Williams described typosquatting as a “simple but dangerous attack,” noting that many users fail to detect the threat even after close inspection. “Some misspelled domain names are so similar to the original that they are really difficult to detect, even when you look closely,” he explains.
To quantify the risk for those seeking privacy tools, Williams used a detection service to analyze the volume of fraudulent domains imitating five of TechRadar’s top-rated VPN apps.
This investigation generated an extensive list of typosquatted domains, which Williams then investigated using NordVPN Threat Protection Pro. By running the domains through this security suite, he was able to identify exactly how many were marked as active threats.
| VPN service | Tested URLs | Threats encountered | Malware | Phishing | Dangerous ads | Trackers | Misc. security issues | Copycat sites |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ExpressVPN | 302 | 34 (11.3%) | 5 | 4 | 9 | 2 | N/A | 14 |
| NordVPN | 256 | 21 (8.2%) | 10 | 1 | 1 | 1 | 5 | 3 |
| Surfshark | 204 | 49 (24%) | 32 | 1 | N/A | 1 | 6 | 9 |
| Private Internet Access (PIA) | 112 | 4 (3.6%) | 2 | N/A | N/A | N/A | 1 | 1 |
| Proton VPN | 110 | 32 (29.1%) | 3 | 7 | 1 | N/A | 6 | 15 |
While ExpressVPN, NordVPN, and Surfshark emerged as the top targets of typosquatters, Proton VPN faced the most aggressive threat landscape, with 29% of its associated fake domains flagged as malicious.
In contrast, PIA seemed to be the least attacked: of the 112 similar domains identified, only four turned out to be potentially dangerous.
Encouragingly, some providers are taking proactive steps to combat the problem by registering and redirecting common spelling errors to their legitimate sites. ExpressVPN led on this front, securing at least 22 of these domains to protect its users from keyboard errors.
As Williams explains, attackers rely on the difficulty of detecting a misleading URL. “If the dubious domain points to a fake site disguised to look like the website you expect, there may be no reason to look closely. You might just assume you’re in the right place,” he said.
While it’s difficult to quantify the exact risk these sites pose to everyday users, arriving at a site infested with malware and invasive trackers can jeopardize the security of your device and the privacy of your data—precisely what you’re trying to avoid by signing up for a virtual private network (VPN) service.
Beyond the threat of infection, TechRadar found at least 42 typosquatted domains that redirected to fraudulent copycat stores. These sites are designed to trick users into making a purchase, effectively handing over sensitive banking details to cybercriminals.
Web browsing is not the only vector of these attacks either. Williams notes that these fraudulent URLs are frequently used as bait in phishing emails and social media posts. Attackers deploy them in the hopes that a user will see a URL that looks “correct” and trust that it is safe to click.
VPN companies respond
When approached by TechRadar, all five VPN providers confirmed that they are actively monitoring typosquatting campaigns.
“Brand trust is important in the cybersecurity industry, and when you combine that with high brand visibility, it creates an attractive opportunity for bad actors looking to exploit user trust through brand hijacking and typosquatting,” a NordVPN spokesperson said.
ExpressVPN noted that the global and open nature of domain registration makes this trend difficult to stop. “Anyone can register a domain at any time and post spoofing or misleading content without authorization,” the company said.
While it’s not a company’s legal responsibility to monitor the entire internet for fraudulent URLs, all the brands we spoke to have established mitigation strategies.
Paulius Dauknys, head of risk management at Surfshark, described the situation as an ongoing “cat and mouse” dynamic. “New domains often appear shortly after others have been removed,” he warned.
The process usually begins with automated web monitoring to detect suspicious or nearly identical URLs. These domains are then analyzed for risk before providers coordinate with hosting companies and registrars to remove fraudulent sites.
However, even with these systems in place, the process is still slow. “The domain dispute process can still take a considerable amount of time,” said David Peterson, CEO of Proton VPN.
How to stay safe
The findings of this research serve as a stark reminder that even routine browsing can put your digital security at risk. It only takes a slip on the keyboard to reach a compromised page.
As Mike Williams points out, there is no single magic solution to the problem. “Chrome first added basic URL checking in 2019, but it missed the vast majority of dangerous domains in our tests,” he said.
However, there are some easy steps to follow to reduce the chances of falling victim to typosquatting:
- Examine the URL: Remember, even a single letter can lead you to dangerous websites. If in doubt, run the URL through a link checking tool to verify its security.
- Look for frequently changed or missing characters: Domains like ‘n0rdvpn.com’ or ‘norvpn.com’ are very common as they are harder to detect. You should also be wary of URLs that simply add common words like “login,” “support,” or “store” to a domain name.
- Bookmark the originals: Once you’ve verified a provider’s legitimate homepage, save it to your bookmarks. Using a trusted bookmark is the most reliable way to avoid the risks of manually typing or clicking on suspicious links.
- Download your VPN app from official sites: Whenever possible, it is advisable to download your app from the official app stores.
- Check before you click: Treat unsolicited ads and emails with caution. If you are unsure about a link, manually type the known URL into your browser or use a link checker tool to verify its security.
- Use a malware and ad blocker: Use a dedicated ad and malware blocker. These tools are specifically designed to intercept phishing attempts and malicious scripts, providing a final safety net even if you accidentally click on a “dodgy” link.
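The patterns listed above (a swapped character, a missing character, an added word) are also what the automated monitoring the providers describe has to flag. As an added example, not code from TechRadar or any VPN provider, this Python check classifies a domain name against an allowlist; the `OFFICIAL` map, the look-alike character table and the verdict names are assumptions made for illustration.

```python
# Assumed allowlist: brand label -> official domain (not taken from the article).
OFFICIAL = {"nordvpn": "nordvpn.com", "protonvpn": "protonvpn.com",
            "surfshark": "surfshark.com", "expressvpn": "expressvpn.com",
            "privateinternetaccess": "privateinternetaccess.com"}
KEYWORDS = ("login", "support", "store")  # add-on words named in the article
# Illustrative digit-for-letter swaps only; a real map would be far larger.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def strip_keyword(label):
    """Remove hyphens and an add-on keyword; unchanged label if none found."""
    compact = label.replace("-", "")
    for kw in KEYWORDS:
        bare = compact.removeprefix(kw).removesuffix(kw)
        if bare != compact:
            return bare
    return label

def classify(domain):
    """Return (verdict, brand); verdict is None when no brand is resembled."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]  # assumes a one-label TLD
    if ".".join(parts[-2:]) in OFFICIAL.values():
        return ("official", label)
    folded = label.translate(LOOKALIKES)
    for brand in OFFICIAL:
        if folded == brand:
            return ("other-tld" if label == brand else "lookalike-char", brand)
        if strip_keyword(folded) == brand:
            return ("added-keyword", brand)
        if edit_distance(folded, brand) == 1:
            return ("one-edit-typo", brand)
    return (None, None)

# Constructed sample input; the first two names are the ones quoted above.
SAMPLES = ["n0rdvpn.com", "norvpn.com", "nordvpn-support.com", "nordvpn.com"]
if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```
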




