Sonatype

Terrified of Typosquatting


Dear Sloan,

I’m a developer who works with a lot of open source software (OSS), and another developer told me to look out for typosquatting attacks. Is that a type of cyber attack I need to be really worried about as a developer?

Thanks,

Terrified of Typosquatting


Dear Terrified of Typosquatting,

This is a great question! While some cybersecurity attacks are well known and appear obvious to the security-conscious, some are quite advanced. I can share an example of a specific typosquatting attack that is particularly relevant to developers. But first, I want to explain what makes some cyber attacks more effective than others.

Let’s Talk about Social Engineering

Social engineering relies on psychological techniques to give bad actors access to sensitive information. It’s about using biases and cultural norms to manipulate people into specific outcomes. 

Phishing is a very well-known type of social engineering attack. The goal of a phishing attack is to compromise someone’s data or security through some form of direct communication, like email. 

Sometimes there are clear signs that an email is fraudulent, like a suspicious sender address or a message full of typos. Other times phishing emails are carefully written, and instead exploit qualities like respect for authority or a desire to help others in order to manipulate their targets. 

Let’s say you receive an email from what looks like the head of accounting at your company stating that you need to confirm your bank account number so that you can get paid this week. An email using your company’s logo and the name of the head of accounting could look pretty convincing. That email is using impersonation, but it is also adding a sense of urgency (you want to get paid, right?) to pressure you into sharing your information. An email like that combines several social engineering tactics! 

So do not underestimate any type of cyber attack! As cybersecurity awareness increases, so does the level of skill, technical and non-technical, behind some of these attacks. The non-technical skill shows up in how well an attacker lures a target into a false sense of security. As you’ll see in a moment, social engineering tactics aren’t exclusive to phishing attacks.

Introducing Typosquatting

You asked whether typosquatting is something you should be particularly concerned about, and the answer is “yes”, particularly as a developer.

Typosquatting is a type of social engineering attack in which bad actors register a name that closely resembles a legitimate one, usually differing by the kind of typo a person is likely to make, so that the fake is mistaken for the real thing. Sonatype researchers recently found malicious Python packages on PyPI whose names imitated the popular “Requests” library.

These typosquat packages had names like requesys, requesrs, and requesr, in the hope that a developer who mistyped “requests” when installing it would pull one of these instead. Once installed, the malicious package dropped ransomware on the developer’s machine. Keep in mind that pip can execute code shipped in a package (its setup script) during installation, so simply running pip install on the wrong name can be enough to trigger the payload; there is no later step where you get a chance to notice the mistake.
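The same closeness that makes these names dangerous can be used defensively. As an added example (not Sonatype’s tooling and not code from the original post), the script below reads a requirements file, normalizes each name the way PyPI does, and flags any dependency whose name sits within a small edit distance of a known-good package without being that package. The allowlist and the sample requirements file are constructed for the example; the three misspellings in it are the names from the post.

```python
"""Flag dependency names that are one or two typos away from a known-good package.

Added example: a typosquat check for a Python requirements file. Nothing here
is Sonatype's own code; the allowlist and sample input are constructed.
"""
import re

# Constructed allowlist. Assumption: in real use you would seed this from your
# own approved-dependency list, not from a handful of hard-coded names.
KNOWN_PACKAGES = {"requests", "numpy", "urllib3", "pandas", "flask"}

# Constructed sample requirements file. The three misspellings are the
# typosquat names mentioned in the post; the other entries are legitimate.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.26   # pinned loosely on purpose
requesys
requesrs==0.0.1
requesr
Flask
"""


def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name):
    """PEP 503 name normalization: lowercase, and any run of '-', '_' or '.'
    becomes a single '-', so 'Typed_Ast' and 'typed-ast' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the project names from a requirements file, ignoring version
    specifiers, comments and blank lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def typosquat_candidates(names, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested_name, known_name, distance) for every requested name
    that is not itself an allowlisted package but lies within max_distance
    edits of one. Exact matches are never reported."""
    findings = []
    for name in names:
        norm = normalize(name)
        if norm in known:
            continue
        for good in known:
            d = levenshtein(norm, good)
            if 0 < d <= max_distance:
                findings.append((name, good, d))
    return findings


if __name__ == "__main__":
    hits = typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS))
    for requested, good, d in sorted(hits):
        print(f"suspicious: {requested!r} is {d} edit(s) from {good!r}")
```

Running it on the sample input reports requesys and requesrs as one edit from requests and requesr as two. A distance-based check like this only catches names near your own allowlist, so it complements, rather than replaces, reviewing unfamiliar packages on PyPI before adding them.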

Awareness is Key

It’s important to understand the social engineering factors that go into cyber attacks. There are a lot of clever ways that cyber criminals try to fool you that aren’t technical in nature. 

Bad actors are getting creative with their attacks, as we see with the spoofed “Requests” Python library. Impersonation can be a very powerful social engineering tool, especially when done well.

There are definitely other methods to look out for when it comes to social engineering attacks. I encourage you to do some research about other ways that cyber criminals are exploiting psychology to come up with stronger cyberattacks. Our Sonatype blog can also help keep you up to date with the latest vulnerability news, like new typosquatting attacks. Our eLearning courses and guides can help you get the most out of Sonatype’s tools to keep your security game strong. Drop any comments or questions you have for Sloan in the comments below!

Stay safe out there,
Sloan
