Google Chrome Is Making Sure You Do Not Fall for Lookalike URLs
Phishing, as you most likely know, is one of the most popular types of online attack, and it's perfect for crooks who have next to no technical skills. While they might not be computer wizards, phishers have quite a few tricks up their sleeve to ensure that you click the link, enter your login credentials and (unwittingly) send them their way. The thing is, there is one fundamental flaw in the classic phishing scheme.
The crooks can use all the social engineering ploys they like to entice you into visiting the fake login form. They can make that login form look identical to the real thing to fool you into believing there's nothing to worry about. What they can't do is make the address of the phishing page the same as the address of the real one. This is a problem for phishers because modern browsers display the URL in a prominent place. It won't stop them from trying, though.
How many times have you typed anazon.com instead of amazon.com or gooogle.com instead of google.com? People frequently make typos, and phishers know it. They also know that if they put a phishing page on a domain that looks similar to the real one, even experienced users will often be in too much of a hurry to notice the discrepancy, especially once the social engineering has done its work. Registering lookalike domains to catch such slips is called typosquatting.
Google tackles typosquatting
Here's something you can try at home. Go to Google.com and search for "goo gle". Above the results you should see the message "Did you mean: google". To combat typosquatting, the search engine giant is working on similar functionality in its Chrome web browser.
The idea is that when you type facevook.com instead of facebook.com into the address bar and press Enter, Chrome will ask whether this really is the site you were looking for and suggest the one it thinks you meant. (The original post links to a screenshot of the feature in action.)
The warnings first appeared last year in Chrome Canary, the public test build Google uses to try out features before deciding whether they reach the browser's stable version. You can also turn them on in Chrome's latest official release, but because the feature is still experimental, you have to enable it by visiting the following address in Google Chrome:
Being experimental, it doesn't always work, and Google needs to put a bit more work into it, which is why we still don't know when it will become available by default.
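As an added illustration (not code from Google or Chrome; the original article contains no code), here is a small Python model of the kind of check described above: it reduces the typed hostname to its registrable domain, compares it against a short list of well-known domains using an edit distance that counts an adjacent-letter swap as a single change, and returns a "Did you mean" suggestion when the distance is small. The domain list, the hand-picked two-part public suffixes, the minimum label length and the distance threshold are all constructed assumptions for the example; Chrome's actual list and heuristics are not described on this page.

```python
"""Toy 'Did you mean?' check for lookalike hostnames (constructed example)."""

# Constructed allow-list standing in for the list of popular domains a browser
# would compare against. Entries are registrable domains (eTLD+1).
KNOWN_DOMAINS = ["google.com", "facebook.com", "amazon.com", "paypal.com"]

# Assumed two-part public suffixes for the simplified eTLD+1 extraction below;
# a real implementation would use the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Strip subdomains: 'login.facevook.com' -> 'facevook.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_suggestion(hostname, known=KNOWN_DOMAINS, max_distance=1,
                         min_label_len=5):
    """Return the known domain the hostname looks like, or None.

    Exact matches never warn. Candidates with a very short second-level
    label are skipped (assumed rule) because one-letter differences between
    short names are far more likely to be unrelated sites than typos.
    """
    target = registrable_domain(hostname)
    if target in known:
        return None
    best, best_dist = None, max_distance + 1
    for candidate in known:
        if len(candidate.split(".")[0]) < min_label_len:
            continue
        dist = damerau_levenshtein(target, candidate)
        if dist < best_dist:
            best, best_dist = candidate, dist
    return best


if __name__ == "__main__":
    # Constructed sample of typed hostnames, including two that a
    # distance-based check deliberately does not catch.
    for typed in ["facevook.com", "www.gooogle.com", "login.anazon.com",
                  "facebook.com", "facebook.com.evil.com", "example.com"]:
        hint = lookalike_suggestion(typed)
        print(f"{typed:28s} -> {'Did you mean ' + hint + '?' if hint else 'no warning'}")
```

The last two sample inputs show the limits the article goes on to discuss: facebook.com.evil.com is not a misspelling of anything on the list (its registrable domain is evil.com), so a typo check says nothing about it, and a site that isn't on the list at all gets no protection whatever you type.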
Can the new feature completely eradicate typosquatting?
If Google's engineers can refine it sufficiently (and there's little reason to believe that they can't), this feature could end up saving quite a few people from unwittingly relinquishing their sensitive information. You can't expect a small ribbon with a suggestion to solve the whole problem, though.
For one, there are far too many websites for Chrome to warn about every possible typo; a check like this can only compare what you typed against a limited list of well-known sites. Furthermore, phishers have a number of other ways to fool you, and the fact that this type of scam is still so prolific shows that they work just fine. Relying solely on your browser to protect you isn't a good call.