The .cm typosquatters accidentally exposed their logs, revealing the incredible scale of typojacking

.cm is the top-level domain for Cameroon, and the major use-case for .cm domains is typosquatting -- registering common .com domains as .cm domains (like microsoft.cm or apple.cm), in the hopes of nabbing traffic from users who fatfinger while typing a domain, and sometimes serving them malware or directing them to scams.

After a Krebs on Security report, one of Brian Krebs's readers noticed that the full logs for the scammiest .cm domains were available online; Krebs on Security managed to download these logs before the .cm people deleted them, and Matthew Chambers has collaborated with Krebs to analyze the logs.

Chambers found that the .cm typosquatters raked in 12 million visits from 8.5 million unique visitors in the first quarter of 2018, suggesting a total per-year visitor count of 50,000,000. A large number of these visitors were attempting to visit porn sites, which makes sense, as privacy-aware users are more likely to visit them in private browsing mode and thus hand-enter those addresses rather than bookmarking them or using history autocompletes.

The logs reveal that 80 visitors from the DoJ landed on a .cm scam; the typo count was 104 for NASA IPs; 47 for the US House of Reps; and 6 for the CIA.

A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.

Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018 [Brian Krebs/Krebs on Security]