A deep-dive into a typosquatting campaign targeting a major Southeast Asian health and beauty retail chain — and how I found it by accident.

It started the way most interesting discoveries do — not from a planned investigation, but from a passing moment of curiosity while scrolling through my phone after dinner.

I was waiting for a delivery from LumiCare Health & Beauty, one of the largest pharmacy and wellness retail chains in the region, when I decided to check if my order had shipped. I opened Chrome on my phone, started typing the URL from memory, and hit Enter before I noticed I'd made a typo. What loaded next made me sit up straight.

"The site looked identical. The logo, the layout, the product categories. For five full seconds, I genuinely didn't know if I was on the real site or not."

That five-second window of confusion is exactly what the attacker was counting on.

What is Typosquatting?

Typosquatting — also called URL hijacking or a brandjacking attack — is the practice of registering domain names that are deliberate misspellings, transpositions, or near-visual duplicates of legitimate, high-traffic domains. The goal is to intercept users who make small typing errors and redirect them to fraudulent content.

The technique is deceptively simple. A threat actor identifies a high-value domain — one visited frequently by users who trust it implicitly — then registers every plausible variation they can think of. The cost? Often less than ₱1,000 per domain per year. The potential return? Credential theft, phishing, malware distribution, and ad revenue from confused visitors.
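The variations described above (misspellings, transpositions, near-visual duplicates) are exactly what a brand owner should be generating for its own domain, so that new registrations can be watched for. The following is an added example, not code from the original article: it builds a watch list of typo variants for the fictitious lumicarehealth.com.ph and intersects it with a constructed list of "observed" registrations. The keyboard-neighbour and homoglyph tables are small illustrative subsets, and the fixed two-label public suffix (com.ph) is an assumption for this page's domains.

```python
"""Generate a typosquat watch list for a brand domain (defensive monitoring).

Added example, not from the original writeup. Brand domain is the
fictitious lumicarehealth.com.ph; tables below are illustrative subsets.
"""

# Neighbouring keys on a QWERTY layout (subset; assumption for illustration)
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "c": "xdfv", "e": "wsdr", "h": "gyujbn", "i": "ujko",
    "l": "kop", "m": "njk", "r": "edft", "t": "rfgy", "u": "yhji",
}
# Characters that look alike in many fonts (subset)
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"], "a": ["4"]}


def split_domain(domain):
    """Split 'lumicarehealth.com.ph' into ('lumicarehealth', 'com.ph').

    Only the registrable label is permuted; the public suffix stays fixed.
    """
    label, _, suffix = domain.partition(".")
    return label, suffix


def transpositions(label):
    """Swap each pair of adjacent characters."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def omissions(label):
    """Drop one character."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Double one character."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def fat_fingers(label):
    """Replace one character with a neighbouring key."""
    out = set()
    for i, ch in enumerate(label):
        for alt in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + alt + label[i + 1:])
    return out


def homoglyphs(label):
    """Replace one character with a visually similar one."""
    out = set()
    for i, ch in enumerate(label):
        for alt in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + alt + label[i + 1:])
    return out


def generate_candidates(domain):
    """Return {candidate domain: technique that produced it}."""
    label, suffix = split_domain(domain)
    techniques = {
        "transposition": transpositions,
        "omission": omissions,
        "repetition": repetitions,
        "fat-finger": fat_fingers,
        "homoglyph": homoglyphs,
    }
    candidates = {}
    for name, fn in techniques.items():
        for variant in fn(label):
            if variant == label:
                continue
            candidates.setdefault(f"{variant}.{suffix}", name)  # first technique wins
    return candidates


def find_registered(candidates, observed):
    """Intersect the watch list with domains seen in a registration or CT feed."""
    return {d: candidates[d] for d in sorted(candidates) if d in observed}


# Constructed sample of domains "seen" in a feed (not real registrations)
OBSERVED = {
    "lumicrehealth.com.ph", "lumicarehealt.com.ph",
    "lumicarehealth.com.ph", "example.com",
}

if __name__ == "__main__":
    cands = generate_candidates("lumicarehealth.com.ph")
    print(f"{len(cands)} candidates on the watch list")
    for dom, how in find_registered(cands, OBSERVED).items():
        print(f"REGISTERED  {dom:30s} ({how})")
```

In practice the `OBSERVED` set would be replaced by a daily pull from a certificate transparency search or a registrar zone feed, and any hit would be routed to the team that handles registrar abuse reports.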

The Discovery

After that unsettling five seconds, I checked the URL bar carefully. I had typed lumicrehealth.com.ph instead of lumicarehealth.com.ph. One transposition — the r and e swapped — and I'd landed on an entirely different server.

My security instincts kicked in. I immediately switched to a sandboxed browser environment and began documenting what I found. The site cloned the visual design of LumiCare almost perfectly — header, footer, product categories, promotional banners. But several things were wrong on closer inspection:

Mapping the Full Scope

Once I confirmed this was a malicious clone, I did what any researcher would do: I started looking for more. How many variations had this threat actor registered? Using public WHOIS data, certificate transparency logs, and a controlled passive reconnaissance approach, I began building a picture of the campaign.

Here are the domain variations I identified (all fictitious names are used here — patterns reflect real findings):

Seven domains. All registered within a short window. At least three of them hosting active clones of the LumiCare web interface. The campaign was not the work of an opportunistic amateur — someone had specifically targeted this brand, researched common typing errors, and invested in multiple domains.

The WHOIS Investigation

Public WHOIS records are one of the first places a researcher turns when mapping a domain-based campaign. The data available before privacy redaction can reveal registration patterns, name server choices, registrar preferences, and sometimes — when actors are careless — contact information that clusters across multiple malicious domains.

Here is a sanitized reconstruction of what a WHOIS lookup revealed on one of the typosquat domains:

The name server clustering was the most telling indicator. When multiple domains — especially suspicious-looking ones — share identical infrastructure, it strongly suggests they're operated by the same threat actor. This is a classic indicator-of-compromise pattern used in threat intelligence work.

What Was the Attacker Actually After?

Based on what I observed in the cloned sites (without interacting with any form or system), the campaign appeared designed to achieve at least two objectives simultaneously:

1. Credential Harvesting

The login form — visually identical to LumiCare's actual member portal — was the primary trap. A LumiCare customer with an existing account who landed on the typosquat and tried to sign in would hand over their email and password directly to the attacker. These credentials then have value far beyond LumiCare: most people reuse passwords, making a pharmacy account breach a potential skeleton key into email, banking, and social media accounts.

2. Payment Card Interception

The checkout flow was the more alarming vector. A customer attempting to purchase medication — something with obvious urgency — who didn't notice the URL discrepancy could have entered full payment card details, CVV, and billing address into a form controlled entirely by the threat actor.

Certificate Transparency: The Attacker's Paper Trail

One of the most powerful passive reconnaissance tools available to security researchers is certificate transparency (CT) logging. Every SSL/TLS certificate issued by a public certificate authority is logged in publicly accessible databases. This was designed to improve trust in the certificate ecosystem — but it also means every domain an attacker registers and points to HTTPS infrastructure gets logged publicly, often before the attack even begins.

Using crt.sh, the free certificate transparency search tool, I searched for all certificates issued for variations of the LumiCare domain pattern:

The attacker had gone further than I initially realized. They weren't just running a homepage clone — they had built out a full subdomain structure mirroring LumiCare's architecture: a shop portal, an account management page, a payment endpoint, and even a mobile-optimized version. This was a sustained, patient operation.
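The two pivots used in this investigation, the crt.sh certificate search described here and the name-server clustering from the WHOIS section, can be reproduced on a small constructed data set. The following is an added example and not the author's tooling: the certificate records are constructed in the shape of crt.sh's JSON output (fields `common_name`, `name_value`, `not_before`; `name_value` carries one SAN per line), the WHOIS name-server data is likewise constructed, and the hostnames are the fictitious ones from this writeup. A fixed two-label public suffix (com.ph) is assumed when reducing hostnames to their registrable domain.

```python
"""Pivot from CT-log hostnames and WHOIS name servers to a domain cluster.

Added example, not from the original article. All records are constructed;
the JSON shape mirrors crt.sh output (`?q=<pattern>&output=json`).
"""
import json
from collections import defaultdict

BRAND = "lumicarehealth.com.ph"

# Constructed crt.sh-style records
CT_JSON = json.dumps([
    {"common_name": "lumicrehealth.com.ph",
     "name_value": "lumicrehealth.com.ph\nshop.lumicrehealth.com.ph\npay.lumicrehealth.com.ph",
     "not_before": "2024-01-03T10:15:00"},
    {"common_name": "lumicarehealt.com.ph",
     "name_value": "lumicarehealt.com.ph\nm.lumicarehealt.com.ph",
     "not_before": "2024-01-04T08:02:00"},
    {"common_name": "lumicarehealth.com.ph",
     "name_value": "lumicarehealth.com.ph\nwww.lumicarehealth.com.ph",
     "not_before": "2023-06-11T00:00:00"},
    {"common_name": "lumiguardhealth.com.ph",
     "name_value": "lumiguardhealth.com.ph",
     "not_before": "2024-01-05T12:00:00"},
])

# Constructed WHOIS name-server data keyed by registrable domain
WHOIS_NS = {
    "lumicrehealth.com.ph": ["ns1.example-dns-a.invalid", "ns2.example-dns-a.invalid"],
    "lumicarehealt.com.ph": ["ns1.example-dns-a.invalid", "ns2.example-dns-a.invalid"],
    "lumicarehealth.com.ph": ["ns1.corp-dns.invalid", "ns2.corp-dns.invalid"],
    "lumiguardhealth.com.ph": ["ns1.other.invalid"],
}


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name, suffix="com.ph"):
    """Reduce 'shop.foo.com.ph' to 'foo.com.ph' (assumes a fixed two-label suffix)."""
    parts = name.lstrip("*.").split(".")
    keep = len(suffix.split(".")) + 1
    return ".".join(parts[-keep:])


def domains_from_ct(ct_json):
    """Return {registrable domain: sorted hostnames seen in certificates}."""
    hosts = defaultdict(set)
    for rec in json.loads(ct_json):
        for name in rec["name_value"].splitlines():
            hosts[registrable(name)].add(name)
    return {d: sorted(h) for d, h in hosts.items()}


def suspects(hosts, brand=BRAND, max_distance=2):
    """Domains whose first label is within edit distance of the brand label."""
    brand_label = brand.split(".")[0]
    out = {}
    for d in hosts:
        if d == brand:
            continue
        dist = levenshtein(d.split(".")[0], brand_label)
        if dist <= max_distance:
            out[d] = dist
    return out


def cluster_by_nameserver(domains, whois_ns):
    """Group domains that share an identical name-server set (size > 1 only)."""
    clusters = defaultdict(list)
    for d in domains:
        clusters[tuple(sorted(whois_ns.get(d, [])))].append(d)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    hosts = domains_from_ct(CT_JSON)
    sus = suspects(hosts)
    for dom, dist in sus.items():
        print(f"{dom:25s} distance={dist} hosts={hosts[dom]}")
    for ns, members in cluster_by_nameserver(sus, WHOIS_NS).items():
        print(f"shared NS {ns}: {members}")
```

The distance filter keeps the look-alike domains and drops the unrelated lumiguardhealth.com.ph; the name-server grouping then shows which of the survivors sit on the same infrastructure, which is the clustering signal the WHOIS section relies on. The subdomain list per domain is what reveals a built-out structure (shop, pay, mobile) rather than a lone homepage clone.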

Responsible Disclosure

Once I had documented everything — screenshots, WHOIS data, certificate logs, network traces — I compiled a disclosure report and sent it through two channels simultaneously: the company's official security contact email (found in their privacy policy), and a direct message to their IT security team via LinkedIn.

The timeline from that point:

Day 0   — Discovery and initial documentation
Day 0   — Responsible disclosure report sent to LumiCare security team
Day 1   — Automated acknowledgment received
Day 3   — Personal response from their Head of Information Security
Day 5   — Company confirmed findings, engaged registrar abuse processes
Day 9   — Three primary clone domains suspended by registrar
Day 14  — All 7 identified domains deactivated
Day 21  — Company issued internal advisory to customers (no public breach)
Day 30  — This writeup published (30-day post-remediation window)

The security team was professional and responsive. They had not been aware of the campaign prior to my report. This is unfortunately common — organizations with significant consumer web presence rarely have active monitoring for typosquat registrations, even when the cost of doing so is minimal.

Lessons for Defenders

Typosquatting is a trivially cheap attack with potentially devastating consequences for consumers. Here is what organizations can do to protect their users:

Lessons for Everyday Users

You don't need to be a security researcher to protect yourself. These habits take seconds to build:

  • Bookmark trusted sites. Use your bookmark for pharmacy, banking, and shopping sites — never retype the URL from memory.
  • Check the full URL before entering credentials — especially on a mobile device where the address bar is truncated.
  • Click the padlock icon and verify the certificate is issued to the company you expect, not just to a generic domain.
  • Use a password manager. Good password managers autofill only on the exact domain — they will refuse to fill credentials on a lookalike domain.
  • If something feels off — it probably is. Trust that instinct. Close the tab.

Final Thoughts

The five seconds of confusion I felt looking at that cloned homepage is a five-second window that the average user — someone buying medication for a sick child at midnight, or ordering vitamins in a rush between meetings — might not recover from. They'd fill in the form, submit their card details, and not know anything was wrong until a fraudulent charge appeared days later.

Typosquatting isn't a sophisticated technical attack. It requires no zero-days, no CVEs, no exploit code. It requires only a registrar account, a domain registration fee, and a basic HTML editor. That simplicity is precisely what makes it so prevalent — and so consequential.

The discovery cost me nothing but time. The report cost me one afternoon. And somewhere, a few thousand consumers are now safer because of it — even if they'll never know.

If you find something like this — document it carefully, report it responsibly, and write it up. The community learns from shared experience, and that learning is what makes the internet incrementally safer for everyone.
