When one letter off leads you to malicious advertisements rather than the former cybersecurity czar's website.
Sometimes, typing the wrong letter for a website address means sending visitors to a 404 page. When you're Rudy Giuliani, it means potentially sending hundreds of thousands of followers straight to a virus.
Hackers have been taking advantage of typos in tweets by the former New York City mayor, buying the mistyped domain names and redirecting visitors to a fake page designed to spread malware rather than to the original page that Giuliani had meant to type.
Jerome Segura, a director of threat intelligence at cybersecurity company Malwarebytes, discovered a tweet sent Sunday with a blatant typo that led to a website prompting visitors to download a Google Chrome extension, which would read people's browsing history and change their default search engine.
Giuliani didn't respond to a request for comment.
Typo-squatting is a common threat online. Hackers buy up domain names similar to those of popular websites in the hopes that someone misses a letter, ends up on their fake page and gets infected.
But while those attacks target the general public, Giuliani's typos on Twitter open up an avenue where hackers can directly target his more than 654,000 followers -- including politicians, journalists, and members of the Trump Organization like Donald Trump Jr. -- who would be exposed to his malware-laced typos.
Targeted typo-squatting for tweets isn't a common attack method, Segura said, but because Giuliani makes typos in his tweets so frequently, attackers have seen it as an opening.
"You're kind of relying on the user to make those typos and they happen once in a blue moon, so that's not ideal for attackers," Segura said. "With him, just looking at the last few days, there were multiple occasions where he created links by mistake."
Giuliani, who at one point was named the Trump administration's cybersecurity czar, meant to send his followers to his website, RudyGiulianics.com, in a tweet on Sunday. Instead, his tweet put a space after Rudy, sending visitors to just Giulianics.com.
There's a world of difference between the two. Giuliani's actual website was registered on Jan. 10, and an analysis from Segura showed no signs of malware on the page when he checked on Jan. 28.
The fake website, Giulianics.com, was registered on Jan. 31, and redirects about six times, all through websites that collect tracking data on visitors, until it lands on the unsecured website looking to install adware.
The extension, "Private Browsing by Safely," has been flagged as adware by BleepingComputer, and reads people's browsing data and changes the default search engine. BleepingComputer first found it through a typo-squatted domain for its own website in 2018.
"With malvertising, based on your device, you could end up on a drive-by download page and get your computer infected," Segura said. "When you see a domain registered with a Giuliani tweet with malware, that's not good for anybody."
This isn't the first time that people have exploited typos in Giuliani's tweets.
In November 2018, Giuliani sent out a tweet in which he failed to put a space between "G-20" and ".In," making it a URL. That link didn't lead to a page until Twitter user Jason Velazquez saw the mistake and registered the domain name to make it an anti-Trump website. It took about 15 minutes to make.
Velazquez said he's not surprised hackers are taking advantage of Giuliani's typos.
"I think what's more surprising is that our former cybersecurity adviser hasn't figured out how to tweet a proper hyperlink to his followers," he said. "Or he doesn't seem to understand that Twitter hyperlinks anything with a URL structure."
More than a year later, not much has changed for Giuliani's Twitter typos. On Sunday morning, he tweeted another wrong link to his website, this one spelled RudyGiuliancs.com, missing the last "i" in the URL.
That domain name was registered Feb. 7, showing that people are creating typoed versions of Giuliani's website in anticipation of a flub, Segura said.
That URL had redirected to the Wikipedia page about the Trump-Ukraine impeachment scandal.
In another tweet that Segura found, sent over the weekend, Giuliani forgot to put a space between "Watch" and "RudyGiulianics.com." That domain name was registered a day later, and redirected visitors to a website on getting help with drug addictions.
"This is not an accident. Given his history and pattern of making typos, you can register domains that are pretty close and hope he makes a mistake," Segura said.
Many of the typos that Giuliani has made were tweeted from an iPad , Segura found. He recommended that Giuliani either start to copy and paste verified links for Twitter, or just start using a keyboard to make fewer typos.
In January, New York Daily News editorial board member Laura Nahmias tweeted that she had tried to visit Giuliani's website and received malware shortly after.
She said she had clicked on a link to Giuliani's website from a tweet, and her browser warned that the page was a security risk. Nahmias said she then closed the window, but even so started getting pop-ups for a fake antivirus immediately afterward.
The malware had been persistent enough that she ended up getting a new laptop. It's still unclear whether she had clicked on a link with a typo from Giuliani himself or from someone else, but her computer was quickly infected, she said.
Nahmias noted that, as a journalist, she already takes extra precautions for cybersecurity, but she was still surprised that Giuliani's typos are a potential avenue for viruses.
"You would hope," Nahmias said, "that he's [tweeting] in a way that protects him and everyone who's following him and everyone he's working for."