We expect websites to be what they claim to be, but domain names can sometimes deceive. A simple spelling error or misplaced hyphen can send us to a typosquatted website that may be very close to the genuine article, but actually harvests our data or delivers malicious software.
This article explains what typosquatting is, how it works, and the various types. We will finish with practical best practices to prevent typosquatting and protect your online reputation.
Typosquatting definition
Typosquatting (also known as URL hijacking) is a social engineering attack that uses slightly incorrect domain names to lure victims into visiting fake websites. Typosquatters rely on victims making minor mistakes when using the browser address box. When executed skillfully, typosquatted domains enable criminals to divert traffic from legitimate sites to fake domains, install drive-by malware, or harvest login credentials.
Typosquatting vs cybersquatting
Typosquatting is similar but not identical to cybersquatting. The distinction matters as typosquatting presents critical reputational and data security risks.
Cybersquatters register domain names that resemble legitimate sites or may be used by companies in the future. Squatters sometimes occupy domains to build phishing websites. More often, cybersquatters intend to sell the domain registration to the legitimate company. Companies often pay a premium to claim domains that resemble their own sites to protect their reputations and avoid secondary attacks.
Typosquatted domains also resemble the addresses of legitimate sites, but play a more malicious role. Typosquatted domains generally host fraudulent websites that trick users into providing credentials or making payments.
It's important to note that the two attack techniques are closely related. Cybersquatters often earn money by threatening to sell domains to criminal collectives with the skills to build convincing fake sites. This foregrounds the need to control related domain registrations and scan for potential typosquatting activities.
How does typosquatting work?
Typosquatters always start by purchasing domain names related to legitimate businesses or organizations. For example, squatters may purchase "amaz0n.com" as they know a few visitors will accidentally type "0" instead of "O".
Common typosquatting techniques include:
- Simple typos: Single letters or digits result in slight variations in domain names. Rushed web users often enter domains, make a tiny error, and fail to check for mistakes before submitting the URL.
- Misspelled domains: Attackers add common spelling errors related to legitimate companies. For instance, the misspelled domains Coka-Cola or Nikee could well trick distracted web users.
- Regional variations: Attackers register spellings of brand or organization names that visitors from other regions are likely to type. For example, they might register a website for the UK fashion brand Barbour as "barbor.co.uk". This may catch North American visitors.
- Hyphenation: Typosquatters add hyphens or em dashes to domain names, creating false variations. For example, email phishers often use domains like "Amazon-saleshelp" that drive traffic to fake customer service sites.
- Incorrect domain endings: Domain names always end in a suffix that usually identifies a geographical location or type of organization. Attackers create domains with false endings while retaining the brand name. Colombia's ".co" suffix is popular as it closely resembles ".com", although Iceland's ".is" and Tuvalu's ".tv" are also effective.
Advanced typosquatters also strategically use common typing mistakes to generate domain names. For instance, keyboard users often exchange "M" and "N" as the two letters sit next to each other on QWERTY keyboards. So "anazon.com" could be a valuable domain name.
Victims do not always reach typosquatted domains via the browser address box. Phishing attacks also embed malicious links inside convincing emails.
Clicking the link takes users to a fake site with a URL that resembles the intended destination. In these cases, attackers build trust through email content and the appearance of fake sites. The URL needs to be superficially plausible to avoid arousing suspicion.
What happens when users visit typosquatted sites?
From the company's perspective, typosquatted domains become harmful when customers visit the fraudulent website. Remember: users rarely detect their mistakes. They believe they have landed at a legitimate site. This gives attackers leverage to exploit their trusted position.
Typosquatted sites superficially look plausible. For example, they use corporate logos and layouts that echo e-commerce portals. However, they tend to pressure visitors to click on certain links or use forms to submit valuable information.
If users fall for the ruse, typosquatted sites extract user names, passwords, contact addresses, and financial information. Criminals can use this information in identity theft attacks or build profiles to use in spear phishing campaigns. In worst-case scenarios, attackers gain access to personal emails, business logins, and other confidential resources.
Types of typosquatting

Typosquatting is a relatively simple form of cyber-attack, but it takes several forms. Companies must actively monitor URL registrations to combat every sub-variety, as phishers use every available weapon. Here are the most common typosquatting approaches:
Website imitation
In classic typosquatting attacks, fake sites appear almost identical to the real thing. Attackers take care to use familiar graphics, typefaces, website layouts, and even audiovisual content. Fake sites operate just like the genuine ones. The difference is that users provide credentials to threat actors, not trusted businesses.
Diverting web traffic to competitors
These attacks use typosquatting techniques to attract customers from legitimate sites. Fake websites direct the traffic to third parties that provide similar services to the spoofed company. Criminals extract fees from clients while victims lose business.
Affiliate links
Opportunist threat actors use URL hijacking to set up lookalike domains as usual. In this case, they redirect traffic back to the victim's landing pages. Because they funnel that traffic through affiliate marketing schemes, each forwarded visitor earns them a small commission. Victims end up paying for clicks they had no need to pay for.
Monetizing traffic
Attackers squat domains and attract traffic as usual. Instead of extracting data, they serve ads to visitors or deliver pop-ups. This generates steady revenue streams without much labor.
Bait & Switch
Victims click on URLs to purchase goods or access services. Fake domains deliver them to malicious websites that appear to sell the items they desire. Victims enter their details and make payments. Customers never receive the goods, but criminals take payment regardless.
Fake customer interaction
Typosquatted sites serve visitors with fake customer surveys or prize contests. Often, these pages resemble real-life giveaways or marketing exercises. However, criminals extract the data that contestants or customers enter. This enables identity theft and further phishing attacks.
Drive-by malware installers
Criminals use typosquatted websites as vectors for malware delivery. Malicious sites automatically deliver adware or malware or prompt visitors to install risky applications. Either way, targeted systems become infected and compromised, potentially leading to network-wide attacks.
Malicious pranks
Sometimes, threat actors register domains to mock companies or make political points. These techniques are more than an irritation. Convincing content can damage corporate reputations and ruin brand identities.
Typosquatting examples
Cybercriminals constantly look for typosquatting opportunities. Almost every brand with a significant online presence has encountered their activities. Sometimes, the consequences have severely dented reputations and harmed customer safety. Let's quickly explore a few landmark cases.
Goggle.com
Many years ago, even the world's number one search engine lost control of its domains and suffered a typosquatting attack. Criminals registered goggle.com, instantly generating a flood of incorrect traffic.
When visitors arrived at the fake Google site, the owners flooded browsers with pop-ups and automatically downloaded malicious apps like SpySheriff and SpywareSTOP. Google eventually purchased the Goggle domain (it's now managed by a domain registration partner) after losing a case with the National Arbitration Forum.
BlackRock
In 2024, financial giant BlackRock filed suit to reclaim 32 alleged typosquatting domains. Most importantly, the company identified a fake site registered as Blackrockindia.net.
Apparently, criminals used the Indian domain name to lure visitors into making non-existent investments. They combined website squatting with email spoofing to create a believable persona that resembled a BlackRock employee but engaged purely in malicious activities.
Equifax
Sometimes, typosquatters latch onto famous data breaches to make their sites appear more convincing. Equifax is a great example of how this works.
In 2017, the credit rating company reported a data breach affecting 147 million American accounts and millions more worldwide. As part of compliance action, Equifax set up a website for victims to submit compensation requests and assess their exposure. However, the chosen name equifaxsecurity2017.com was perfectly designed for typosquatters.
A wave of Equifax phishing scams ensued, with criminals registering multiple domains that looked as legitimate as the actual landing page.
How to prevent typosquatting attacks?
We continue to rely on domain names to structure the web and host corporate sites. That won't change in the near future. Companies must actively deter and block typosquatters wherever possible. Here are some best practices to achieve that goal:
Adopt a proactive domain registration strategy
Companies should purchase existing typosquatted domains and ensure they redirect traffic to legitimate websites. If you have not already done so, register variations of your main website in other jurisdictions or top-level domains (for example, .cn and .net).
Registering related domains with hyphens or common alternate spellings is also advisable. Again, be sure to redirect traffic from those domains to your main website.
Organize take-downs of squatted domains
Companies should waste no time when dismantling typosquatted websites. Start by reporting suspicious domains to the registrar (you can usually discover the registrar with a basic WHOIS query).
The next step is invoking ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP). Victims submit cases via approved arbitrators such as the World Intellectual Property Organization (WIPO), which makes rulings and demands remedial action.
To succeed, you will need to prove that:
- The squatted domain name is confusingly similar to an existing trademarked website name.
- The holders of the squatted domain lack a legitimate reason to own it.
- The squatted domain is being used in bad faith (for example, cybersquatting, damaging a competitor, or stealing user data).
Domain holders have 20 days from commencement of the proceeding to file a response. If the holders cannot answer the above points, typosquatted domains typically revert to the legitimate owner, or WIPO orders their cancellation.
Take advantage of trademark monitoring
The Internet Corporation for Assigned Names and Numbers (ICANN) offers a valuable service known as the Trademark Clearinghouse. It authenticates trademark data and enables Sunrise and Claims services in the new gTLD space.
Registered brands can use the tool to identify domains that use trademarked terms. Users also benefit from sunrise periods. These periods provide a window to register sites when new top-level domains become available.
Threat intelligence services can also help you manage cybersquatting risks. For example, NordStellar monitors top-level domain registrations in real time to detect uses of related keywords.
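The techniques listed under "How does typosquatting work?" can be turned into a monitoring check for the kind of registration scanning described here. The Python sketch below is an added example, not code from the article or from any vendor it mentions. It assumes a feed of newly registered domain names is available, uses a naive split at the first dot, and its character table, function names and sample feed are constructed for illustration.

```python
# Added example: flag lookalike domains in a registration feed (defensive monitoring).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # minimal table (assumption)
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # US QWERTY letter rows (assumption)
ADJACENT = {(a, b) for row in ROWS for a, b in zip(row, row[1:])}
ADJACENT |= {(b, a) for a, b in ADJACENT}

def split_domain(domain):
    """Naive split at the first dot; assumes no subdomains, no public-suffix list."""
    label, _, suffix = domain.lower().rstrip(".").partition(".")
    return label, suffix

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand_domain):
    """Return the technique a candidate appears to use against brand_domain, or None."""
    brand, brand_tld = split_domain(brand_domain)
    label, tld = split_domain(candidate)
    if label == brand:
        return None if tld == brand_tld else "wrong-tld"
    if label.translate(HOMOGLYPHS) == brand.translate(HOMOGLYPHS):
        return "character-substitution"
    if brand in label.split("-") or label.replace("-", "") == brand.replace("-", ""):
        return "hyphenation"
    diffs = [(x, y) for x, y in zip(label, brand) if x != y]
    if len(label) == len(brand) and len(diffs) == 1 and diffs[0] in ADJACENT:
        return "adjacent-key"
    return "misspelling" if edit_distance(label, brand) <= 1 else None

def scan(feed, brand_domain):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    hits = {d: classify(d, brand_domain) for d in feed}
    return {d: reason for d, reason in hits.items() if reason}

# Constructed sample feed, built around the article's own examples.
FEED = ["amaz0n.com", "anazon.com", "amazon.co", "amazon-saleshelp.com",
        "amazzon.com", "amazon.com", "example.org"]

if __name__ == "__main__":
    for domain, reason in scan(FEED, "amazon.com").items():
        print(f"{domain:24} {reason}")
```

Flagged names are candidates for review, not proof of abuse; the reason label helps decide whether to register the variant defensively or start a take-down.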
Build trust with SSL certificates
SSL certificates don't prevent typosquatting. Instead, they send a signal to visitors that your website is secure and legitimate. This is because SSL/TLS certificates validate the website owner, proving they are who they claim to be. SSL also guarantees a secure, encrypted connection, which is why sites with SSL certificates add the "padlock" icon to browser navigation panels. Bear in mind that typosquatters can obtain domain-validated certificates for their own lookalike domains, so the padlock alone does not tell visitors which site is genuine.
Take action to manage typosquatting risks
Typosquatting exploits typing mistakes and phishing links to trick website visitors. In the most severe cases, typosquatters can steal user credentials, collect fraudulent payments, and deliver malware to unwitting users. Companies need strategies to monitor domain registrations and take down malicious sites before harm results.
