What is Typosquatting?

Typosquatting is the deliberate registration of domain names that mimic a legitimate brand through typographical errors, character substitutions or visual variations (homoglyphs), with the goal of deceiving users into entering credentials, downloading malware, falling victim to fraud or being redirected to illegitimate content.

TL;DR

  • Variants include typing errors (gogle.com), homoglyphs (gооgle.com with Cyrillic), alternate TLDs (.io vs .com), hyphens, plurals and deceptive subdomains.
  • One of the most-used techniques for targeted phishing and brand fraud.
  • Effective detection requires continuous monitoring of Certificate Transparency logs, DNS records and new TLD zones.
  • Proactive defense: register obvious variants before malicious actors do (defensive registration).
  • Reactive defense: automated takedowns to registrars and hosting providers.

Typosquatting techniques

Typographical errors: omission, insertion, substitution or transposition of characters (microsft.com, gooogle.com, facebok.com).

Homoglyphs (visually identical characters): use of Unicode characters from other alphabets that look the same (Cyrillic а vs Latin a, Greek ο vs Latin o). Detectable through Punycode analysis.

TLD swapping: registering the same brand with an alternate TLD (legitimate on .com, attacker registers .net, .co, .io or another ccTLD).

Combosquatting: adding words to the domain (login-mybank.com, mybank-secure.com).

Bitsquatting: registering domains that differ from the target domain by a single flipped bit, so that requests corrupted by hardware memory errors resolve to the attacker's domain.

Subdomain squatting: placing genuine-looking labels as subdomains of an attacker-controlled domain (mybank.com.attacker.tk, where the registered domain is attacker.tk).

How typosquatting is detected automatically

Algorithmic generation: a brand protection platform generates all possible variants of the target domain (typing errors, substitutions, homoglyphs, common TLDs) and queries them against DNS repositories and WHOIS databases.

Certificate Transparency monitoring: every issued SSL/TLS certificate is published in public CT logs. Real-time monitoring of these logs makes it possible to detect new suspicious domains within minutes.

Content analysis: once a candidate domain is detected, content scraping identifies whether it copies logos, forms or text from the legitimate brand.

Risk scoring: combining factors (TLD, domain age, similarity, presence of login form, copied content) to prioritize response.
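
The following added example (not code from the original page or from any vendor's platform) labels newly observed hostnames, such as those seen in CT logs, with the technique from the list above that they match. The confusables table, the two-label registered-domain shortcut, the function names and the sample hostnames are assumptions constructed for illustration.

```python
# Assumption: hand-picked confusables (Cyrillic a, e, o; Greek omicron), not the full Unicode set.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u03bf": "o"}

def decode_label(label):
    """Turn an xn-- (Punycode) label back into Unicode; pass others through."""
    return label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label

def skeleton(label):
    """Replace look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def osa_distance(a, b):
    """Edit distance over omission, insertion, substitution, adjacent transposition."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def one_bit_apart(a, b):
    """True when a and b differ in one character by exactly one flipped bit."""
    x = [ord(p) ^ ord(q) for p, q in zip(a, b) if p != q]
    return len(a) == len(b) and len(x) == 1 and (x[0] & (x[0] - 1)) == 0

def classify(host, legit):
    """Return the technique `host` matches against domain `legit`, or None."""
    brand = legit.split(".")[0]
    labels = [decode_label(l) for l in host.lower().rstrip(".").split(".")]
    # Assumption: the registered domain is the last two labels (no public suffix list).
    if len(labels) < 2 or ".".join(labels[-2:]) == legit:
        return None  # malformed, or the legitimate domain / one of its subdomains
    name = labels[-2]
    if brand in labels[:-2]:
        return "subdomain"
    if name == brand:
        return "tld-swap"
    if skeleton(name) == brand:
        return "homoglyph"
    if one_bit_apart(name, brand):
        return "bitsquat"
    if osa_distance(name, brand) == 1:
        return "typo"
    return "combosquat" if brand in name else None

# Constructed sample of newly observed hostnames (for example from a CT log feed).
IDN = "xn--" + "g\u043e\u043egle".encode("punycode").decode("ascii") + ".com"
OBSERVED = ["gogle.com", "gooogle.com", IDN, "google.net", "goofle.com", "example.org"]
RESULTS = {h: classify(h, "google.com") for h in OBSERVED}
```

The labels returned here can feed the risk score as the similarity factor, alongside TLD, domain age and content signals.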

Defense strategy against typosquatting

Proactive defense: register the most obvious variants of the main domain — common typos, frequent TLDs (.com, .net, .co, .io and the ccTLDs relevant to your markets) and typical combosquats. Low cost, high return.

Continuous detection: a digital risk protection (DRP) platform must continuously monitor new registrations and certificate issuances that match patterns similar to your brand.

Fast takedown: when an active malicious domain is detected, file a takedown request with the registrar (a standard process for clear cases of trademark infringement and phishing) and with the hosting provider. Takedown times range from hours to days depending on jurisdiction.

Report to browser protection tools: Google Safe Browsing, Microsoft SmartScreen and similar. A reported domain becomes inaccessible for most users within hours.

Frequently asked questions

Is typosquatting legal?

Generally not, when a registered trademark is involved. Mechanisms like ICANN's UDRP (Uniform Domain-Name Dispute-Resolution Policy) allow a trademark holder to claim domains registered in bad faith. Additionally, each country's NIC (.ar, .cl, .mx, .es, .br, etc.) has its own procedures. A legal complaint and pressure on the registrar are the two primary paths.

How many typosquat domains exist for a large brand?

For internationally recognized brands, easily thousands. A brand protection platform focused on critical signals (not every typosquat is active — many are parked or third-party defensive) can reduce thousands of candidates to dozens of real threats requiring action.

How long does a typical typosquat domain takedown take?

For clear cases (active phishing replicating a registered brand), hours to 2-3 days with a cooperative registrar. For gray cases or uncooperative registrars, it can take weeks and require the legal route. Platforms with a dedicated human takedown team achieve significantly shorter times than purely automated workflows.

What do I do if I find an active typosquat of my brand stealing credentials?

Immediate steps:

  1) Capture evidence (screenshots, WHOIS, certificate, content).
  2) Report to the registrar and hosting provider (with phishing evidence).
  3) Report to Google Safe Browsing and Microsoft SmartScreen.
  4) Notify your communications and support teams in case customers ask.
  5) If a DRP platform is already active, all the above steps execute automatically in parallel.
