Quick Links

One typing mistake and the typosquatters might catch you. It might sound like a cyberpunk thriller but it's a real cybersecurity threat. We explain what it is and how to protect yourself.

What is Typosquatting?

Typosquatting uses modified or misspelled domain names to trick users into visiting fraudulent websites. Threat actors have several different typosquatting techniques at their disposal. Of course, they all benefit the criminals and defraud someone else. That someone else might be website visitors or it might be the owners of the website.

At the heart of typosquatting is domain name registration. The threat actors register domain names that are very close to the real domain name they're impersonating, or they incorporate the genuine name and add elements to it. If a domain name isn't already registered, you can register it. It's that simple.

If it can be shown that the registration incorporates the name, product, or brand of another company and is likely to deceive the public or penalize the genuine organization, the ownership can be challenged. But that happens post-registration.

Typosquatting is different from cybersquatting. Cybersquatters register domains that they know or hope will be required in the future by other organizations. The domain names are not misspelled, adapted, or misleading. They're normal domain names for which the cybersquatters predict a forthcoming need.

For example, if they hear that a studio is adapting a book for the screen, they may register a domain in the name of the book. If the studio wants to create a website for its film, it'll find the name is already registered. They will have to haggle with the cybersquatter to buy it, or take legal action.

Sometimes this happens accidentally. A famous case involved an entrepreneur called Uzi Nissan. In the 1980s, he had several businesses named after himself. He registered the domain nissan.com in 1997, for his computer support company. After Datsun changed their name to Nissan they brought a case against Uzi Nissan, citing trademark infringement and brand dilution, and suing for $10 million. The legal wrangling ran on for eight years. It was finally settled 2007, in Mr. Nissan's favor---but fighting the case cost him $3 million. Nissan Motors currently uses the domain name nissanusa.com.

Typosquatting is classed as a form of social engineering because it relies on two human traits.

How Typosquatting Works

A typosquatting attack depends on one of two human traits. One is people mistyping a domain name. The other is people glance-reading a domain name and seeing what they expect to see.

Catching Typos

People mistype things, it's easy to do. Cybercriminals leverage that by registering domain names that are common misspellings of genuine domain names. Each person who mistypes the domain name in a way that matches your misspelled domain name will arrive at your website, not the genuine website. cybercriminals often register a whole range of domain names, capturing many variations in the spelling of the genuine domain name.

This trap works because unless the computer rejects what you've just typed, you don't know you've made a typing error. If you don't notice you've typed "amzon.com" instead of "amazon.com" and you're taken to a website that looks like the Amazon landing page, you're liable to believe you're on the real Amazon website.

There are many ways a typosquatting website can benefit typosquatters. It may:

  • Mimic a Login Page: It will harvest login credentials and other personal data.
  • Install Malicious Browser Extensions: It may install malicious extensions such as keyloggers or adware in your browser.
  • Download Malware: Malware such as remote access trojans or keyloggers might be installed on your computer.
  • Redirect Traffic to Competitors: People might be redirected to a competitor's website.
  • Affiliate Fraud: The bogus website may redirect traffic to websites with whom the typosquatters have an affiliate agreement. Websites that have affiliate schemes reward partners who send traffic to them. The typosquatters get paid a tiny amount each time they redirect someone to the affiliate website. They register a host of domain names each based on the genuine website domain name, with a different spelling mistake in it. Simply redirecting that to the genuine website earns the typosquatters some money.
  • Mimic Download Pages: Typosquatting websites may mimic download sites for software, such as open-source projects. The website visitors download tainted versions of software libraries and developer toolkits instead of the real thing. The fraudulent toolkits and libraries are used in the development of the victims' own products turning them into a distribution tool for the threat actors' trojans, malware, and backdoors.
  • Promote an Ideology: The typosquatting website may present the actual organization in an unfavorable, misleading, or embarrassing manner. This lends itself to hacktivism.
  • Extortion: The typosquatters may offer to sell the typosquatted domain name to the genuine domain name owner.

The other form of typosquatting involves registering domain names that are visually similar to the real domain name. These are used in links in phishing email campaigns.

The fake domain name must look like the genuine domain name, so it is constructed carefully to pass a quick glance. The types of trick used by typosquatters are:

  • Mimic Letters: Combining letters or digits to look like other letters. If you skim-read it, "rnicrosoft.com" looks like "microsoft.com", and "apqle.com" looks like "apple.com".
  • Insert Foreign Characters: This is a more subtle way to mimic letters, with the imposing name of IDN homograph attacks. Characters like the Greek letters alpha "α" and omega "ω" are difficult to spot in a typosquatting domain name.  If you didn't know in advance, these two links would probably not raise any suspicions:
    • cloudsαvvyit.com: That's not an "a" in "savvy."
    • hoωtogeek.com: That's not a "w" in "how."
  • Wrong TLD: The top-level domain might be wrong. Domain names like "cloudsavvyit.org" or "cloudsavvyit.net" are convincing because there are no funny characters and everything is spelled correctly.
  • Adding Words: Words related to the content of the genuine site can be used to mask typosquatting domain names: "technews-howtogeek.com."
  • Removing Letters: A domain name might be subtly trimmed so that it still looks like a feasible domain name: "cloudsavvy.com." The "it" is missing.
  • Add Periods: Adding periods to split the domain name is another easy modification that can fail to be spotted. Links are often underlined. This makes it more difficult to spot the inserted  periods: "cloud.savvyit.com."
  • Removing Periods: Registering a site like "wwwhowtogeek.com" can fool people into clicking a link> It has all the expected components, it's just missing a period.

These links are particularly effective in phishing campaigns because they pass one of the recommended tests. Staff are often told to hover their mouse pointer over a link in an email before clicking it. A tooltip or other on-screen notification will show them the destination of the link. If that matches the content of the email and the wording in the link, it is likely to be trusted.

Related: How a Password Manager Protects You From Phishing Scams

How To Protect Your Organization

You might already be a victim of typosquatting. You can use dnstwister.report to check.

You can preemptively register typosquatting domain names yourself to prevent others from being able to use those names against you.

Some internet service providers provide typosquatting protection as part of their services. if a user in your organization misspells a common domain name or clicks a look-a-like domain name in a link, they'll be blocked from connecting to the site. A warning page will tell them why.

Keep an eye on website traffic figures. If it suddenly dips, it might be an indicator that some of your traffic is being siphoned off to a typosquatting site.

Consider setting up and running your own in-house Domain Name System server.

Password managers will not offer to enter login credentials unless they are on the genuine domain. Typosquatting websites won't fool them into logging in.

Awareness is a large part of the solution too. Knowing these traps are out there helps you spot them, so don't forget to update your staff.