Typosquatting
Typosquatting exploits mistakes and visual similarity to register deceptive domains that impersonate trusted brands. Learn what typosquatting is, permutation techniques from homoglyphs to bitsquatting, detection, and protection strategies.
Start with essential reading for a fast overview, then move into deep dives and reference material as you need it.
Start with essentialsEssential reading
IDN homograph attacks
IDN homograph attacks exploit visual similarity between characters in different Unicode scripts to create domains that appear identical to legitimate ones. This guide covers the technical mechanism, notable demonstrations, browser and registry defenses, and detection approaches.
Typosquatting examples
Documented real-world typosquatting incidents, from Google's typo-domain disputes to Fortune 500 email interception and supply-chain attacks on package managers. Each case illustrates a distinct attack category with dates, outcomes, and lessons.
Typosquatting permutations
Typosquatting permutation generation is the process of algorithmically enumerating all plausible misspellings and variations of a domain name. This guide explains the permutation categories, the tools that generate them, the combinatorial explosion problem, and how security teams prioritize the output.
Typosquatting protection
A defense-in-depth approach to typosquatting, covering defensive domain registration, continuous monitoring, DNS-level blocking, email authentication, legal enforcement, and incident response. Includes cost/benefit analysis and an honest assessment of what scales and what does not.
What are homoglyphs?
Homoglyphs are characters from different scripts or encodings that look identical or nearly identical to each other. This guide explains Unicode confusable characters, the UTS #39 skeleton algorithm, browser defenses against homoglyph abuse, and detection strategies for identifying deceptive domain names.
What is typosquatting?
Typosquatting is the practice of registering domain names that resemble a target brand or popular site, usually through misspellings or other predictable permutations. It is often associated with mistyped URLs but commonly extends to lookalike domains used for phishing, advertising, and related abuse. This guide covers permutation categories, attacker motivations, scale, and legal frameworks.
Deep dives
Brand impersonation
Brand impersonation combines lookalike domains with cloned visual identity to deceive users at scale. This guide covers the domain techniques attackers use, the brands targeted most often, detection methods ranging from string similarity to computer vision, and strategies for response.
Lookalike domains
Lookalike domains are an umbrella category covering any domain designed to visually resemble a legitimate target, including typosquats, homoglyphs, combosquats, and TLD variants. This guide maps the full taxonomy, surveys detection techniques from edit distance to neural visual similarity, and outlines practical triage strategies.
Phishing domain detection
Phishing domain detection combines string similarity scoring, DNS and HTTP enrichment, Certificate Transparency monitoring, and machine learning classification to identify domains used in phishing campaigns. This guide covers the detection pipeline, key data sources, the timing gap between registration and weaponization, and the false positive challenges that shape operational triage.
What are internationalized domain names (IDNs)?
Internationalized Domain Names (IDNs) allow domain labels to contain non-ASCII characters, serving billions of users worldwide. This guide explains how IDNs work through the IDNA standard and Punycode encoding, and why they create security considerations around homograph attacks.
What is bitsquatting?
Bitsquatting exploits random single-bit errors in computer memory to redirect DNS queries to attacker-controlled domains. This guide explains the mechanism behind bit-flip domain hijacking, examines experimental evidence from multiple research campaigns, and covers detection strategies.
What is combosquatting?
Combosquatting appends or prepends keywords to a legitimate brand name to create deceptive domains like paypal-login.com or secure-amazon.com. This guide covers the research that quantified combosquatting at internet scale, explains why these domains persist far longer than typosquats, and outlines detection strategies.
What is keyword squatting?
Keyword squatting is the practice of registering domains that pair brand names with high-value keywords like login, secure, or support. This guide covers the technique's relationship to combosquatting, common keyword patterns observed in large-scale research, real-world campaign examples, and detection strategies.
What is Punycode?
Punycode is the ASCII-Compatible Encoding that allows Unicode characters in domain names. This guide explains how the Bootstring algorithm works, the xn-- prefix convention, browser display policies, and how attackers abuse Punycode to create deceptive lookalike domains.
What is TLD squatting?
TLD squatting registers a brand's second-level domain under a different top-level domain, exploiting user confusion between .com and alternatives like .co, .cm, or new gTLDs. This guide covers commonly confused TLD pairs, ICANN's new gTLD program and its effect on abuse rates, ccTLD confusion campaigns, and detection strategies.
Reference
What is addition typosquatting?
Addition typosquatting registers domains with an extra character inserted, exploiting double-tap errors, adjacent-key slips, and touch-screen imprecision. This guide explains how insertion variants are generated, how to measure their scale, and how to prioritize and monitor them.
What is hyphenation typosquatting?
Hyphenation typosquatting inserts or removes hyphens in a domain name to produce variants that resemble legitimate subservice or product names. This guide explains the DNS rules that govern hyphens, why hyphenated variants are unusually convincing, and how the technique overlaps with combosquatting.
What is omission typosquatting?
Omission typosquatting registers domain names missing a single character from a legitimate domain. This guide explains why skipped-key errors are among the most common typing mistakes, which characters are most vulnerable to omission, and how to detect and defend against these high-risk permutations.
What is transposition typosquatting?
Transposition typosquatting registers domains where two adjacent characters are swapped, mimicking one of the most common typing errors. This guide explains why transpositions occur, how they are enumerated, and their role in domain abuse.
What is vowel-swap typosquatting?
Vowel-swap typosquatting replaces vowels in a domain name with other vowels, producing variants that exploit spelling uncertainty, phonetic similarity, and the brain's tendency to prioritize consonants over vowels during reading. This guide covers the cognitive science behind the technique, its overlap with sound-squatting, and detection strategies.
Put what you learn into practice
Monitor typosquats, investigate infrastructure, and move from reading to detection with continuous domain coverage built for security teams.