# What is addition typosquatting?
Addition typosquatting registers domains with an extra character inserted, exploiting double-tap errors, adjacent-key slips, and touch-screen imprecision. This guide explains how insertion variants are generated, how to measure their scale, and how to prioritize and monitor them.
## What it is
Addition typosquatting (also called insertion typosquatting) registers domain names that contain one extra character compared to the legitimate domain. The technique exploits typing errors where a user double-taps a key, clips an adjacent key alongside the intended one, or appends a trailing character. Because every legitimate character remains present and in order, the extra character can be difficult to spot on quick visual inspection.
Concrete examples:
| Legitimate domain | Addition variant | Pattern |
|---|---|---|
| google.com | gooogle.com | Repeated o |
| facebook.com | faceboook.com | Repeated o |
| amazon.com | aamazon.com | Leading duplication |
| twitter.com | twittter.com | Repeated t |
| paypal.com | paypall.com | Trailing duplication |
Addition sits alongside omission, transposition, and vowel swap as one of the core keyboard-error permutation categories. Have I Been Squatted's twistrs library further subdivides the category into insertion (an extra character placed between existing characters), repetition (doubling an existing character), and addition proper (a character appended or prepended to the label).
## How insertion errors happen
Insertion errors stem from predictable keyboard behaviors:
- Double-tapping. The finger presses the same key twice when only one press was intended. This is especially common with letters that are frequently doubled in natural language (`l`, `s`, `t`, `o`), because muscle memory is primed for the double stroke.
- Adjacent-key contact. The finger strikes the intended key but also clips a neighboring key, inserting an extra character. On a QWERTY layout, typing `a` may also register `s`; typing `n` may also register `m`. Adjacent-key errors vary by keyboard layout, with AZERTY and QWERTZ keyboards producing different insertion sets than QWERTY, and attackers have been observed registering layout-specific variants accordingly.
- Trailing characters. After completing the domain, the typist's finger hits an additional key before pressing Enter. This is especially common on mobile, where the spacebar and surrounding keys are close to the letter row.
- Touch-screen imprecision. On mobile devices, the absence of physical key boundaries increases accidental multi-key contact. Large-scale mobile typing studies measuring tens of thousands of participants report an average uncorrected error rate of roughly 2.3%, with insertion being one of the four primary error types alongside omission, substitution, and transposition.
## Permutation count and scale
For a domain label of n characters, insertion can occur at n + 1 positions (before each character and after the last). If the insertion draws from 36 valid DNS label characters (a–z, 0–9), this produces up to (n + 1) × 36 raw variants.
Repetition (doubling an existing character) is a strict subset, producing exactly n variants for a label of length n. These repetition variants tend to be more dangerous than arbitrary insertions because doubled characters look natural, especially in domains that already contain repeated letters (google, twitter, apple).
An analysis of over 3.3 billion DNS records found that more than 2.3 million potential typosquatting names across eight permutation categories were registered and resolving to IP addresses. Insertion and repetition variants constituted a meaningful fraction of those registrations. Separately, security researchers have found that 86% of all possible single-character typosquatting variants for Apple, 83% for Google, and 81% for Facebook have been registered, leaving very few insertion slots unclaimed for the most popular brands.
## Risk profile
Addition variants carry moderate risk compared to omission and transposition. The extra character makes the domain slightly longer than expected, which is somewhat more visible than a missing or swapped character. Two factors elevate the risk:
- Repetition variants blend in. A doubled letter in `gooogle.com` is harder to catch than an adjacent-key insertion like `gokgle.com`, because the human eye is accustomed to seeing repeated characters in English words. Domains that already contain natural doubles (`apple`, `google`, `twitter`) are particularly vulnerable.
- Volume compensates for lower per-variant traffic. While each individual insertion variant captures less traffic than a top omission variant, the sheer number of possible insertions creates a wide net. Attackers often register dozens of insertion variants for a single target, frequently layering in keyword squatting and TLD squatting to expand coverage further. Bulk-registration enforcement cases are documented in detail elsewhere.
For defensive planning, insertion variants typically rank below omission and transposition in registration priority, but repetition variants (doubled characters) deserve closer attention, particularly for brands with naturally repeating letters.
## Detection and monitoring
Insertion variants can be enumerated systematically by generating all single-character insertions at each position in the domain label, optionally filtered by keyboard adjacency, and appending the repetition set. The resulting list is larger than bitsquatting permutations but still tractable for automated monitoring.
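The enumeration just described, and the (n + 1) × 36 count from the permutation section, as an added Python example that is not the guide's own code nor part of the twistrs library; the QWERTY adjacency map is a constructed approximation that ignores row stagger and the digit row.

```python
from typing import Dict, List, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # the 36 valid DNS label characters
# Constructed QWERTY adjacency for the three letter rows: an approximation for
# illustration that ignores row stagger and the digit row.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def build_adjacency(rows: List[str] = QWERTY_ROWS) -> Dict[str, Set[str]]:
    """Map each key to its left/right neighbours and the keys above and below it."""
    adjacent: Dict[str, Set[str]] = {}
    for r, row in enumerate(rows):
        for i, key in enumerate(row):
            near = {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
            for rr in (r - 1, r + 1):
                if 0 <= rr < len(rows):
                    near |= {rows[rr][j] for j in (i - 1, i, i + 1) if 0 <= j < len(rows[rr])}
            adjacent[key] = near
    return adjacent

ADJACENT = build_adjacency()

def raw_insertion_count(label: str) -> int:
    """The (n + 1) x 36 upper bound from the text, before de-duplication."""
    return (len(label) + 1) * len(ALPHABET)

def insertion_variants(label: str) -> Set[str]:
    """One extra character at any of the n + 1 positions. Inserting a character beside
    an identical one gives the same string, so the set holds (n + 1) * 36 - n entries."""
    return {label[:i] + c + label[i:] for i in range(len(label) + 1) for c in ALPHABET}

def repetition_variants(label: str) -> List[str]:
    """Double each existing character: exactly n strings, with duplicates when a
    letter already repeats (doubling either 'o' of google yields gooogle)."""
    return [label[:i] + label[i] + label[i:] for i in range(len(label))]

def keyboard_insertion_variants(label: str, adjacent: Dict[str, Set[str]] = ADJACENT) -> Set[str]:
    """Adjacent-key slips only: the extra character must neighbour the key typed just
    before or just after the insertion point. The repetition set is appended on top."""
    out: Set[str] = set()
    for i in range(len(label) + 1):
        candidates: Set[str] = set()
        if i > 0:
            candidates |= adjacent.get(label[i - 1], set())
        if i < len(label):
            candidates |= adjacent.get(label[i], set())
        out |= {label[:i] + c + label[i:] for c in candidates}
    return out | set(repetition_variants(label))
```

The adjacency-filtered set is the one to feed into registration, CT-log and passive-DNS checks first; the full set is the fallback when monitoring budget allows.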
Useful detection signals include:
- WHOIS and RDAP registration data. New registrations matching known insertion permutations surface potential abuse early.
- Certificate Transparency logs. An insertion variant that obtains a TLS certificate is likely preparing to serve HTTPS content, impersonate a login page, or intercept encrypted traffic.
- Passive DNS resolution data. Active resolution for an insertion domain confirms it is in use and warrants further investigation.
- HTTP and content analysis. Comparing the served page against the legitimate domain (via fuzzy hashing or screenshot comparison) helps distinguish phishing clones from parked or defensive registrations.
- Domain monitoring feeds. Continuous zone-file and CT-log monitoring catches registrations before they attract significant traffic.
Combining insertion monitoring with brand protection enforcement processes, such as UDRP complaints and registrar abuse reports, allows organizations to take down malicious insertion variants before they cause material harm.
Have I Been Squatted generates insertion and repetition permutations as part of its standard monitoring set, alongside omission, transposition, homoglyph, and many other lookalike domain categories. For each monitored domain, the platform enumerates all plausible insertion variants, checks registration status, and enriches registered domains with DNS, HTTP, RDAP, and certificate data to surface active threats. This proactive permutation-based approach catches insertion squats that passive feed-only monitoring would miss.