What is keyword squatting?
Keyword squatting is the practice of registering domains that pair brand names with high-value keywords like login, secure, or support. This guide covers the technique's relationship to combosquatting, common keyword patterns observed in large-scale research, real-world campaign examples, and detection strategies.
What it is
Keyword squatting is a form of domain abuse where an attacker registers a domain that appends one or more high-value keywords to a brand name, a generic term, or both. Domains like paypal-login.com, microsoft-support-help.net, or crypto-wallet-download.com all fall into this category. The added keyword gives the domain a veneer of legitimacy or commercial relevance that a random misspelling would not.
Unlike other typosquatting permutation techniques, keyword squatting is semantic. The domain does not approximate an existing name through character substitution or omission; it constructs an entirely new string from meaningful components. When one of those components is a trademarked brand name, keyword squatting overlaps directly with combosquatting.
Common keyword patterns
Some of the most frequently observed keywords in combosquatting domains identified across global DNS traffic include:
- support
- com
- login
- help
- secure
- www
- account
- app
- verify
- service
These keywords share a common trait: they evoke trust or urgency. A domain containing "login" or "verify" implies the visitor must authenticate; "support" and "help" suggest an official assistance channel; "secure" signals safety. Attackers choose these terms deliberately because they align with high-stakes moments, such as account recovery, payment confirmation, or password reset, where victims are least likely to scrutinize the URL.
Hyphenation is a frequent structural feature. Hyphens allow attackers to keep the brand name visually distinct from the keyword (amazon-secure-login.com reads more convincingly than amazonsecurelogin.com). See hyphenation squatting for a closer look at how hyphens function as a permutation technique.
How it relates to combosquatting
A landmark longitudinal study analyzed over 468 billion DNS records across nearly six years. Key findings included:
- Scale. Combosquatting domains vastly outnumber typosquatting domains. Because any keyword can be prepended or appended to a brand name, the combinatorial space is effectively unbounded.
- Persistence. Nearly 60% of abusive combosquatting domains remained active for more than 1,000 days, suggesting that takedown efforts lag far behind registration rates.
- Attack diversity. The same domain registration pattern supports phishing, social engineering, affiliate abuse, trademark infringement, and advanced persistent threats.
The distinction between keyword squatting and combosquatting is largely one of framing. Combosquatting describes the structural technique (brand name plus keyword). Keyword squatting emphasizes the attacker's motive: choosing keywords that maximize traffic capture, search visibility, or social-engineering effectiveness. In practice, most brand-targeted keyword squats are combosquats, and the defenses are the same.
Detection challenges
Keyword squatting is harder to enumerate than character-level permutation techniques like bitsquatting or vowel swap. Those methods produce a bounded, deterministic set of variants from a known domain. Keyword squatting, by contrast, draws from an open vocabulary. The same brand can be combined with thousands of keywords in arbitrary order, with or without hyphens, across hundreds of TLDs. Exhaustive enumeration is impractical.
Effective detection therefore relies on pattern matching against newly registered domains rather than precomputed variant lists:
- Substring scanning. Monitoring newly registered domain feeds for brand-name substrings combined with high-risk keywords (the Akamai top-50 list provides a practical starting vocabulary).
- Certificate Transparency logs. A keyword-squatted domain that obtains a TLS certificate is almost certainly preparing to serve content, not just park the name.
- WHOIS and RDAP monitoring. Registration metadata (creation date, registrar, privacy shielding) helps distinguish opportunistic bulk registrations from legitimate domains.
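The substring-scanning approach described above, together with the keyword and hyphenation patterns from the earlier section, can be implemented as a small classifier run over a newly registered domain feed. The following is an added example, not code from Have I Been Squatted: it uses the page's own keyword list as its vocabulary, and the monitored brands, the allowlist of the brands' real domains, the two-label public suffixes, and the feed of registrations are all constructed for illustration (a real deployment would use the full Public Suffix List). It handles both hyphenated labels (paypal-login) and unhyphenated ones (amazonsecurelogin) by splitting around the brand and greedily segmenting the remainder into known keywords.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Vocabulary from the page's list of frequently observed combosquatting keywords.
HIGH_RISK_KEYWORDS = {
    "support", "com", "login", "help", "secure",
    "www", "account", "app", "verify", "service",
}
_KEYWORDS_LONGEST_FIRST = sorted(HIGH_RISK_KEYWORDS, key=len, reverse=True)

# Hypothetical monitoring configuration: brands to watch and the domains they own.
MONITORED_BRANDS = {"paypal", "microsoft", "amazon"}
ALLOWLIST = {"paypal.com", "microsoft.com", "amazon.com", "amazon.co.uk"}

# Minimal public-suffix table for this example (assumption: real code uses the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample of a newly registered domain feed.
NEW_REGISTRATIONS = [
    "paypal-login.com",
    "microsoft-support-help.net",
    "amazonsecurelogin.com",
    "paypal-com.net",
    "paypal.com",                # the brand's own domain, allowlisted
    "best-pizza-delivery.com",   # generic keywords, no protected mark
    "paypalgames.org",           # brand substring but no high-risk keyword
]


@dataclass
class Match:
    domain: str
    brand: str
    tokens: List[str]      # the label decomposed into brand, keywords, leftovers
    keywords: List[str]    # high-risk keywords found, in order of appearance
    hyphenated: bool


def registrable_label(domain: str) -> str:
    """Return the label directly below the public suffix ('paypal-login' for
    paypal-login.com, 'paypal-secure' for login.paypal-secure.co.uk)."""
    parts = domain.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(parts) <= suffix_len:
        return ""
    return parts[-suffix_len - 1]


def segment(chunk: str) -> List[str]:
    """Greedily split an unhyphenated chunk into known keywords, longest match
    first; anything unrecognised is kept as a single opaque token."""
    tokens: List[str] = []
    while chunk:
        for kw in _KEYWORDS_LONGEST_FIRST:
            if chunk.startswith(kw):
                tokens.append(kw)
                chunk = chunk[len(kw):]
                break
        else:
            tokens.append(chunk)
            break
    return tokens


def tokenize(label: str, brand: str) -> List[str]:
    """Split on hyphens, then split each piece around the brand name so that
    'amazonsecurelogin' yields ['amazon', 'secure', 'login']."""
    tokens: List[str] = []
    for piece in label.split("-"):
        if not piece:
            continue
        idx = piece.find(brand)
        if idx == -1:
            tokens.extend(segment(piece))
        else:
            tokens.extend(segment(piece[:idx]))
            tokens.append(brand)
            tokens.extend(segment(piece[idx + len(brand):]))
    return tokens


def classify(domain: str) -> Optional[Match]:
    """Flag a domain that combines a monitored brand with a high-risk keyword."""
    domain = domain.lower().strip(".")
    if domain in ALLOWLIST:
        return None
    label = registrable_label(domain)
    for brand in sorted(MONITORED_BRANDS):
        if brand not in label:
            continue
        tokens = tokenize(label, brand)
        keywords = [t for t in tokens if t in HIGH_RISK_KEYWORDS]
        if keywords:
            return Match(domain, brand, tokens, keywords, "-" in label)
    return None


def scan_feed(domains: Iterable[str]) -> List[Match]:
    """Run the classifier over a feed and keep only the hits."""
    return [m for m in (classify(d) for d in domains) if m is not None]


if __name__ == "__main__":
    for hit in scan_feed(NEW_REGISTRATIONS):
        print(f"{hit.domain}: brand={hit.brand} keywords={hit.keywords} "
              f"hyphenated={hit.hyphenated}")
```

Because the segmenter matches keyword prefixes, plural or suffixed forms such as paypal-accounts.com are still flagged (token "account" followed by the leftover "s"), while a brand paired with an unknown word (paypalgames.org) is not; the same allowlist check is what keeps the brand's own registrations out of the alert queue.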
Legal considerations
Generic keyword domains (best-pizza-delivery.com) are generally not actionable under trademark law because they contain no protected marks. The picture changes when a brand name appears: trademark holders can pursue UDRP complaints or action under the Anticybersquatting Consumer Protection Act (ACPA) if the registration demonstrates bad faith. See brand protection enforcement and brand protection strategy for more on legal remedies.
The combinatorial scale of keyword squatting makes defensive registration impractical as a primary defense. Unlike bitsquatting, where the variant set is small enough to register comprehensively, keyword squatting requires monitoring-first strategies supplemented by targeted takedowns.
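The contrast drawn here, a bounded bitsquat variant set against an open keyword space, can be made concrete by counting both. The following is an added example, not code from the page or from Have I Been Squatted: it enumerates the single-bit-flip variants of a label that remain valid hostname characters (the set a brand could defensively register), and computes, under stated assumptions, how many brand-plus-keyword combinations exist for a keyword vocabulary of a given size. The vocabulary size, maximum keyword count, and TLD count passed to the second function are illustrative parameters, not figures from the page.

```python
import string

# Characters a DNS label may contain; uppercase is case-folded by DNS, so a flip
# that only changes case does not produce a distinct name and is excluded here.
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_variants(label: str) -> set:
    """Every label reachable from `label` by flipping exactly one bit of one
    character, keeping only results that are still valid DNS labels."""
    variants = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in HOSTNAME_CHARS:
                continue
            candidate = label[:i] + flipped + label[i + 1:]
            if candidate[0] == "-" or candidate[-1] == "-":
                continue  # labels may not start or end with a hyphen
            variants.add(candidate)
    return variants


def permutations(n: int, k: int) -> int:
    """Number of ordered selections of k distinct items from n."""
    result = 1
    for j in range(k):
        result *= n - j
    return result


def keyword_space_size(vocab_size: int, max_keywords: int, tld_count: int) -> int:
    """Count brand-plus-keyword names under these assumptions: 1..max_keywords
    distinct keywords in any order, the brand inserted at any position in that
    sequence, each join either hyphenated or not, across tld_count TLDs."""
    total = 0
    for j in range(1, max_keywords + 1):
        orderings = permutations(vocab_size, j)
        brand_positions = j + 1
        hyphen_choices = 2 ** j
        total += orderings * brand_positions * hyphen_choices
    return total * tld_count


if __name__ == "__main__":
    bits = bitsquat_variants("paypal")
    print(f"bitsquat variants of 'paypal': {len(bits)} (registrable in bulk)")
    # Illustrative parameters: the page's 10 listed keywords, up to 3 per name, 1 TLD.
    print(f"keyword combinations (10 keywords, <=3 per name, 1 TLD): "
          f"{keyword_space_size(10, 3, 1)}")
```

With one TLD and the ten keywords listed on this page, the keyword space already exceeds the bitsquat set by orders of magnitude, and every additional keyword or TLD multiplies it further; that growth is why monitoring the registration feed, rather than pre-registering variants, is the workable primary defense.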
Monitoring with Have I Been Squatted
Have I Been Squatted scans newly registered domain feeds for brand-keyword combinations alongside common keyword patterns and character-level permutations. The platform applies domain threat intelligence signals, including registration metadata, certificate issuance, and DNS activity, to surface keyword-squatted domains that pose an active risk rather than generating unbounded false positives from the open keyword space.