What is omission typosquatting?
Omission typosquatting registers domain names missing a single character from a legitimate domain. This guide explains why skipped-key errors are among the most common typing mistakes, which characters are most vulnerable to omission, and how to detect and defend against these high-risk permutations.
8 min read
What it is#
Omission typosquatting registers domain names that are missing a single character compared to a legitimate domain. The technique exploits one of the most frequent keyboard errors: the skipped key, where a finger fails to press hard enough, moves past a key too quickly, or loses a keystroke in the transition between characters. The resulting domain is one character shorter than the original, but every other letter remains in sequence, making the difference difficult to spot at a glance.
Examples include:
| Legitimate domain | Omission variant | Pattern |
|---|---|---|
google.com | gogle.com | One o dropped from the doubled pair |
facebook.com | facebok.com | One o dropped |
amazon.com | amzon.com | Interior a skipped |
twitter.com | twiter.com | One t dropped from the doubled pair |
microsoft.com | micosoft.com | r skipped between two consonants |
Because every remaining character stays in its expected position, omission variants pass the visual plausibility test more reliably than transposition or addition variants, where letter order or length changes can occasionally catch a reader's eye.
Why omission errors are so common#
Typing research classifies character-level errors into several categories: adjacent-key substitution, skipped key (omission), doubled key, transposition, and hand confusion. Large-scale keystroke studies (spanning hundreds of millions of keystrokes across tens of thousands of participants) show that while adjacent-key substitutions dominate overall error counts on physical keyboards, omission errors rise sharply on touchscreens, where the absence of physical key travel makes it harder to confirm that a press registered. Mobile typing studies report an average uncorrected error rate of roughly 2.3%, with omissions accounting for a significant share of those mistakes.
Several factors make omission errors particularly relevant to domain abuse:
- Easy to mistype on mobile. Virtual keyboards, small targets, and fast one-handed use make missed taps common, and a tap that does not register produces no character rather than the wrong one. With the majority of web traffic now originating from mobile devices, this error mode affects a large share of direct-navigation attempts.
- Doubled letters are especially vulnerable. Characters that appear consecutively, like the
ooingoogleor thettintwitter, create a specific failure mode: the typist believes the key was pressed twice when it registered only once. The cognitive expectation of a repeated motion masks the missing keypress. - URL bars lack autocorrect. Mobile autocorrect systems catch many spelling errors in prose, but browser URL bars typically do not apply autocorrect, leaving omission errors uncorrected. A skipped key in a domain name goes directly to DNS resolution.
- The error is involuntary. Unlike a spelling mistake, where a user might pause and reconsider, an omission error produces no conscious signal that something went wrong. The user has no awareness that a character was missed.
Which characters get omitted most often#
Not all positions in a domain name are equally vulnerable. Certain character patterns attract omission errors at higher rates:
Doubled letters are the highest-risk targets. When a domain contains consecutive identical characters (oo, tt, ll, ss, ee), dropping one copy produces a string that still looks plausible. gogle.com, twiter.com, aple.com, and boking.com all read naturally enough to avoid raising suspicion.
Interior consonant clusters are also prone to omission. Characters embedded in clusters of consonants, like the r in microsoft or the n in amazon, can be skipped without making the result unpronounceable. The surrounding consonants provide enough phonetic context to mask the gap.
Short function words within a domain sometimes lose characters. A domain like bestbuy can become bestby or bestbu, where the missing vowel is easy to overlook in a quick scan.
The risk is lower for characters at the very beginning or end of a domain label, where the absence is more visually apparent, and for vowels that are critical to pronunciation (removing the a from apple produces pple, which looks distinctly wrong).
Permutation count and enumeration#
For a domain label of n characters, there are exactly n possible single-character omissions. A 10-character domain produces 10 variants. When the label contains repeated adjacent characters, some omissions yield identical strings (removing either o from google produces the same gogle), so the unique variant count may be slightly lower.
This small, deterministic set contrasts sharply with categories like keyword squatting or combosquatting, where the variant space is effectively unbounded. The bounded nature of omission permutations makes them fully enumerable for any domain and practical to monitor at scale. See typosquatting permutations for how omission fits into the broader permutation landscape.
Risk profile#
Omission variants rank among the highest-risk typosquatting permutations for several reinforcing reasons:
- High base error rate. Skipped-key errors are one of the most frequent character-level mistakes, especially on mobile devices, which now generate the majority of web traffic.
- Strong visual similarity. A single missing character from an otherwise intact domain is difficult to notice, particularly in a browser's address bar or a hyperlink in an email, where users spend fractions of a second on visual verification.
- Pronounceability. Most omission variants remain pronounceable, which makes them effective in phishing campaigns where a lookalike domain must appear credible in both text and speech.
- Direct-navigation capture. Users who type URLs manually and miss a key are delivered directly to the omission domain, with no intermediary (like a search engine) to catch the error.
For high-traffic domains, omission variants can receive thousands of accidental visits per day, making them attractive for ad parking, affiliate fraud, and more targeted attacks like phishing and credential harvesting. Longitudinal measurement studies have found that 95% of the top 500 websites are actively targeted by typosquatters, with omission-based domains among the most commonly registered permutation types. Typosquatters frequently change monetization strategies over time, cycling between parked pages, affiliate redirects, and outright malicious content. Across the top .com sites, researchers have identified hundreds of thousands of active typosquatting domains, with over 80% supported by pay-per-click advertising networks that profit from misdirected traffic.
Omission variants are also effective as brand impersonation infrastructure. Because the domain reads almost identically to the original, it can anchor a convincing phishing page or serve as the sender domain in a spoofed email. Combined with a valid TLS certificate, an omission domain presents a surface that is difficult for both users and automated filters to distinguish from the real thing.
Omission and edit distance#
Every omission variant sits at a Levenshtein distance of exactly 1 from the original domain: one deletion transforms the legitimate label into the squatted one. This minimal edit distance is what makes omission variants so dangerous. Strings at distance 1 are the closest possible neighbors in the space of all domain labels, and human visual perception struggles to distinguish strings that differ by a single character, especially under time pressure.
Large-scale DNS measurement applying eight candidate-generation techniques to popular domain names has found over 2.3 million potential typosquatting names registered and resolving to IP addresses across a corpus of 3.3 billion DNS records. Single-character omission and adjacent-key substitution, both of which produce edit-distance-1 variants, account for a disproportionate share of registered squatting domains relative to techniques that produce higher edit distances.
The edit-distance-1 property also means omission variants are trivially confusable with the original in contexts beyond the browser. Email clients, messaging apps, and document viewers all render domain names in running text, where a single missing character is effectively invisible.
Detection and defense#
The deterministic nature of omission permutations makes them straightforward to monitor. Useful signals include:
- WHOIS and RDAP registration data. New registrations matching known omission variants indicate potential abuse.
- Certificate Transparency logs. An omission domain that obtains a TLS certificate is likely preparing to serve HTTPS content or intercept encrypted traffic.
- Passive DNS resolution data. Active resolution of omission variants can reveal whether they are receiving real traffic.
Because the variant count is small and fully predictable, defensive registration of high-risk omission domains is practical. For a typical domain, the entire omission set fits within a modest registration budget, and the high natural error rate ensures that registered omission domains do in fact capture real user traffic that would otherwise go to an attacker.
Any domain monitoring program should enumerate and continuously check omission variants as a baseline, layering additional permutation categories like transposition, homoglyphs, and TLD squatting on top for broader coverage.
Have I Been Squatted generates omission permutations for every monitored domain and checks them against registration, DNS resolution, and certificate data automatically. The bounded variant set means full coverage requires no sampling or prioritization; every possible omission is checked on every scan cycle alongside bitsquatting, addition, and other lookalike domain categories.
More from Typosquatting
View allIDN homograph attacks
IDN homograph attacks exploit visual similarity between characters in different Unicode scripts to create domains that appear identical to legitimate ones. This guide covers the technical mechanism, notable demonstrations, browser and registry defenses, and detection approaches.
Typosquatting examples
Documented real-world typosquatting incidents, from Google's typo-domain disputes to Fortune 500 email interception and supply-chain attacks on package managers. Each case illustrates a distinct attack category with dates, outcomes, and lessons.
Typosquatting permutations
Typosquatting permutation generation is the process of algorithmically enumerating all plausible misspellings and variations of a domain name. This guide explains the permutation categories, the tools that generate them, the combinatorial explosion problem, and how security teams prioritize the output.