What is TLD squatting?
TLD squatting registers a brand's second-level domain under a different top-level domain, exploiting user confusion between .com and alternatives like .co, .cm, or new gTLDs. This guide covers commonly confused TLD pairs, ICANN's new gTLD program and its effect on abuse rates, ccTLD confusion campaigns, and detection strategies.
What it is
TLD squatting is a form of domain abuse where an attacker registers a legitimate brand's second-level domain label under a different top-level domain. If a company owns example.com, a TLD squatter might register example.co, example.cm, or example.shop to intercept traffic from users who mistype or misremember the TLD suffix.
The technique exploits a simple asymmetry: users tend to remember the brand name but are imprecise about the TLD. That imprecision has grown more consequential since ICANN's new gTLD program expanded the root zone from roughly 22 legacy TLDs to over 1,500 delegated extensions. TLD squatting falls within the broader lookalike domain taxonomy and overlaps with omission (.com to .co) and keyboard-proximity errors (.com to .cm).
The gTLD explosion
The root zone originally contained a handful of generic TLDs (.com, .net, .org, .info) alongside roughly 250 country-code TLDs. ICANN's new gTLD program changed that dramatically. Over 1,200 new gTLDs have been delegated, including extensions like .shop, .online, .app, .dev, .ai, and .zip.
The expansion widened the attack surface for TLD squatting in two ways. First, more extensions mean more plausible variants of any given brand label. Second, many new gTLDs launched with low registration fees to attract volume. Interisle Consulting's 2025 Phishing Landscape report found that the 27 TLDs with the highest proportion of abuse all had registration prices at or below $2. New gTLDs held roughly 12% of the global domain market yet accounted for 51% of maliciously registered phishing domains, with nearly 9 in 10 new-gTLD phishing domains classified as maliciously registered rather than compromised.
A second application round is expected, which will add further extensions to the root zone.
Commonly confused TLD pairs
Certain TLD pairs produce disproportionate misdirected traffic due to keyboard proximity, visual similarity, or habitual assumptions:
| Intended | Squatted | Mechanism |
|---|---|---|
| .com | .co | Single-character omission; .co is Colombia's ccTLD, also marketed as a generic alternative |
| .com | .cm | Adjacent keys on QWERTY; .cm is Cameroon's ccTLD |
| .com | .om | Missing initial c; .om is Oman's ccTLD |
| .com | .net, .org | Users default to .com when the actual site uses a different legacy TLD, or vice versa |
| .com | .zip | File-extension ambiguity; domains like report.zip mimic filenames |
| .org | .og | Missing r |
| .net | .ner | Adjacent-key substitution |
The .com-adjacent ccTLDs (.co, .cm, .om) receive the highest volume of accidental traffic. An analysis of seven billion anonymized DNS queries found that 0.2% targeted .cm, .co, or .om domains, translating to more than 7.5 million queries that were almost certainly intended for .com addresses.
ccTLD confusion campaigns
Three country-code TLDs have attracted particular attention from researchers and attackers.
Cameroon (.cm). The state-operated .cm registry gained notoriety by wildcarding its namespace: every unregistered .cm domain resolved to advertising landing pages, mirroring the approach VeriSign attempted with its SiteFinder service before ICANN intervened. Investigations found cases like espn.cm hosting 1,170 typosquatting domains on a single IP address, redirecting visitors to fake surveys and promotional scams.
Oman (.om). Security researchers identified a coordinated campaign involving over 330 malicious .om domains targeting brands including Netflix, Gmail, PayPal, Amazon, and Citibank. The domains distributed Genieo adware through fake Adobe Flash update prompts, modifying browser settings and injecting unwanted advertisements on both macOS and Windows. Oman's registration process at the time imposed minimal ownership verification, enabling bulk registration by a small group of operators.
Colombia (.co). When .co opened to worldwide registration, trademark holders raised concerns about .com confusion at scale. Major platforms (Google, Amazon, Twitter, Snapchat) pre-emptively secured short .co domains (g.co, a.co, t.co, s.co). Google now treats .co as a generic TLD for search-ranking purposes, acknowledging its international use, but the single-character distance from .com keeps it a persistent source of misdirected traffic.
File-extension TLDs
Google Registry's 2023 launch of .zip and .mov introduced a novel confusion vector. These extensions collide with ubiquitous file formats, allowing domains like microsoft-office.zip or report2023.zip to appear in contexts where users expect a downloadable file rather than a web address. Netcraft documented early phishing campaigns within weeks of .zip going live, targeting Microsoft, Google, and Okta login flows. The .zip case illustrates how new gTLDs can create confusion channels that did not exist in the legacy namespace.
Why TLD squatting works
Several factors sustain TLD squatting as a viable attack:
- Muscle memory. Frequent typists enter .com by reflex. Mobile keyboards amplify the problem; small touch targets and aggressive autocorrect increase the chance of selecting the wrong suffix.
- TLD proliferation. With over 1,500 active TLDs, users cannot reliably recall whether a service lives at .com, .io, .app, or .dev.
- Low registration cost. ICANN research found that each dollar reduction in registration fees corresponds to a 49% increase in malicious domain registrations. Bulk-registration APIs accelerate the effect, with some campaigns registering over 17,000 domains in under eight hours.
- Address-bar navigation. Users who type URLs directly, rather than relying on bookmarks or search results, are most exposed. This includes automated services, where background processes like NTP time sync and telemetry resolve domain names without human oversight.
Defensive registration
For TLD squatting specifically, defensive domain registration is more practical than for many other typosquatting categories because the highest-risk TLD variants are a bounded set. Most organizations should consider registering their primary brand label under:
- The most popular legacy gTLDs (.net, .org, .co, .io)
- The ccTLD for their primary market
- Known typo ccTLDs (.cm, .om)
- Industry-relevant new gTLDs (.app, .dev, .shop)
Exhaustive registration across all 1,500+ TLDs is impractical and expensive. But covering the commonly confused TLDs addresses the highest-traffic attack surface. The cost is modest relative to the reputational damage from a brand impersonation campaign running on a confusable TLD.
Detection and monitoring
Beyond defensive registration, TLD squatting detection relies on several complementary signals:
- TLD enumeration. Generating the brand label against all active TLDs and checking WHOIS or RDAP registration status surfaces existing squats.
- Certificate Transparency logs. A TLS certificate issued to a TLD variant indicates the operator intends to serve HTTPS content, likely for phishing or credential harvesting.
- DNS monitoring. Checking whether TLD variants resolve and what content they serve distinguishes parked domains from active threats.
- Takedown and UDRP. Domains that infringe trademarks can be challenged through ICANN's Uniform Domain-Name Dispute-Resolution Policy or the faster Uniform Rapid Suspension process, particularly when the squatter operates a phishing page or engages in brand impersonation. Enforcement options are detailed in the brand protection enforcement guide.
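The TLD-variant generation behind the confused-pairs table and the enumeration step above, as an added example (not Have I Been Squatted's code): it derives confusable TLDs by single-character omission, adjacent-key substitution and a curated list of habitually confused alternatives, then matches a monitored brand against a feed of observed hostnames. The QWERTY adjacency map, the alternative-TLD list and the sample feed are constructed here, and mechanism labels reflect this generator's model, so .cm is reported as an omission of the o.

```python
# Added example (not Have I Been Squatted's code): enumerate confusable TLD
# variants of a brand's TLD and flag matching hostnames in an observed feed.

# Partial QWERTY same-row neighbours; constructed, extend for other TLD alphabets.
QWERTY_ADJACENT = {
    "c": "xv", "o": "ip", "m": "n", "n": "bm", "e": "wr",
    "t": "ry", "r": "et", "g": "fh", "p": "o", "i": "uo",
}

# TLDs users habitually confuse with the legitimate one (no typing error involved).
ALTERNATIVE_TLDS = {"com": {"net", "org", "co", "zip", "mov", "io", "app", "dev", "shop"}}

def tld_variants(tld: str) -> dict:
    """Map each confusable TLD to the mechanism that derives it from `tld`."""
    variants = {}
    for i, ch in enumerate(tld):
        omitted = tld[:i] + tld[i + 1:]          # single-character omission: com -> om, cm, co
        if omitted:
            variants.setdefault(omitted, "omission")
        for nb in QWERTY_ADJACENT.get(ch, ""):  # adjacent-key substitution: net -> ner
            variants.setdefault(tld[:i] + nb + tld[i + 1:], "adjacent-key")
    for alt in ALTERNATIVE_TLDS.get(tld, ()):
        variants.setdefault(alt, "alternative-tld")
    return variants

def split_host(host: str) -> tuple:
    """Return (second-level label, tld) for a hostname, ignoring any subdomains."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else ("", "")

def find_tld_squats(brand_domain: str, observed: list) -> list:
    """Return (hostname, mechanism) for feed entries that squat the brand's label."""
    label, tld = split_host(brand_domain)
    variants = tld_variants(tld)
    hits = []
    for host in observed:
        h_label, h_tld = split_host(host)
        if h_label == label and h_tld != tld and h_tld in variants:
            hits.append((host, variants[h_tld]))
    return hits

# Constructed sample: names as they might appear in a CT-log or passive-DNS feed.
SAMPLE_FEED = ["example.com", "example.co", "login.example.cm", "example.om",
               "example.zip", "example.org", "examp1e.com", "other.co"]

if __name__ == "__main__":
    for host, mechanism in find_tld_squats("example.com", SAMPLE_FEED):
        print(f"{host:20} {mechanism}")
```

Label-level typos such as examp1e.com are deliberately left to the other permutation categories; this block only covers the TLD dimension.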
Have I Been Squatted includes TLD variants in its permutation set automatically, checking registration, DNS, and certificate status across commonly confused TLDs for every monitored domain. Combined with domain monitoring alerts, this surfaces new TLD squats before they can be weaponized for phishing or brand abuse.