What is transposition typosquatting?
Transposition typosquatting registers domains where two adjacent characters are swapped, mimicking one of the most common typing errors. This guide explains why transpositions occur, how they are enumerated, and their role in domain abuse.
What it is
Transposition typosquatting exploits one of the oldest recognized typing mistakes: pressing two adjacent characters in the wrong order. An attacker registers a domain that differs from a legitimate target only by having two neighboring letters swapped, such as googel.com instead of google.com. Because the resulting string contains all the correct characters, just slightly rearranged, the error is difficult to spot at a glance.
Common real-world transposition targets include:
| Original | Transposition | Characters swapped |
|---|---|---|
| google.com | googel.com | l and e |
| microsoft.com | mircosoft.com | c and r |
| facebook.com | faecbook.com | c and e |
| wikipedia.org | wikipedai.org | i and a |
| example.com | exmaple.com | a and m |
Unlike homoglyph or addition variants, transposition domains use exactly the same character set as the original. The only difference is sequence, making them both natural to produce and hard to catch when scanning a URL bar.
Why transpositions happen
Transposition errors originate from the temporal overlap between consecutive keystrokes. During fast typing, the brain dispatches motor signals for a sequence of keys in rapid succession. If the timing of two adjacent keystrokes drifts by even a few milliseconds, the second key registers before the first.
This effect is closely tied to rollover typing, a behavior where the next key is pressed before the previous key is fully released. Large-scale keystroke analysis (spanning over 136 million keystrokes from hundreds of thousands of volunteers) shows that rollover typing is surprisingly prevalent and correlates with higher typing speeds. The fastest typist groups exhibit the most rollover behavior, routinely overlapping keystrokes. That overlap is exactly the condition that produces transpositions when timing margins narrow.
Earlier experimental work classified 623 typing errors into two broad categories: spatial errors (striking an adjacent key) and temporal errors (striking the correct keys in the wrong order). Spatial errors were more common overall, but temporal errors, which include transpositions, represented a meaningful share and were associated with sequences typed at higher speed.
A separate keystroke-logging study classified 5,030 typing corrections across 2,103 transcription tasks. Substitution errors (hitting the wrong key entirely) accounted for 59% of corrections, while transpositions accounted for roughly 5%. That percentage is modest in isolation, but the resulting strings are unusually deceptive: every character is correct, only the ordering is wrong. For typosquatting purposes, that deceptiveness matters more than raw frequency.
Several factors increase transposition frequency:
- Typing speed. Higher words-per-minute rates compress the timing gap between keystrokes, increasing the chance that two adjacent signals overlap. The Aalto study found the average participant typed at 52 words per minute, with the fastest exceeding 120 WPM.
- Unfamiliar strings. Domain names that do not correspond to common English words lack the strong motor-memory patterns that prevent sequencing errors in practiced text.
- Mobile keyboards. Touch-screen input depends entirely on tap timing rather than physical key travel, and autocorrect systems may not flag transpositions that produce plausible character sequences.
- Character pairs typed by the same hand. Research indicates that letter pairs typed by different hands or different fingers are less prone to sequencing errors than pairs typed by the same hand, because independent motor pathways reduce timing interference.
Permutation count
For a label of n characters, exactly n - 1 adjacent-character swaps are possible. The google label (6 characters) has 5 candidate swaps, four of which produce a new string, since swapping the two o's leaves google unchanged; microsoft (9 characters) has 8. This is one of the smallest permutation categories, far fewer variants than omission, addition, or adjacent-key substitution.
The compact permutation space has a practical advantage, namely that the full set of transposition variants for any monitored domain can be enumerated exhaustively and checked against registration data. Have I Been Squatted's twistrs library includes transposition among its permutation algorithms alongside other typosquatting mutation types.
Not every transposition produces a registrable label. A swap that moves a hyphen to the first or last position violates DNS label rules, and swapping identical adjacent characters (the oo in google) yields no change. In practice, the usable set is slightly smaller than the theoretical n - 1.
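The enumeration described above, written out as an added example for this page (it is not code from twistrs or Have I Been Squatted). It generates the n - 1 candidate swaps for the registrable label, drops the swaps that reproduce the original because the neighbours are identical, and, with a simple LDH label check, drops any swap that pushes a hyphen to the edge of the label. The `transpositions` and `transposition_domains` names, and the sample domains, are my own choices for the illustration.

```python
"""Enumerate the adjacent-character transposition variants of a DNS label.

Added example for this article; not the twistrs implementation.
"""
import re

# LDH rule for a hostname label: letters, digits and hyphens only, 1-63 characters,
# and no hyphen in the first or last position.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_label(label: str) -> bool:
    """True if `label` satisfies the LDH hostname rules above."""
    return bool(LABEL_RE.match(label))


def transpositions(label: str, keep_invalid: bool = False) -> list[str]:
    """Return the adjacent-swap variants of `label`, excluding `label` itself.

    An n-character label has n - 1 candidate swap positions. Swapping two
    identical neighbours (the "oo" in "google") reproduces the original and is
    skipped. A swap that moves a hyphen to either end yields a label DNS will
    not accept; those are skipped too unless keep_invalid is set.
    """
    label = label.lower()
    variants: list[str] = []
    for i in range(len(label) - 1):
        if label[i] == label[i + 1]:
            continue  # identical neighbours: the swap changes nothing
        candidate = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        if not keep_invalid and not is_valid_label(candidate):
            continue  # e.g. "-xmen" from "x-men": hyphen at the edge
        variants.append(candidate)
    return variants


def transposition_domains(domain: str) -> list[str]:
    """Apply the swaps to the leftmost (registrable) label and keep the suffix fixed."""
    label, _, suffix = domain.lower().partition(".")
    return [f"{variant}.{suffix}" for variant in transpositions(label)]


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    for domain in ("google.com", "microsoft.com", "x-men.com"):
        variants = transposition_domains(domain)
        print(f"{domain}: {len(variants)} registrable variants -> {', '.join(variants)}")
```

Run against the examples in the table, google.com yields four registrable variants rather than the theoretical five, and microsoft.com yields all eight; the output list is what you would feed to WHOIS, RDAP, passive DNS and Certificate Transparency lookups.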
Real-world abuse patterns
Transposition domains attract traffic in two ways: accidental visits from users who mistype a URL, and deliberate use in phishing campaigns where the subtle letter swap helps a fraudulent link pass casual inspection.
Ad parking and traffic monetization. High-traffic domains generate a steady stream of accidental visits from transposition typos alone. Operators register variants like googel.com or faecbook.com and serve advertising, earning revenue from each misdirected visitor. Modern browsers increasingly include built-in typosquatting protection that warns users when a URL resembles a known site, reflecting that typo traffic is substantial enough to warrant client-side mitigation.
Phishing and credential harvesting. In a phishing email, the difference between paypal.com and payapl.com is easy to miss. Transposition domains are effective in brand impersonation because a quick visual scan confirms all the expected characters are present. Attackers pair these domains with cloned login pages and valid TLS certificates obtained through automated certificate authorities.
Combination with other techniques. Transposition is frequently combined with TLD squatting (registering the transposed label under a different extension) or combosquatting (appending a keyword to a transposed brand name). These layered approaches expand the attack surface beyond the base n - 1 set.
Malware distribution. Typo domains that start as parking or light monetization can later host drive-by malware or unwanted software if ownership or intent changes. The goggle.com case followed that arc: the domain sat quiet for years, distributed malware, and was only recovered by Google at auction roughly two decades after its initial registration. Transposition variants of major brands carry the same escalation risk: a domain initially used for ad revenue can be sold or repurposed for malware delivery at any point.
Detection and prioritization
Because the permutation count is small and the error type maps to a well-understood human behavior, transposition variants belong in the first tier of any domain monitoring program. Any transposition variant that is registered and resolving in DNS deserves prompt attention; these domains are among the most likely to receive genuine accidental traffic from real users.
Several signals help prioritize review:
- WHOIS and RDAP registration data. A newly registered transposition variant for a monitored brand warrants immediate investigation.
- Certificate Transparency logs. A transposition domain that obtains a TLS certificate is preparing to serve HTTPS content, possibly a phishing page or redirect. Parking services also request certificates automatically, so treat issuance as a trigger for a content check rather than as proof of intent.
- Passive and active DNS. A transposition domain that currently resolves, or that passive DNS shows to have resolved in the past, is configured to receive traffic, whether from accidental visits or targeted campaigns.
- Edit distance. Under plain Levenshtein distance a transposition costs 2 (one deletion plus one insertion, or two substitutions), the same as two unrelated typos. Under Damerau-Levenshtein distance, which counts an adjacent swap as a single edit, every transposition variant sits at distance 1 alongside omissions, additions, and single substitutions. Automated scoring should use the latter so that transposition candidates are not ranked below less plausible two-edit strings.
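The scoring caveat above, as an added example that is not part of the original page. It implements both distances and a strict "is this label exactly one adjacent swap away from the brand" test, then ranks a constructed batch of observed labels the way a monitoring pipeline would. The `triage` function, its tuple layout, and the sample labels are assumptions made for this illustration.

```python
"""Rank observed labels against a monitored brand with transposition-aware scoring.

Added example for this article. Demonstrates why Damerau-Levenshtein (optimal
string alignment) should be preferred over plain Levenshtein for typo triage.
"""


def levenshtein(a: str, b: str) -> int:
    """Classic Levenshtein: insert, delete and substitute cost 1 each, so a swap costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): an adjacent swap also costs 1."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition: the last two characters of each prefix are swapped.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def is_transposition(candidate: str, brand: str) -> bool:
    """True iff `candidate` is `brand` with exactly one pair of adjacent characters swapped."""
    if len(candidate) != len(brand) or candidate == brand:
        return False
    diff = [i for i, (x, y) in enumerate(zip(candidate, brand)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and candidate[diff[0]] == brand[diff[1]]
            and candidate[diff[1]] == brand[diff[0]])


def triage(brand: str, observed: list[str]) -> list[tuple[str, int, int, str]]:
    """Return (label, levenshtein, osa, kind) rows, closest under OSA first.

    Sorting on the OSA column keeps transpositions in the same tier as other
    single-keystroke errors; sorting on plain Levenshtein would push them behind.
    """
    rows = []
    for label in observed:
        kind = "transposition" if is_transposition(label, brand) else "other"
        rows.append((label, levenshtein(label, brand), osa_distance(label, brand), kind))
    rows.sort(key=lambda r: (r[2], r[1], r[0]))
    return rows


if __name__ == "__main__":
    # Constructed sample: labels as they might arrive from a CT-log or zone-file feed.
    seen = ["googel", "gogle", "goggle", "goolge", "gooogle", "goggel"]
    for label, lev, osa, kind in triage("google", seen):
        print(f"{label:9} levenshtein={lev} damerau={osa} {kind}")
```

In the sample run, googel and goolge score 2 under plain Levenshtein but 1 under the Damerau-Levenshtein column, which is what places them in the same review tier as the omission gogle and the addition gooogle.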
Defensive registration of transposition variants is practical given the small set size. For a 10-character label that is at most nine registrations, which costs less than a single incident response engagement. The calculus is straightforward for high-value brands. When abusive typo labels stay registered to third parties for years, some trademark owners eventually acquire them at auction rather than through litigation, a slower and more expensive path than catching the registration early.
Monitoring with Have I Been Squatted
Have I Been Squatted generates transposition permutations automatically for every monitored domain, alongside omission, bitsquatting, vowel swap, and other lookalike domain categories. Because the variant count is bounded and deterministic, each transposition can be checked against DNS resolution, WHOIS registration, and certificate issuance data without sampling or heuristics. For broader context on building a defensive program, see typosquatting protection.