Typosquatting
A form of cybersquatting that relies on mistakes such as typographical errors made by Internet users when inputting a website address.
Detailed Definition
Typosquatting, also known as URL hijacking or fake URL, is a form of brand impersonation and cybersquatting targeting users who incorrectly type a website address into their web browser. Attackers register domains that look remarkably similar to popular, legitimate domains, betting that users will make common typos (e.g., example.com vs eaxmple.com).
Why It Matters
Typosquatting is highly dangerous as it forms the foundation for many credential harvesting and phishing attacks. By tricking users into believing they are on a legitimate site, attackers can steal login credentials, distribute malware, or solicit fraudulent payments while bypassing traditional security filters.
Real-World Examples of Typosquatting
An attacker registers 'microsoft-Iogin.com' (using a capital 'i' instead of a lowercase 'L'). They send an email to a company's employees stating their Office 365 password has expired. If an employee clicks the link, they are taken to a fake login page hosted on the typosquatted domain, where their credentials are stolen.
1. The .co vs .com Mistake
An attacker registers example.co and waits for users intending to go to example.com to accidentally miss the 'm'. The .co site is a perfect clone of the real site, designed to harvest login credentials.
2. The Key-proximity Typosquat
A threat actor registers 'gmeil.com' knowing that 'e' is adjacent to 'a' on a QWERTY keyboard. Users typing quickly will land on an ad-filled or malicious page.
Typosquatting Attack Lifecycle
Registration
Attacker registers a domain name that is visually similar to the target (e.g., go0gle.com). Defensively registering cousin domains mitigates the risk of them being weaponized.
Hosting
The attacker hosts a cloned login page or configures MX records to send emails from the squatted domain. Monitoring domain registrations helps spot lookalike domains before they are actively used.
Lure
The attacker distributes phishing links referencing the typo domain or waits for users to misspell the URL organically. Email gateways can flag unregistered or newly created domains to block these lures.
Deception
The victim lands on the malicious site, failing to notice the slight misspelling in the URL bar. Security awareness training reinforces the habit of inspecting sender addresses and links.
Harvest
The victim inputs their legitimate credentials into the fake site, granting the attacker account access. Using FIDO2 hardware tokens makes intercepted passwords useless to the attacker.
Best Practices
1. Register common misspellings of your organization's primary domain to prevent attackers from using them.
2. Implement DMARC enforcement to prevent these spoofed domains from passing authentication if they try to send emails.
3. Use web content filtering and DNS security to block access to known typosquatting domains.
4. Train employees to carefully inspect URLs before entering credentials, utilizing password managers that auto-fill only on verified domains.
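A small classifier for the lookalike-domain monitoring that the Hosting step and practice 3 describe, added here as an example (not code from the page): given a newly registered domain and the brand domain it resembles, it names which of the techniques discussed above produced it. The technique labels, the homoglyph table and the QWERTY layout are assumptions.

```python
from typing import Optional

# QWERTY rows, used to detect key-proximity typos (a neighbouring key hit by mistake).
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
_ADJACENT: dict[str, set[str]] = {}
for r, row in enumerate(_ROWS):
    for c, ch in enumerate(row):
        _ADJACENT[ch] = {
            _ROWS[r + dr][c + dc]
            for dr in (-1, 0, 1) for dc in (-1, 0, 1)
            if (dr or dc) and 0 <= r + dr < len(_ROWS) and 0 <= c + dc < len(_ROWS[r + dr])
        }

# Character pairs that look alike in a URL bar (assumed table); domains are case-insensitive,
# so the capital-I-for-lowercase-L trick from the page compares as 'i' vs 'l' here.
_HOMOGLYPHS = {frozenset(p) for p in (("0", "o"), ("1", "l"), ("i", "l"), ("5", "s"))}


def _split(domain: str) -> tuple[str, str]:
    """Return (second-level label, TLD) of a domain, lower-cased."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def classify_lookalike(candidate: str, legit: str) -> Optional[str]:
    """Name the typosquatting technique that turns `legit` into `candidate`, or None."""
    a, a_tld = _split(candidate)
    b, b_tld = _split(legit)
    if a == b:
        return None if a_tld == b_tld else "tld-variant"  # example.co vs example.com
    if a_tld != b_tld:
        return None  # both label and TLD differ: not a single-typo lookalike
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            i = diff[0]
            if frozenset((a[i], b[i])) in _HOMOGLYPHS:
                return "homoglyph"  # go0gle.com, goog1e.com, microsoft-Iogin.com
            if b[i] in _ADJACENT.get(a[i], set()):
                return "key-proximity"  # neighbouring key substituted
            return "substitution"
        if len(diff) == 2 and diff[1] == diff[0] + 1 and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]]:
            return "transposition"  # eaxmple.com
        return None
    if abs(len(a) - len(b)) == 1:
        longer, shorter = (a, b) if len(a) > len(b) else (b, a)
        if any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer))):
            return "omission" if longer is b else "insertion"  # gogle.com / goooogle.com
    return None
```

Feeding newly observed registrations through this against your own domain list gives a technique label that can drive the defensive registration and DNS-blocking practices above.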
Frequently Asked Questions
- How does typosquatting differ from domain spoofing?
- While domain spoofing tries to fake the exact legitimate domain (often in an email's 'From' address without authorization), typosquatting uses a genuinely registered but slightly altered domain name that looks like the legitimate one (e.g., goog1e.com).
- Can typosquatting be used for email attacks?
- Yes, attackers often set up MX records for typosquatted domains and send phishing emails from them. Because the domain is technically legitimate (they own it), these emails can easily pass SPF and DKIM checks, making them look authentic to email gateways.