To Err is Human. To Squat is Criminal.

Maliciously Misleading Domain Names are Everywhere Online

Typos are endemic – everyone makes them.  And attackers are betting on that tendency. Who knew that rendering the name of a company’s URL slightly differently would be an effective means to launch a potentially serious chain of events?  

Instead of, imagine someone keyed in and registered it as their own domain?  Anyone who made that easy mistake when sending an email to the typo’d URL or visiting the squatted website would find their message going somewhere other than where they had intended or, worse, their browsing session potentially interrupted by a malicious destination. Any information exchanged, pilfered or simply tracked could help enable more malicious attacks; the site visitor could become susceptible to misinformation, or the spoofed organization could become the easy victim of fraud.

What if the lookalike domain name was used in a phishing email, masquerading as the link to a legitimate website and encouraging the recipient to click on it?  For example, instead of, the name was rendered as, where the letter ‘o’ was replaced with a zero. How many people would notice the difference?  

That’s not just a theoretical conjecture; it’s an established tactic in the world of cybercrime.  It even has a name: Domain typo-squatting.  And its growth has spawned a lobbying group – The Coalition Against Domain Name Abuse, or CADNA – to advocate for new government regulations.  That’s because the practice of typosquatting is a lot more extensive than most people realize.  According to FairWinds Partners, an internet strategy consulting group, the top five misspellings of ‘’ each receive over three million visitors a year.  

The problem is compounded by the fact that most internet users access web sites through direct navigation – by manually keying in the address – rather than using search engines.  And there are cybersquatters ready and waiting for just about any keyboard error.  In the case of Apple’s iPhone, more than 20,000 registered domain names incorporate the word ‘iPhone’ and nearly 500 more are just a single character away from that name, many of which were registered to locations in China.  

One of the factors that makes misleading Internet users particularly easy for typosquatters is an artifact of the domain name registration process.  Domain names can be registered and dropped, risk-free and cost-free, within a five-day grace period.  That’s long enough to do significant damage.

In an experiment by the GodaiGroup back in 2011, researchers registered domain names similar to those of Fortune 500 companies and then sat back to see what happened.  Over six months, the knockoff addresses received more than 120,000 emails.  They included all sorts of sensitive information – trade secrets, business invoices, personal information of employees, network diagrams, usernames and passwords, as well as service requests.  

The damage created by typosquatting is real in terms of money, reputation, customer confidence and public safety.  That loss is difficult to quantify because reporting to authorities is inconsistent and, because those who have been taken in are reluctant to admit to their error, official records are also incomplete.  But CADNA estimates that it costs brand owners worldwide in excess of $1 billion a year.

Sadly, two segments of the population especially prone to those sorts of keyboarding errors are children and senior citizens.  Their innocent misspellings have been a bonanza to sexual predators, counterfeit drug vendors, and anyone wanting to plant malware into a victim’s computer. 

Earlier this year, a domain name gold rush took place following Facebook’s June 18 announcement that it planned to create a new digital currency, the Libra, and a digital wallet companion, the Calibra.  Immediately following the announcement, people scrambled to register a multitude of domain name permutations to help confuse users and to infringe as much as possible on the new trademarks.  The majority of those names are currently parked and without content, although some may never come to hold any because their squatters hope to make a profit from Facebook whenever it tries to buy the name back.  

That said, there are countermeasures available to identify and avoid typosquat scams.  For one thing, it’s become common practice for businesses to preemptively buy up all the relevant domain names, including offensive ones, so that they don’t fall into the wrong hands, and then redirect them to the official website.  

But there is no substitute for vigilance.  Keep an eye out for misspellings in domain names, strange redirects, and odd-looking letters or numbers.  Be skeptical about sharing personal and financial data; always confirm you’re on the website you intend to be on before handing over personal information.  If something seems broken or strange, that may be a red flag.  And finally, if it seems implausible or too good to be true, it probably is.  Stay ahead of the game by avoiding grand claims of easy money.
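The manual checks above (misspellings, names a single character away, a zero standing in for the letter 'o') can also be run automatically over domains seen in mail or proxy logs. The following is an added example, not part of the original article; the domain names are constructed samples, and inputs are assumed to be already reduced to registrable `label.tld` form.

```python
# Added example: classify observed domains against a list of protected ones.
# Constructed sample names; inputs assumed to be "label.tld" with no subdomains.
DIGIT_TWINS = str.maketrans("01357", "olest")

def skeleton(label):
    """Fold look-alike characters so visual twins compare equal."""
    return label.lower().translate(DIGIT_TWINS).replace("rn", "m")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute or adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposed neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(observed, protected):
    """Return (verdict, protected_domain_or_None) for one observed domain."""
    observed = observed.lower().rstrip(".")
    if observed in protected:
        return ("legitimate", observed)
    label, _, tld = observed.partition(".")
    for good in protected:
        good_label, _, good_tld = good.partition(".")
        if skeleton(label) == skeleton(good_label) and label != good_label:
            return ("homoglyph", good)      # e.g. zero standing in for 'o'
        if label == good_label and tld != good_tld:
            return ("tld-swap", good)       # right name, wrong suffix
        if tld == good_tld and edit_distance(label, good_label) == 1:
            return ("typo", good)           # one keystroke away
    return ("unrelated", None)

def scan(observed_domains, protected):
    """Keep only the suspicious entries from a batch of observed domains."""
    results = {d: classify(d, protected) for d in observed_domains}
    return {d: r for d, r in results.items()
            if r[0] not in ("legitimate", "unrelated")}

PROTECTED = ["example.com"]
SEEN = ["example.com", "examp1e.com", "exmaple.com", "exampl.com",
        "example.net", "weather.org"]
if __name__ == "__main__":
    for domain, result in scan(SEEN, PROTECTED).items():
        print(domain, result)
```

An edit distance of 1 on very short labels produces many false positives, so a minimum label length is a sensible addition before running this against real logs.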
