What Is Typosquatting?

Updated on November 20, 2025

Typosquatting, also known as URL hijacking or domain mimicry, is a cyberattack that targets users who mistype a website address. An attacker registers a domain name that is a common misspelling of a legitimate, trusted website. For example, they might register gogle.com to exploit users intending to visit google.com.

When a user makes a simple typographical error, or typo, they are unknowingly sent to the fraudulent, malicious site. This tactic is highly effective for phishing, distributing malware, and collecting user credentials. This guide will provide a technical overview of typosquatting for IT and security professionals.

Definition and Core Concepts

Typosquatting is the intentional registration of a misleading domain name designed to capitalize on user error. The fraudulent domain is typically used for malicious purposes, exploiting the trust a user has for the legitimate website. It is both a cybersecurity threat and a form of cyberpiracy that can lead to legal disputes over trademark infringement.

Foundational concepts:

  • Typographical Error (Typo): The human mistake that the attack capitalizes on, such as hitting an adjacent key, omitting a letter, or transposing letters.
  • Domain Mimicry: Registering domains that are visually or alphabetically similar to the target brand.
  • Malicious Redirect: The action of sending an unsuspecting user to a different, often harmful, website.
  • Phishing: The primary payload, where the fraudulent site replicates the appearance of the legitimate site to steal a user’s login credentials.

How It Works: Common Squatting Techniques

Attackers use several systematic methods to identify and register effective typosquatted domains. These techniques are designed to predict common user errors when typing a URL.

Omitting Letters

This technique involves registering domains that leave out a letter from the original brand name. For example, an attacker might register micrsoft.com to intercept traffic intended for microsoft.com.

Transposing Letters

Swapping the order of two adjacent letters is another common method. A user intending to visit microsoft.com might accidentally type microsfot.com, leading them to a malicious site.

Adjacent Key Errors (QWERTY Keyboard)

Attackers register domains based on common typing mistakes from a standard QWERTY keyboard layout. A user aiming for amazon.com might accidentally hit an adjacent key and type amzaon.com, which could be a typosquatted domain.

Adding the Wrong Suffix

This method involves using a different, less common Top-Level Domain (TLD) or a country-code TLD (ccTLD). For example, an attacker might register google.co instead of google.com to capture user traffic.

Homograph Attack

A homograph attack is a more advanced technique that uses characters from different alphabets that look visually identical. For instance, an attacker could use the Cyrillic ‘а’, which looks like the Latin ‘a’, to create a visually deceptive domain name.

Key Features and Components

Traffic Harvesting

Attackers can monetize the traffic intended for the legitimate site. This can be done through advertisements, affiliate links, or other revenue-generating schemes.

Low Cost, High Return

Registering a domain is relatively inexpensive. A successful phishing or malware distribution campaign, however, can yield a significant financial return for the attacker.

Reputation Theft

The fraudulent domain damages the reputation of the legitimate brand. It confuses customers and exposes them to security risks, eroding trust in the targeted organization.

Use Cases and Applications (Attacker Perspective)

Typosquatting is a stealthy method for initiating a compromise. Attackers use it for several malicious purposes.

Phishing for Credentials

The most common use case is hosting a fake login page that mimics a legitimate service like a bank, email provider, or cloud platform. When the user enters their username and password, the attacker captures these credentials for later use.

Malware Distribution

A typosquatted domain can be used to deliver malware to a visitor’s machine. This can occur through a drive-by download, which automatically initiates a download without user consent, or by tricking the user into installing a malicious program.

Ad Revenue Generation

Some attackers redirect users to a website filled with pay-per-click advertisements. This generates passive revenue for the attacker without directly compromising the user’s machine.

Domain Parking

In some cases, an attacker will register a misspelled domain and hold it. They may then attempt to sell the domain to the legitimate brand owner for a high price, effectively holding it for ransom.

Advantages and Trade-offs (Defense)

Advantages (Defense)

Brands can proactively monitor for and register common misspellings of their domain names to protect users. Domain monitoring services can also automatically detect newly registered domains that are similar to a company’s brand.

Trade-offs (Defense)

It is practically impossible to register every potential misspelling across all available TLDs. Attackers are constantly developing new variants, including complex homograph attacks, that are difficult to detect with simple text comparison.

Troubleshooting and Considerations (Defense)

Proactive Registration

Organizations should register the most common typographical variants of their domain names. These domains should be configured to immediately redirect all traffic to the correct, legitimate website.

Employee Training

Educate employees and customers to always verify the URL in the browser’s address bar, especially before entering sensitive information like login credentials. Training should cover how to spot common signs of a malicious website.

DNS Monitoring

Continuously monitor the global Domain Name System (DNS) registry for newly created domains that closely match the corporate brand. This allows for early detection and mitigation of potential threats.
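
One way to triage a feed of newly observed domains against the techniques described in "How It Works" is sketched below; it is an added example, not code from the original page. The brand list, the sample feed, the small confusables map and the approximate QWERTY adjacency test are all constructed for illustration, and the TLD is taken naively as the last label.

```python
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x"}  # constructed Cyrillic subset
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # QWERTY letter rows

def _adjacent(a, b):
    """Approximate test: is key b next to key a on a QWERTY layout?"""
    for r, row in enumerate(ROWS):
        i = row.find(a)
        if i >= 0:
            near = "".join(x[max(i - 1, 0):i + 2] for x in ROWS[max(r - 1, 0):r + 2])
            return a != b and b in near
    return False

def _to_unicode(domain):
    """Decode punycode (xn--) labels so homographs are compared as displayed."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable

def classify(candidate, brand):
    """Return the squatting technique that turns brand into candidate, or None."""
    cand = _to_unicode(candidate.strip().lower().rstrip("."))
    c_name, _, c_tld = cand.rpartition(".")
    b_name, _, b_tld = brand.lower().rpartition(".")
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in c_name)
    if skeleton != c_name and skeleton == b_name:
        return "homograph"
    if c_name == b_name:
        return "wrong-suffix" if c_tld != b_tld else None
    if c_tld != b_tld:
        return None
    if c_name in {b_name[:i] + b_name[i + 1:] for i in range(len(b_name))}:
        return "omitted-letter"
    if len(c_name) == len(b_name):
        d = [i for i in range(len(b_name)) if c_name[i] != b_name[i]]
        if len(d) == 2 and d[1] == d[0] + 1 and (
                c_name[d[0]], c_name[d[1]]) == (b_name[d[1]], b_name[d[0]]):
            return "transposed-letters"
        if len(d) == 1 and _adjacent(b_name[d[0]], c_name[d[0]]):
            return "adjacent-key"
    return None

BRANDS = ["google.com", "microsoft.com", "amazon.com"]  # assumed protected domains
OBSERVED = ["gogle.com", "microsfot.com", "amzaon.com", "amazpn.com",
            "google.co", "g\u043e\u043egle.com", "example.org"]  # constructed feed

def triage(domains, brands=BRANDS):
    """Return {domain: (brand, technique)} for domains that mimic a brand."""
    return {d: (b, t) for d in domains for b in brands if (t := classify(d, b))}
```

Because amzaon.com differs from amazon.com by two swapped neighbouring letters, the classifier reports it as a transposition. A production monitor would replace the confusables map with the full Unicode confusables data (UTS #39) and use a public-suffix list instead of the last-label split.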

Browser Security

Encourage the use of secure DNS settings and browser extensions that can flag potentially malicious or suspicious domain names. These tools can provide an additional layer of protection for users.

Key Terms Appendix

  • Phishing: A social engineering attack designed to steal user data, including login credentials and credit card numbers.
  • Domain Name System (DNS): The hierarchical and decentralized naming system used to identify computers, services, and other resources connected to the internet.
  • TLD (Top-Level Domain): The last segment of a domain name, or the part that follows the final dot (e.g., .com, .org, .net).
  • Homograph Attack: A form of visual typosquatting that uses similar-looking characters from different alphabets to create a deceptive domain name.
  • Drive-by Download: The unintentional download of a computer program, often malware, without the user’s consent.