Typosquatting, also known as URL hijacking or domain mimicry, weaponizes simple typing errors to redirect users to malicious domains that steal credentials, deliver malware, or damage brand reputation through deceptive look-alike websites. Attackers exploit human typing errors by registering domains that closely resemble legitimate websites.
How Typosquatting Works
The attack succeeds through three core mechanisms: domain registration, traffic capture, and malicious execution.
Attackers identify high-value targets and generate hundreds of potential typo variations using automated scripts. Common variation techniques include:
Character Substitutions: Replacing letters with visually similar characters (goggle.com instead of google.com, paypa1.com instead of paypal.com).
Character Omissions: Removing a letter from the legitimate domain (gogle.com instead of google.com).
Character Additions: Adding extra characters to the domain (amazom.com instead of amazon.com, paypall.com instead of paypal.com).
Transpositions: Swapping adjacent characters (payapl.com instead of paypal.com).
Wrong TLD: Using a different top-level domain extension (.co instead of .com, or .net instead of .org).
Attackers register deceptive domains through various registrars for minimal cost—often just a few dollars per domain—and configure DNS to direct mistyped URLs to attacker-controlled infrastructure.
Attack Payloads
Once visitors land on typosquatted sites, various attack mechanisms execute:
Credential Harvesting: Cloned login pages that perfectly mimic legitimate interfaces capture usernames and passwords, often with real-time credential validation to confirm the credentials are valid.
Drive-By Downloads: Malicious code that installs malware on visitor systems without requiring any user interaction.
Advertising Fraud: Typosquatted sites display advertisements, generating revenue from misdirected traffic without necessarily deploying malware.
Brandjacking: Damages brand reputation by associating the legitimate brand with fraudulent or offensive content.
Multi-Factor Authentication Bypass: Sophisticated typosquatting sites capture MFA codes in real time by proxying the authentication process.
Detection and Prevention
Organizations protect against typosquatting through proactive domain monitoring services, registering common misspellings of their own domains, certificate transparency monitoring for fraudulently issued certificates, and email security controls that detect links to look-alike domains.
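As an added example that is not part of the original article, the following Python shows the defender's side of both sections above: it generates the variant set for a protected brand domain using the five variation techniques listed (substitution, omission, addition, transposition, wrong TLD) and then flags look-alike hosts seen in mail-link or proxy logs. The confusable map, the alternate TLD list, the sample hosts and the function names are all constructed for illustration.

```python
# Added example (not from the original article): build the variant set a defender
# would monitor for a protected brand domain, then flag look-alike hosts seen in
# mail or proxy logs. The confusable map below is constructed and not exhaustive.
CONFUSABLES = {"l": "1i", "o": "0", "i": "l1", "1": "l", "0": "o", "a": "e", "e": "a", "g": "q"}
ALT_TLDS = ("com", "co", "net", "org")  # constructed, short list of commonly swapped TLDs


def typo_variants(domain: str) -> set[str]:
    """Return look-alike candidates for 'label.tld' using the five techniques
    named in the article: substitution, omission, addition, transposition, wrong TLD."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        # Character substitutions (visually similar characters, e.g. l -> 1)
        for sub in CONFUSABLES.get(ch, ""):
            out.add(f"{label[:i]}{sub}{label[i+1:]}.{tld}")
        # Character omissions (drop one letter)
        out.add(f"{label[:i]}{label[i+1:]}.{tld}")
        # Character additions (double one letter)
        out.add(f"{label[:i]}{ch}{ch}{label[i+1:]}.{tld}")
        # Transpositions (swap two adjacent letters)
        if i + 1 < len(label):
            out.add(f"{label[:i]}{label[i+1]}{ch}{label[i+2:]}.{tld}")
    # Wrong TLD (same label under another extension)
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{label}.{alt}")
    out.discard(domain.lower())  # the genuine domain is never a hit
    return out


def lookalike_hosts(hosts, protected):
    """Return (host, brand) pairs for hosts whose registrable domain is a
    monitored variant of any protected domain; subdomains are ignored."""
    watch = {v: p for p in protected for v in typo_variants(p)}
    hits = []
    for h in hosts:
        h = h.lower().rstrip(".")
        # Reduce 'login.paypa1.com' to its registrable domain 'paypa1.com'
        parts = h.split(".")
        base = ".".join(parts[-2:]) if len(parts) >= 2 else h
        if base in watch:
            hits.append((h, watch[base]))
    return hits


# Constructed sample: hosts extracted from links in inbound mail.
SAMPLE_HOSTS = ["www.paypal.com", "login.paypa1.com", "payapl.com", "gogle.com", "example.org"]
if __name__ == "__main__":
    for host, brand in lookalike_hosts(SAMPLE_HOSTS, ["paypal.com", "google.com"]):
        print(f"look-alike of {brand}: {host}")
```

The registrable-domain reduction takes the last two labels, which is enough for the .com-style domains in the example but would need a public-suffix list for TLDs such as .co.uk.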