Typosquatting

Typosquatting, also known as URL hijacking or a sting site, is a form of cybersquatting where threat actors register deliberately misspelled versions of popular, high-traffic websites. The practice exploits frequent typing errors made by internet users entering web addresses directly into a browser, routing them to fraudulent or malicious destinations without their knowledge.

Overview

The mechanics of typosquatting are straightforward. An attacker identifies a widely visited website, analyzes the spelling mistakes users commonly make when typing its URL, and registers one or more of those variants as active domains. A user who types "gogle.com" instead of "google.com," or who follows a link to a lookalike such as "paypa1.com" (the digit one standing in for a lowercase L) instead of "paypal.com," may land on a site that looks nearly identical to the original but is fully controlled by the attacker.

Research indicates that over one-fifth of all .com domain registrations are typo domains, and the number continues to grow. The proliferation of new top-level domains (TLDs) such as .xyz and .coffee has created hundreds of thousands of additional opportunities for typosquatters. In response, major corporations including Apple, Google, Facebook, and Microsoft have registered large portfolios of typographical variants of their own domains or blocked potential registrations through services managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

Common techniques

Typosquatters use several distinct methods to craft deceptive domains, often combining more than one technique at a time.

Character substitution replaces a letter with a neighbouring key on a standard keyboard, or with a visually similar character: "amazom.com" swaps the final "n" for the adjacent "m," and "paypa1.com" replaces the lowercase "l" with the digit "1." Character omission drops a letter entirely, producing addresses like "gogle.com," "facebok.com," or "youtbe.com." Character transposition reverses the order of two adjacent letters, mirroring a common typing error, such as "amazno.com."

Hyphen manipulation adds or removes a hyphen from a legitimate domain name. TLD substitution targets users who mistype the domain suffix, registering ".cm," ".co," or ".net" variants instead of ".com." A more sophisticated variant is the doppelganger domain, which omits the period separating a subdomain from the root, turning "mail.google.com" into "mailgoogle.com." Finally, combosquatting appends plausible-sounding words to a legitimate domain name, such as "amazon-support.com," without any spelling error.
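The following Python enumerates candidates for each of the techniques above, one technique per candidate. It is an added example written for this page, not the page's own code and not taken from any existing tool; the keyboard layout, the homoglyph table, the keyword list and the alternative TLDs are assumptions chosen for the demonstration, and the last label of a name is assumed to be the TLD. The same enumeration is what an attacker runs to build a registration list and what a brand owner runs to build a watchlist.

```python
"""Enumerate lookalike candidates for a domain, one technique at a time.
Added example, not code from the page or from any existing tool. The
keyboard layout, homoglyph table, keyword list and alternative TLDs are
assumptions chosen for the demonstration."""

QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumption: a few visually confusable replacements; real tables are far larger.
HOMOGLYPHS = {"l": ("1", "i"), "i": ("1", "l"), "o": ("0",),
              "s": ("5",), "m": ("rn",), "w": ("vv",)}


def keyboard_neighbours():
    """Map each letter to the keys beside it on a US QWERTY layout.
    Assumption: the key at the same index and its two neighbours in the
    rows above and below count as adjacent."""
    adjacent = {}
    for r, row in enumerate(QWERTY_ROWS):
        for i, ch in enumerate(row):
            near = set()
            for dr in (-1, 0, 1):
                rr = r + dr
                if not 0 <= rr < len(QWERTY_ROWS):
                    continue
                for di in (-1, 0, 1):
                    j = i + di
                    if (dr, di) != (0, 0) and 0 <= j < len(QWERTY_ROWS[rr]):
                        near.add(QWERTY_ROWS[rr][j])
            adjacent[ch] = near
    return adjacent


ADJACENT = keyboard_neighbours()


def variants(domain, keywords=("support", "login", "secure"),
             other_tlds=("cm", "co", "net", "org")):
    """Return {technique: sorted list of candidate domains} for `domain`.
    Assumption: the last label is the TLD (no multi-label suffixes such as
    co.uk) and each candidate applies exactly one technique."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("expected at least a name and a TLD")
    *subs, sld, tld = labels
    out = {k: set() for k in ("omission", "transposition", "substitution",
                              "homoglyph", "hyphenation", "tld",
                              "doppelganger", "combosquatting")}

    def make(label, suffix=tld):
        return ".".join(subs + [label, suffix])

    for i, ch in enumerate(sld):
        if len(sld) > 1:                      # never emit an empty label
            out["omission"].add(make(sld[:i] + sld[i + 1:]))
        for key in ADJACENT.get(ch, ()):
            out["substitution"].add(make(sld[:i] + key + sld[i + 1:]))
        for glyph in HOMOGLYPHS.get(ch, ()):
            out["homoglyph"].add(make(sld[:i] + glyph + sld[i + 1:]))
    for i in range(len(sld) - 1):
        if sld[i] != sld[i + 1]:              # swapping equal letters changes nothing
            out["transposition"].add(make(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:]))
    if "-" in sld:
        out["hyphenation"].add(make(sld.replace("-", "")))
    else:
        for i in range(1, len(sld)):
            out["hyphenation"].add(make(sld[:i] + "-" + sld[i:]))
    for alt in other_tlds:
        if alt != tld:
            out["tld"].add(make(sld, alt))
    host = subs + [sld]                       # doppelganger: drop one dot between labels
    for i in range(len(host) - 1):
        merged = host[:i] + [host[i] + host[i + 1]] + host[i + 2:]
        out["doppelganger"].add(".".join(merged + [tld]))
    for word in keywords:                     # combosquatting: no misspelling at all
        out["combosquatting"].add(make(f"{sld}-{word}"))
        out["combosquatting"].add(make(f"{sld}{word}"))

    for candidates in out.values():
        candidates.discard(domain.lower())
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for technique, names in variants("mail.google.com").items():
        print(f"{technique:15} {len(names):4}  e.g. {names[:3]}")
```

Attackers combine techniques, so a real list is the closure of feeding each output back in; the single-technique output here is already large enough to show why brand owners cannot defensively register everything and rely on monitoring instead. Resolving which candidates are actually registered is a separate DNS or WHOIS step not shown here.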

Motivations and financial incentives

The goals of typosquatters vary. Some register misspelled domains to sell back to the brand owner at a premium. Others monetize diverted traffic through advertising revenue by embedding high-density ad pages on otherwise empty sites. A third group uses affiliate links to redirect traffic back to the legitimate site while collecting referral commissions.

The most harmful operations use typosquatted domains as the foundation for phishing campaigns. These sites replicate the visual design, logos, fonts, and layouts of their targets to deceive users into entering login credentials, financial data, or personal information. Urgency-based language like "Your account has been compromised" pressures visitors to act quickly without verifying the URL.

Typosquatted domains are also used to harvest misdirected email. Carnegie Mellon University research documented that lookalike corporate domains receive significant volumes of misaddressed internal communications annually. Because the messages are sent by legitimate employees who simply mistyped the recipient address, the resulting leak of business intelligence and financial data does not trigger any security alert.

Scale and targeted brands

The scale of typosquatting activity is substantial. Between February and July 2024, Zscaler ThreatLabz analyzed over 30,000 lookalike domains across more than 500 of the most visited websites and found over 10,000 were actively malicious. Google was the most impersonated brand at 28.8% of detected phishing domains, followed by Microsoft at 23.6% and Amazon at 22.3%. Together, these three brands accounted for nearly three-quarters of all typosquatting-based phishing domains identified during that period.

High-profile real-world cases illustrate the range of targets. The domain "goggle.com" was a well-documented typosquatted version of Google that distributed drive-by malware and a rogue antivirus program called SpySheriff. The domain "yuube.com" redirected YouTube users to a page prompting them to install a malicious browser extension. In 2020, "jacqumus.com" was registered to impersonate French fashion brand Jacquemus and serve malware. The brand's legal team successfully reclaimed the domain. Financial institutions including Bank of America have also faced repeated typosquatting campaigns targeting their customers.

Typosquatting in blockchain and crypto

The threat extends beyond conventional web browsing. A 2024 peer-reviewed study provided the first large-scale measurement of typosquatting within blockchain-based naming systems, including the Ethereum Name Service, Unstoppable Domains, and ADAHandles. Researchers recorded thousands of cryptocurrency transactions mistakenly sent to squatting addresses, targeting popular domain names and identities tied to social media accounts. In these environments, errors are often irreversible since blockchain transactions cannot be recalled once confirmed.

Why typosquatting evades detection

Typosquatted domains present a specific detection problem for security infrastructure. Traditional URL filtering tools rely on reputation histories to flag malicious domains, and a freshly registered typosquatted domain has no history. DNS logs show nothing more than an ordinary user-initiated query. TLS certificates pass validation and display the browser's padlock, because a domain-validated certificate proves only that the applicant controls the domain, not who that applicant is. Nearly half of the phishing domains identified in the 2024 ThreatLabz study used free Let's Encrypt TLS certificates, so visitors saw a padlock rather than a "not secure" warning.

The attack cycle follows a predictable pattern. Attackers use algorithms to generate thousands of typographic variants of high-value domains, register those available, clone the visual identity of the target site, configure mail servers to capture misdirected email, and then wait. The entry barrier is low, and the attack scales easily.

Legal and regulatory framework

Several legal mechanisms exist to address typosquatting. In the United States, the Anticybersquatting Consumer Protection Act (ACPA) of 1999 contains provisions specifically targeting typosquatting, allowing trademark holders to pursue damages against bad-faith domain registrants. Under the Uniform Domain-Name Dispute-Resolution Policy (UDRP), which ICANN requires registrars of generic TLDs to follow and which approved providers such as the World Intellectual Property Organization (WIPO) adjudicate, a trademark holder can obtain transfer or cancellation of a domain by demonstrating three conditions: that the domain is identical or confusingly similar to their trademark, that the registrant has no rights or legitimate interests in it, and that it was registered and is being used in bad faith.

Not every use of a typographic domain variant is unlawful. Some domain owners register misspelled versions of their own addresses to redirect users to the correct site. Prior to the 2016 U.S. election, the registrar responsible for the ".vote" TLD created "state.vote" domains that redirected to official state voter registration pages, a defensive registration that was initially mistaken for a malicious operation.

Defensive strategies

Organizations can take several concrete steps to reduce exposure.

Defensive domain registration involves purchasing likely misspellings and alternate TLD variants of a brand's primary domain before attackers can. Monitoring services and tools such as DNSTwist, or threat intelligence feeds from providers like Recorded Future, can alert security teams to newly registered lookalike domains as they appear. Certificate transparency logs can surface TLS certificates issued for lookalike names, often a signal that malicious infrastructure is being assembled before the phishing page goes live.
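The matching step that such monitoring performs, applied to names as they arrive from a certificate transparency log or a new-registration feed, can be written in a few dozen lines. The Python below is an added example for this page, not the page's own code and not the logic of DNSTwist, Recorded Future or any other product; the brand list, the allowlist, the homoglyph folding table and the sample feed are constructed for the demonstration. It also illustrates the point made under "Why typosquatting evades detection": a name is flagged on its shape alone, since a brand-new domain has no reputation to consult.

```python
"""Classify newly observed domain names against a list of protected brands.
Added example, not the page's own or any vendor's code. The brand list,
allowlist, folding table and sample feed are constructed for the demo; a
real deployment would read names from a CT log or registration feed."""

BRANDS = ["google.com", "mail.google.com", "amazon.com",
          "paypal.com", "facebook.com"]
# Assumption: names the brand owner knows are legitimate despite containing
# a brand string, maintained to suppress recurring false positives.
ALLOWLIST = {"googleapis.com"}
# Fold confusable characters back to the letter they imitate (assumption).
FOLD = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"))

# Constructed sample feed: one name per observed certificate or registration.
FEED = [
    "google.com", "gogle.com", "amazno.com", "amazom.com", "paypa1.com",
    "amazon-support.com", "google.cm", "mailgoogle.com", "face-book.com",
    "googleapis.com", "login.google.com", "example.org",
]


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion,
    substitution or transposition of adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold(label):
    for src, dst in FOLD:
        label = label.replace(src, dst)
    return label


def split_domain(domain):
    """(subdomain labels, second-level label, tld); assumption: single-label TLD."""
    labels = domain.lower().strip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]


def classify(domain, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (brand, technique) if `domain` looks like a lookalike, else None."""
    domain = domain.lower().strip(".")
    if domain in brands or domain in allowlist:
        return None
    subs, sld, tld = split_domain(domain)
    # Doppelganger: the same characters as a brand host with a dot removed.
    dotless = "".join(subs + [sld, tld])
    for brand in brands:
        if dotless == brand.replace(".", ""):
            return brand, "doppelganger"
    folded = fold(sld)
    plain = folded.replace("-", "")
    seen = set()
    for brand in brands:
        _, bsld, btld = split_domain(brand)
        if (bsld, btld) in seen:              # several brand hosts share a registrable domain
            continue
        seen.add((bsld, btld))
        if plain == bsld:
            if sld == bsld and tld != btld:
                return brand, "tld_substitution"
            if "-" in sld:
                return brand, "hyphenation"
            if sld != bsld:
                return brand, "homoglyph"
            continue                          # a subdomain of the brand's own domain
        if osa_distance(folded, bsld) == 1:   # omission, transposition or substitution
            return brand, "typo"
        if len(bsld) >= 5 and bsld in plain:  # brand string plus extra words
            return brand, "combosquatting"
    return None


def scan(feed):
    """Run classify() over a feed; return [(domain, brand, technique), ...]."""
    hits = []
    for name in feed:
        result = classify(name)
        if result:
            hits.append((name, *result))
    return hits


if __name__ == "__main__":
    for name, brand, technique in scan(FEED):
        print(f"{name:22} -> {technique:16} (impersonates {brand})")
```

An edit distance of 1 is deliberately strict: it catches the single-error variants users actually type while keeping false positives on short brand names manageable, and the allowlist absorbs the legitimate names that contain a brand string. Anything flagged still needs a human or a sandbox to confirm that the site is hostile, since a defensive registration by the brand itself produces exactly the same shape.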

Email authentication protocols, including SPF, DKIM, and DMARC, stop attackers from spoofing a company's exact domain, but they do not cover a lookalike domain the attacker has registered and controls, since the attacker can publish valid records of their own for it. What they do allow is locking down the variants a company registers defensively so that nobody can ever send mail from them: an SPF record of "v=spf1 -all", a DMARC policy of "p=reject", and a null MX record on each one. Inbound filtering that flags senders from lookalike domains covers the variants the company does not own. DNS filtering platforms that perform behavioral analysis and reputation scoring on newly registered domains add a proactive layer of blocking before users encounter a malicious site.
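A small auditor for that lockdown, as an added example that is not the page's own code: it checks that a parked lookalike publishes only "v=spf1 -all", a DMARC "p=reject" policy and a null MX (RFC 7505), and that the real mail domain publishes SPF, an enforcing DMARC policy and a working MX. The `ZONE` dictionary is a constructed stand-in for live DNS answers (a real tool would query the TXT and MX records), and the domain names are reserved example names.

```python
"""Audit SPF, DMARC and MX records for a brand domain and its parked variants.
Added example, not the page's own code. ZONE is a constructed stand-in for
DNS lookups; names are reserved example domains."""

# Constructed records: "exmaple.com" is a defensively registered typo variant
# that was locked down, "examp1e.com" one that was registered and left open.
ZONE = {
    "example.com":        {"TXT": ["v=spf1 include:_spf.example.net -all"],
                           "MX": [(10, "mx1.example.com.")]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    "exmaple.com":        {"TXT": ["v=spf1 -all"], "MX": [(0, ".")]},
    "_dmarc.exmaple.com": {"TXT": ["v=DMARC1; p=reject"]},
    "examp1e.com":        {"TXT": ["v=spf1 ~all"], "MX": [(10, "mail.examp1e.com.")]},
    "_dmarc.examp1e.com": {"TXT": ["v=DMARC1; p=none"]},
}


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (the DMARC format) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(zone, name, rtype):
    """Stand-in for a DNS query: records of type rtype at name, or []."""
    return zone.get(name, {}).get(rtype, [])


def first_with_prefix(records, prefix):
    return next((r for r in records if r.lower().startswith(prefix)), None)


def audit(domain, zone, sends_mail):
    """Return a list of findings (empty when the domain is configured as expected).
    sends_mail=False means a parked lookalike: SPF '-all' only, DMARC reject,
    null MX. sends_mail=True means the real domain: SPF present, DMARC
    quarantine or reject, at least one MX."""
    findings = []
    spf = first_with_prefix(lookup(zone, domain, "TXT"), "v=spf1")
    dmarc = first_with_prefix(lookup(zone, "_dmarc." + domain, "TXT"), "v=dmarc1")
    mx = lookup(zone, domain, "MX")
    policy = parse_tags(dmarc).get("p", "none").lower() if dmarc else None

    if spf is None:
        findings.append("no SPF record")
    elif not sends_mail and spf.lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF permits senders: {spf!r}")
    if dmarc is None:
        findings.append("no DMARC record")
    elif not sends_mail and policy != "reject":
        findings.append(f"DMARC policy is {policy}, expected reject")
    elif sends_mail and policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy}, not enforcing")
    if sends_mail and not mx:
        findings.append("no MX record")
    if not sends_mail and mx != [(0, ".")]:
        findings.append("no null MX record (expected '0 .')")
    return findings


if __name__ == "__main__":
    for name, sends in (("example.com", True), ("exmaple.com", False),
                        ("examp1e.com", False)):
        print(name, audit(name, ZONE, sends) or "OK")
```

The split between "sends mail" and "parked" matters: the same null MX that correctly rejects all mail to a parked typo domain would cut off a domain that is supposed to receive it, so the auditor takes the intended role as input rather than guessing it from the records.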

For individual users, the most reliable habit is manually verifying the URL in the address bar before entering any credentials, particularly when arriving via an email link. Bookmarking frequently visited sites, rather than typing addresses each time, removes the opportunity for a typing error to redirect to a squatted domain. A password manager adds a further check: it autofills credentials only on the exact origin they were saved for, so a squatted domain receives nothing unless the user pastes the password in by hand.