June 1st 2020
Registering a domain name takes only a few minutes and is inexpensive. While people and organizations are thankful for this, it has paved the way for typosquatting: the deliberate registration of domain names confusingly similar to ones owned by a brand, company, or person, or associated with a public initiative. Typosquatting has allowed threat actors to impersonate individuals and organizations and carry out different types of fraud, such as invoice and phishing scams and malicious copycat websites.
What Are Typo or Typosquatting Domains?
Typosquatting domains are Internet domain names that could confuse the average person about their legitimacy, origin, or purpose. They usually closely resemble other domain names that visitors or email users are familiar with, possibly creating a false sense of security and prompting them to share confidential information.
2 Characteristics of Typosquatting Domains
The Typosquatting Data Feed provides users with daily data files that capture bulk-registered domains that look highly similar to one another. To appear on the feed, a domain must meet the following two criteria:
Similar to at Least Two Other Domains
A domain can end up on the data feed if there are at least two other similar domains in the group. The domains can thus be mistaken for their lookalikes due to typos or misspellings. Examples from the May 21 typosquatting file are the three domains below.
Users who misplace the dash (-) can end up on a different website. That is why some organizations register multiple variants of their domains to prevent customers from accessing the wrong site. There are times, though, when threat actors or domain parkers beat them to it.
Registered on the Same Day
Same-day registration may indicate bulk registration, the act of registering multiple domains at once. Examples from the May 21 typosquatting feed file are 50 domain names (the first 10 of which are shown below) that use the top-level domain (TLD) .cam and variants of the string “emwahjjo.”
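The two feed criteria above, applied to a list of new registrations, as an added Python example that is not the data feed's own code: it groups domains by registration day and keeps clusters of three or more names linked by a small edit distance. The distance threshold, the function names, and the `.example` sample domains are assumptions constructed for illustration; the feed's actual similarity measure is not described here.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (domain, registration date); not feed data.
SAMPLE = [
    ("acme-pay.example", "2020-05-21"),
    ("acmepay.example", "2020-05-21"),
    ("acmep-ay.example", "2020-05-21"),      # misplaced dash
    ("acme-pays.example", "2020-05-20"),     # lookalike, but another day
    ("garden-tools.example", "2020-05-21"),
    ("gardentools.example", "2020-05-21"),   # only one lookalike: too few
]

def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_groups(records, max_distance=2, min_group=3):
    """Return (day, domains) groups registered on the same day in which each
    domain is linked to the others by edit distance <= max_distance (assumed)."""
    by_day = defaultdict(set)
    for domain, day in records:
        by_day[day].add(domain.lower().rstrip("."))
    groups = []
    for day, domains in sorted(by_day.items()):
        parent = {d: d for d in domains}     # union-find over one day's names
        def find(d):
            while parent[d] != d:
                parent[d] = parent[parent[d]]
                d = parent[d]
            return d
        for a, b in combinations(sorted(domains), 2):
            close = abs(len(a) - len(b)) <= max_distance
            if close and edit_distance(a, b) <= max_distance:
                parent[find(a)] = find(b)
        clusters = defaultdict(list)
        for d in domains:
            clusters[find(d)].append(d)
        groups += [(day, sorted(c)) for c in clusters.values() if len(c) >= min_group]
    return sorted(groups)
```

A brand owner can run the same grouping over newly observed registrations and review any cluster that contains a variant of its own name.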
3 Lists of Typosquatting Lookalike Domains and Websites
A glaring form of typosquatting is when a domain closely resembles one that belongs to a prominent organization. We saw these Instagram-inspired domain names from the typosquatting files on May 21:
Facebook and Netflix also had their share of typosquatting domains that include:
Some of the domains also mimic one of the most impersonated brands in the world, PayPal: