UnveilTech

UnveilScan Blog


Typosquatting: how attackers register your-bank-typ0.com

Posted 2026-04-29 · 6 min read · DNS · brand-protection

Your customer types amazom.com instead of amazon.com. Or googel.com. Or paypa1.com with a digit one in place of the L. Attackers register these typo'd domains, obtain a TLS certificate (any ACME CA will issue a DV cert to whoever controls the domain), clone the visual identity of the legitimate site, and harvest credentials from whoever lands there.

Typosquatting is one of the oldest internet attacks. It's also one of the most reliable. Brand-protection vendors charge five-figure annual contracts to monitor it. Below are the mutation strategies that make up the attack surface, what to do when you find a live one, and a free monitoring approach.

The 6 mutation strategies

Strategy        Example (target: example.com)
Omission        exmple.com, exampl.com
Duplication     exaample.com, examplle.com
QWERTY typo     wxample.com (e→w), exqmple.com (a→q)
Transposition   exmaple.com, exampel.com
Homoglyph       exarnple.com (m→rn), examp1e.com (l→1)
TLD swap        example.co, example.org, example.com.co

The strategies compound: example.com yields on the order of 150 candidates per strategy once you include combinations (omit + transpose, and so on). Most are never registered. Some are.

Detection at scale

UnveilScan's typosquat checker generates the candidate list and resolves DNS for each:

  1. Generate ~50 high-likelihood candidates per apex. We don't try every permutation; we apply the strategies above with a depth-1 cap, i.e. one mutation per candidate, no compounds.
  2. Resolve A/AAAA for each. An answer means the domain is registered and pointed somewhere. No answer does not prove the opposite: a registered domain can have no address records at all (NS-only, or parked with just MX), so a candidate you care about is worth a second check via NS/SOA or RDAP.
  3. For each resolved candidate, enrich with MaxMind ASN + country to spot hosting that doesn't match where the brand actually lives.
  4. Cross-check against CT logs (crt.sh is the usual free search) for candidates that already have a TLS cert. Most weaponised typos do, because the phishing page needs HTTPS to look right.

Findings are emitted as INFO (registered, owner unknown) or LOW (registered, has a cert, and suspicious ASN/country). Severity stops at LOW: a look-alike domain is not automatically hostile (a domainer, an affiliate, or your own marketing team may own it), so the user has to investigate before anything escalates.
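A minimal version of that pipeline, added here as an illustration rather than UnveilScan's own code. The keyboard map, ASCII look-alike table and TLD list are small constructed subsets; `resolve` and `ct_has_cert` are the only network calls (the latter queries crt.sh, a public CT search service); `scan` takes stand-in resolver and lookup functions so it can run offline against constructed DNS answers.

```python
import json
import socket
import urllib.parse
import urllib.request

# Constructed lookup tables, an assumption of this example rather than a full dataset:
# letter neighbours on a QWERTY keyboard, ASCII look-alike substitutions, and a few TLDs.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh", "u": "yij",
    "i": "uok", "o": "ipl", "p": "o", "a": "qwsz", "s": "adwx", "d": "sfe", "f": "dgr",
    "g": "fht", "h": "gjy", "j": "hku", "k": "jli", "l": "ko", "z": "xa", "x": "zsc",
    "c": "xvd", "v": "cbf", "b": "vng", "n": "bmh", "m": "nj",
}
ASCII_HOMOGLYPHS = {"m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
                    "o": ["0"], "w": ["vv"], "cl": ["d"]}
SWAP_TLDS = ["co", "net", "org", "com.co"]


def omission(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def duplication(label):
    return {label[:i + 1] + label[i] + label[i + 1:] for i in range(len(label))}


def transposition(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def qwerty(label):
    return {label[:i] + alt + label[i + 1:]
            for i, ch in enumerate(label) for alt in QWERTY_NEIGHBOURS.get(ch, "")}


def homoglyph(label):
    out = set()
    for src, repls in ASCII_HOMOGLYPHS.items():
        pos = label.find(src)
        while pos != -1:
            out.update(label[:pos] + r + label[pos + len(src):] for r in repls)
            pos = label.find(src, pos + 1)
    return out


STRATEGIES = [("omission", omission), ("duplication", duplication),
              ("transposition", transposition), ("qwerty", qwerty), ("homoglyph", homoglyph)]


def candidates(apex):
    """Return {candidate_domain: strategy}. Depth 1: one mutation per candidate, no compounds."""
    label, tld = apex.lower().rsplit(".", 1)
    out = {}
    for name, fn in STRATEGIES:
        for mutant in sorted(fn(label)):
            if mutant != label:
                out.setdefault(f"{mutant}.{tld}", name)
    for alt in SWAP_TLDS:
        if alt != tld:
            out.setdefault(f"{label}.{alt}", "tld-swap")
    return out


def resolve(domain):
    """A/AAAA lookup. An answer proves registration; an empty answer does NOT prove the opposite."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})
    except socket.gaierror:
        return []


def ct_has_cert(domain):
    """True if crt.sh has logged any certificate for this exact name (network call)."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": domain, "output": "json"})
    try:
        with urllib.request.urlopen(url, timeout=20) as resp:
            return len(json.load(resp)) > 0
    except (OSError, ValueError):
        return False


def severity(ips, has_cert, suspicious_origin):
    """INFO for anything registered; LOW only when it also has a cert and an odd ASN/country."""
    if not ips:
        return None
    return "LOW" if has_cert and suspicious_origin else "INFO"


def scan(apex, resolver=resolve, cert_lookup=ct_has_cert, is_suspicious=lambda ips: False):
    """Probe every candidate; emit one finding per candidate that actually resolves."""
    findings = []
    for domain, strategy in candidates(apex).items():
        ips = resolver(domain)
        if not ips:
            continue
        cert = cert_lookup(domain)
        findings.append({"domain": domain, "strategy": strategy, "ips": ips, "cert": cert,
                         "severity": severity(ips, cert, is_suspicious(ips))})
    return findings


if __name__ == "__main__":
    # Offline demo with constructed DNS answers; pass resolve/ct_has_cert for a live run.
    fake_dns = {"examp1e.com": ["203.0.113.7"], "example.co": ["198.51.100.9"]}
    for f in scan("example.com", resolver=lambda d: fake_dns.get(d, []),
                  cert_lookup=lambda d: d == "examp1e.com",
                  is_suspicious=lambda ips: ips == ["203.0.113.7"]):
        print(f)
```

The ASN/country test is left as a callback because what counts as suspicious depends on the brand: a UK bank's customers have no business being sent to a bulletproof host in another region, but the same IP is unremarkable for a global retailer. Keep the `severity` function deliberately flat; anything above LOW needs a human to look at the page first.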

What to do when you find one

  1. Visit the site, carefully: from a sandboxed browser or a disposable VM, not from your corporate network. If it's an ad parking page from a domainer, low priority. If it's a clone of your login page, treat it as P0.
  2. File a UDRP complaint (or a URS complaint, which only applies to the newer gTLDs) with an ICANN-approved provider such as WIPO. The bar is that the domain is "confusingly similar" to your mark and was "registered and is being used in bad faith". Expect ~6-8 weeks and ~$1500-3000 USD in fees.
  3. Report to the registrar if the abuse is clear. Some registrars (Namecheap, Tucows) suspend within hours on a credible complaint.
  4. Report to Google Safe Browsing and Microsoft SmartScreen. Once flagged, Chrome, Firefox and Edge show a full-page red warning to anyone visiting.
  5. If it's a phishing variant of a financial brand, notify that institution's fraud team as well: they can get the URL blocked in the SMS-link and phishing feeds they subscribe to.

Prevention: pre-register the obvious typos

For widely targeted brands, the cheapest defence is to register the high-likelihood typos yourself and redirect them to the legit domain:

# Examples worth $20/year each for a "Bank XYZ"
bank-xyz.com   bankxyz.com   xyzbank.com
bank-xyz.net   bank-xyz.org  bank-xyz.co
bankxyz.online  bank-xyz.app  banksxyz.com

This is what large companies do — Google owns thousands of typo domains and redirects them. For mid-market brands, pre-registering 10-20 candidates costs ~$200/year and eliminates the most common typos.

The IDN homograph variant

Unicode labels that visually mimic ASCII: аpple.com (Cyrillic а followed by Latin pple) renders almost identically to apple.com in most fonts. On the wire it is Punycode, xn--pple-43d.com, so DNS and certificate issuance treat it as a completely unrelated name. Modern browsers show the xn-- form in the address bar when a label mixes scripts, but custom software (Slack, email clients) often renders the Unicode form as-is.

Our checker also probes a small set of common homograph candidates per apex. Coverage is partial but catches the most common attempts.
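The homograph side of the check, added here as an example and not UnveilScan's code: a small constructed table of Cyrillic letters that look like Latin ones (the real Unicode confusables list is much longer), a generator for the look-alike candidates, the Punycode round trip, and the two tests a client should apply before displaying a name as Unicode. Python's built-in `idna` codec implements IDNA 2003; the `idna` package on PyPI implements IDNA 2008 if you need that.

```python
import unicodedata

# Constructed confusables table, an assumption of this example: Cyrillic letters that render
# like Latin ones in most fonts. Unicode's confusables.txt is far larger than this.
CONFUSABLES = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440",
               "x": "\u0445", "y": "\u0443", "i": "\u0456", "j": "\u0458", "s": "\u0455"}
INVERSE = {v: k for k, v in CONFUSABLES.items()}
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN"}  # scripts we tell apart; digits/hyphen are neutral


def homograph_candidates(apex):
    """Every single-letter substitution plus the all-substituted form, as Unicode domains."""
    label, tld = apex.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(label):
        if ch in CONFUSABLES:
            out.add(label[:i] + CONFUSABLES[ch] + label[i + 1:] + "." + tld)
    full = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    if full != label:
        out.add(full + "." + tld)
    return out


def to_punycode(domain):
    """Wire form, what DNS and CT logs actually see."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain):
    return domain.encode("ascii").decode("idna")


def label_scripts(label):
    """Scripts present in a label, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label} & SCRIPTS


def skeleton(label):
    """Map confusables back onto the Latin letters they imitate."""
    return "".join(INVERSE.get(ch, ch) for ch in label)


def is_confusable(domain):
    """Flag a label that mixes scripts, or that is single-script but reads as a Latin word."""
    for label in domain.split("."):
        if len(label_scripts(label)) > 1:
            return True
        sk = skeleton(label)
        if sk != label and sk.isascii():
            return True
    return False


def display_name(domain):
    """What a careful client should render: Punycode when the name is confusable, else Unicode."""
    return to_punycode(domain) if is_confusable(domain) else domain


if __name__ == "__main__":
    for cand in sorted(homograph_candidates("apple.com")):
        print(f"{cand:12} -> {to_punycode(cand):22} show as: {display_name(cand)}")
```

The second test in `is_confusable` matters because a label written entirely in Cyrillic is not mixed-script, yet "соре" (all Cyrillic) still reads as "cope"; the mixed-script check alone would let it through. Run the candidates through the same DNS and CT probes as the ASCII ones, using the Punycode form.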

The continuous angle

A typo registered today doesn't matter much if you catch it tomorrow, so the point is to look regularly. Schedule an Extended scan (monthly at minimum; more often if your brand is phished frequently). New typosquat findings trigger an alert via email, webhook or Slack, so by the time the attacker has phishing infrastructure up you've already filed UDRP.

Detect typos targeting your brand

Extended scan generates the candidate list and probes DNS + CT for each.
