Typosquatting: How Fake Domains Steal Your Credentials

Learn how typosquatting attacks steal employee credentials through fake domains and how to detect them before damage is done.

One wrong keystroke. That’s all it takes. An employee types ‘ofice.com’ instead of ‘office.com’ and lands on a perfect replica of the login page. They enter their credentials. Attackers now own their account.

Zscaler ThreatLabz analyzed over 30,000 lookalike domains in six months and found more than 10,000 were malicious. These weren’t sophisticated zero-days. They were simple typos exploited by attackers who registered domains that look almost identical to legitimate ones.

Typosquatting is embarrassingly effective. It bypasses email security, endpoint protection, and user training because it exploits human error, not technical vulnerabilities. Your employees are one mistyped URL away from handing over their credentials.

What Is Typosquatting?

The internet runs on trust. You type a URL, hit enter, and expect to land where you intended. Typosquatters exploit that trust.

The attack works because humans make predictable mistakes. We transpose letters. We miss keystrokes. We confuse similar-looking characters. Attackers know this and register domains that capture these errors.

How Do Typosquatting Attacks Work?

The attack lifecycle is deceptively simple. An attacker identifies a high-value target domain, generates hundreds of typo variations, registers the most promising ones, and drives victims to them through phishing emails, malicious ads, or social engineering.

Step 1: Target Selection

Attackers focus on domains with high traffic and valuable credentials. Banking sites, email providers, corporate portals, and e-commerce platforms top the list. Zscaler’s 2024 research found Google targeted in 28.8% of typosquatting attempts, Microsoft in 23.6%, and Amazon in 22.3%. These three brands account for nearly 75% of all typosquatting activity.

Step 2: Domain Generation

Tools like dnstwist generate thousands of domain permutations automatically. For a single target domain, these tools create variations using character substitution, transposition, missing letters, extra letters, and wrong TLDs. Dnstwist generates thousands of permutations for a typical corporate domain.

Step 3: Infrastructure Setup

Attackers register the most convincing domains and obtain SSL certificates to display the padlock icon that users associate with security. Nearly half of phishing domains use free Let’s Encrypt certificates, according to Zscaler’s analysis.

Step 4: Credential Harvesting

The fake site replicates the legitimate login page pixel-for-pixel. When users enter credentials, the site either captures them and displays an error message, or passes them through to the real site while logging them. Either way, attackers now have valid credentials.

This entire process costs attackers almost nothing but yields high-value credentials that sell for premium prices on dark web markets.

What Are the Common Types of Typosquatting?

Attackers use several techniques to create convincing fake domains. Understanding these patterns helps security teams identify and block threats proactively.

Character Substitution

This technique replaces letters with visually similar characters. The classic example is substituting ‘rn’ for ’m’ because they look nearly identical in most fonts. ‘rnicrosoft.com’ looks like ‘microsoft.com’ at a glance. Other substitutions include ‘1’ for ’l’, ‘0’ for ‘o’, and ‘vv’ for ‘w’.

Missing or Added Characters

Attackers remove or add single characters that users might miss. ‘gogle.com’ (missing ‘o’), ‘googgle.com’ (extra ‘g’), and ‘microsft.com’ (missing ‘o’) all exploit common typing errors. These domains catch users who type quickly without proofreading.

Transposed Characters

Swapping adjacent letters creates domains like ‘googel.com’ or ‘amazno.com’. These target the specific muscle memory errors people make when typing familiar URLs quickly.

Wrong TLD Variations

Users often default to ‘.com’ even when the legitimate site uses a different extension. Attackers register ‘amazon.co’ or ‘google.net’ to capture this traffic. Country-code TLDs like ‘.cm’ (Cameroon) are popular because they look like typos of ‘.com’.

Hyphenation Tricks

Adding or removing hyphens creates plausible-looking domains like ‘face-book.com’ or combining brand names with common words like ‘amazon-deals.com’. This technique, called combosquatting, extends typosquatting into brand impersonation territory.

Each technique targets different user behaviors, so attackers often register multiple variations to maximize their catch rate.

What Are Real-World Typosquatting Examples?

Here’s what these attacks actually look like when they hit real companies.

The Microsoft Impersonation Campaign

The domain ‘rnicrosoft.com’ targeted Microsoft 365 users by replacing ’m’ with ‘rn’. The swap was nearly invisible in most fonts, and even harder to spot on mobile where the address bar cuts off the full URL. The phishing emails mirrored Microsoft’s official logo, layout, and tone. Victims who entered credentials handed them directly to attackers.

Facebook’s $2.8 Million Lawsuit

Facebook successfully sued domain squatters who registered hundreds of variations of ‘facebook.com’. The court awarded $2.8 million in damages under ACPA, establishing precedent for aggressive legal action against typosquatters. This remains one of the largest public judgments in a typosquatting case.

Election Interference Domains

During the 2020 US presidential election, researchers identified over 500 typosquatted domains targeting candidate websites. Some hosted disinformation. Others harvested donor credentials. Several redirected visitors to malicious Chrome extensions. Typosquatting scales to target any high-profile event.

Financial Sector Targeting

Recorded Future analyzed a major US financial institution and found 226 possible typosquatted domains, with 91 actively registered. Of those, 52 had associated mail servers capable of receiving email, suggesting business email compromise preparation. Eight different malware families were linked to the hosting infrastructure.

These examples show typosquatting isn’t theoretical. It’s an active, profitable attack vector. And you’re a target.

What Are the Goals Behind Typosquatting Attacks?

Attackers invest in typosquatting because it works. Here’s what they’re after.

Credential Harvesting

The primary goal is stealing usernames and passwords. Fake login pages capture credentials that attackers use directly or sell on dark web forums. Corporate credentials are especially valuable because they provide access to internal systems, email, and sensitive data. These stolen credentials often appear in combo lists.

Malware Distribution

Typosquatted domains serve as malware infrastructure. In 2024, Unit 42 discovered a Linux variant of the Bifrost RAT using ‘vmfare.com’ as its command-and-control server. The typosquatted domain helped the malware blend in with legitimate VMware traffic.

Phishing Campaign Infrastructure

Typosquatted domains provide convincing infrastructure for spear phishing campaigns. Email links to ‘amaz0n.com’ or ‘paypal.co’ look legitimate enough to bypass casual inspection. The domains add credibility to social engineering attacks.

Ad Fraud and Traffic Monetization

Some typosquatters simply monetize mistyped traffic through advertising. Users who land on parking pages covered in ads generate revenue for the domain owner. It’s less harmful than credential theft, but the domain still infringes on the brand’s trademark.

Competitive Disruption

Occasionally, typosquatting targets competitors. A company might register a lookalike of a competitor’s domain to redirect their traffic or display negative content. It’s rare compared to credential theft, but it happens.

How Can You Detect Typosquatting Domains?

Detection requires proactive monitoring because attackers register new domains all the time. Waiting for users to report suspicious sites means waiting until after their credentials are compromised.

Domain Permutation Monitoring

Tools like dnstwist generate possible typosquatted versions of your domain. Periodically run the script to find which domain permeations have been registered and resolve to an IP address. Security teams should monitor not just exact typos but also combosquatting variations that combine your brand name with common words.

Certificate Transparency Logs

Every SSL certificate issued gets logged publicly. Monitoring these logs for certificates matching your brand name catches typosquatters when they set up their infrastructure. Services like crt.sh provide free certificate transparency searches.

DNS Query Analysis

Analyzing DNS queries from your network to find employees visiting typosquatted domains. Spikes in queries to suspicious lookalike domains indicate active attacks or successful phishing campaigns.

Dark Web Credential Monitoring

When typosquatting attacks succeed, stolen credentials eventually appear on criminal marketplaces and forums. Dark web monitoring detects your organization’s credentials before attackers exploit them, providing a second line of defense when prevention fails.

User Reports and Security Awareness

Train your employees to verify URLs before entering credentials and report anything suspicious. When they flag a fake login page, you get early warning. CISA’s phishing guidance is a good starting point.

How Can Businesses Defend Against Typosquatting?

When it comes to stopping typosquatting attacks, there’s no silver bullet. You need layers.

Defensive Domain Registration

Register common misspellings, character substitutions, and TLD variations of your primary domains. This prevents attackers from registering them instead. Focus on high-value variations that users are most likely to mistype. Remember, the cost of defensive registrations is far lower than the cost of a successful attack.

Technical Controls

DNS Filtering: Block access to known typosquatted domains at the network level. Free options like Quad9 or Cloudflare’s 1.1.1.1 for Families provide basic protection. For enterprise coverage, services like Cisco Umbrella and Cloudflare Gateway offer more comprehensive blocklists.

Email Security: Configure email gateways to scan URLs and block messages containing links to known typosquatted domains. Most enterprise email security products include this capability.

Browser Protection: Chrome, Firefox, and Safari use Google Safe Browsing to warn users about phishing sites. Microsoft Edge has Website Typo Protection specifically for typosquatted domains. Encourage employees to keep browser protections enabled.

DMARC/DKIM/SPF: Implement email authentication to prevent attackers from spoofing your domain in phishing campaigns that direct victims to typosquatted sites.

Monitoring and Intelligence

Continuous monitoring catches new typosquatted domains before they’re used in attacks. External attack surface management finds phishing domains impersonating your brand as well.

When credentials do get stolen, compromised credential monitoring detects them on dark web marketplaces. This enables password resets before attackers use the stolen credentials.

User Education

Train employees to bookmark frequently used sites instead of typing URLs. Teach them to verify the address bar before entering credentials. Phishing simulations that include typosquatted domains test whether training is effective.

Users make mistakes. That’s why technical controls are your first line of defense. Training helps, but don’t rely on it alone.

How Do You Respond to a Typosquatting Attack?

Finding a typosquatted domain targeting your organization requires immediate action. Speed matters because every hour the domain stays active means more potential victims.

Document Everything

Screenshot the typosquatted site and record the domain registration details using WHOIS lookup. Note the registrar, creation date, and nameservers. This evidence supports legal action and takedown requests.

Check for Credential Compromise

Search your breach monitoring tools for any credentials associated with the typosquatted domain. If employees visited the site and entered credentials, initiate password resets immediately. Check login logs for suspicious authentication attempts from unusual locations.

Block the Domain

Add the typosquatted domain to your DNS blocklist, web proxy blocklist, and email security blocklist. This prevents additional employees from falling victim while you work on the takedown.

File Takedown Requests

Report the domain to the registrar’s abuse contact. Most registrars have policies against phishing and will suspend obviously malicious domains. For trademark-infringing domains, file a UDRP complaint through ICANN or pursue legal action under ACPA.

Monitor for Related Domains

Attackers rarely register just one domain. Search for other variations that might be part of the same campaign. Check certificate transparency logs for certificates issued to similar domains around the same time.

Alert Affected Users

If customers or partners might have visited the typosquatted site, notify them immediately. Provide clear instructions for checking whether their credentials were compromised and how to protect themselves.

Taking these steps quickly limits damage and establishes a process for handling future incidents.

Conclusion

Typosquatting works because humans are predictable. Users type URLs from memory, make the same mistakes, and trust familiar-looking login pages. Attackers capitalize on every one of these tendencies. And they do it at scale.

Over 10,000 malicious lookalike domains discovered in six months. Three brands accounting for 75% of all impersonation attempts. Nearly half of phishing sites using free SSL certificates to appear legitimate.

So how do you fight back? Prevention and detection. Register defensive domains to block attackers from acquiring them. Implement DNS filtering and email security to catch typosquatted links. Train users to verify URLs before entering credentials.

But prevention isn’t enough. When attacks succeed, you need to know immediately. Dark web monitoring detects stolen credentials, giving you time to reset passwords and limit the damage.

Your employees are one typo away from credential theft right now. Check your organization’s dark web exposure to see what credentials are already circulating on criminal marketplaces.