Typosquatting: How Fake Domains Steal Your Credentials

Josh Amishav · Last updated Apr 09, 2026 · 11 minute reading time

Learn how typosquatting attacks steal employee credentials through fake domains and how to detect them before damage is done.

• Typosquatting uses lookalike domains with minor misspellings to trick users into entering credentials on fake login pages
• Your employees are targets: 75% of typosquatted domains impersonate Google, Microsoft, and Amazon services your workforce uses daily
• Detection requires continuous monitoring since attackers register thousands of malicious lookalike domains monthly
• Combine defensive domain registration with dark web monitoring to catch stolen credentials before exploitation

One wrong keystroke. That’s all it takes. An employee types ‘ofice.com’ instead of ‘office.com’ and lands on a perfect replica of the login page. They enter their credentials. Attackers now own their account.

Zscaler ThreatLabz analyzed over 30,000 lookalike domains in six months and found more than 10,000 were malicious. These weren’t zero-day exploits. They were simple typos exploited by attackers who registered domains that look almost identical to legitimate ones.

Typosquatting is embarrassingly effective. It bypasses email security and endpoint protection because it exploits human error, not technical vulnerabilities. Your employees are one mistyped URL away from handing over their credentials.

What Is Typosquatting?

The internet runs on trust. You type a URL, hit enter, and expect to land where you intended. Typosquatters exploit that trust by registering domains that look like yours to steal credentials from people who mistype the URL.

Typosquatting is a social engineering attack where attackers register domain names that closely resemble legitimate websites, using common typos or character substitutions. When users accidentally visit these fake domains, attackers harvest credentials, distribute malware, or commit ad fraud. Also known as URL hijacking.

The attack works because humans make predictable mistakes. We transpose letters. We miss keystrokes. We confuse similar-looking characters. Attackers know this and register domains that capture these errors.

How Do Typosquatting Attacks Work?

The attack lifecycle is deceptively simple. An attacker identifies a high-value target domain, generates hundreds of typo variations, registers the most promising ones, and drives victims to them through phishing emails, malicious ads, or social engineering.

Step 1: Target Selection

Attackers focus on domains with high traffic and high-value credentials. Banking sites, email providers, corporate portals, and e-commerce platforms top the list. Zscaler’s 2024 research found Google targeted in 28.8% of typosquatting attempts, Microsoft in 23.6%, and Amazon in 22.3%. These three brands account for nearly 75% of all typosquatting activity.

Step 2: Domain Generation

Tools like dnstwist generate thousands of domain permutations automatically using character substitution, transposition, and wrong TLDs. A single corporate domain can produce hundreds of registered lookalikes.

Step 3: Infrastructure Setup

Attackers register the most convincing domains and obtain SSL certificates to display the padlock icon that users associate with security. Nearly half of phishing domains use free Let’s Encrypt certificates, according to Zscaler’s analysis.

Step 4: Credential Harvesting

The fake site replicates the legitimate login page pixel-for-pixel. When users enter credentials, the site either captures them and displays an error message, or passes them through to the real site while logging them. Either way, attackers now have valid credentials.

This entire process costs attackers almost nothing but yields high-value credentials that sell for premium prices on dark web markets.

What Are the Common Types of Typosquatting?

Attackers use several techniques to create convincing fake domains. Knowing the patterns helps you spot and block them early.

Character Substitution

This technique replaces letters with visually similar characters. The classic example is substituting ‘rn’ for ’m’ because they look nearly identical in most fonts. ‘rnicrosoft.com’ looks like ‘microsoft.com’ at a glance. Other substitutions include ‘1’ for ’l’, ‘0’ for ‘o’, and ‘vv’ for ‘w’.

Missing or Added Characters

Attackers remove or add single characters that users might miss. ‘gogle.com’ (missing ‘o’) and ‘googgle.com’ (extra ‘g’) exploit common typing errors. These domains catch users who type quickly without proofreading.

Transposed Characters

Swapping adjacent letters creates domains like ‘googel.com’ or ‘amazno.com’. These target the specific muscle memory errors people make when typing familiar URLs quickly.

Wrong TLD Variations

Users often default to ‘.com’ even when the legitimate site uses a different extension. Attackers register ‘amazon.co’ or ‘google.net’ to capture this traffic. Country-code TLDs like ‘.cm’ (Cameroon) are popular because they look like typos of ‘.com’.

Hyphenation and Combosquatting

Adding hyphens or combining brand names with common words creates domains like ‘face-book.com’ or ‘amazon-deals.com’. This technique, called combosquatting, extends domain typosquatting into brand impersonation territory.

IDN Homograph Attacks

Internationalized domain names allow Unicode characters from other alphabets. Some of these characters look identical to Latin letters. Cyrillic ‘а’ looks the same as Latin ‘a’ but is a different character. An attacker can register ‘аpple.com’ using Cyrillic ‘а’ and it looks identical to ‘apple.com’ in most browsers. Modern browsers display these as Punycode (xn--pple-43d.com) to counter this, but older browsers and some mobile apps don’t.

Each technique targets different user behaviors, so attackers often register multiple variations to maximize their catch rate.

Typosquatting vs Cybersquatting

These terms get confused often. Cybersquatting is registering a trademarked domain name (like ‘cocacola.net’) to resell it to the trademark owner for profit. Typosquatting is registering a misspelled version (‘cocaocla.com’) to intercept traffic and steal credentials. Cybersquatters want the brand owner to pay them for the domain. Typosquatters want to steal credentials from people who mistype the URL. Both are illegal under ACPA, but the attack intent and victim are different.

What Are Real-World Typosquatting Examples?

Here’s what these attacks actually look like when they hit real companies.

The Microsoft Impersonation Campaign

The domain ‘rnicrosoft.com’ targeted Microsoft 365 users by replacing ’m’ with ‘rn’. The swap was nearly invisible in most fonts, and even harder to spot on mobile where the address bar cuts off the full URL. The phishing emails mirrored Microsoft’s official logo, layout, and tone. Victims who entered credentials handed them directly to attackers.

Facebook’s $2.8 Million Lawsuit

Facebook successfully sued domain squatters who registered hundreds of variations of ‘facebook.com’. The court awarded $2.8 million in damages under ACPA, setting precedent for aggressive legal action against typosquatters. This remains one of the largest public judgments in a typosquatting case.

Election Interference Domains

During the 2020 US presidential election, researchers identified over 500 typosquatted domains targeting candidate websites. Some hosted disinformation. Others harvested donor credentials. Several redirected visitors to malicious Chrome extensions. Typosquatting scales to target any high-profile event.

Financial Sector Targeting

Recorded Future analyzed a major US financial institution and found 226 possible typosquatted domains, with 91 actively registered. Of those, 52 had associated mail servers capable of receiving email, suggesting business email compromise preparation. Eight different malware families were linked to the hosting infrastructure.

VMware Typosquatting for Malware C2 (2024)

In 2024, Unit 42 discovered a Linux variant of the Bifrost RAT using ‘vmfare.com’ as its command-and-control server. The typosquatted domain helped the malware blend in with legitimate VMware traffic, making it harder for network monitoring to flag.

These aren’t edge cases. Typosquatting is happening right now, and the techniques keep getting more creative.

What Are the Goals Behind Typosquatting Attacks?

Attackers invest in typosquatting because it works. Here’s what they’re after.

Typosquatting protection means defending against domain impersonation through defensive registration and continuous monitoring. Effective protection combines DNS filtering to block fake domains with credential monitoring to catch stolen passwords before attackers use them.

Credential Harvesting

The primary goal is stealing usernames and passwords. Fake login pages capture credentials that attackers use directly or sell on dark web forums. Corporate credentials fetch premium prices because they provide access to internal systems and email. These stolen credentials often appear in combo lists.

Malware Distribution

Typosquatted domains serve as malware infrastructure. Users downloading software from lookalike domains install infostealers or RATs instead of legitimate applications. The Bifrost/VMware example above shows how typosquatted domains also serve as C2 servers that blend in with legitimate traffic.

Phishing Campaign Infrastructure

Typosquatted domains provide convincing infrastructure for spear phishing campaigns. Email links to ‘amaz0n.com’ or ‘paypal.co’ look legitimate enough to bypass casual inspection. The domains add credibility to social engineering attacks.

Ad Fraud and Traffic Monetization

Some typosquatters simply monetize mistyped traffic through advertising. Users who land on parking pages covered in ads generate revenue for the domain owner. It’s less harmful than credential theft, but the domain still infringes on the brand’s trademark.

Competitive Disruption

Occasionally, typosquatting targets competitors. A company might register a lookalike of a competitor’s domain to redirect their traffic or display negative content. It’s rare compared to credential theft, but it happens.

How Can You Detect Typosquatting Domains?

Detection requires continuous monitoring because attackers register new domains all the time. Waiting for users to report suspicious sites means waiting until after their credentials are compromised.

Domain Permutation Monitoring

Tools like dnstwist generate possible typosquatted versions of your domain. See our typosquatting checker roundup for tool comparisons. Periodically run scans to find which domain permutations have been registered and resolve to an IP address. Security teams should monitor not just exact typos but also combosquatting variations that combine your brand name with common words.
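The permutation classes listed under “What Are the Common Types of Typosquatting?” and the monitoring step described here can be exercised with a small generator for a domain you own. The following is an added example written for this article, not the article’s own code and not dnstwist’s implementation; the homoglyph table, the combosquatting word list and the alternative TLD list are assumptions chosen to mirror the examples in the text, and it uses only the Python standard library. Feeding its output to a resolver tells you which lookalikes are already registered.

```python
"""Generate the lookalike domains that could be registered for a domain you
own, in the classes the article describes (added example; not the article's
code and not dnstwist's implementation).  Standard library only."""
import unicodedata

# Characters that render almost identically in common fonts.  The Cyrillic
# entries (U+0430, U+043E) are the IDN homograph case.  Assumed table.
HOMOGLYPHS = {
    "m": ["rn"],
    "w": ["vv"],
    "l": ["1"],
    "i": ["1", "l"],
    "o": ["0", "\u043e"],
    "a": ["\u0430"],
}

COMBO_WORDS = ("login", "secure", "support", "deals")   # assumed word list
ALT_TLDS = ("com", "co", "cm", "net", "org")            # assumed TLD list


def split_domain(domain):
    """'example.com' -> ('example', 'com').  Only the registrable label is
    mutated; the suffix is handled by tld_swaps()."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def omissions(label):
    """Missing character: 'google' -> 'gogle'."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Added (doubled) character: 'google' -> 'googgle'."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transpositions(label):
    """Adjacent swap: 'google' -> 'googel'."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def homoglyph_substitutions(label):
    """Visually similar replacement: 'microsoft' -> 'rnicrosoft'."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in HOMOGLYPHS.get(ch, [])}


def hyphenations(label):
    """Inserted hyphen: 'facebook' -> 'face-book'."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def combosquats(label):
    """Brand joined with a common word: 'amazon' -> 'amazon-deals'."""
    return ({f"{label}-{w}" for w in COMBO_WORDS}
            | {f"{w}-{label}" for w in COMBO_WORDS})


def tld_swaps(label, tld):
    """Wrong suffix: 'amazon.com' -> 'amazon.co', 'amazon.cm'."""
    return {f"{label}.{t}" for t in ALT_TLDS if t != tld}


def permutations(domain):
    """Every candidate lookalike of `domain` as a Unicode string, never
    including the domain itself."""
    label, tld = split_domain(domain)
    labels = set()
    for mutate in (omissions, repetitions, transpositions,
                   homoglyph_substitutions, hyphenations, combosquats):
        labels |= mutate(label)
    labels.discard(label)
    candidates = {f"{l}.{tld}" for l in labels} | tld_swaps(label, tld)
    candidates.discard(domain.lower())
    return sorted(candidates)


def to_ascii(domain):
    """IDNA/Punycode form: what DNS actually carries and what a browser shows
    when it refuses to render a homograph (e.g. xn--pple-43d.com)."""
    return domain.encode("idna").decode("ascii")


def is_mixed_script(label):
    """True when letters from more than one script (e.g. Latin and Cyrillic)
    appear in one label, a strong homograph indicator."""
    scripts = {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


if __name__ == "__main__":
    for candidate in permutations("apple.com"):
        note = " (mixed script)" if is_mixed_script(candidate.split(".")[0]) else ""
        print(f"{candidate:<24} {to_ascii(candidate)}{note}")
```

Run as a script it lists the candidates for apple.com with their Punycode form; the mixed-script check is worth keeping in any alerting pipeline, because a label that mixes Cyrillic and Latin letters has almost no legitimate use.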

Certificate Transparency Logs

Every SSL certificate issued gets logged publicly. Monitoring these logs for certificates matching your brand name catches typosquatters when they set up their infrastructure. Services like crt.sh provide free certificate transparency searches.
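Triage of what such a search returns can be scripted. The block below is an added example, not code from the article or from crt.sh: the records are constructed, the field names (`id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`) follow the shape of crt.sh’s `output=json` responses, timestamps are assumed to be UTC, and the watch tokens, owned domains and issuer strings are placeholders. It pulls every SAN out of each record, ignores names under domains you own, and ranks the rest so that live, recently issued certificates come first.

```python
"""Triage certificate-transparency records for names that use a brand outside
the domains it owns (added example, not the article's or crt.sh's code).
Records below are constructed; field names follow crt.sh's JSON output."""
import json
from datetime import datetime, timezone

# Spellings to watch for: the brand plus the lookalikes a permutation tool
# such as dnstwist would list.  Assumed list.
WATCH_TOKENS = {"microsoft", "rnicrosoft", "micr0soft"}
OWNED_DOMAINS = {"microsoft.com", "microsoftonline.com"}   # assumed

# Constructed records.  name_value carries every SAN, newline-separated, and
# wildcards appear as "*.".  Issuer strings are placeholders.
CT_RECORDS_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Let's Encrypt (constructed)",
     "common_name": "rnicrosoft.com",
     "name_value": "rnicrosoft.com\nwww.rnicrosoft.com",
     "not_before": "2026-04-01T10:00:00", "not_after": "2026-06-30T10:00:00"},
    {"id": 2, "issuer_name": "O=Let's Encrypt (constructed)",
     "common_name": "*.microsoft-login.example",
     "name_value": "*.microsoft-login.example\nmicrosoft-login.example",
     "not_before": "2026-04-05T08:30:00", "not_after": "2026-07-04T08:30:00"},
    {"id": 3, "issuer_name": "O=Brand Corporate CA (constructed)",
     "common_name": "login.microsoft.com",
     "name_value": "login.microsoft.com\nlogin.microsoftonline.com",
     "not_before": "2026-03-20T00:00:00", "not_after": "2027-03-20T00:00:00"},
    {"id": 4, "issuer_name": "O=Let's Encrypt (constructed)",
     "common_name": "microsoftshop.co", "name_value": "microsoftshop.co",
     "not_before": "2025-01-10T12:00:00", "not_after": "2025-04-10T12:00:00"},
])


def registrable(name):
    """Last two labels.  A production version would use the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def san_names(record):
    """Every SAN in a record, lower-cased, with '*.' wildcard prefixes dropped."""
    names = set()
    for raw in record["name_value"].split("\n"):
        n = raw.strip().lower()
        if n.startswith("*."):
            n = n[2:]
        if n:
            names.add(n)
    return names


def is_owned(name):
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)


def uses_brand(name):
    """True when a watched spelling appears in the registrable part of the
    name: catches lookalikes and combosquats such as 'microsoft-login'."""
    reg = registrable(name)
    return any(token in reg for token in WATCH_TOKENS)


def flag(record, now):
    """A finding for a record naming the brand outside owned domains, else None."""
    suspicious = sorted(n for n in san_names(record)
                        if not is_owned(n) and uses_brand(n))
    if not suspicious:
        return None
    not_before = datetime.fromisoformat(record["not_before"]).replace(tzinfo=timezone.utc)
    not_after = datetime.fromisoformat(record["not_after"]).replace(tzinfo=timezone.utc)
    return {
        "crtsh_id": record["id"],
        "names": suspicious,
        "issuer": record["issuer_name"],
        "expired": not_after < now,
        "issued_days_ago": (now - not_before).days,
    }


def triage(records_json, now=None):
    """Findings sorted so live certificates come first, newest at the top."""
    now = now or datetime.now(timezone.utc)
    findings = [f for f in (flag(r, now) for r in json.loads(records_json)) if f]
    findings.sort(key=lambda f: (f["expired"], f["issued_days_ago"]))
    return findings


if __name__ == "__main__":
    for f in triage(CT_RECORDS_JSON):
        state = "expired" if f["expired"] else f"issued {f['issued_days_ago']}d ago"
        print(f"crt.sh #{f['crtsh_id']}: {', '.join(f['names'])} [{f['issuer']}] {state}")
```

Record 3 is dropped because every name sits under an owned domain, and the wildcard and bare forms of record 2 collapse into one name; a newly issued, still-valid certificate for a lookalike is the signal worth paging on, since it usually means the phishing page is about to go live.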

DNS Query Analysis

Check your DNS logs for employees visiting domains that look like typosquatted versions of sites you use. If multiple people are hitting the same lookalike domain, an attack is probably active.
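One way to run that check over resolver logs, as an added example that is not the article’s code: score the registrable part of every queried name against a watch list of brands with an edit distance that treats a transposition as one edit, collapse multi-character confusables such as ‘rn’ before scoring, and count how many distinct clients hit each lookalike. The log format, the watch list and the client addresses are constructed for the example.

```python
"""Flag DNS queries for near-misses of brands your staff use and count the
clients involved (added example; constructed log lines, not the article's code)."""
from collections import defaultdict

WATCHLIST = {"microsoft.com", "google.com", "office.com", "amazon.com"}   # assumed

# Constructed resolver log: timestamp, client IP, queried name, record type.
SAMPLE_LOG = """\
2026-04-09T08:12:03Z 10.1.4.22 login.microsoft.com A
2026-04-09T08:12:09Z 10.1.4.22 rnicrosoft.com A
2026-04-09T08:13:41Z 10.1.7.15 rnicrosoft.com A
2026-04-09T08:14:02Z 10.1.9.8 ofice.com A
2026-04-09T08:15:30Z 10.1.2.3 google.com A
2026-04-09T08:16:11Z 10.1.2.3 cdn.example.net A
2026-04-09T08:17:45Z 10.1.4.22 amazno.com A
"""


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so 'googel' is 1 from 'google'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(name):
    """Last two labels; a production version would use the Public Suffix List."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalise(label):
    """Collapse confusables before scoring so 'rnicrosoft' is distance 0 from
    'microsoft' rather than 2."""
    return (label.replace("rn", "m").replace("vv", "w")
                 .replace("0", "o").replace("1", "l"))


def closest_brand(qname, max_distance=1):
    """(brand, distance) when the registrable domain is within max_distance
    edits of a watched brand without being that brand; otherwise None."""
    reg = registrable(qname)
    if reg in WATCHLIST or "." not in reg:
        return None
    label, tld = reg.rsplit(".", 1)
    best = None
    for brand in WATCHLIST:
        b_label, b_tld = brand.rsplit(".", 1)
        dist = damerau_levenshtein(normalise(label), normalise(b_label))
        if tld != b_tld:
            dist += 1          # a wrong TLD counts as one more edit
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best


def analyse(log_text, max_distance=1):
    """Map each lookalike domain seen to the brand it resembles, the distinct
    clients that queried it and the query count."""
    hits = defaultdict(lambda: {"brand": None, "clients": set(), "queries": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _rtype = line.split()
        match = closest_brand(qname, max_distance)
        if match is None:
            continue
        entry = hits[registrable(qname)]
        entry["brand"] = match[0]
        entry["clients"].add(client)
        entry["queries"] += 1
    return dict(hits)


if __name__ == "__main__":
    for lookalike, info in sorted(analyse(SAMPLE_LOG).items()):
        flag = "  <- multiple clients, likely active campaign" if len(info["clients"]) > 1 else ""
        print(f"{lookalike:<18} resembles {info['brand']:<15} "
              f"clients={len(info['clients'])} queries={info['queries']}{flag}")
```

On the sample log this reports rnicrosoft.com from two clients, which is the pattern the paragraph above describes, while login.microsoft.com and google.com are exact matches and stay silent. Keep `max_distance` at 1 for alerting; at 2 the false-positive rate on short brand names rises quickly.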

Dark Web Credential Monitoring

When typosquatting attacks succeed, stolen credentials eventually appear on criminal marketplaces and forums. Dark web monitoring detects your organization’s credentials before attackers exploit them, providing a second line of defense when prevention fails.

User Reports and Security Awareness

Train your employees to verify URLs before entering credentials and report anything suspicious. When they flag a fake login page, you get early warning. CISA’s phishing guidance has training resources you can use.

How Can Businesses Defend Against Typosquatting?

Typosquatting protection requires layers. No single control stops everything.

Defensive Domain Registration

Register common misspellings and TLD variations of your primary domains. This prevents attackers from registering them instead. Focus on high-value variations that users are most likely to mistype. Remember, the cost of defensive registrations is far lower than the cost of a successful attack.

Technical Controls

DNS Filtering: Block access to known typosquatted domains at the network level. Free options like Quad9 or Cloudflare’s 1.1.1.1 for Families provide basic protection. For enterprise coverage, services like Cisco Umbrella and Cloudflare Gateway offer more comprehensive blocklists.

Email Security: Configure email gateways to scan URLs and block messages containing links to known typosquatted domains. Most enterprise email security products include this capability.

Browser Protection: Chrome, Firefox, and Safari use Google Safe Browsing to warn users about phishing sites. Microsoft Edge has Website Typo Protection specifically for typosquatted domains. Encourage employees to keep browser protections enabled.

DMARC/DKIM/SPF: Implement email authentication to prevent attackers from spoofing your domain in phishing campaigns that direct victims to typosquatted sites.

Monitoring and Intelligence

Continuous monitoring catches new typosquatted domains before they’re used in attacks. External attack surface management finds phishing domains impersonating your brand as well.

When credentials do get stolen, compromised credential monitoring detects them on dark web marketplaces. This lets you reset passwords before attackers use the stolen credentials.

User Education

Train employees to bookmark frequently used sites instead of typing URLs. Teach them to verify the address bar before entering credentials. Phishing simulations that include typosquatted domains test whether training is effective.

Users make mistakes. That’s why technical controls are your first line of defense. Training helps, but don’t rely on it alone.

How Do You Respond to a Typosquatting Attack?

Finding a typosquatted domain targeting your organization requires immediate action. Speed matters because every hour the domain stays active means more potential victims.

Document Everything

Screenshot the typosquatted site and record the domain registration details using WHOIS lookup. Note the registrar, creation date, and nameservers. This evidence supports legal action and takedown requests.

Check for Credential Compromise

Search your breach monitoring tools for any credentials associated with the typosquatted domain. If employees visited the site and entered credentials, initiate password resets immediately. Check login logs for suspicious authentication attempts from unusual locations.

Block the Domain

Add the typosquatted domain to your DNS blocklist, web proxy blocklist, and email security blocklist. This prevents additional employees from falling victim while you work on the takedown.

File Takedown Requests

Report the domain to the registrar’s abuse contact. Most registrars have policies against phishing and will suspend obviously malicious domains. For trademark-infringing domains, file a UDRP complaint through ICANN or pursue legal action under ACPA. Brand protection software can automate this process across multiple registrars.

Monitor for Related Domains

Attackers rarely register just one domain. Search for other variations that might be part of the same campaign. Check certificate transparency logs for certificates issued to similar domains around the same time.

Alert Affected Users

If customers or partners might have visited the typosquatted site, notify them immediately. Provide clear instructions for checking whether their credentials were compromised and how to protect themselves.

Moving fast limits the damage. And each incident teaches you what to watch for next time.

Conclusion

Typosquatting works because humans are predictable. Users type URLs from memory, make the same mistakes, and trust familiar-looking login pages. Attackers capitalize on every one of these tendencies. And they do it at scale.

Zscaler found over 10,000 malicious lookalike domains in just six months. Google, Microsoft, and Amazon account for 75% of all impersonation attempts.

So how do you fight back? Prevention and detection. Register defensive domains to block attackers from acquiring them. Implement DNS filtering and email security to catch typosquatted links. Train users to verify URLs before entering credentials.

But prevention isn’t enough. When attacks succeed, you need to know as quickly as possible. Dark web monitoring detects stolen credentials, giving you time to reset passwords and limit the damage.

Your employees are one typo away from credential theft right now. For continuous protection, see how Breachsense detects typosquatting domains targeting your brand. Or check your dark web exposure to see what credentials are already circulating on criminal marketplaces.

Typosquatting FAQ

Businesses should combine defensive domain registration with continuous monitoring. Register common misspellings and TLD variations of your primary domain. Implement DNS filtering to block known typosquatted domains. Use dark web monitoring to detect when credentials stolen via typosquatted phishing sites appear for sale. Train employees to bookmark critical sites rather than typing URLs.

Bookmark frequently used sites instead of typing URLs. Check the address bar before entering credentials on any login page. Look for HTTPS and valid SSL certificates, though attackers increasingly use Let’s Encrypt for free certificates. Use password managers that auto-fill only on legitimate domains. Keep browser security features enabled, like Google Safe Browsing in Chrome or Website Typo Protection in Edge.

Typosquatting is a social engineering attack where attackers register domains that mimic legitimate websites using common typos or character substitutions. When users accidentally visit these fake sites, attackers harvest credentials, distribute malware, or redirect traffic for ad fraud. Also called URL hijacking.

Multi-layered defense works best: email security gateways with URL scanning, DNS filtering to block malicious domains, security awareness training, and compromised credential monitoring to detect when employee passwords show up on the dark web. No single control stops all phishing. Credential monitoring catches stolen passwords before attackers use them.

In the US, the Anticybersquatting Consumer Protection Act (ACPA) allows trademark holders to sue for damages up to $100,000 per domain. Internationally, ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) lets trademark holders reclaim domains. Facebook won a $2.8 million judgment against domain squatters using this legal framework.

Register common misspellings, character substitutions, and alternative TLDs for your primary domain. Monitor certificate transparency logs for new certificates issued to similar domains. Use brand monitoring services to detect new registrations. File UDRP complaints or ACPA lawsuits against infringing domains. Consider joining ICANN’s Trademark Clearinghouse for early notification of similar domain registrations.