Typosquatting Protection: Watch Out for Lists of Typo Domains And Lookalike Websites

By @jonathan.zhang, WhoisXML API

Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.

Registering a domain name takes only a few minutes and is inexpensive. While people and organizations are thankful for this, it has paved the way for typosquatting: the deliberate registration of domain names confusingly similar to those that are owned by a brand, company, or person, or that are part of a public initiative. Typosquatting has allowed threat actors to impersonate individuals and organizations and execute different types of fraud, such as invoice and phishing scams and setting up malicious copycat websites.

But how big of a problem is typosquatting really? We conducted a test using our domain intelligence and found that Typosquatting Data Feed detects thousands of typosquatting domains every day. On May 21, it identified 11,578 potential typosquatting domains. The day before that, it spotted 12,985 domains.

With the volume of typosquatting domains registered daily, there’s a high chance that unknowing users may get drawn to questionable websites and possibly fall victim to scams and cyberattacks. This makes typosquatting protection a must. In this post, we illustrate why it’s important to watch out for typo domains and lists of typosquatting sites.

What Are Typo or Typosquatting Domains?

Typosquatting domains are Internet domain names that could confuse the average person about their legitimacy, origin, or purpose. They usually closely resemble other domain names that visitors or email users are familiar with, possibly creating a false sense of security and prompting them to share confidential information.

2 Characteristics of Typosquatting Domains

Typosquatting Data Feed provides users with daily data files that capture bulk-registered domains looking highly similar to one another. To appear on the feed, a domain must meet the following two criteria:

Similar to at Least Two Other Domains

A domain can end up on the data feed if there are at least two other similar domains in the group. The domains can thus be mistaken for their lookalikes due to typos or misspellings. Examples from the May 21 typosquatting file are the three domains below.

IMPORTANT NOTE: We recommend not visiting any of these websites since we cannot guarantee that they are safe. You can use Website Screenshot Lookup to preview them instead.

  • experiencegarage-gang[.]net
  • experience-garage-gang[.]net
  • experiencegarage-gang[.]tech

Users who misplace the dash (-) can end up on a different website. That is why some organizations register multiple variants of their domains to prevent customers from accessing the wrong site. There are times, though, when threat actors or domain parkers beat them to it.

Registered on the Same Day

Same-day registration may indicate bulk registration, the act of registering multiple domains at once. Examples from the May 21 typosquatting feed file are 50 domain names (the first 10 of which are shown below) that use the top-level domain (TLD) .cam and variants of the string “emwahjjo.”

  • emwahjjoq[.]cam
  • emwahjjoj[.]cam
  • remwahjjoa[.]cam
  • cemwahjjoa[.]cam
  • qemwahjjoa[.]cam
  • hemwahjjoa[.]cam
  • emwahjjox[.]cam
  • eemwahjjoa[.]cam
  • emwahjjoe[.]cam
  • emwahjjof[.]cam
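
The two criteria above can be applied to any list of newly registered domains. The following is an added example, not code from Typosquatting Data Feed: the similarity rule (edit distance of at most 1 between hyphen-stripped labels, TLD ignored), the function names, the date keys, and the `.test` filler domains are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def label_key(domain):
    """Leftmost label with defanging undone and hyphens removed; the TLD is ignored."""
    return domain.replace("[.]", ".").lower().split(".")[0].replace("-", "")

def lookalike_groups(records, max_dist=1, min_size=3):
    """records: (domain, registration_day) pairs. Returns {day: [sorted groups]}."""
    by_day = defaultdict(list)
    for domain, day in records:
        by_day[day].append(domain)            # criterion 2: compare same-day domains only
    result = {}
    for day, domains in by_day.items():
        parent = {d: d for d in domains}      # union-find over this day's domains
        def find(d):
            while parent[d] != d:
                parent[d] = parent[parent[d]]
                d = parent[d]
            return d
        for a, b in combinations(domains, 2):
            if edit_distance(label_key(a), label_key(b)) <= max_dist:
                parent[find(a)] = find(b)
        groups = defaultdict(list)
        for d in domains:
            groups[find(d)].append(d)
        # criterion 1: a domain plus at least two lookalikes, i.e. groups of three or more
        kept = sorted(sorted(g) for g in groups.values() if len(g) >= min_size)
        if kept:
            result[day] = kept
    return result

# Constructed sample: six domains quoted in the article plus made-up .test filler; day keys are made up.
SAMPLE = [
    ("experiencegarage-gang[.]net", "05-21"), ("experience-garage-gang[.]net", "05-21"),
    ("experiencegarage-gang[.]tech", "05-21"), ("emwahjjoq[.]cam", "05-21"),
    ("emwahjjoj[.]cam", "05-21"), ("emwahjjox[.]cam", "05-21"), ("example-bakery[.]test", "05-21"),
    ("example-shop[.]test", "05-21"), ("exampleshop[.]test", "05-21"), ("exampleshops[.]test", "05-20"),
]
print(lookalike_groups(SAMPLE))
```

The two `exampleshop` variants registered on 05-21 are not reported because the third lookalike was registered on a different day, so the group never reaches three same-day members.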

3 Lists of Typosquatting Lookalike Domains and Websites

A glaring form of typosquatting is when a domain closely resembles one that belongs to a prominent organization. We saw these Instagram-inspired domain names from the typosquatting files on May 21:

  • instagram-shop[.]net
  • instagramshops[.]us
  • instagramshop[.]us
  • instagram-shop[.]us
  • instagram-shops[.]net
  • instagram-shops[.]us

Facebook and Netflix also had their share of typosquatting domains, including:

  • facebookshops[.]space
  • facebook-shops[.]us
  • facebookshops[.]us
  • facebookshops[.]biz
  • facebook-shop[.]us
  • facebokshops[.]com
  • facebookshop[.]blog
  • facebookshops[.]top
  • netflix-ce[.]com
  • netflix-cl[.]digital
  • netflix-ca[.]com

Some of the domains also mimic one of the most impersonated brands in the world, PayPal:

  • paypalprozess[.]net
  • paypalprozess[.]com
  • paypalprozess[.]org

Remember that these domains were all registered on a single day. As such, there could be many more of their kind in previous or upcoming days. Typosquatting tools or solutions in the form of a data feed can help organizations protect against threat sources by alerting them to such domains as soon as they are registered.

Typosquatting is a real problem, especially for famous brands like PayPal, Instagram, Netflix, and Facebook. We have seen several phishing attempts where cybercriminals pretend to be from these companies, financial institutions, and other reputable organizations. Some threat actors also use typosquatting domains to earn money from ads since people tend to mistype domain names. Both Typosquatting Data Feed and the Newly Registered & Just Expired Domains database can help track new domain registrations that could spell trouble.
