Typosquatting – When Domain Name Typing Errors Produce Unfortunate Results

Registering common misspellings of popular website domain names is a big business.  A recent study found that 80% of all possible one-character typographical variants of Facebook, Google, and Apple are registered.  Registering close misspellings of domain names is know as “typosquatting.”

Security company Sophos recently analysed all the possible one-letter variations of six popular websites, a whopping 2249 unique site names.  Of the 2249 possibilities, 67% or 1502 domain names were actually registered.  Many of these sites redirected the researchers to other domain names and web sites, so the total number of questionable sites ballooned to 14,495 total sites.

A small percentage were actually legitimate websites owned by people or businesses who had a name that was close to the target domain.  Another group of domains were registered by the main brands, and the misspellings redirected automatically to the correctly spelled web site.

The remainder fell into several categories:

  • 15% of the typosquatting sites were devoted to advertising, either directly on the home page or by spawning pop-up ads.
  • 12% were engaged in domain name parking, where someone purchases a domain speculating that they can resell it for many times more than face value, or touting web site hosting services.
  • 6% were running search related businesses.  Some were designed to replicate the Google search page, and even used the Google search engine under the hood.  These sites make money by offering links to paid advertisers in the search results.
  • 2% were devotes to adult content, pornography, and dating.
  • Interestingly, only 3% were engaged in cyber-crime activities such as phishing, ransomware, and malware distribution.

Other uses included:

  • Brand bait and switch sites that look like the real thing but take you somewhere else.  The Apple domains saw a concentration of fake iTunes sites, for example.
  • Competitions and survey sites.
  • Humor and satire sites.
  • Typosquatting researcher sites.  Along this line, I have registered a few sites myself to use in phishing simulation and training applications

It is inevitable that occasionally we will fat finger a web address, and with the high percentage of registered misspellings (nearly 80%) instead of getting an innocuous 404 page, you end up on an active web site.  Your best bet is to close the tab or push the back button and try again.  Using a good anti-malware product and keeping it up-to-date will protect you from the few malicious sites you may stumble upon.  Using the latest version of your favorite web browser is important, too.  As we reported in an earlier post, Microsoft Edge has a significant advantage in the protection department currently.  Use good judgement, and if a site seems a bit off, check the web address in your browser address box.  If you are on a fake site, get out of there.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.