Concept and nature of typosquatting
Typosquatting is a digital fraud technique that exploits typing errors made by users when entering web addresses, with the aim of redirecting them to malicious websites. It is a low-cost practice for the perpetrator (a domain registration costs a few dollars), but with a high potential for impact, both because of the volume of traffic improperly captured and because of the associated risks to information security.
How the fraudulent mechanism works
The typosquatting mechanism is simple, yet effective. The fraudster registers domain names that are very similar to legitimate addresses, making small changes that go unnoticed by the average user. These variations may involve replacing or transposing letters, omitting characters, changing the domain extension (TLD), or using visually similar characters from other alphabets.
When a user mistypes the original address, they land on the fraudulent domain without realizing it, believing they are on the legitimate site. The same happens with email: a message containing a link to the malicious domain is not recognized as suspicious, precisely because the address looks so similar to the legitimate one, and the user is induced to visit the fraudulent site under a false impression of authenticity.
Some examples of typosquatting
- Proximity error (fat finger): a letter is replaced by one that sits next to it on the QWERTY keyboard.
  - Example: amazpn.com (the "o" is next to the "p"). Simple omission, as in gogle.com, is also common.
- TLD swap: the attacker registers the exact brand name, but under a different, less monitored extension.
  - Example: if your website is under .com.br, the attacker registers the .net, .co or .xyz version.
- Homograph attacks: use of characters from other alphabets (such as Cyrillic or Greek) that are visually identical to Latin letters but are different Unicode code points (they are not ASCII at all).
  - Example: a Cyrillic "а" looks like a Latin "a", but to the browser and to DNS they are completely different addresses; the Cyrillic version is actually registered and resolved in its encoded "xn--" (punycode) form.
- Hyphenation and addition: insertion of hyphens or common words to lend false legitimacy.
  - Example: suamarca-login.com or pagamento-suamarca.com ("suamarca" and "pagamento" are Portuguese for "your brand" and "payment").
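The variants described in the mechanism section and in the list above are exactly what a monitoring workflow has to enumerate. The following is an added example, not code from the original article or from any product it mentions: it generates fat-finger, omission, transposition, homograph, hyphenation and TLD-swap candidates for a brand domain, and adds two checks a practitioner wants for homographs, the punycode form the browser really resolves and a mixed-script detector. The keyboard map, the affix list and the alternative TLDs are illustrative assumptions; a real deployment would feed the candidates to WHOIS or passive-DNS lookups, which are out of scope here.

```python
"""Typosquat candidate generator plus homograph checks (added example).

Assumptions (not from the article): a reduced QWERTY adjacency map, a small
list of hyphenated affixes and alternative TLDs, and a handful of Cyrillic
look-alikes. Domains are handled as strings only; no network access.
"""
import unicodedata

# Left/right neighbours on a QWERTY keyboard, used for "fat finger" substitutions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "adwx", "d": "sfec", "f": "dgrv", "g": "fhtb",
    "h": "gjyn", "j": "hkum", "k": "jli", "l": "ko",
    "z": "xa", "x": "zcs", "c": "xvd", "v": "cbf", "b": "vng", "n": "bmh", "m": "nj",
}

# Latin letters that have a visually identical Cyrillic counterpart.
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "p": "\u0440",
              "c": "\u0441", "x": "\u0445", "y": "\u0443"}

COMMON_AFFIXES = ("login", "pagamento", "secure", "suporte")  # constructed list
ALT_TLDS = ("net", "co", "xyz", "org", "com")                 # constructed list


def split_domain(domain):
    """'suamarca.com.br' -> ('suamarca', 'com.br'); the first label is the brand."""
    label, _, tld = domain.partition(".")
    return label, tld


def fat_finger(label):
    """Replace each letter by its keyboard neighbours (amazon -> amazpn, ...)."""
    out = set()
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + nb + label[i + 1:])
    return out


def omissions(label):
    """Drop one character (google -> gogle)."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    """Swap two adjacent characters (google -> gogole)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def homoglyphs(label):
    """Replace a single Latin letter with its Cyrillic look-alike."""
    return {label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            for i, ch in enumerate(label) if ch in HOMOGLYPHS}


def affixed(label):
    """Hyphenated additions (suamarca-login, pagamento-suamarca)."""
    return ({f"{label}-{w}" for w in COMMON_AFFIXES}
            | {f"{w}-{label}" for w in COMMON_AFFIXES})


def candidates(domain):
    """All variants as full domain names, excluding the legitimate domain itself."""
    label, tld = split_domain(domain)
    label_variants = (fat_finger(label) | omissions(label) | transpositions(label)
                      | homoglyphs(label) | affixed(label))
    variants = {f"{v}.{tld}" for v in label_variants}
    variants |= {f"{label}.{t}" for t in ALT_TLDS}  # TLD swap keeps the exact brand
    variants.discard(domain)
    return variants


def to_punycode(domain):
    """The form the browser and DNS actually use: IDNA ('xn--') encoding."""
    return domain.encode("idna").decode("ascii")


def mixed_scripts(domain):
    """Set of scripts present in the brand label, e.g. {'LATIN', 'CYRILLIC'}.

    More than one script in a single label is the classic homograph red flag.
    """
    label, _ = split_domain(domain)
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


if __name__ == "__main__":
    for d in sorted(candidates("suamarca.com.br"))[:10]:
        print(d)
    spoof = "\u0430mazon.com"  # Cyrillic 'а' + "mazon"
    print(spoof, "->", to_punycode(spoof), mixed_scripts(spoof))
```

The candidate set is deliberately broad; the useful signal comes from intersecting it with what is actually registered or resolving, and from flagging any candidate whose label mixes scripts. Note that `mixed_scripts` relies on Unicode character names, so it also catches Greek and other confusables not in the `HOMOGLYPHS` table.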
The myth of HTTPS as an indicator of legitimacy
It is necessary to demystify the belief that the presence of HTTPS, represented by the padlock next to the URL, is sufficient to attest to the legitimacy of a website. Free, automated certificate authorities issue domain-validated TLS certificates to anyone who proves control of a domain, so the operator of a typosquatted domain can obtain a perfectly valid certificate within minutes of registering it. The padlock proves only that the connection to that domain is encrypted and that the server controls that domain name; it says nothing about whether the domain belongs to the brand it imitates.
Thus, a website can be technically protected by encryption and still be fraudulent. User education must therefore go beyond checking the padlock icon and focus on reading the domain name itself, character by character.
Purposes and impacts of the practice
The objectives of typosquatting vary depending on the profile of the offending agent. In many cases, fraudulent domains are used for phishing campaigns, inducing victims to provide credentials, bank details, or personal information. In other scenarios, they serve to distribute malware, install malicious browser extensions, or redirect to deceptive advertising schemes.
Legal relevance and digital governance
From a legal and digital governance perspective, typosquatting can constitute unfair competition, trademark infringement, and cyber fraud, depending on the applicable legislation and the intent demonstrated by the perpetrator. In the context of trademark protection, the practice itself constitutes strong evidence of domain name registration in bad faith, as it seeks to improperly capture user traffic and exploit the reputation of third parties.
Mitigation strategies
Previously, the so-called "defensive registration" was recommended, consisting of acquiring multiple variations of the legitimate domain. With the proliferation of thousands of new generic top-level domains (gTLDs) and the combinatorial number of possible variants, this strategy has become financially unfeasible and technically impractical as a complete defence; at most it still makes sense for a handful of the most obvious variants.
Today, effectively mitigating the risks associated with typosquatting requires a proactive and ongoing approach. Recommended measures include the use of specialized tools, such as Observster, for daily monitoring of suspicious registrations, combined with email authentication (SPF, DKIM and DMARC) on the organization's own domain. One caveat a practitioner should keep in mind: SPF, DKIM and DMARC prevent third parties from sending mail that claims to come from your exact domain; they do nothing against a look-alike domain, whose owner can publish their own valid records and pass all three checks. That is precisely why monitoring of similar domains is needed alongside them.
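The records below are an added example, not taken from the article or from any product it mentions, of what the email-authentication part of the mitigation looks like in practice. example.com, the IP address, the selector name and the report mailbox are placeholders; the DKIM public key is abbreviated.

```dns
; Added example. example.com stands in for the organization's real domain.

; SPF: only these sources may send mail with example.com in the envelope sender.
example.com.                 IN TXT "v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all"

; DKIM: public key for selector "mail"; the outbound server signs with the private key.
mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=<base64 public key>"

; DMARC: reject mail that fails aligned SPF/DKIM and send aggregate reports.
_dmarc.example.com.          IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
```

Every one of these records is scoped to example.com. A message from examp1e.com or example-login.com is evaluated against that domain's own records, which the attacker controls, so it can arrive fully authenticated; the records above close the exact-domain spoofing route and nothing more. Deploy DMARC with p=none first and read the aggregate reports before moving to p=quarantine or p=reject, otherwise legitimate senders you forgot about will be rejected.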
Want to know if your brand is already being used on suspicious domains?
Solutions like Observster allow you to quickly identify potentially fraudulent registrations before they turn into scams or real losses. The first step to protecting your brand starts with observation.