Typosquatting Unmasked : Exposing the Threats of Misplaced Keystrokes

Published On : 2023-06-22
Share :
Typosquatting Unmasked : Exposing the Threats of Misplaced Keystrokes


At Cyfirma, our mission is to keep you informed about the latest and common prevailing threats and techniques employed by malicious actors to exploit organizations and individuals. In this report, we will delve into the insidious technique known as typosquatting. Although seemingly simple and commonplace, this technique harbours significant risks that can profoundly affect both individuals and organizations. This report provides an in-depth analysis of typosquatting techniques, a deceptive practice used by attackers to exploit users’ typing errors and redirect them to malicious websites.

The consequences of victims falling to typosquatting attacks can be severe, ranging from financial loss to identity theft. Moreover, organizations that are targeted by typosquatters may suffer reputational damage, due to the association of fraudulent activities with their brand. To mitigate the risks associated with typosquatting, the report recommends several preventive measures also.


Typosquatting, also known as URL hijacking or domain mimicry, exploits the typing errors made by internet users when entering website URLs, aiming to redirect them to malicious websites. Attackers register domain names that closely resemble popular or legitimate websites, capitalizing on common misspellings or slight variations. These fraudulent sites deceive users by mimicking the appearance and functionality of legitimate sites, leading them to unknowingly engage in malicious activities.

By luring unsuspecting users to typosquatted websites, threat actors can execute various malicious actions, including phishing scams, malware distribution, and unauthorized data collection. Users may be prompted to disclose sensitive information, such as login credentials or financial details, under the false pretence of interacting with a genuine website. This exposes individuals to identity theft, financial loss, and other security breaches, while organizations targeted by typosquatting attacks face reputational damage as users associate fraudulent activities with their brands.


  • Typosquatting is a malicious tactic where threat actors register domain names that closely resemble popular websites or brands, exploiting common typing errors or misspellings.
  • The objective of typosquatting is to deceive users and potentially engage in fraudulent activities, such as phishing, malware distribution, or stealing sensitive information.
  • Common techniques used in typosquatting include registering domains with slight variations in spelling, such as swapping letters, adding or omitting characters, or using alternative top-level domains.
  • Typosquatters often create fake websites that closely mimic the appearance and functionality of the legitimate sites they are imitating, making it difficult for users to discern the deception.
  • Typosquatting can have significant consequences, including financial losses, compromised user data, damage to brand reputation, and disruption of online services.
  • Organizations can take proactive measures to protect themselves and their users from typosquatting. This includes registering variations of their domain names, monitoring their brand usage across different domains, implementing SSL certificates for website security, and educating stakeholders about the risks of typosquatting.
  • Continuous monitoring, threat intelligence analysis, and proactive response strategies are essential in staying ahead of evolving typosquatting techniques and protecting online users and digital assets.


Typosquatting is a prevalent cybercrime technique, where hackers register misspelled or variation domain names to deceive visitors and redirect them to alternative, often malicious, websites. Users may land on these sites through mistyped URLs or phishing attacks. The impact of typosquatting extends beyond individual users, affecting business owners as well. Every visitor stolen by these malicious sites represents a potential lost customer for legitimate companies.

Here’s a detailed explanation of how typosquatting works, along with additional technical details:

Purchase of Misspelled or Impersonated Domains: Cybercriminals acquire domain names that are intentionally misspelled versions of popular websites. They may even purchase multiple variations of the misspelled domain to increase the chances of capturing unsuspecting visitors. For instance, instead of purchasing “flipkart.com,” the typosquatter might buy “fllipkart.com” or “fliipkart.com or flipcart.com”.

User Engagement: Typosquatting domains become dangerous when real users visit them. This can occur in two ways:

  • Typing Errors: Users may mistakenly enter the typosquatting domain in their web browser, due to typographical errors or rushing through the typing process. For example, typing “gogle.com” instead of “google.com.”
  • Phishing Scams: Cybercriminals often employ phishing tactics, such as sending deceptive emails containing links to typosquatted websites. Users who fall for these scams may click on the provided link and land on the malicious site.

Mimicking Legitimate Websites: To deceive users further, typosquatted websites are designed to mimic the appearance and functionality of the legitimate counterparts. This includes using the real organization’s logos, design elements, and content. Unsuspecting users may not realize they are on a fake website, making them vulnerable to providing sensitive information.

Data Theft and Account Compromise: Typosquatted sites are frequently used in phishing attacks to trick users into divulging their personal information. Users who enter their personal information, such as usernames, passwords, or financial details, on typosquatted sites unknowingly provide access to cybercriminals. If victims reuse the same credentials across multiple platforms, their other online accounts become vulnerable to compromise.

Other Malicious Activities and Threats:

  • Malware Distribution: Typosquatted websites can serve as conduits for malware distribution. When users visit these sites, malicious scripts or downloads may be initiated. either without user’s knowledge or by clicking any advertisement or link on the web page. This can result in the installation of keyloggers, ransomware, spyware, or other forms of malware onto their machines, compromising the security of their systems and data.
  • Adware and Unwanted Software: Typosquatted websites may also host adware or unwanted software that generates revenue for the attackers. Users may be exposed to aggressive or intrusive advertisements, unauthorized browser toolbars, or unwanted software installations. These can degrade the user experience, compromise privacy, and negatively impact system performance.
  • Content Spoofing and Social Engineering: Typosquatted websites can engage in content spoofing, where they replicate the content of the legitimate site but modify it to deceive users. This can include displaying fake messages, notifications, or offers to trick users into taking actions that benefit the attackers. Moreover, social engineering techniques may be employed, such as manipulating emotions or creating a sense of urgency, to persuade users into disclosing confidential information or performing certain actions.
  • Reputation Damage: For organizations that fall victim to typosquatting attacks, the malicious sites can cause significant reputational damage. Users may associate the fraudulent activities carried out on typosquatted websites with the legitimate organization, leading to a loss of trust, customer dissatisfaction, and potential financial implications.

The Role of Confusion and Human Error in Typosquatting Techniques:

Typos: Typosquatting capitalizes on common typing errors made by users, often due to rushing or relying heavily on autocorrect. Attackers register domains with common mistyped versions, such as cyfirmaaonline.com instead of Cyfirmaonline.com. These subtle alterations aim to capitalize on users’ typographical errors.

Spelling Errors: Typosquatters are aware that users may not know the correct spelling of a brand name. They register misspelled variants to redirect users to their legitimate homepage, ensuring they capture potential visitors who make spelling errors. For instance, they might use “advertisment.com” instead of “advertisement.com.”

Alternative Spellings: Different spelling conventions between regions or variations in language can confuse internet users. Typosquatters take advantage of this by registering domains with alternative spellings, leading users to unintentionally visit the wrong URL.

For instance, consider the word “counsellor.” In American English, it is spelled “counselor,” while in British English, it is spelled “councellor.” Typosquatters may register domains with these alternative spellings aiming to intercept users who unintentionally mistype the URL.

Hyphenated Domains: Adding or omitting hyphens in domain names can create confusion. Typosquatters manipulate domain names by inserting additional hyphens to deceive users. For example, they may use “my-online-shop.com” instead of “my-onlineshop.com” to exploit unsuspecting visitors.

Manipulation of URL Structure: Typosquatters add periods to the URL, altering the structure to deceive users. For instance, they might use online.cyber.security.com instead of online.cybersecurity.com, where the added period misleads users into visiting a fraudulent site.

Combination of Related Words: Cybercriminals create typosquatted domains by combining related words relevant to the target domain. An example could be online- cybersecurity-tutorial.com instead of online-cybersecurity.com, where the combination enhances the likelihood of users falling into the trap.

Similar-Looking Domain Endings: The availability of various domain endings (TLDs) for different countries and organizations provides further opportunities for typosquatting. Typosquatters often target similar-looking TLDs, such as using “.co” instead of “.com,” to trick users into visiting their malicious websites.

Exploiting Different Top-Level Domains: Typosquatters capitalize on the availability of different top-level domains (TLDs) to execute their deceptive tactics. By registering similar domains with different TLDs, they can trick unsuspecting users into visiting their malicious websites.

For example, consider a legitimate website with a “.com” domain like example.com. A typosquatter may register a domain with a similar name but a different TLD, such as example.org. Users who mistakenly type the incorrect TLD or are unaware of the specific TLD associated with the website may unknowingly end up on the typosquatted domain. The similarity in the domain name combined with a different TLD can create a false sense of legitimacy, leading users to believe they are accessing the genuine website.

Similar-Looking Letters: By utilizing characters that closely resemble the original letters, typosquatters create deceptive domains. For instance, they might register onlineattack.com instead of onlineattack.com, where “a” is different in both domains but the visual similarity masks the false nature of the domain.

Here attackers utilize non-Latin characters, like Cyrillic, to replace Latin characters in domain names. For instance, they may substitute the Cyrillic character “а” for the English lowercase “a.” Although visually similar, computers can distinguish between them, leading users to unintended destinations. This attack specifically called as homograph attack.

Common Uses of Typosquatting:

Typosquatting is utilized by cybercriminals to exploit user errors and deceive them for various malicious purposes. The most prevalent uses of typosquatted domains include:

Bait and Switch: Fake websites lure users by offering products or services similar to those found on the authentic site. However, once the purchase is made, users either receive substandard goods or nothing at all, while still being charged.

Affiliate Links: Typosquatted websites redirect visitors back to the genuine brand’s site through affiliate links. In doing so, they earn commissions from any purchases made through the brand’s legitimate affiliate program.

Imitators: Scam websites masquerade as legitimate platforms, mimicking the appearance, logos, color schemes, and page layouts of well-known brands or organizations. These imitator sites aim to conduct phishing scams, tricking users into disclosing their login credentials and personal information.

Malware Installation: Malicious websites take advantage of unsuspecting visitors by infecting their devices with malware or adware. This can lead to data breaches, compromised systems, and unauthorized access to sensitive information.

Traffic Diversion and Financial Gains: Another method employed by typosquatters is the diversion of traffic intended for genuine websites to their own competitors. Through this technique, they redirect users to rival businesses or similar platforms. In doing so, they capitalize on this redirected traffic by charging their competitors on a cost-per-click basis. This unscrupulous approach allows typosquatters to exploit the popularity and reputation of legitimate websites to generate financial gains.

Monetize Traffic: Fraudulent website owners generate revenue by hosting advertisements or pop-ups on their typosquatted pages, profiting from the visitors’ engagement with these ads.

Deceptive Data Collection: In this technique, fraudulent websites pose as platforms conducting customer surveys or presenting enticing giveaways. However, their underlying objective is to deceive users into divulging sensitive information or data, ultimately leading to identity theft. By preying on users’ trust and desire for rewards, these deceptive websites exploit their personal information for nefarious purposes, highlighting the importance of caution and scepticism when engaging with online surveys and giveaways.

Typosquatting in Open-Source Libraries: Exploiting Software Supply Chains

The emergence of a new type of typosquatting poses a significant threat to open-source libraries, targeting software supply chains. Malicious actors are creating fake packages that closely resemble legitimate ones and uploading them to popular repositories like NPM.

Exploiting Lack of Familiarity: Attackers capitalize on developers’ lack of familiarity with specific frameworks by creating clones of legitimate open-source components with slight variations in the package names. For instance, a clone named “setenv” can mimic the original “set-env” component used to set the operating environment. By embedding malicious code within these counterfeit packages, attackers exploit software misconfigurations and rely on unsuspecting developers to include their malicious component in their projects.

Crafting Deceptive Packages: To make their malicious packages appear legitimate, attackers meticulously research commonly used software packages. They employ evasive tactics such as obfuscating their code. This strategy helps them remain undetected as they infiltrate mainstream package management repositories.

Real-World Examples exploiting software supply chains:

  • Feb 2023: Researchers revealed over 450 malicious PyPI python packages that install harmful browser extensions, targeting browser-based crypto wallets and websites. This campaign, which began with just 27 packages in November 2022, has rapidly expanded through a typosquatting strategy. Attackers impersonate popular packages with slight variations, tricking unsuspecting developers into downloading the malicious counterparts instead of the genuine ones.

    Popular packages like bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, selenium, scrapy, colorama, scikit-learn, pytorch, pygame, and pyinstaller are being targeted in this typosquatting campaign. The threat actors have created numerous variations, ranging from 13 to 38, for each of these packages, aiming to capitalize on potential typing mistakes and trick users into downloading the malicious versions. To avoid detection, the attackers have introduced a new obfuscation technique not seen in the previous wave from November 2022.

  • July 2022: In a supply-chain attack discovered in July 2022 and active since December 2021, malicious NPM modules were used to compromise numerous desktop apps and websites. The threat actors, known as IconBurst, employed typosquatting by creating similar-named packages, such as umbrellajs and ionic.io, to deceive developers. When developers unknowingly added these malicious packages to their applications or websites, data from embedded forms, including sign-in forms, were stolen. The campaign’s success was attributed to the use of typo-squatting, where attackers offer packages with names closely resembling legitimate ones in public repositories.


From an external threat landscape management perspective, typosquatting poses a significant risk to organizations and individuals. Typosquatting attacks can result in various security breaches, financial losses, and reputational damage.

OSINT Investigation:

During our OSINT research, we have discovered numerous instances of typosquatted domains that are specifically aimed at legitimate websites. One notable example is OpenAI’s ChatGPT, which has gained significant popularity worldwide, attracting a large user base. Exploiting this widespread usage, threat actors can capitalize on the opportunity by sending phishing emails containing URLs that closely resemble OpenAI’s legitimate domain.

In our investigation, we have identified approximately 5000 typosquatted domains associated with the legitimate domain “openai.com”. These malicious domains have been crafted in a way that deceives unsuspecting users into believing they are accessing the genuine OpenAI website. Here is the screenshot of such similar or typosquatted domains that we were able to find:

In a similar vein, Popular organizations like Amazon, known for its online retail and streaming services, are prime targets for typosquatters.
Our investigation revealed approximately 6000 typosquatted domains resembling “amazon.com”. These deceptive domains exploit common typing errors to trick users into thinking they are on the legitimate Amazon website. Fraudulent online stores hosted on these domains pose risks such as receiving counterfeit products or compromising payment information. Here is the screenshot of typosquatted domains associated with “amazon.com”:

Note: In order to safeguard their brand reputation and to protect users from the risks of typosquatting, major organizations and brands take proactive measures by registering defensive domains that closely resemble their official domains. These defensive registrations act as a crucial preventive measure, mitigating the potential for malicious actors to exploit minor variations or typographical errors, in an attempt to deceive unsuspecting users.

Furthermore, as evidenced below, the typosquatted domain “amazonpime.shop,” designed to mimic the legitimate Amazon Prime Video service, serves as a phishing site. The typosquatted domain “amazonpime.shop” is tagged as a phishing site by OSINT research tools.

This deceptive website bears a striking resemblance to the original platform and poses a threat to unsuspecting users. It can be utilized for nefarious activities such as stealing user credentials or distributing malicious software onto the victim’s system.

Following is the screenshot from a threat actor’s telegram group, where he is selling amazon’s phishing site hosted on such typosquatted domain on demand, and also provides a video demonstration of that.

Typosquatted domains, even if currently inactive, still pose a potential threat and can be utilized for future attacks. This technique targets not only specific domains like “openai.com” and “amazon.com” but any reputable website.

Proactive measures, such as monitoring domain registrations and conducting scans, are essential for managing the threat landscape.


Typosquatting is a prevalent technique that exploits users’ typing errors to redirect them to malicious websites, enabling various malicious activities such as phishing scams and identity theft. Our research also reveals the alarming reality of typosquatting in open-source supply chain attacks, emphasizing the need for heightened awareness and proactive measures in the open-source ecosystem.

By impersonating well-known brands, typosquatters deceive unsuspecting users and manipulate their online experiences for illicit gains. The significant number of typosquatted domains associated with popular organizations underscores the widespread nature of this threat.

To mitigate the risks of typosquatting, individuals and businesses must remain vigilant, exercise caution while browsing, and implement measures like domain monitoring and user education.


Recommendations for organizations:

  • Proactive Domain Registration Strategy: Proactively register typo-domains and variations of your domain name to prevent typosquatters from deceiving users. Additionally, consider registering country extensions, alternate spellings, and variants with and without hyphens. By securing these domains, you can prevent typosquatters from deceiving users. Redirect these domains to your main website.
  • Establish Website Trust with SSL Certificates: Implement SSL certificates on your website to establish trust and security, reducing the risk of users falling for typosquatted sites.
  • Alert Relevant Parties: Promptly inform customers, staff, and relevant parties if you discover someone impersonating your organization. Raise awareness about suspicious emails and phishing websites.
  • Reporting and Removing Suspicious Websites: Take action to have typosquatted websites shut down by following ICANN’s Uniform Domain Name Dispute Resolution policy.
  • Monitor Brand Usage with ICANN: Monitor your brand usage across different domains using ICANN’s (Internet Corporation for Assigned Names and Numbers) Trademark Clearing House to identify potential instances of typosquatting.

    By utilizing ICANN’s monitoring service, organizations can keep track of how their brand name is being used across different domains. It allows brand owners to receive notifications and alerts when new domain registrations include their trademarked names or similar variations.

  • Implement Robust Phishing Awareness and Training: Conduct regular phishing awareness and training programs for employees, educating them on identifying and reporting typosquatting threats.
  • Strengthen Legal Protections: Consult with legal professionals to understand legal measures, such as trademark registration and domain name disputes.

Recommendations for Individuals to protect themselves against typosquatting:

  • Double-check URLs: Double-check website URLs for spelling accuracy before entering sensitive information or making transactions.
  • Be cautious of suspicious emails: Exercise caution when receiving emails from well- known organizations, looking for signs of impersonation.
  • Bookmark trusted websites: Bookmark trusted websites directly in your browser instead of relying on search engine results.
  • Enable two-factor authentication (2FA): Enable two-factor authentication (2FA) for added account security. This can help protect your accounts, even if you inadvertently visit a typosquatted site and provide your login credentials.
  • Keep software and devices up to date: Keep software and devices up to date with the latest security patches.
  • Educate yourself about typosquatting: Stay informed about the latest typosquatting techniques and scams. Be aware of the potential risks and learn how to identify suspicious websites or emails.
  • Report suspicious websites: Stay informed about typosquatting techniques and scams to better identify suspicious websites or emails. Report suspicious websites to local law enforcement or the Anti-Phishing Working Group (APWG).

Remember, vigilance and awareness are key to protecting yourself from typosquatting attempts.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.