
How to Protect Your Brand from Cybersquatting and Typosquatting with a Free Tool

By Content Team on

Cybersquatting is the practice of registering an internet domain name that attempts to take advantage of an existing brand, person, or company name. Typosquatting, as the name suggests, is the registration of domains containing intentional typos, which act as "traps" when users make these same mistakes.

Criminals often leverage cybersquatting in phishing scams or fake online stores, as we have already discussed in the past. Monitoring cybersquatting can help uncover incidents where brands and trademarks are used without authorization, whether for fraud or other purposes. By tracking similar domain names, it is possible to gain visibility into malicious activity that would typically go undetected.

Typosquatting, sometimes called Typo Hijacking, can be considered a category of cybersquatting. When intentional, typosquatting can be just as harmful as other forms of cybersquatting, if not more so. Several instances of typosquatting have been linked to malware distribution campaigns.

Nearly 20 years ago, in 2005, Google had to fight over the rights to domain names such as "googkle.com," "ghoogle.com," and "gooigle.com" because an individual allegedly hosted malware at these addresses. Those are clear examples of typosquatting, as each additional letter is near one of the surrounding letters on a standard QWERTY keyboard. For example, the "K" is close to the "L," which means it is possible to hit it unintentionally when typing the "L" in Google, and that's where "googkle" comes from.

More recently, in 2020, TikTok had the same problem with "tiktoks.com" and several other domains. While it is unlikely that someone would type an "S" after the "K" in TikTok by accident, a user could think (or be tricked into thinking) that "TikToks" is the actual name of the social platform.
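The keyboard-adjacency reasoning behind "googkle" and the appended letter in "tiktoks" can be applied mechanically when triaging newly observed registrations. The following is an added example, not part of the original article and not the algorithm of any Axur tool; the key-row table, the class names and the sample list are assumptions made for illustration.

```python
# Added example: name the single-keystroke slip that turns a brand label into
# an observed one, so look-alike registrations can be triaged by likely cause.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # QWERTY letter rows (assumed layout)

def neighbours(ch):
    """Letters touching ch on a staggered QWERTY keyboard."""
    out = set()
    for r, row in enumerate(ROWS):
        c = row.find(ch)
        if c < 0:
            continue
        out.update(row[max(c - 1, 0):c] + row[c + 1:c + 2])   # left and right
        if r > 0:
            out.update(ROWS[r - 1][c:c + 2])                   # row above
        if r + 1 < len(ROWS):
            out.update(ROWS[r + 1][max(c - 1, 0):c + 1])       # row below
    return out

def classify(brand, cand):
    """Return the one-edit typo class linking cand to brand, or None."""
    if len(cand) == len(brand) + 1:                  # one extra letter
        for i, extra in enumerate(cand):
            if cand[:i] + cand[i + 1:] != brand:
                continue
            around = cand[max(i - 1, 0):i] + cand[i + 1:i + 2]
            if extra in around:
                return "repeated-letter"
            if any(extra in neighbours(a) for a in around):
                return "adjacent-key-insertion"
            return "appended-letter" if i == len(brand) else "insertion"
    elif len(cand) == len(brand) - 1:                # one letter missing
        if any(brand[:i] + brand[i + 1:] == cand for i in range(len(brand))):
            return "omission"
    elif len(cand) == len(brand) and cand != brand:  # same length
        diff = [i for i in range(len(brand)) if brand[i] != cand[i]]
        i = diff[0]
        if len(diff) == 1:
            near = cand[i] in neighbours(brand[i])
            return "adjacent-key-substitution" if near else "substitution"
        if len(diff) == 2 and brand[i:i + 2] == cand[i:i + 2][::-1]:
            return "transposition"
    return None

def triage(brand, domains):
    """Map each look-alike domain to its typo class (first label only)."""
    return {d: k for d in domains if (k := classify(brand, d.lower().split(".")[0]))}

# Constructed sample of observed registrations; the first three are the article's.
OBSERVED = ["googkle.com", "ghoogle.com", "gooigle.com", "gogle.net", "example.org"]
print(triage("google", OBSERVED))
```

The "tiktoks" case comes back as an appended letter rather than an adjacent-key slip, matching the article's point that it relies on name confusion instead of a typing accident.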

Compounding the issue are two recent changes to the domain name system: internationalized domain names (IDNs) and generic top-level domains (gTLDs). 

  • IDN — Modern browsers support domains with non-ASCII characters, which are encoded into ASCII by a technology called Punycode. Characters may look practically identical yet be encoded differently. This is intended to support domains in languages using different character sets, but it creates confusion when characters from multiple character sets are mixed. The Cyrillic character set has an "І" that is neither an "L" nor an uppercase "i" – it is an entirely different character despite looking very similar in many fonts. Special characters like ü and á, among others, can also be used to create international domains, and users won't always grasp the significance of these slight differences when recognizing a scam or impersonation.
  • gTLD — The Internet Corporation for Assigned Names and Numbers (ICANN) allows companies to propose new top-level domains. Each gTLD can allow new registrations, opening up new options for criminals. Our 2023 Threat Landscape Report noted that several of these gTLDs (such as .xyz, .online, .shop) are frequently used in phishing scams.
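A monitoring pipeline can flag the IDN cases described above by decoding Punycode labels, checking for mixed scripts, and folding look-alike characters back to ASCII before comparing against the brand. This is an added example, not code from the original article or from any Axur product; the look-alike table is a small constructed subset and the function names and sample domains are assumptions.

```python
import unicodedata

# Small look-alike table constructed for this example; a production check
# should load the full Unicode confusables data (UTS #39) instead.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
              "\u03bf": "o", "\u0131": "i"}

def to_unicode(domain):
    """Decode xn-- (Punycode) labels; Unicode labels pass through unchanged."""
    labels = domain.lower().split(".")
    return ".".join(lab[4:].encode("ascii").decode("punycode")
                    if lab.startswith("xn--") else lab for lab in labels)

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Strip accents and fold known look-alikes to plain ASCII letters."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(CONFUSABLE.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def check_idn(domain, brand):
    """List findings for the first label of domain against an ASCII brand."""
    try:
        label = to_unicode(domain).split(".")[0]
    except UnicodeError:
        return ["invalid-punycode"]
    findings = []
    if not label.isascii():
        if len(scripts(label)) > 1:
            findings.append("mixed-script")
        if skeleton(label) == brand:
            findings.append("lookalike-of-brand")
    return findings

# Constructed samples: Cyrillic o (U+043E) in google, accented o in tiktok,
# Cyrillic i (U+0456) in tiktok, and a legitimate German IDN.
SAMPLES = [("g\u043e\u043egle.com", "google"), ("tikt\u00f3k.com", "tiktok"),
           ("t\u0456ktok.com", "tiktok"), ("m\u00fcnchen.de", "google")]
for domain, brand in SAMPLES:
    print(ascii(domain), check_idn(domain, brand))
```

A label written entirely in one non-Latin script passes the mixed-script check, which is why the skeleton comparison is run separately.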

Given how prevalent malicious activity is on the web and how easy it is for criminals to register domain names, many companies will have their online domains cybersquatted at some point. Popular online stores or platforms can expect to have their services cybersquatted very frequently.

 

Why do Hackers Use Cybersquatting?

Just as any legitimate business needs a domain name to be found online, cyberattacks often need some kind of infrastructure to reach their victims. 

When criminal domains are not completely random, they are often "inspired" by a legitimate domain name – sometimes because this provides a significant advantage, sometimes because it is required for the type of scam they are trying to perpetrate. Here are some examples:

  • Phishing — Criminals use similar domain names in phishing attacks to host fake websites or malicious links.
  • Avoiding Detection — When hackers need to use Command & Control (C2) domains for their ransomware or stealer malware campaigns, they may attempt to remain under the radar by using legitimate-looking domains as part of their infrastructure. A security analyst probably won’t trust "ransomc2datastealer [dot] com," but could be tricked into thinking "onmicrosoft-365 [dot] com" is a legitimate domain.
  • Online Fraud and Spoofing — Criminals can use cybersquatted domains in online advertisements, social media profiles, and other scams. When illegitimate domains are created to impersonate celebrities, executives (or any real person), this is also called Name Jacking.
  • Targeted Attacks and Watering Holes — A "watering hole" is a cyberattack strategy in which an attacker guesses or observes which websites their victims will visit. Typosquatting can be used in conjunction with this tactic to bet on typos that an employee might make. Similar-looking domains can also be used to craft more convincing fake emails, especially in spear phishing scenarios where the message is custom-made for the targeted user or company.
  • Business Email Compromise (BEC) — Criminals may attempt to impersonate vendors, coworkers, and other entities by creating similar domain names. This can be used to carry out BEC fraud or other payment fraud where an attacker convinces an organization member to pay an illegitimate invoice.

 

The Role of MSSPs in Protecting Against Cybersquatting and Typosquatting

Managed Security Service Providers (MSSPs) are essential allies in the fight against cybersquatting and typosquatting. These providers leverage advanced monitoring tools and threat intelligence to continuously track and identify malicious domain registrations that could harm their clients' brands. MSSPs use platforms like Axur to automate the detection of suspicious domains and streamline the response process, ensuring rapid takedown of fraudulent websites. By outsourcing these critical tasks to MSSPs, companies can benefit from specialized expertise and resources, allowing them to focus on core operations while maintaining robust protection against cyber threats.

 

Finding Similar Domain Names for Free

The Axur Platform continuously monitors domain names to find registered matches that could be used in a cyber attack.

However, we also provide the free Domain Watchdog tool that you can use to search for similar domain names manually.

Using Domain Watchdog, you can:

  • Search for typosquatting variations: The tool uses an algorithm to detect potential typos and automatically searches for these variations.
  • Filter out less relevant results: A registered domain does not always have an active website, so you can filter out results that are not currently responding to common web ports like 80 and 443. You can also completely filter out domains that don't have an active IP address.
  • Homoglyph search: Searches for letters that are visually similar and IDN homoglyphs.
  • Find domains in other TLDs: Your search is not limited to common top-level domains like ".com" or ".net." Instead, you can find domains across all top-level domains.

 

What Can be Done When a Domain is Cybersquatted?

It is possible to issue takedown requests and take legal action against malicious cybersquatters who have registered domains in bad faith to deceive your customers. This is how companies like TikTok and Google have managed to obtain the rights to domain names that infringed on their trademarks.

Depending on the parties involved and how the domain was used, it may not be too difficult to resolve the incident. When cybersquatting is accidental or the damage is not as obvious, the case can be more complicated.

Nevertheless, the first step is to find the infringing domain and collect all the evidence necessary for an investigation or issuing a takedown. The Axur Platform can help with all these steps and provide continuous monitoring, but you can also use the Domain Watchdog tool to keep an eye on your online presence.


GUEST EXPERT

Eduardo Schultze, Coordinator of Axur's CSIRT, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.

AUTHOR

Content Team

Experts in creating relevant external cybersecurity content to make the internet a safer place.