Brand Abuse, Digital Fraud

Cybersquatting: Why Monitor Registered Domains?


In times of digital transformation (which virtually require your brand to have an active digital presence), the first step in starting a new business venture seems somewhat obvious: create your site. You decide on the name of your company, look up your preferred address and find out whether it is available. You make the purchase, and from then on you pay a renewal fee, usually a nominal $10 per year for a .com domain.

What many forget is that easy domain registration also works in favor of opportunistic scammers, who can create domain names similar to yours and carry out scams on unwary Internet users, or even threaten you with extortion. Upon registering a domain that’s similar to the real one (for example, instead of it could be, a cybercriminal can host a phishing site to capture your customers’ data. This practice is what we call cybersquatting.

It refers to the act of dishonestly registering a domain similar to a site with a registered trademark, with the intention of making a profit through scams or by reselling it at an inflated price.


Several ways to deceive

Cybersquatting is a type of fraud that encompasses a series of different techniques for registering similar domains with the intent of harming consumers or the companies themselves. One of the most famous “subgenera” of the practice is typosquatting, which involves registering addresses with intentional typos (, since the “s” key is next to the “a” key), a subtle variation (, or a different top-level domain (,,, and so forth). The possibilities are endless, but we’ve listed below the most commonly used techniques:

  • Homoglyph: uses similar letters or characters to create a domain that is visually similar to the original. For example: (which uses an uppercase “i” instead of a lowercase “l”).
  • Repetition: the use of repeated characters, generally taking advantage of Internet users who write very quickly and hit the same key twice. For example:
  • Transposition: exchanging the location of two or more characters, again targeting Internet users who write very quickly and make typing errors. For example:
  • Substitution: substituting a character for one that is adjacent on the keyboard. For example:
  • Omission: omitting a letter from the original domain. For example:
  • Insertion: inserting a letter into the original domain. For example:
  • Missing dot: removing a dot from the domain to create visual confusion that may fool the user at first glance. For example:
  • Singularization or pluralization: adding or removing a letter to make the domain plural or singular, in contrast to its original form. For example:
  • Changing a vowel: as the name suggests, changing a vowel in the legitimate domain. For example:
  • Incorrect TLD: substituting the top-level domain with a similar one. For example:,, etc.

As you can see, most of these scams prey on the user’s inattention when accessing a legitimate site. Perhaps he misunderstood the site’s name when hearing it at a presentation, then entered it incorrectly. Or, if he frequently visits the page, he might have fallen into the trap by entering the URL hurriedly, without due attention to writing the characters correctly.
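The techniques listed above can be turned into a triage check for a feed of newly registered names. The following is an added example, not code from the original article or from Axur: `example.com` stands in for the protected brand, and the feed, the QWERTY adjacency rows and the look-alike pairs are constructed for illustration.

```python
VOWELS = set("aeiou")
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]      # QWERTY rows (assumed keyboard layout)
LOOKALIKE = {("l", "i"), ("l", "1"), ("o", "0")}   # constructed ASCII look-alike pairs

def adjacent(a, b):
    """True if a and b sit side by side on one QWERTY row."""
    return any(a in r and b in r and abs(r.index(a) - r.index(b)) == 1 for r in ROWS)

def classify(brand, candidate):
    """Name the single-edit technique that turns `brand` into `candidate`, or None."""
    b, _, b_tld = brand.lower().partition(".")
    c, _, c_tld = candidate.lower().partition(".")
    if c == b:
        return "incorrect TLD" if c_tld != b_tld else None
    if c == "www" + b:
        return "missing dot"
    if len(c) == len(b):
        diff = [i for i in range(len(b)) if b[i] != c[i]]
        if len(diff) == 1:
            x, y = b[diff[0]], c[diff[0]]
            if (x, y) in LOOKALIKE:
                return "homoglyph"
            if x in VOWELS and y in VOWELS:
                return "vowel change"
            if adjacent(x, y):
                return "substitution"
        if len(diff) == 2 and diff[1] - diff[0] == 1 and b[diff[0]:diff[1] + 1] == c[diff[0]:diff[1] + 1][::-1]:
            return "transposition"
    if len(c) == len(b) + 1:
        if c == b + "s":
            return "pluralization"
        for i in range(len(c)):
            if c[:i] + c[i + 1:] == b:
                # The extra character is a repeat if it equals one of its neighbours.
                doubled = c[i] in c[max(i - 1, 0):i] + c[i + 1:i + 2]
                return "repetition" if doubled else "insertion"
    if len(c) == len(b) - 1 and any(b[:i] + b[i + 1:] == c for i in range(len(b))):
        return "singularization" if b == c + "s" else "omission"
    return None

# Constructed feed of newly registered names (not real observations).
FEED = ["exampie.com", "exaample.com", "exampel.com", "examole.com", "exmple.com", "exbample.com",
        "wwwexample.com", "examples.com", "exemple.com", "example.co", "example.com", "unrelated.org"]

def triage(brand, feed):
    """Return {domain: technique} for every feed entry that imitates the brand."""
    return {d: t for d in feed if (t := classify(brand, d))}

print(triage("example.com", FEED))
```

Only names one edit away from the brand are flagged; a production monitor would also compare longer edit distances and the full keyboard neighbourhood.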


Foreign alphabets: the frosting on the cake

But there’s a yet more elaborate technique that cybercriminals are employing with ever-increasing frequency to undermine Internet users and create domains that, upon first glance, look identical to the original: inserting characters from foreign alphabets. Most frequently used is Cyrillic script (used in Slavic languages), but Greek is also commonly found. These alphabets have characters that, visually speaking, are extremely similar to Latin script (ours).

For example, can you tell the difference between “a” and “а”? Though they both look the same, the first is a conventional letter from our Latin alphabet, while the second is derived from the Cyrillic. If you enter exа (with the Cyrillic “а”) into your browser, the URL address bar will probably render it as, which is the way that modern browsers deal with non-Latin characters. It’s what we call punycode.

Despite that fact, until the malicious link is clicked it looks exactly like the original, and that can deceive a lot of distracted people. In addition, some browsers (like Mozilla Firefox) do not use punycode and render foreign characters normally, increasing the danger of possible phishing even more. That’s not to mention the use of this kind of domain for email scams. With this technique, it’s very easy to mimic official support email from large social networks or virtual stores.

This is such a common problem that several researchers and specialists have already issued alerts on the subject. There are about 136,000 Unicode characters, and tons of them are very similar to each other.
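A monitoring pipeline can decode punycode names and check which alphabets they mix. The following is an added example, not code from the original article: the confusable table is a small constructed subset, and the spoofed names are built inline from the reserved `example.com` and a made-up brand label `copa`.

```python
import unicodedata

# Small constructed subset of Cyrillic/Greek letters that resemble Latin ones.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u03bf": "o", "\u03b1": "a"}

def to_unicode(domain):
    """Decode xn-- (punycode) labels into the characters a user would see."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna").lower()
    return domain.lower()

def scripts(label):
    """Alphabets used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)

def inspect(domain, brands):
    """Report what a domain displays as and whether it imitates a protected label."""
    shown = to_unicode(domain)
    label = shown.split(".")[0]
    found = scripts(label)
    imitates = next((b for b in brands if skeleton(label) == b and label != b), None)
    return {"displayed": shown, "scripts": sorted(found),
            "mixed_script": len(found) > 1, "imitates": imitates}

# Constructed samples: "example" with a Cyrillic "а", in its punycode form,
# and a label written entirely in Cyrillic that reads as "copa".
SPOOF = "ex\u0430mple.com".encode("idna").decode("ascii")
WHOLE_SCRIPT = "\u0441\u043e\u0440\u0430.com"

for name in (SPOOF, WHOLE_SCRIPT, "example.com"):
    print(name, inspect(name, ["example", "copa"]))
```

The second sample shows why a mixed-script test alone is not enough: a label written entirely in one foreign alphabet passes it, and only the skeleton comparison catches the imitation.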




Domain monitoring: taking care of your digital presence

Obviously, it makes no sense for you to spend hours and hours thinking of every possibility that a cybercriminal could use to defraud your domain, or to spend buckets of money registering all the similar URLs in existence. That’s exactly why it’s so important to invest in domain monitoring.

We’re talking about solutions that check the registry 24 hours a day, seven days a week for addresses similar to that of your company, and that could be used in the future to scam your customers or for corporate extortion.

By knowing ahead of time if a similar domain is registered, you can take appropriate measures, such as contacting the registrant, warning your customers about future scams or even filing a takedown notice if a fake site is live. For that you can depend on Axur’s solutions, which monitor millions of existing domain names and search for variations of your company’s brand, issuing alerts as soon as any danger is detected.



Eduardo Schultze, CSIRT Coordinator at Axur, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.


We are journalists, but we are also hackers - we aim to solve problems by analyzing them in a creative way and by finding different ways of using the tools that we have.