Hi Everyone!
My name is Robert Parker and I'm a Technical Solutions Consultant with Google Cloud Customer Success. I work with our customers in deploying and integrating Google Cloud Solutions, including Google Threat Intelligence.
Within Google Threat Intelligence, we have a module known as Digital Threat Monitoring, which helps users to protect their organization against activity in the Darknet. One of its capabilities, is Domain Protection Monitoring, which helps you to identify when threat actors are registering look-alike, or similar domains to your own organizations. This is often a trick used in phishing campaigns, where threat actors try to trick their victims into visiting a spoofed (fake) copy-cat version of the trusted organization’s website.
While DTM is great at identifying potential matches, or ones that do look similar your own domain, it’s not always immediately clear why it returned some of the results. I often see this when a customer asks me “Why did this domain get returned as similar to ours?” and it's important to understand the various types of Typo-squatting techniques threat actors use. Knowing this information can make it easier to understand why some of the Domain Protection results returned, when they immediately may not have looked related/relevant.
Below is a Table which summarizes Typo-squatting techniques, along with various examples to show them:
Table: Observed Typo-squatting Techniques & Examples
Typo-squatting Technique | Definition | Example |
| Omission | A character is removed from the domain. | example.com becomes exmple.com (missing 'a') |
| Addition | An additional character is inserted into the domain. | example.com becomes exxample.com (extra 'x') |
| Substitution | A character is replaced by another, often visually similar or adjacent on a keyboard. | example.com becomes exampl3.com (3 for e) or exqmple.com (q for a on QWERTY keyboard) |
| Transposition (Character Swap) | Two adjacent characters in the domain name are swapped. | example.com becomes exmaple.com (m and a swapped) |
| Hyphenation | A hyphen is added or removed within the domain name. | example.com becomes ex-ample.com or exam-ple.com |
| Homoglyph | Characters are substituted with visually similar characters, potentially from different character sets. | google.com becomes goog1e.com (digit '1' for lowercase 'l') or gooqle.com (Cyrillic 'q' for Latin 'g') |
| Missing Dot | A dot separating parts of the domain name is removed (e.g., in subdomains). | www.example.com becomes ww.example.com or exam.ple.com becomes example.com. |
| Missing Dashes/Strip Dashes | All or some hyphens within the domain are removed. | my-brand.com becomes mybrand.com |
| Character Omission (general) | Each character in the domain is iteratively omitted. | example.com produces xample.com, eample.com, exmple.com, etc. |
| Adjacent Character Insertion | A character adjacent to an existing one on a keyboard layout (e.g., QWERTY) is inserted. | example.com might become erxample.com (r is adjacent to e on QWERTY) or exqmple.com (q is adjacent to a). |
| Singular/Pluralise | Adding or removing an 's' to make the domain singular or plural. | product.com becomes products.com; brands.com becomes brand.com |
| Character Repeat | A character within the domain is duplicated. | example.com becomes exammple.com (double 'm') |
| Bitsquatting | A single bit error is simulated in the ASCII representation of a character, resulting in a different character. | example.com might become exampie.com (a bit flip in 'l' could result in 'i') |
| Wrong Top Level Domain (TLD) | The domain's Top Level Domain is replaced with another common TLD. | example.com becomes example.org or example.net |
| Wrong Second Level Domain | For multipart TLDs (e.g., ccTLDs), the second level domain is changed. | example.co.uk becomes example.org.uk |
| Wrong Third Level Domain/Subdomain | A dot is inserted into the domain name to create a subdomain, or an existing subdomain is altered. | example.com becomes ex.ample.com or www.example.com becomes ww.example.com |
| Ordinal Number Swap | Numbers in the domain are converted to their word equivalent, or vice versa. | top10.com becomes toptenth.com; firstchoice.com becomes 1stchoice.com |
| Combosquatting (Keywords) | Common keywords related to security, support, login, etc., are appended to the brand name. | paypal.com becomes paypal-security.com or paypal-login.com |
| Addition (general) | Any character is added to the domain name. | example.com could become example-login.com, exampleweb.com, etc. |
| Add Dash | A hyphen is inserted at various positions within the domain name. | example.com becomes e-xample.com, ex-ample.com, exampl-e.com |
| ChangeDotDash | A dot in the domain name (often in subdomains) is replaced with a hyphen. | sub.example.com becomes sub-example.com |
| Replacement (keyboard layout) | Each letter is replaced with letters to the immediate left and right on the keyboard (e.g., QWERTY). | On a QWERTY keyboard, example.com might produce exqmple.com (q adjacent to a), ezaample.com (z adjacent to a), etc. |
| Add TLD | An additional Top Level Domain is inserted before the legitimate TLD. | example.com becomes example.com.it or examle.com.ru |
| Common Misspellings | Words in the domain are replaced with their common misspellings. | calendar.com becomes calender.com |
| Homophones | Words in the domain are replaced with words that sound phonetically similar but have different spellings. | write.com becomes rite.com or right.com |
We hope this table is useful for better understanding the various ways that Threat Actors and other evil tries to trick users into clicking and visiting sites they should not be going to.
Do you have any other Typo-squatting techniques to share? Or other domain examples that you are able to share? If so, leave me a comment and I’m happy to follow up and chat!