Typosquatting Continues to Pose Dangers to Enterprises, Consumers

While typosquatting is not a new phenomenon, recent research highlights that it is being used to collect sensitive corporate information from employees and lure consumers to interact with dubious websites.

Typosquatting is a type of cybersquatting in which cybercriminals register a domain name that closely resembles a well-known site or brand, often taking advantage of common typos people make while typing in URLs. Once a user unknowingly types in a typosquatted domain or uses a typosquatted domain in an email address, the visit or the message goes to the squatter instead of the intended site or recipient.

Security consultancy Godai Group recently uncovered the use of a specific type of typosquat, a “doppelganger domain,” to collect sensitive enterprise information via email-based attacks. A doppelganger domain is one that is not misspelled, but instead is missing the dot between the subdomain and domain. An example would be “mailyahoo.com,” which targets Yahoo!’s popular mail service “mail.yahoo.com.” The researchers found that 30% of the Fortune 500 (or 151 corporations) were susceptible to doppelganger domain-based attacks.

To demonstrate just how vulnerable companies are, the researchers bought 30 doppelganger domains relating to Fortune 500 companies. Over six months, these domains captured more than 120,000 individual emails (and 20 gigabytes of data) containing sensitive information such as trade secrets, business invoices, employee login credentials and network diagrams. The information was collected through a passive attack, where the cybercriminal configures an email server to catch all email addressed to the typosquatted domain.

Godai Group also described another type of attack—a Man-in-the-Mailbox attack—which could leverage two doppelganger domains to intercept email communications between two companies. This type of attack would succeed if both email sender and recipient were unaware of the mistyped email domains.

Other recent findings by M86 Security and OpenDNS highlight attacks targeting consumers by leveraging typosquatted domains based on popular websites. M86 Security, for example, discovered at least 15 typosquatted domains targeting YouTube. OpenDNS came across a typosquatted domain targeting Twitter (which was still up at the time of this blog posting). If consumers mistakenly type in one of these typosquatted domains, they land on either an online survey or a dating website carrying the branding, as well as the trust, of the official site. The goal of these sites is to entice users to take a quick survey and provide their credentials in exchange for a prize. In the end, however, consumers often walk away with their credentials stolen, signed up for unwanted services, and possibly even with malware on their computer.

So how can brands protect their employees and customers? Here’s a short list of recommendations:

Proactively register defensive domains: if brands own doppelganger domains and other common misspelled domain names, the risk of these types of attacks is greatly reduced.

Monitor for typosquatting abuse: brands should continuously monitor newly registered domain names for typo/cybersquatted names targeting their brands. Early detection allows brands to take action before significant damage is done.

Take quick action: as typosquatted domain names (including doppelganger domains) are confusingly similar to trademarks, brands have good success in recovering these domains, either through cease-and-desist letters or UDRP.

Educate employees and customers: if both audiences are made aware of these types of attacks which involve sophisticated social engineering techniques, then they will be less susceptible to them. Sending alerts while current attacks are live will help mitigate the impact as well.

Modify DNS and Email Server configurations: corporations can either configure their internal DNS to not resolve any doppelganger domains or their mail servers to prevent any outbound emails from reaching doppelganger domains.
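
As an added illustration (not code from Godai Group or MarkMonitor), the sketch below derives the doppelganger domains for an organization's own hostnames, which gives the list to register defensively or block, and then holds outbound recipients that fall on one of them. The hostnames and addresses are constructed under the reserved `.example` TLD, and `suffix_labels` is an assumed stand-in for a Public Suffix List lookup.

```python
def doppelganger_domains(hostnames, suffix_labels=1):
    """Map each registrable doppelganger domain to the hostname it imitates.

    suffix_labels is the number of labels in the public suffix
    (1 for "com", 2 for "co.uk"); an assumption made for this example
    in place of a Public Suffix List lookup.
    """
    found = {}
    for host in hostnames:
        name = host.lower().rstrip(".")
        labels = name.split(".")
        # Need at least subdomain + domain + suffix, or there is no dot to drop.
        if len(labels) < suffix_labels + 2:
            continue
        sub, domain = labels[-suffix_labels - 2], labels[-suffix_labels - 1]
        suffix = ".".join(labels[-suffix_labels:])
        # Drop the dot between subdomain and domain:
        # mail.acme.example -> mailacme.example
        found.setdefault(f"{sub}{domain}.{suffix}", name)
    return found


def flag_recipients(recipients, doppelgangers):
    """Return (address, imitated_hostname) for recipients on a doppelganger domain."""
    hits = []
    for addr in recipients:
        rcpt_domain = addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
        for bad, legit in doppelgangers.items():
            # Match the doppelganger and anything beneath it, because a
            # catch-all mail server on that domain accepts both.
            if rcpt_domain == bad or rcpt_domain.endswith("." + bad):
                hits.append((addr, legit))
                break
    return hits


# Constructed sample data; acme.example is a hypothetical organization.
HOSTS = ["mail.acme.example", "us.vpn.acme.example", "acme.example"]
OUTBOUND = ["alice@mail.acme.example", "bob@mailacme.example",
            "carol@us.vpnacme.example", "dave@acme.example"]

if __name__ == "__main__":
    blocklist = doppelganger_domains(HOSTS)
    for domain, legit in sorted(blocklist.items()):
        print(f"register or block: {domain}  (imitates {legit})")
    for addr, legit in flag_recipients(OUTBOUND, blocklist):
        print(f"hold outbound mail: {addr}  (intended {legit}?)")
```

The same derived list can feed an internal DNS block zone or an outbound mail rule, and it doubles as the watch list when monitoring newly registered domain names.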

By Mary Roach, Director of Product Marketing, MarkMonitor

Mary Roach also contributes to the MarkMonitor weblog located here.

shrug, some of it is standard phishing and a lot more is a set of overblown threats Suresh Ramasubramanian  –  Sep 26, 2011 11:11 AM

I do wish copyright infringement registrations weren't confused with security.
