Note: A special thanks to Ed Gibbs, WhoisXML API’s Advanced Threat Researcher & Technical Account Manager, for his help compiling the data used in this post.

Typosquatting can enable a variety of cyber threats that include but are not limited to phishing, malware-enabled attacks, and vulnerability exploitation. In a nutshell, the attackers can rely on the technique to mimic legitimate solution and service providers’ domains to trick users into thinking they are getting update notifications from their vendors, for example, when they are actually not.

Now, typosquatting is not a new practice, which leads to the questions of “How prevalent is it nowadays?” and “What do related domain registrations may look like in practice?”

To help answer these questions, we obtained recent lists of bulk-registered domains with varying sizes that are potentially typosquatting on the legitimate web properties of 11 brands, namely:

• Amazon (Fortune 500’s top 2 company)
• Aldi (a discount supermarket chain with more than 10,000 stores in 20 countries)
• Adidas (Fortune All-Star’s top 40 company)
• Apple (Fortune 500’s top 4 company)
• AT&T (Fortune 500’s top 11 company)
• Audi (a subsidiary of Volkswagen, Fortune Most Admired Companies top 6)
• Baoyu (a sewing machine manufacturer in China)
• Happy Planet (an organic juice and smoothie company in Canada)
• Kids’ Choice Awards (Nickelodeon’s annual awards ceremony show)
• Flipkart (an e-commerce company in India)
• Tata (one of the biggest and oldest industrial group of companies in India)

Analysis of the Potential Typosquatting Domains

Our sample comprises 921 bulk-registered look-alike domains.

The company or brand with the highest number of potential typosquatting domains was surprisingly Happy Planet, which is probably not the most popular globally in the list. The following chart shows how many look-alike domains were bulk-registered for each company or brand in our sample.

The companies mentioned in Chart 1 may find it useful to look more closely at these possible typosquatting registrations as part of brand protection efforts.

Interestingly, the use of a letter followed by a number and a hyphen before the brand or company name (e.g., a7-amazon[.]work, b1-aldi[.]top, c2-adidas[.]top, a1-flipkart[.]work, and d1-tata[.]top) was observed among 294 domains. The exact numbers of such domain names per brand or company are shown in the chart below.

But that was not the most popular domain format it seems, as we obtained more than 400 .top domains comprising 10 letters beginning with “g” that do not necessarily form comprehensible names (e.g., ghrsivnesh[.]top, gprsivnese[.]top, and gnrsivnesad[.]top). Note that some attackers are known for using seemingly machine-generated domain names with random letters and numbers for their campaigns. Also, many of these domains could not be publicly attributed to legitimate organizations based on closer looks at their WHOIS records.

A comparison of the top-level domain (TLD) extensions the domain names used, meanwhile, revealed that a majority 333 (36%) used .com. This was followed by .work that was used by 161 domains (17%) and .online (126 domains or 14%). The rest were distributed across eight other TLDs—.top, .site, .date, .buzz, .xyz, .info, .shop, and .best. Take a look at the chart below for more details.

Based on the results shown in Chart 3, it would seem that based on our sample more potential typosquatting domains (583 or 63%) use new generic TLDs (gTLDs) (e.g., .work, .online, and .top) as opposed to the more traditional ones (i.e., .com and .info). That said, companies would also do well to pay special attention to traffic coming from and going to sites that use domains with new gTLDs.

If you are interested in replicating the analysis in this post to keep threats out of your own network or just wish to gather and analyze the same kind of typosquatting data for research, feel free to apply to the Typosquatting Community Feed.