Home / Industry

What Are the Common Forms of Bulk Domain & Typosquatting Registrations?

Note: A special thanks to Ed Gibbs, WhoisXML API’s Advanced Threat Researcher & Technical Account Manager, for his help compiling the data used in this post.

Typosquatting can enable a variety of cyber threats that include but are not limited to phishing, malware-enabled attacks, and vulnerability exploitation. In a nutshell, the attackers can rely on the technique to mimic legitimate solution and service providers’ domains to trick users into thinking they are getting update notifications from their vendors, for example, when they are actually not.

Now, typosquatting is not a new practice, which leads to the questions of “How prevalent is it nowadays?” and “What do related domain registrations may look like in practice?”

To help answer these questions, we obtained recent lists of bulk-registered domains with varying sizes that are potentially typosquatting on the legitimate web properties of 11 brands, namely:

  • Amazon (Fortune 500’s top 2 company)
  • Aldi (a discount supermarket chain with more than 10,000 stores in 20 countries)
  • Adidas (Fortune All-Star’s top 40 company)
  • Apple (Fortune 500’s top 4 company)
  • AT&T (Fortune 500’s top 11 company)
  • Audi (a subsidiary of Volkswagen, Fortune Most Admired Companies top 6)
  • Baoyu (a sewing machine manufacturer in China)
  • Happy Planet (an organic juice and smoothie company in Canada)
  • Kids’ Choice Awards (Nickelodeon’s annual awards ceremony show)
  • Flipkart (an e-commerce company in India)
  • Tata (one of the biggest and oldest industrial group of companies in India)

Analysis of the Potential Typosquatting Domains

Our sample comprises 921 bulk-registered look-alike domains.

The company or brand with the highest number of potential typosquatting domains was surprisingly Happy Planet, which is probably not the most popular globally in the list. The following chart shows how many look-alike domains were bulk-registered for each company or brand in our sample.

Chart 1: Domain volume distribution by brand or company

The companies mentioned in Chart 1 may find it useful to look more closely at these possible typosquatting registrations as part of brand protection efforts.

Interestingly, the use of a letter followed by a number and a hyphen before the brand or company name (e.g., a7-amazon[.]work, b1-aldi[.]top, c2-adidas[.]top, a1-flipkart[.]work, and d1-tata[.]top) was observed among 294 domains. The exact numbers of such domain names per brand or company are shown in the chart below.

Chart 2: Distribution volume of domains that use the same format

But that was not the most popular domain format it seems, as we obtained more than 400 .top domains comprising 10 letters beginning with “g” that do not necessarily form comprehensible names (e.g., ghrsivnesh[.]top, gprsivnese[.]top, and gnrsivnesad[.]top). Note that some attackers are known for using seemingly machine-generated domain names with random letters and numbers for their campaigns. Also, many of these domains could not be publicly attributed to legitimate organizations based on closer looks at their WHOIS records.

A comparison of the top-level domain (TLD) extensions the domain names used, meanwhile, revealed that a majority 333 (36%) used .com. This was followed by .work that was used by 161 domains (17%) and .online (126 domains or 14%). The rest were distributed across eight other TLDs—.top, .site, .date, .buzz, .xyz, .info, .shop, and .best. Take a look at the chart below for more details.

Chart 3: Domain volume distribution by TLD

Based on the results shown in Chart 3, it would seem that based on our sample more potential typosquatting domains (583 or 63%) use new generic TLDs (gTLDs) (e.g., .work, .online, and .top) as opposed to the more traditional ones (i.e., .com and .info). That said, companies would also do well to pay special attention to traffic coming from and going to sites that use domains with new gTLDs.

If you are interested in replicating the analysis in this post to keep threats out of your own network or just wish to gather and analyze the same kind of typosquatting data for research, feel free to apply to the Typosquatting Community Feed.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign