Cyber Threats #typosquatting #phishing #domain spoofing

Typosquatting Attacks: How Hackers Exploit Misspellings

Learn how typosquatting attacks work, real-world examples from npm to phishing domains, and how to protect yourself and your organization from URL spoofing.


You type “gogle.com” instead of “google.com” and hit enter. Within milliseconds, you could be landing on a phishing page, downloading malware, or having your credentials harvested — all because of a single mistyped letter. This is typosquatting: the practice of registering domain names that closely resemble legitimate ones, designed to catch users who make common typing errors.

In 2026, typosquatting has expanded far beyond mistyped URLs. The same technique now targets software package registries (npm, PyPI), mobile app stores, and even keyboard autocorrect suggestions. It’s one of the most cost-effective attacks in a cybercriminal’s toolkit — a domain costs $10/year and can generate thousands of victims.

Types of Typosquatting

Character transposition: Swapping adjacent letters (amzaon.com instead of amazon.com). This is one of the most common types, because fingers routinely swap characters when typing quickly.

Missing or extra characters: faceboook.com (extra ‘o’), gihub.com (missing ‘t’ from github.com).

Character substitution: Replacing a letter with an adjacent key (goofle.com, f sitting next to g), or with a visually similar sequence: rn reads as m in many fonts, so rnicrosoft.com passes for microsoft.com at a glance.

Homograph attacks (IDN homographs): Using Unicode characters that are visually identical to ASCII letters. The Cyrillic ‘а’ (U+0430) is indistinguishable from the Latin ‘a’ (U+0061) in most fonts, and Cyrillic also has lookalikes for p, y, e, o, c, x and i. A paypal.com lookalike built from Cyrillic р, а, у, р, а plus a Latin l renders identically in the address bar. Internationalized domain names are carried on the wire as Punycode (an xn-- label); modern browsers fall back to displaying that form when a label mixes scripts, but many email clients still render the Unicode form, so the lookalike survives in the message body.
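The two checks a browser or mail gateway would run on such a label, as an added example for this article (it is not code from any browser, mail client or library): detect script mixing within a label, map confusable characters back to the Latin letters they resemble and compare against a brand list, and show the Punycode form the wire actually carries. CONFUSABLES is a hand-picked subset of Unicode’s confusables.txt and BRANDS is a constructed watch list; both are assumptions for the demo. The whole-script sample shows the case the mixed-script rule alone misses: a name spelled entirely in Cyrillic that still reads as a Latin brand.

```python
"""Flag IDN homograph lookalikes of brand domains.

Added example for this article; it is not code from any browser, mail client
or library. CONFUSABLES is a hand-picked subset of Unicode's confusables.txt
and BRANDS is a constructed watch list (both are assumptions for the demo).
"""
from __future__ import annotations

import unicodedata

# Cyrillic letters that render like Latin letters in common fonts (subset).
CONFUSABLES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і
    "\u0455": "s",  # ѕ
}

BRANDS = {"paypal.com", "cisco.com", "google.com"}  # constructed watch list

# Constructed samples: paypal.com from Cyrillic р,а,у,р,а plus a Latin l
# (mixed script), and cisco.com spelled entirely in Cyrillic (single script).
SAMPLE_MIXED = "\u0440\u0430\u0443\u0440\u0430l.com"
SAMPLE_WHOLE_SCRIPT = "\u0441\u0456\u0455\u0441\u043e.com"


def scripts_in(label: str) -> set[str]:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Replace each confusable character with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def to_ascii(domain: str) -> str:
    """The Punycode (xn--) form that DNS and a browser's fallback display use."""
    return domain.encode("idna").decode("ascii")


def analyze(domain: str) -> dict:
    """Classify a domain: script mixing, whole-script confusable, or clean."""
    domain = unicodedata.normalize("NFC", domain).lower()
    labels = domain.split(".")
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    sk = skeleton(domain)
    impersonates = sk if sk != domain and sk in BRANDS else None
    return {
        "input": domain,
        "ascii": to_ascii(domain),
        "mixed_script": mixed,
        "impersonates": impersonates,
        "suspicious": mixed or impersonates is not None,
    }


if __name__ == "__main__":
    for d in (SAMPLE_MIXED, SAMPLE_WHOLE_SCRIPT, "paypal.com"):
        print(analyze(d))
```

The skeleton comparison is the same idea browsers and registries use at scale (Unicode’s confusables.txt is several thousand entries); the point of keeping both checks is that whole-script confusables pass the mixed-script test, so a lookalike with an all-Cyrillic label is only caught by the skeleton match.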

TLD variations: Using alternative top-level domains — microsoft.net, apple.co, google.io. Legitimate companies often register many TLDs, but cannot register all of them.

Combosquatting: Adding legitimate-looking words around a brand: microsoft-support.com, paypal-security.com, apple-id-verify.com. This is particularly common in phishing campaigns because the domain contains the real brand name.
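What enumerating these categories looks like in code, as an added example for this article (it is not dnstwist’s code or any registrar’s tooling): one small generator per category above, grouped so the output says which kind of typo each candidate exploits. KEYBOARD_ROWS, COMMON_TLDS and COMBO_WORDS are short constructed lists (assumptions); a real sweep uses much longer word and TLD lists and adds homograph variants.

```python
"""Enumerate typosquat candidates for a domain, one generator per category.

Added example for this article; it is not dnstwist's code or any registrar's.
KEYBOARD_ROWS, COMMON_TLDS and COMBO_WORDS are small constructed lists
(assumptions); a real sweep would use much longer ones.
"""
from __future__ import annotations

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON_TLDS = ("com", "net", "org", "co", "io")
COMBO_WORDS = ("login", "secure", "support", "verify")


def adjacent_keys() -> dict[str, set[str]]:
    """Keys next to each key on a QWERTY layout: same row, or the same column above/below."""
    adj: dict[str, set[str]] = {}
    for r, row in enumerate(KEYBOARD_ROWS):
        for i, key in enumerate(row):
            near: set[str] = set()
            if i > 0:
                near.add(row[i - 1])
            if i + 1 < len(row):
                near.add(row[i + 1])
            for other in (r - 1, r + 1):
                if 0 <= other < len(KEYBOARD_ROWS) and i < len(KEYBOARD_ROWS[other]):
                    near.add(KEYBOARD_ROWS[other][i])
            adj[key] = near
    return adj


ADJACENT = adjacent_keys()


def transpositions(name: str) -> set[str]:
    """amazon -> amzaon: swap two neighbouring characters."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def omissions(name: str) -> set[str]:
    """github -> gihub: drop one character."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def repetitions(name: str) -> set[str]:
    """facebook -> faceboook: double one character."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def substitutions(name: str) -> set[str]:
    """google -> goofle: replace a character with a neighbouring key."""
    return {name[:i] + k + name[i + 1:] for i, ch in enumerate(name) for k in ADJACENT.get(ch, ())}


def candidates(domain: str) -> dict[str, set[str]]:
    """All candidate domains, grouped by the category that produced them."""
    name, tld = domain.lower().rsplit(".", 1)
    by_label = {
        "transposition": transpositions(name),
        "omission": omissions(name),
        "repetition": repetitions(name),
        "substitution": substitutions(name),
    }
    # Drop variants that collapse back to the real name (e.g. swapping "oo" in google).
    out = {cat: {f"{n}.{tld}" for n in names if n != name} for cat, names in by_label.items()}
    out["tld"] = {f"{name}.{t}" for t in COMMON_TLDS if t != tld}
    out["combosquat"] = {f"{name}-{w}.{tld}" for w in COMBO_WORDS} | {f"{w}-{name}.{tld}" for w in COMBO_WORDS}
    return out


def all_candidates(domain: str) -> set[str]:
    """Flat set, ready to feed to a DNS resolver or WHOIS lookup."""
    return set().union(*candidates(domain).values())


if __name__ == "__main__":
    for category, names in candidates("google.com").items():
        print(f"{category:14} {len(names):4}  e.g. {sorted(names)[:3]}")
```

Even with these short lists a ten-letter brand yields a few hundred candidates; the useful next step is resolving each one and keeping only the registered ones, which is what the dnstwist invocation later in this article does.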

Real-World Examples

npm typosquatting attacks: Package managers are fertile ground for typosquatting because developers type package names constantly and install them with a single command. Notable incidents:

  • cross-env (legitimate, 40M+ weekly downloads) vs crossenv (malicious, 2017). The lookalike was downloaded about 700 times before it was removed; its install-time script collected the environment variables of every machine that installed it and sent them to an attacker-controlled host, a haul that typically includes npm tokens and CI credentials.
  • event-stream (2018): Not typosquatting but a related supply chain technique — an attacker convinced a legitimate maintainer to transfer ownership, then added malicious code targeting a specific Bitcoin wallet app.
  • coloursss, colorss, colours — all registered to catch mistyped versions of the legitimate colors package.

Domain-based phishing: A 2023 campaign targeting banking customers registered 1,000+ typosquat domains of major US banks — wellsfargoo.com, bankofamerica1.com, chasebank-login.com. Victims were driven to these domains via SMS phishing messages.

App store typosquatting: Malicious apps on third-party Android app stores use names like “Whatsap Messenger,” “Faceboook,” and “lnstagram” (lowercase L instead of capital I) to fool users who aren’t paying careful attention.

How Attackers Monetize Typosquatted Domains

Credential phishing: The primary use case. The fake site looks identical to the real one, collects login credentials, then redirects the victim to the real site (they think they mistyped their password).

Malware distribution: Visiting the site triggers a drive-by download, or the page prompts for a “security update” or “browser plugin.”

Advertising revenue: Some typosquatters simply display ads, earning revenue from every accidental visit. This is legal in most jurisdictions but ethically questionable.

Package poisoning: Malicious npm/PyPI packages often carry credential-stealing code that runs at install time, through npm lifecycle scripts (preinstall, install, postinstall) or a PyPI package’s setup.py, before anyone has imported the package. The code targets CI/CD environment variables, where API keys and registry tokens are often stored. npm’s --ignore-scripts flag (or the ignore-scripts config setting) disables those hooks for an install, at the cost of breaking the minority of packages that legitimately need them.

Parked domain resale: Register a valuable typosquat, then sell it to the legitimate company for a profit — sometimes called “cybersquatting” when it’s against a trademarked brand name.

Protecting Yourself

Use browser bookmarks. For sites you visit regularly — banking, email, work tools — use bookmarks instead of typing URLs. A bookmark can’t be typosquatted.

Keep browser phishing protection on. Chrome shows a “Did you mean …?” interstitial when a domain looks like a popular site, and both Chrome and Firefox check URLs against Google Safe Browsing’s list of known phishing sites. Keep browsers updated so those lists and the IDN display rules stay current.

Use a password manager. A password manager only offers saved credentials on the domain they were saved for. If you land on amaz0n.com, it won’t autofill your Amazon login: an immediate signal that something is wrong.

For developers — verify package names carefully. Before npm install, pip install, or any other package installation, copy the exact name from the package’s page on the official registry rather than typing it from memory. Lock files (package-lock.json, Pipfile.lock) pin the resolved names and versions so that every later install is reproducible and reviewable; they do not stop a mistyped name on the first install, so review the lock-file diff whenever a dependency is added.

Use a DNS filter. Pi-hole, NextDNS, or your router’s parental controls with known-bad domain lists block many typosquat domains before they even resolve. Cloudflare’s 1.1.1.2 (malware-blocking DNS) and Quad9 both maintain lists of malicious domains including common typosquats.

For organizations — monitor for brand typosquats. Tools like dnstwist enumerate thousands of possible typosquats of your domain:

pip install dnstwist
dnstwist --registered yourcompany.com

This shows which variants are actually registered — potential phishing infrastructure targeting your employees or customers. Register the most convincing variants preemptively, and submit confirmed phishing domains to abuse contacts and Google Safe Browsing.

The Package Manager Problem

For developers and security teams, typosquatting in package registries is a growing supply chain threat. Mitigations:

  • Use a private registry (Artifactory, Nexus) that proxies only approved packages from npm/PyPI
  • Enable 2FA on your npm account — prevents account takeover that can turn legitimate packages into attack vectors
  • Use Dependabot or Snyk to scan dependencies for known malicious packages
  • Audit package.json and requirements.txt changes in code review — adding a typosquat package looks identical to adding a legitimate one
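Three of these mitigations (the name check before installing, the install-time hooks described under package poisoning, and the code-review audit of manifest changes) can be scripted into one pre-merge check. The following is an added example for this article, not part of npm, pip, Dependabot or Snyk: it flags dependency names that are within two edits of an approved package but are not that package, lists names that are on no allowlist at all, and reports any install-time lifecycle script in an installed dependency’s package.json. KNOWN_NPM and KNOWN_PYPI are constructed allowlists standing in for an organisation’s approved set (in practice, what the private registry proxies), and the sample manifests are constructed.

```python
"""Audit dependency manifests for lookalike names and install-time hooks.

Added example for this article; it is not part of npm, pip, Dependabot or
Snyk. KNOWN_NPM and KNOWN_PYPI are constructed allowlists standing in for an
organisation's approved package set, and the sample manifests are constructed.
"""
from __future__ import annotations

import json
import re

KNOWN_NPM = {"cross-env", "colors", "lodash", "express", "event-stream"}
KNOWN_PYPI = {"requests", "urllib3", "numpy", "cryptography"}
# npm lifecycle scripts that run during `npm install`, before anything imports the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(name: str, approved: set[str], max_distance: int = 2) -> tuple[str, str | None]:
    """'approved', 'lookalike' (plus the approved name it resembles), or 'unlisted'."""
    if name in approved:
        return "approved", None
    distance, closest = min((levenshtein(name, k), k) for k in approved)
    if distance <= max_distance:
        return "lookalike", closest
    return "unlisted", None


def check_names(names, approved: set[str]) -> dict[str, list]:
    """Bucket requested names: lookalikes are the typosquat signal, unlisted need a human look."""
    result: dict[str, list] = {"lookalikes": [], "unlisted": []}
    for name in sorted(names):
        verdict, closest = classify(name, approved)
        if verdict == "lookalike":
            result["lookalikes"].append((name, closest))
        elif verdict == "unlisted":
            result["unlisted"].append(name)
    return result


def check_package_json(text: str) -> dict[str, list]:
    """Check the names a project's own package.json pulls in."""
    pkg = json.loads(text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    return check_names(deps, KNOWN_NPM)


def check_requirements(text: str) -> dict[str, list]:
    """Same check for a pip requirements.txt (comments and -r/-e lines skipped)."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize_pypi(match.group(0)))
    return check_names(names, KNOWN_PYPI)


def install_hooks(dependency_package_json: str) -> list[tuple[str, str]]:
    """Scripts in an installed dependency's package.json that run at install time."""
    scripts = json.loads(dependency_package_json).get("scripts", {})
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS if hook in scripts]


# Constructed samples: a lookalike of cross-env plus an unknown name, a dependency
# manifest with a postinstall hook, and a requirements file with a typo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"crossenv": "^1.0.0", "lodash": "^4.17.21", "internal-widgets": "1.0.0"}
})
SAMPLE_DEPENDENCY_JSON = json.dumps({
    "name": "crossenv",
    "scripts": {"postinstall": "node package-setup.js"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nrequets>=2\n# pinned elsewhere\nnumpy\n"

if __name__ == "__main__":
    print(check_package_json(SAMPLE_PACKAGE_JSON))
    print(install_hooks(SAMPLE_DEPENDENCY_JSON))
    print(check_requirements(SAMPLE_REQUIREMENTS))
```

Run check_package_json and check_requirements against the manifest in a pull request, and install_hooks against each new package’s package.json under node_modules after a fresh install done with --ignore-scripts; a lookalike hit or an unexpected postinstall is a review blocker, not a warning.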

Typosquatting is fundamentally a human error attack, which makes it persistently effective regardless of how sophisticated defenses become. The best mitigation is reducing the opportunity for human error through tooling, bookmarks, and automation.

#cybersecurity #npm #supply chain #domain spoofing #phishing #typosquatting