Typosquatter
Typosquatting involves registering domain names that are common typographical variations of legitimate, high-traffic domains (e.g., `goggle.com`, `paypa1.com`) to intercept misdirected users. Attackers use these domains to serve phishing pages, deliver malware, harvest credentials, or simply generate ad revenue from confused visitors. In the software ecosystem, typosquatting also targets package registries (PyPI, npm) with malicious packages named to resemble popular libraries, enabling supply chain attacks.
🔍Indicators
- Domain registered with a name closely resembling a known brand (one character substitution, transposition, or addition)
- WHOIS registrant differs from the legitimate organization's documented ownership
- SSL certificate issued for a typosquatted domain (visible in CT logs)
- HTTP redirects to phishing pages or ad networks
- npm/PyPI package whose name differs from a popular package by 1-2 characters, combined with a low download count but a recent publish date
- DNS TTL set very low (60-300s) — enabling rapid infrastructure changes
- Hosting on bullet-proof hosting providers or anonymous VPS services
- MX records configured to receive email (for credential harvesting from mistaken logins)
🛡Detection Methods
Enumerate typosquatting variants
# Using dnstwist to generate and resolve typosquatted variants
pip install dnstwist
dnstwist --registered --format csv example.com > typosquats.csv
# Check for registered variants
dnstwist -r example.com
Monitor Certificate Transparency for brand variations
# Detect new certificates for brand-adjacent domains
curl -s "https://crt.sh/?q=%25exampl%25.com&output=json" | \
jq '.[] | select(.name_value != "example.com") | {name: .name_value, issued: .entry_timestamp}'
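The indicators above (one-character edits, homoglyphs, TLD swaps) and the crt.sh filter can be combined into a single classifier. The following is an added example, not code from dnstwist, crt.sh or this page's author: it walks crt.sh-style JSON records, treats the brand domain and its subdomains as benign, and labels every lookalike with the reason it matched. The sample records are constructed, and reducing a name to its last two labels is a simplifying assumption (a public-suffix list is needed for suffixes such as .co.uk).

```python
"""Classify certificate-transparency observations against a brand domain.

Example code added to illustrate the indicators listed above on crt.sh-style
records; it is not part of dnstwist, crt.sh or any other tool named on this
page. The records are constructed, and "registrable domain = last two labels"
is a simplifying assumption that breaks on multi-part suffixes such as .co.uk.
"""
from __future__ import annotations

BRAND = "example.com"

# Digits and letter pairs that imitate another letter at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def fold_homoglyphs(label: str) -> str:
    """Fold look-alike characters so 'paypa1' compares equal to 'paypal'."""
    out = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        out = out.replace(glyph, plain)
    return out


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so the swapped pair in 'exmaple' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(name: str) -> str:
    """Drop a wildcard prefix and keep the last two labels (assumption, see above)."""
    labels = name.strip().lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(name: str, brand: str = BRAND) -> str | None:
    """Return why `name` resembles `brand`, or None for the brand itself,
    its subdomains, and unrelated names."""
    dom = registrable(name)
    if dom == brand:
        return None
    sld, _, tld = dom.rpartition(".")
    if not sld:                            # single-label name such as 'localhost'
        sld, tld = tld, ""
    b_sld, _, b_tld = brand.rpartition(".")
    if sld == b_sld and tld != b_tld:
        return "tld-swap"                  # example.net, example.co
    if fold_homoglyphs(sld) == fold_homoglyphs(b_sld):
        return "homoglyph"                 # examp1e.com
    if osa_distance(sld, b_sld) == 1:
        return "edit-distance-1"           # exmaple.com, exampl.com, examplee.com
    if b_sld in sld:
        return "brand-embedded"            # example-secure.com, myexample.com
    return None


def triage_ct_records(records: list[dict], brand: str = BRAND) -> list[dict]:
    """Keep the brand-adjacent names from crt.sh-style JSON records. One
    certificate may carry several SANs in name_value, separated by newlines."""
    hits = []
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):
            reason = classify(name, brand)
            if reason:
                hits.append({"name": name.strip().lower(), "reason": reason,
                             "issued": rec.get("entry_timestamp")})
    return hits


# Constructed records in the shape crt.sh returns for ?output=json.
SAMPLE_CRT_SH = [
    {"entry_timestamp": "2024-03-01T10:00:00", "name_value": "example.com\nwww.example.com"},
    {"entry_timestamp": "2024-03-02T11:30:00", "name_value": "*.example.com"},
    {"entry_timestamp": "2024-03-03T09:15:00", "name_value": "exmaple.com"},
    {"entry_timestamp": "2024-03-04T14:45:00", "name_value": "examp1e.com"},
    {"entry_timestamp": "2024-03-05T08:20:00", "name_value": "login.example-secure.com"},
    {"entry_timestamp": "2024-03-06T16:05:00", "name_value": "example.net"},
    {"entry_timestamp": "2024-03-07T12:00:00", "name_value": "unrelated.org"},
]

if __name__ == "__main__":
    for hit in triage_ct_records(SAMPLE_CRT_SH):
        print(f"{hit['issued']}  {hit['name']:28} {hit['reason']}")
```

Feeding the real crt.sh response in place of `SAMPLE_CRT_SH` (for example `json.load` on the output of the curl command above, without the jq filter) gives a reviewable list with a reason per hit instead of a flat dump of names.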
PyPI / npm package monitoring
# Check for typosquatted packages (pip)
pip install pip-audit
pip-audit # scans installed packages against known vulnerability advisories (reported malicious packages included); it does not detect name confusion by itself
# npm — check for confused packages
npm search requests | grep -v "^requests " # look for near-matches
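The grep above surfaces near-matches for a human to read; the indicator from the list above (lookalike name plus few downloads plus a recent publish date) can be applied mechanically. The following is an added example, not pip-audit, npm or PyPI code: it normalizes names as PEP 503 does, checks package-specific confusions a domain fuzzer would not generate (dropped separator, an ecosystem prefix such as `python-` added or removed, a trailing `s` toggled), and uses difflib for single-character typos. The watch list, the sample search results and the thresholds are constructed assumptions.

```python
"""Triage registry search results for lookalikes of popular packages.

Example code added for the PyPI / npm monitoring step above; it is not part of
pip-audit, npm or PyPI. The search results below are constructed, and the
download and age thresholds are assumptions to tune for your registry.
"""
from __future__ import annotations

import difflib
import re
from datetime import datetime, timedelta, timezone

POPULAR = ["requests", "python-dateutil", "urllib3"]   # constructed watch list
MAX_DOWNLOADS = 1_000          # assumption: a genuine fork or plugin has more users than this
MAX_AGE = timedelta(days=30)   # assumption: "recent publish date" from the indicator list


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.',
    so Python_DateUtil and python-dateutil are the same PyPI project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def confusion_forms(popular: str) -> set[str]:
    """Package-specific confusions: dropped separator, ecosystem prefix added
    or removed, trailing 's' toggled."""
    base = normalize(popular)
    forms = {base.replace("-", "")}
    for prefix in ("python-", "py-", "node-"):
        forms.add(base[len(prefix):] if base.startswith(prefix) else prefix + base)
    forms.add(base[:-1] if base.endswith("s") else base + "s")
    forms.discard(base)
    return forms


def near_match(candidate: str, popular: str) -> str | None:
    """Why `candidate` could be mistaken for `popular`, or None."""
    c, p = normalize(candidate), normalize(popular)
    if c == p:
        return None                        # the genuine project itself
    if c in confusion_forms(p):
        return "package-form"
    # One-character typos: lengths within 1 and a SequenceMatcher ratio near 1
    # (0.85 admits one edit on names of this length; tune for very short names).
    if abs(len(c) - len(p)) <= 1 and difflib.SequenceMatcher(None, c, p).ratio() >= 0.85:
        return "typo"
    return None


def triage(results: list[dict], now: datetime) -> list[dict]:
    """Apply the indicator: lookalike name, low download count, recent publish."""
    hits = []
    for pkg in results:
        for popular in POPULAR:
            reason = near_match(pkg["name"], popular)
            if reason is None:
                continue
            age = now - datetime.fromisoformat(pkg["published"])
            hits.append({
                "name": pkg["name"], "looks_like": popular, "reason": reason,
                "suspicious": pkg["downloads"] < MAX_DOWNLOADS and age <= MAX_AGE,
            })
    return hits


# Constructed results with the fields one would pull from a registry API.
SAMPLE_RESULTS = [
    {"name": "requests", "downloads": 50_000_000, "published": "2023-05-22T00:00:00+00:00"},
    {"name": "reqeusts", "downloads": 12, "published": "2024-06-10T00:00:00+00:00"},
    {"name": "request", "downloads": 300, "published": "2024-06-12T00:00:00+00:00"},
    {"name": "python-dateutil", "downloads": 40_000_000, "published": "2021-07-14T00:00:00+00:00"},
    {"name": "dateutil", "downloads": 90, "published": "2024-06-01T00:00:00+00:00"},
    {"name": "requests-oauthlib", "downloads": 2_000_000, "published": "2022-01-22T00:00:00+00:00"},
]
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in triage(SAMPLE_RESULTS, NOW):
        flag = "SUSPICIOUS" if hit["suspicious"] else "review"
        print(f"{hit['name']:18} ~ {hit['looks_like']:16} {hit['reason']:13} {flag}")
```

Legitimate neighbours such as `requests-oauthlib` fall through because their length differs by more than one character and they are not one of the confusion forms; a hit that is a lookalike but has a long history and a real user base is reported with `suspicious` set to False so it can be reviewed rather than alerted on.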
Suricata — detect DNS queries for known typosquatted domains (this rule uses Suricata's `dns.query` sticky buffer)
alert dns any any -> any 53 \
(msg:"DNS query for known typosquatted domain"; \
dns.query; content:"paypa1.com"; nocase; \
classtype:social-engineering; sid:9100022; rev:1;)
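A single hand-written rule covers one domain; the registered variants that dnstwist reports can be turned into rules mechanically. The following is an added example, not part of dnstwist or Suricata: it reads dnstwist-style CSV (constructed here, with column names assumed), keeps only variants that resolved, validates each domain before it reaches the rule text, and assigns sequential sids from a placeholder range. It adds `endswith` so that a query for `www.examp1e.com` matches while `examp1e.com.other.tld` does not.

```python
"""Expand a dnstwist result set into one Suricata DNS rule per registered variant.

Example code added to generalize the single hand-written rule above; it is not
part of dnstwist or Suricata. The CSV below is constructed in the shape of
`dnstwist --format csv` output (the column names are an assumption), and the
starting sid is a placeholder to replace with a range reserved locally.
"""
from __future__ import annotations

import csv
import io
import re

# Dot-separated labels of letters, digits and hyphens; nothing else may reach the rule text.
HOSTNAME = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# `endswith` anchors the match at the end of the queried name, so www.examp1e.com
# fires while examp1e.com.somewhere.else does not. Substring-only content, as in
# the hand-written rule, fires on both.
RULE = ('alert dns any any -> any 53 (msg:"DNS query for typosquat of {brand} ({fuzzer}) {domain}"; '
        'dns.query; content:"{domain}"; nocase; endswith; '
        'classtype:social-engineering; sid:{sid}; rev:1;)')


def parse_dnstwist_csv(text: str, brand: str) -> list[tuple[str, str]]:
    """Return (fuzzer, domain) for rows that resolved (dns_a present), skipping
    the brand itself and any row whose domain is not a plain hostname."""
    pairs = []
    for row in csv.DictReader(io.StringIO(text)):
        domain = row["domain"].strip().lower()
        if domain == brand or not row.get("dns_a"):
            continue
        if not HOSTNAME.match(domain):
            continue
        fuzzer = re.sub(r"[^a-z0-9_-]", "", row["fuzzer"].lower())  # keep the msg text inert
        pairs.append((fuzzer, domain))
    return pairs


def build_rules(pairs: list[tuple[str, str]], brand: str, first_sid: int) -> list[str]:
    """One rule per distinct domain. Sids follow sorted order, which is stable for
    a fixed input; persist the domain-to-sid mapping before appending new variants."""
    by_domain: dict[str, str] = {}
    for fuzzer, domain in pairs:
        by_domain.setdefault(domain, fuzzer)
    return [RULE.format(brand=brand, fuzzer=fuzzer, domain=domain, sid=first_sid + i)
            for i, (domain, fuzzer) in enumerate(sorted(by_domain.items()))]


# Constructed in the shape of `dnstwist --registered --format csv example.com`.
SAMPLE_CSV = """fuzzer,domain,dns_a
*original,example.com,203.0.113.10
homoglyph,examp1e.com,203.0.113.20
transposition,exmaple.com,203.0.113.21
omission,exampl.com,
tld-swap,example.net,203.0.113.22
addition,examplea.com,203.0.113.23
homoglyph,examp1e.com,203.0.113.20
"""
FIRST_SID = 9100100   # placeholder: pick from a sid range reserved for local rules

if __name__ == "__main__":
    for rule in build_rules(parse_dnstwist_csv(SAMPLE_CSV, "example.com"), "example.com", FIRST_SID):
        print(rule)
```

Write the output to a `.rules` file listed under `rule-files` in suricata.yaml and re-run the generator on each new dnstwist export; because a rule is emitted only for rows with an A record, unregistered variants stay out of the ruleset until they resolve.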
✅Mitigation
- Proactively register common typosquatting variants of your own domains (transpositions, missing letters, homoglyphs, common TLD variations like .net, .org, .co).
- Monitor Certificate Transparency logs for newly issued certificates on variants of your brand domain.
- File UDRP (Uniform Domain Name Dispute Resolution Policy) complaints with ICANN to reclaim typosquatted domains used in bad faith.
- Use a brand monitoring service (e.g., MarkMonitor, DomainTools Iris, Cloudflare Radar) to receive alerts on newly registered lookalike domains.
- Educate users to verify the URL bar before entering credentials and to use bookmarks instead of typing URLs.
- Deploy browser-level phishing protection (Google Safe Browsing, Microsoft SmartScreen) and report confirmed phishing URLs.
- For package ecosystems: pin dependency versions with hash verification (`pip install --require-hashes`, `npm ci` with a lockfile) and audit new transitive dependencies before introduction.
- Submit abuse reports to the registrar and hosting provider for confirmed typosquatting infrastructure.
📋Real-World Examples
In 2021, a supply chain attack via typosquatted npm packages (ua-parser-js was replaced with a malicious version for approximately 4 hours) affected millions of downstream installations, injecting a cryptominer and credential-stealing malware. In 2019, researchers found over 550 typosquatted PyPI packages, including python-dateutil lookalikes designed to exfiltrate environment variables and SSH keys on installation.