Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).
The typosquatter's URL will usually be one of five kinds, all similar to the victim site address:
- A common misspelling, or foreign language spelling, of the intended site
- A misspelling based on a typographical error
- A plural of a singular domain name
- A different top-level domain: (.com instead of .org)
- An abuse of the Country Code Top-Level Domain (ccTLD) (.cm instead of .co or .om instead of .com)
- Combosquatting - no misspelling, but appending an arbitrary word that appears legitimate, but that anyone could register.
- Doppelganger domain - omitting a period or inserting an extra period
- Appending terms such as "sucks" or -suckes to a domain name
Once in the typosquatter's site, the user may also be tricked into thinking that they are in fact in the real site, through the use of copied or similar logos, website layouts, or content. Spam emails sometimes make use of typosquatting URLs to trick users into visiting malicious sites that look like a given bank's site, for instance.
There are several different reasons for typosquatters buying a typo domain:
- In order to try to sell the typo domain back to the brand owner
- To monetize the domain through advertising revenues from direct navigation misspellings of the intended domain
- To redirect the typo-traffic to a competitor
- To redirect the typo-traffic back to the brand itself, but through an affiliate link, thus earning commissions from the brand owner's affiliate program.
- As a phishing scheme to mimic the brand's site, while intercepting passwords which the visitor enters unsuspectingly
- To install drive-by malware or revenue generating adware onto the visitors' devices
- To harvest misaddressed e-mail messages mistakenly sent to the typo domain
- To express an opinion that is different from the intended website's opinion
- By legitimate site owners: to block malevolent use of the typo domain by others
Many companies, including Verizon, Lufthansa, and Lego, have garnered reputations for aggressively chasing down typosquatted names. Lego, for example, has spent roughly US$500,000 on taking 309 cases through UDRP proceedings.
Celebrities have also frequently pursued their domain names, from singers to star athletes. Prominent examples include basketball player Dirk Nowitzki's UDRP of DirkSwish.com and actress Eva Longoria's UDRP of EvaLongoria.org.
Since 2006, a typosquatted variant of Google called 'Goggle.com' has existed which was considered a phishing/fraud site; later (ca. 2011–2012) the URL redirected to google.com, a 2018 check revealed it to redirect users to adware pages, and a 2020 attempt to access the site through a private DNS resolver hosted by AdGuard resulted in the page being identified as malware and blocked for the user's security. Another example of corporate typosquatting is yuube.com, targeting YouTube users by having it programmed to redirect to a malicious website or page, that asks users to add a security check extension that is really malware. Similarly, www.airfrance.com has been typosquatted by www.arifrance.com, diverting users to a website peddling discount travel. Other examples are Equifacks.com (Equifax.com), Experianne.com (Experian.com), and TramsOnion.com (TransUnion.com); these three typosquatted sites were registered by comedian John Oliver for his show Last Week Tonight.[better source needed]
Users trying to visit the popular internet-based game Agar.io may misspell the said URL as agor.io. Visiting this site was known to produce a jumpscare or screamer of the popular creepypasta Jeff the Killer, which flashed rapidly and produced a loud noise. The original site was taken down and as of 2017, it has linked to randomly-themed phishing websites.
In United States law
In the United States, the 1999 Anticybersquatting Consumer Protection Act (ACPA) contains a clause (Section 3(a), amending 15 USC 1117 to include sub-section (d)(2)(B)(ii)) aimed at combatting typosquatting.
However, on April 17, 2006, evangelist Jerry Falwell failed to get the U.S. Supreme Court to review a decision allowing Christopher Lamparello to use www.fallwell.com. Relying on a plausible misspelling of Falwell's name, Lamparello's gripe site presents misdirected visitors with scriptural references that are intended to counter the fundamentalist preacher's scathing rebukes against homosexuality. In Lamparello v. Falwell, the high court let stand a 2005 Fourth Circuit finding that "the use of a mark in a domain name for a gripe site criticizing the markholder does not constitute cybersquatting."
WIPO resolution procedure
Under the Uniform Domain-Name Dispute-Resolution Policy (UDRP), trademark holders can file a case at the World Intellectual Property Organization (WIPO) against typosquatters (as with cybersquatters in general). The complainant has to show that the registered domain name is identical or confusingly similar to their trademark, that the registrant has no legitimate interest in the domain name, and that the domain name is being used in bad faith.
- Damerau–Levenshtein distance
- Domain Name System – Hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network (DNS)
- Doppelganger domain – Domain spelled identically to a legitimate domain name but missing the dot between host/subdomain and domain
- IDN homograph attack – Using visually similar characters in domain names to deceive users
- Misdialed call#Toll-free numbers (for similar attacks on vanity toll-free telephone number phonewords)
- Phishing – Act of attempting to acquire sensitive information by posing as a trustworthy entity
- URL shortening – Web technique
- "Example Screenshots of Strider URL Tracer With Typo-Patrol". Microsoft Research. Archived from the original on 21 December 2008.
- Claes, Bell (17 August 2015). "'Typosquatting': How 1 Mistyped Letter Could Lead to ID Theft". Bankrate. Archived from the original on 20 August 2015.
- Allemann, Andrew (1 November 2011). "Has Lego's $500k Spent on URDP Been a Waste?". Domain Name Wire. Archived from the original on 2 November 2011.
- Allemann, Andrew (12 September 2011). "Dallas Mavericks Star Dirk Nowitzki Wins Dispute Over Domain Name". Domain Name Wire. Archived from the original on 27 September 2011.
- Allemann, Andrew (5 May 2011). "Eva Longoria Adds .Org to Her Collection". Domain Name Wire. Archived from the original on 7 May 2011.
- Allemann, Andrew (23 August 2011). "Google Wants to Take Down Goggle.com Web Site". Domain Name Wire. Archived from the original on 25 August 2011.
- Gopalakrishnan, Chandu (5 May 2010). "Your Spelling Errors Can Help Typosquatters Make Big Bucks". The Economic Times. Archived from the original on 12 August 2011.
- Slavitt, Kelly M. (26 March 2008). "Protecting Your Intellectual Property from Domain Name Typosquatters". FindLaw. Archived from the original on 26 July 2013.
- Durkin, J. D. (11 April 2016). "John Oliver Creates Fake Web Sites to Troll Major Three Credit Bureaus". Archived from the original on 14 April 2016.
- "S. 1255 – Trademark Cyberpiracy Prevention Act". Archived from the original on 21 September 2018.
- Metz, Cade (23 October 2008). "Without Typo-squatters, How Far Would Google Fall?". The Register. Archived from the original on 24 October 2008.
- Jim Giles: Typos may earn Google $500m a year New Scientist, 17 February 2010 (reporting research by Ben Edelman and Tyler Moore: Measuring Typosquatting Perpetrators and Funders)
- "The Internet Commerce Association Code of Conduct". InternetCommerce.org. Retrieved 2007-09-13.
The Internet Commerce Association's (ICA) Member Code of Conduct expresses the ICA's recognition of the responsibilities of its members to the intellectual property, domain name, and at large Internet communities and will guide members in conducting their domain name investment and development activities with professionalism, respect and integrity.
- "The Coalition Against Domain Name Abuse to Combat Cybersquatting". ComplianceAndPrivacy.com. Retrieved 2007-09-20.
With growing ease and profitability, sophisticated cybersquatters are exploiting a flaw in the domain name registration process whereby domain names are registered and subsequently dropped, risk free, within an accepted 5-day grace period.
- "TypoSquatting". Retrieved 2013-02-27.
Web tool which shows lots of mistyped registered domains (German).