The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection

February 23, 2026

Threat Hunting & Intel

Typosquatting is a deceptive technique in which threat actors register misspelled or look-alike domains of legitimate organizations to trick users into visiting fraudulent sites. It remains one of the most effective and underestimated attack vectors in the modern cyber threat landscape. 

What appears to be a misspelled domain often conceals sophisticated campaigns designed to phish company employees or customers, harvest credentials, deliver malware, and damage organizational reputation. Recent observations by CrowdStrike Counter Adversary Operations reveal that threat actors have refined their typosquatting techniques to a concerning degree of sophistication, making detection increasingly challenging for security teams.

Adversaries’ ability to easily establish seemingly legitimate infrastructure poses significant risks to organizations of all sizes. One typosquatted domain can serve multiple malicious purposes while appearing benign to casual observers. In this blog, we examine key typosquatting tactics to help organizations understand and defend against brand impersonation and credential harvesting attacks.

The Foundation: Exploiting Domain Registration Weaknesses

The domain registration process presents numerous opportunities for threat actors to establish seemingly credible infrastructure. Most domain registrars require minimal verification, allowing adversaries to populate WHOIS records with fabricated but convincing company information mirroring that of legitimate organizations.

While the Internet Corporation for Assigned Names and Numbers (ICANN) 2013 Registrar Accreditation Agreement requires registrars to validate and verify certain WHOIS fields — often just enough to ensure the registrant’s provided contact details are operational — threat actors can still register credible-looking infrastructure using disposable email addresses and scraped business details.

Threat actors commonly register domains using slight variations of target company names, replacing characters with visually similar alternatives, adding common prefixes or suffixes, or exploiting common typing errors. For example, a threat actor targeting examplecorp[.]com might register examp1ecorp[.]com, example-corp[.]com, or examplecorp-support[.]com.
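To turn the variants above into something a defender can watch for, the following added example (not from this post or from CrowdStrike) generates look-alike candidates for a brand domain using the same substitution, hyphenation, affix and typing-error patterns, then matches them against a constructed newly-registered-domains feed; the homoglyph table, affix list and feed contents are assumptions.

```python
"""Generate look-alike candidates for a brand domain and match them against a
newly-registered-domains feed. Added example for defensive brand monitoring;
the substitution rules, affix list and feed are constructed, not CrowdStrike's."""
from __future__ import annotations

# Visually confusable substitutions (small illustrative set, an assumption)
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
# Words commonly bolted onto brand names in phishing domains (assumption)
AFFIXES = ["support", "login", "secure", "mail", "help"]


def generate_candidates(domain: str) -> set[str]:
    """Return look-alike domains derived from *domain*, e.g. examplecorp.com."""
    label, _, tld = domain.partition(".")
    out: set[str] = set()
    # 1) single homoglyph substitution: examplecorp -> examp1ecorp
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
    # 2) hyphen inserted at each interior position: example-corp
    for i in range(1, len(label)):
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    # 3) affixes: examplecorp-support, support-examplecorp, examplecorpsupport
    for affix in AFFIXES:
        out.update({f"{label}-{affix}.{tld}", f"{affix}-{label}.{tld}",
                    f"{label}{affix}.{tld}"})
    # 4) omitted character (typing error): exmplecorp
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # 5) adjacent transposition (typing error): exmaplecorp
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    out.discard(domain)
    return out


def match_new_registrations(domain: str, feed: list[str]) -> list[str]:
    """Return feed entries that are look-alikes of *domain*, for analyst review."""
    candidates = generate_candidates(domain)
    return sorted(d.lower() for d in feed if d.lower() in candidates)


# Constructed sample of one day's newly-registered-domains feed
SAMPLE_FEED = ["examp1ecorp.com", "example-corp.com", "examplecorp-support.com",
               "unrelated-shop.net", "exmaplecorp.com"]

if __name__ == "__main__":
    for hit in match_new_registrations("examplecorp.com", SAMPLE_FEED):
        print("review:", hit)
```

In practice the candidate set is fed to a daily comparison against a registrar or passive-DNS feed, and each hit is reviewed rather than blocked outright, since some matches will be the brand's own defensive registrations.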

A registered domain’s WHOIS information plays a critical role in the deception. Adversaries often populate these records with information that appears legitimate at first glance: seemingly real company names, professional email addresses, and valid phone numbers. Some sophisticated actors even register domains using publicly available corporate information — including legitimate business addresses and contact details harvested from the target organization’s public filings — to increase their appearance of authenticity.

Figure 1. Domain registration with spoofed WHOIS data is easily achievable on most modern hosting registrars. This image depicts WHOIS data for a legitimate domain alongside data for a spoofed variant registered to mimic the original site.

Technique 1: Strategic HTTP Redirects for Dual-Purpose Domains

One particularly insidious technique involves configuring typosquatted domains to serve dual purposes through strategic HTTP redirects. In this technique, threat actors implement 301 or 302 HTTP code redirects that automatically forward web browsers visiting the typosquatted domain to the legitimate website of the typosquatted company. This creates the illusion that the typosquatted domain is harmless, and possibly even owned by the legitimate organization.

Figure 2. Domain forwarding via a 301/302 HTTP redirect to the webpage it is impersonating

However, while the web interface redirects users to safety, the threat actor retains the domain’s mail exchanger (MX) records, allowing them to send phishing emails from addresses using the typosquatted domain (e.g., support@examp1ecorp.com), thereby increasing the emails’ perceived legitimacy. Recipients who type the domain into their browsers will be redirected to the legitimate company site, potentially reinforcing their belief in the email’s legitimacy.

This technique is particularly effective because many email security solutions focus on reputation-based filtering, and a domain that redirects to a legitimate site may not immediately raise suspicions. Meanwhile, the threat actor maintains full control over email communications from the typosquatted domain, enabling sophisticated spear-phishing campaigns and credential harvesting operations.

Technique 2: Geo-Targeted Content Delivery

Advanced threat actors employ geo-based IP filtering to tailor content to the visitor’s geographic location or IP address reputation. This technique allows adversaries to display legitimate-looking content to security researchers, automated scanning tools, or visitors based in specific regions while displaying malicious content to their intended targets.

Figure 3. CrowdStrike analysts have encountered Cloudflare Ray IDs being utilized for geo-filtering IP addresses

The implementation typically involves server-side logic that checks the visitor’s IP address against geolocation databases or threat intelligence feeds. To visitors from certain countries, IP ranges associated with security companies, or addresses flagged as belonging to security researchers, these websites might display a benign redirect or a generic “under construction” page. Meanwhile, to users located in targeted geographic regions, the websites may display phishing pages, malware delivery mechanisms, or credential harvesting forms.

This geographic filtering helps the typosquatted domain evade detection by automated security scanning tools or by security researchers, and ensures that the domain serves malicious content only to intended victims. Some threat actors even implement time-based restrictions, serving malicious content only during specific periods to coincide with the targeted region’s business hours.

Technique 3: Domain Sale Page Camouflage

In this devious obfuscation technique, threat actors host seemingly legitimate pages advertising a typosquatted domain for sale. These pages typically feature professional templates complete with contact forms, price negotiations, and legitimate-looking domain broker information. To casual observers (including security researchers and automated scanning tools), the domain appears as a legitimate business page rather than malicious infrastructure. However, beneath this facade, the domain’s MX records remain configured for malicious email operations.

Figure 4. Example of a fake domain sale webpage generated within seconds via generative AI

This technique enables threat actors to use the domain for phishing campaigns while maintaining plausible deniability. If questioned, they can claim they purchased the domain for legitimate business purposes and point to the sale page (Figure 4) as evidence of their intent to transfer ownership. Numerous large language models (LLMs) enable threat actors to easily generate fake domain sale webpages with a simple prompt. 

These sale pages often include functional contact forms, and some threat actors even respond to inquiries from potential buyers, further enhancing their credibility. Sophisticated threat actors can maintain these facades for months, using the domains intermittently for phishing campaigns while keeping the sale page active as cover for the malicious activity.
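The three techniques share one detection pattern: web-facing behaviour that looks benign, paired with mail infrastructure or content that is not. The added example below (not the post's or CrowdStrike's tooling) scores a look-alike domain from observations a collector has already gathered: redirect target plus MX records for Technique 1, page hashes from several vantage points for Technique 2, and for-sale page text with live MX for Technique 3; the field names, weights and sample observation are assumptions.

```python
"""Score a look-alike domain from observations a collector has already gathered.
Added example, not CrowdStrike tooling; field names, weights and samples are
assumptions chosen to illustrate the three techniques in the post."""
from __future__ import annotations
from dataclasses import dataclass, field

# Phrases typical of a parked "for sale" landing page (constructed list)
SALE_MARKERS = ("this domain is for sale", "make an offer", "buy this domain")


@dataclass
class DomainObservation:
    domain: str
    brand_domain: str
    http_status: int | None = None          # status of the first HTTP response
    redirect_target: str | None = None      # host in the Location header, if any
    mx_records: list[str] = field(default_factory=list)
    # hash of the page body as fetched from each vantage point (country/ASN)
    body_hashes_by_vantage: dict[str, str] = field(default_factory=dict)
    page_text: str = ""


def triage(obs: DomainObservation) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason maps to one technique in the post."""
    score, reasons = 0, []
    # MX hosts outside the brand's own zone. A brand's defensive registrations
    # usually redirect with no MX at all, or with MX inside the brand domain.
    foreign_mx = [mx for mx in obs.mx_records
                  if not mx.lower().endswith("." + obs.brand_domain.lower())]
    # Technique 1: browsers are bounced to the real site, mail still lands here
    redirects_to_brand = (obs.http_status in (301, 302)
                          and obs.redirect_target == obs.brand_domain)
    if redirects_to_brand and foreign_mx:
        score += 3
        reasons.append("redirects to brand site but keeps its own MX records")
    # Technique 2: content differs by vantage point -> likely geo/IP filtering
    if len(set(obs.body_hashes_by_vantage.values())) > 1:
        score += 2
        reasons.append("page content varies across vantage points")
    # Technique 3: "for sale" cover page on top of live mail infrastructure
    text = obs.page_text.lower()
    if any(m in text for m in SALE_MARKERS) and foreign_mx:
        score += 2
        reasons.append("domain-for-sale page with active MX records")
    return score, reasons


if __name__ == "__main__":
    sample = DomainObservation("examp1ecorp.com", "examplecorp.com", 301,  # constructed
                               "examplecorp.com", ["mail.examp1ecorp.com"])
    print(triage(sample))
```

The vantage-point comparison only works if the collector fetches the same URL from more than one region and from addresses not already attributed to security vendors, which is exactly the filtering the post describes.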

The Broader Implications for Organizational Security

These techniques demonstrate typosquatting’s evolution from simple domain parking (i.e., registering a domain name without actively using it) to sophisticated, multilayered campaigns designed to evade detection while maximizing impact. The combination of seemingly legitimate domain registration information, strategic redirects, geographic filtering, and credible cover stories forms a convincing deception that challenges traditional security measures.

Organizations must recognize that typosquatting attacks often begin long before their employees receive phishing emails associated with a typosquatted page. Threat actors invest time in establishing credible infrastructure, understanding their targets, and crafting campaigns that exploit both technical vulnerabilities and human psychology.

Stop Typosquatting Attacks with CrowdStrike Falcon Adversary Intelligence

Effective defense against these sophisticated techniques requires a multi-layered approach that extends beyond traditional perimeter security by identifying and disrupting threats during their reconnaissance and infrastructure development phases. Organizations must continuously monitor domain registrations, take proactive brand-protection measures, and educate employees about the evolving threat landscape.

CrowdStrike Falcon® Adversary Intelligence’s Recon capability provides the visibility and automation capabilities organizations need to detect and disrupt sophisticated typosquatting campaigns. By monitoring domain registrations, analyzing underground forum activity, and providing automated response capabilities, Recon enables security teams to identify threats before they impact the organization.
