This chapter covers two closely related but distinct attacks on domain names: typosquatting (also called URL hijacking) and domain hijacking. Both end with users reaching an attacker-controlled site instead of the one they expected, but they work through different mechanisms: typosquatting registers a new lookalike name and waits for user error, while domain hijacking takes over the legitimate name itself. Understanding these threats is essential for the SY0-701 exam in Domain 2.0 (Threats, Vulnerabilities, and Mitigations), where typosquatting is listed under Objective 2.2 (common threat vectors and attack surfaces). Both attacks can lead to credential theft, malware delivery, and brand damage.
Imagine a bustling shopping district where a popular coffee shop called "Brew Haven" has a distinctive green awning with a white cup logo. A fraudster rents a storefront two doors down, paints its awning the same shade of green, uses a nearly identical logo (the cup is slightly tilted), and names it "Brev Haven" (a 'v' in place of the 'w'). A hurried customer, glancing at the sign, walks into the fake shop, orders a latte, and pays with a credit card. The fraudster captures the card details and later uses them online. This is typosquatting in the physical world: exploiting a minor visual or spelling difference to deceive. Now imagine the fraudster doesn't just rent a nearby store; they somehow convince the city to reassign the original shop's address to their own building. Customers who type the exact address into their GPS end up at the fake store. That is domain hijacking: taking control of the legitimate name or address itself.
What Are Typosquatting and Domain Hijacking?
Typosquatting (also known as URL hijacking; a close relative of cybersquatting, which registers trademarked names rather than misspellings) is the practice of registering domain names that are deliberate misspellings or variations of popular legitimate domains. The attacker relies on users making typographical errors when typing a URL into a browser. For example, a user intending to visit www.google.com might accidentally type www.gooogle.com (extra 'o') or www.gogle.com (missing 'o'), landing on a malicious site that mimics the real Google page to steal login credentials or serve malware.
Domain hijacking, in contrast, involves gaining unauthorized control over a legitimate domain name by compromising the domain registrar account, exploiting vulnerabilities in the domain registration process, or using social engineering to transfer the domain to a different registrar. Once the attacker controls the domain, they can modify DNS records to point traffic to their own servers, intercept email, or hold the domain for ransom.
How Typosquatting Works Mechanically
Registration: The attacker identifies a high-traffic domain (e.g., facebook.com). They use automated tools to generate a list of common typos: missing characters (facebok.com), swapped characters (facbeook.com), extra characters (faceboook.com), homoglyphs (Unicode characters that look like ASCII, e.g., Cyrillic 'а' in place of Latin 'a'), or the correct spelling under a different top-level domain (TLD), such as facebook.net.
Hosting: The attacker registers these domains with a cheap registrar and sets up a web server. The server often hosts a replica of the legitimate site's login page, crafted using HTML/CSS that visually matches the original. The page may also include drive-by download scripts that exploit browser vulnerabilities.
Traffic Capture: When a user makes a typo, their browser sends a DNS query for the misspelled domain. Nothing in DNS is compromised: the attacker legitimately owns the typo domain, so the query resolves to the attacker's server IP exactly as designed. The user sees a page that looks identical to the real site. If they enter credentials, the attacker captures them and then redirects the user to the real site to avoid suspicion.
Monetization: Attackers can also use typosquatted domains for pay-per-click advertising, displaying ads that generate revenue when users mistype. Some typosquatters sell the domain back to the legitimate owner at an inflated price.
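The permutation categories from the four steps above, written out as an added Python example; this is not dnstwist's or URLCrazy's code, it models what those tools enumerate (and it is the same generation step the attack walkthrough later on the page describes). The brand `facebook.com`, the combo words, the TLD list, the QWERTY neighbour table and the ASCII lookalike table are assumptions for the illustration. It performs no DNS lookups; resolving the output against live DNS is the step the real tools add.

```python
# Added example (not dnstwist's or URLCrazy's code): enumerate typosquatting
# candidates for one brand the way the tools do, labelled by category.
# Sample brand, word lists and lookalike tables are illustrative assumptions.
import string

# Adjacent keys on a US QWERTY keyboard, used for fat-finger replacements.
QWERTY = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# ASCII-only lookalikes. Unicode homoglyphs (Cyrillic 'а' etc.) need Punycode
# and are covered in the homograph section of this chapter.
ASCII_GLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "g": "q"}
PAIR_GLYPHS = (("rn", "m"), ("m", "rn"), ("vv", "w"), ("w", "vv"), ("cl", "d"))
COMBO_WORDS = ("login", "secure", "support", "account", "verify")
TLDS = ("com", "net", "org", "co", "info")
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def omission(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetition(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transposition(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def replacement(label):
    # Key-adjacent substitutions, one character at a time.
    return {label[:i] + c + label[i + 1:]
            for i, ch in enumerate(label) for c in QWERTY.get(ch, "")}


def homoglyph(label):
    out = {label[:i] + ASCII_GLYPHS[ch] + label[i + 1:]
           for i, ch in enumerate(label) if ch in ASCII_GLYPHS}
    for src, dst in PAIR_GLYPHS:
        if src in label:
            out.add(label.replace(src, dst, 1))
    return out


def combosquat(label):
    return ({f"{label}-{w}" for w in COMBO_WORDS}
            | {f"{label}{w}" for w in COMBO_WORDS}
            | {f"{w}-{label}" for w in COMBO_WORDS})


def is_valid_label(label):
    # RFC 1035 LDH rule: 1-63 chars, letters/digits/hyphen, no edge hyphens.
    return (0 < len(label) <= 63 and set(label) <= LABEL_CHARS
            and not label.startswith("-") and not label.endswith("-"))


GENERATORS = (("omission", omission), ("repetition", repetition),
              ("transposition", transposition), ("replacement", replacement),
              ("homoglyph", homoglyph), ("combosquat", combosquat))


def generate(domain):
    """Return {candidate_domain: category} for a second-level domain."""
    label, _, tld = domain.lower().partition(".")
    candidates = {}
    for category, fn in GENERATORS:
        for variant in fn(label):
            if variant != label and is_valid_label(variant):
                candidates.setdefault(f"{variant}.{tld}", category)
    for alt in TLDS:  # wrong-TLD variants keep the spelling intact
        if alt != tld:
            candidates.setdefault(f"{label}.{alt}", "tld-swap")
    return candidates


if __name__ == "__main__":
    cands = generate("facebook.com")
    print(f"{len(cands)} candidates")
    for example in ("facebok.com", "facbeook.com", "faceboook.com",
                    "faceb0ok.com", "facebook-login.com", "facebook.net"):
        print(f"{example:22} {cands.get(example)}")
```

The same list serves the defender: feed it to a resolver (or to `dnstwist`, which does the lookups for you) and any candidate that resolves or has an MX record is worth a closer look, because a parked typo domain with mail set up is a phishing or email-interception setup in waiting.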
How Domain Hijacking Works Mechanically
Domain hijacking typically follows one of these paths:
Account Compromise: The attacker gains access to the domain owner's registrar account (e.g., GoDaddy, Namecheap) via phishing, credential stuffing, or weak passwords. Once inside, they can change DNS nameservers, transfer the domain to another registrar, or lock the owner out.
Social Engineering: The attacker contacts the registrar's support team, pretending to be the domain owner, and convinces them to reset the account password, remove the transfer lock, or initiate a transfer. This is aided by whatever registrant details are public in WHOIS (most registrars now redact them following GDPR, but historical WHOIS data and corporate websites still leak names and email addresses).
Exploiting Registrar Vulnerabilities: Registrars themselves have had security flaws, such as weakly authenticated APIs or support workflows that accepted forged authorization, that allowed unauthorized domain changes or transfers without the owner's credentials at all.
Expired Domain Re-registration: If the legitimate owner fails to renew a domain, it passes through the registrar's grace period and the registry's redemption period (typically around 30 days, during which the owner can still recover it for a fee) and is then deleted and released for anyone to register. Attackers monitor drop lists and snap up valuable domains the moment they become available.
Once the attacker controls the domain, they can:
Change the DNS 'A' record to point to a malicious server.
Set up MX records to intercept email for the domain, including password-reset messages for other services.
Obtain domain-validated TLS certificates for the domain, since the attacker can now answer the issuer's DNS or HTTP challenge, so the malicious site shows a valid padlock.
Deface the website or redirect visitors to phishing pages.
Hold the domain for ransom (a form of extortion).
Key Components and Variants
Typosquatting Variants:
- Homograph Attacks: Using characters from different scripts that look identical (e.g., Latin 'o' vs. Cyrillic 'о'). These are often called IDN (Internationalized Domain Name) homograph attacks. For example, www.paypal.com where the 'a' is replaced with a Cyrillic 'а' (U+0430).
- Combosquatting: Combining the brand with extra words or hyphens so the real name is visibly present (e.g., www.google-login.com, www.facebook-security.com). Strictly speaking this is not a typo at all, which is why it works even on careful users.
- Bitsquatting: Registering domains that differ from the target by a single bit in the binary representation of the name (e.g., one character code flipped by one bit). A memory or transmission error on the client side turns a correct request for the real domain into a request for the attacker's, without any user mistake.
- Soundalike Domains: Domains that sound identical when spoken but are spelled differently (e.g., `site.com` vs. `sight.com`), which catches users who heard the name on the radio or in a call rather than reading it.
Domain Hijacking Variants:
- DNS Poisoning: Not technically hijacking, since the registration is untouched, but it achieves a similar redirect by corrupting a resolver's cache.
- Domain Transfer Theft: The attacker initiates a transfer to another registrar, often using social engineering to obtain the transfer authorization (EPP/auth) code or to get past the confirmation step.
- Registrar Lock Bypass: Domains can be locked to prevent unauthorized transfers. Attackers sometimes trick support into removing the lock, or remove it themselves once inside the registrar account.
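The mechanics behind the homograph and bitsquatting variants above, as an added Python example that is not dnstwist's or any browser's code. It uses only the standard library: the built-in `idna` codec for Punycode, `unicodedata` for the script check, and bit arithmetic for bitsquats. The sample labels (the PayPal lookalike with Cyrillic 'а', the two-letter label `ab`) are illustrations.

```python
# Added example (not dnstwist's or a browser's code): Punycode encoding of a
# homograph, a mixed-script check, and single-bit-flip (bitsquat) variants.
# Sample labels are illustrative; only the standard library is used.
import string
import unicodedata

LDH = set(string.ascii_lowercase + string.digits + "-")  # valid hostname chars


def to_ace(domain):
    """Unicode domain -> ASCII-compatible encoding (xn-- labels)."""
    return domain.encode("idna").decode("ascii")


def from_ace(domain):
    """ASCII-compatible encoding -> Unicode, for inspecting xn-- names in logs."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label):
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """Mixed-script labels are the classic homograph; browsers display these
    as Punycode. A whole-script confusable (every letter Cyrillic) passes this
    test, which is why browsers also keep lists of confusable characters."""
    return len(scripts_in(label)) > 1


def bitsquats(label):
    """Labels reachable from `label` by flipping one bit in one character and
    still forming a valid hostname label. Upper-case flips are dropped because
    DNS is case-insensitive, so they name the same domain."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LDH and flipped != ch:
                variant = label[:i] + flipped + label[i + 1:]
                if not variant.startswith("-") and not variant.endswith("-"):
                    out.add(variant)
    return out


if __name__ == "__main__":
    homograph = "www.p\u0430ypal.com"          # first 'a' is Cyrillic U+0430
    print(homograph, "->", to_ace(homograph))   # www.xn--pypal-4ve.com
    print(from_ace("xn--pypal-4ve.com") == "p\u0430ypal.com")
    print(is_mixed_script("p\u0430ypal"), is_mixed_script("paypal"))
    print(sorted(bitsquats("ab")))
```

Two practical notes. First, the encoded form is what you will see in proxy logs and certificate transparency feeds, so decoding every `xn--` label and comparing it against your brand is a cheap detection. Second, the bitsquat list for a long brand name is small (a few dozen names), which makes defensive registration of the valid ones realistic.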
Mitigations
Against Typosquatting:
- Defensive Registration: Companies register common misspellings of their own domains and redirect them to the legitimate site. For example, Google owns www.gooogle.com.
- Domain Monitoring: Use services that monitor for newly registered domains similar to your own.
- User Awareness: Train users to check the URL carefully, use bookmarks, and avoid clicking links in emails.
- Browser Features: Modern browsers warn users when they visit lookalike domains (e.g., Chrome's 'Navigation to a lookalike URL' warning).
- DNSSEC: Not a typosquatting control. The typo domain is legitimately registered by the attacker and resolves exactly as its owner intends, so signed DNS answers change nothing. DNSSEC protects the integrity of answers for your own zone against spoofing and cache poisoning, which is a different attack.
Against Domain Hijacking:
- Registrar Lock: Enable the registrar lock (also called transfer lock) on all domains; in WHOIS it appears as the `clientTransferProhibited` status. It blocks transfers until someone with account access unlocks the domain, so it stops social-engineered transfers but not an attacker who has already taken over the account.
- Registry Lock: For high-value domains, ask the registrar for a registry-level lock (`serverTransferProhibited`, `serverUpdateProhibited`, `serverDeleteProhibited`). These statuses are set by the registry and lifted only through an out-of-band verification process, so even a compromised registrar account cannot change nameservers or transfer the domain.
- Two-Factor Authentication (2FA): Enable 2FA on the registrar account, and on the mailbox that receives the registrar's password-reset and transfer-confirmation emails.
- WHOIS Privacy: Use WHOIS privacy to hide personal contact information, reducing social engineering risk.
- Domain Monitoring: Set up alerts for any changes to domain registration or DNS records: registrar, status codes, nameservers, MX, DS records, and expiry date.
- Strong Passwords: Use unique, complex passwords for registrar accounts.
- Regular Audits: Periodically review domain settings, authorized users, and renewal dates.
- Use Reputable Registrars: Choose registrars with strong security practices and responsive support.
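The monitoring and lock checks from the list above, as an added Python example that is not any registrar's tooling. It runs over two constructed snapshots of the kind you would parse from `whois`/RDAP and `dig` output: a trusted baseline and a later snapshot taken during an account-takeover hijack. The EPP status codes are the standard ones registrars and registries set; the example.com values, the hijacked snapshot, and the 30-day expiry threshold are assumptions for the illustration.

```python
# Added example (not any registrar's tooling): compare a trusted baseline of a
# domain's registration and DNS facts with the latest snapshot and raise
# alerts. Snapshot values are constructed; EPP status codes are the real ones.
from datetime import date

# Registrar (client) locks every domain should have, and the registry
# (server) locks a high-value domain should have in addition.
CLIENT_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited",
                "clientUpdateProhibited"}
SERVER_LOCKS = {"serverTransferProhibited", "serverDeleteProhibited",
                "serverUpdateProhibited"}
EXPIRY_WARNING_DAYS = 30  # assumed threshold


def check_domain(baseline, current, today):
    """Return a list of (severity, message) alerts for the current snapshot."""
    alerts = []
    status = set(current["status"])

    missing = CLIENT_LOCKS - status
    if missing:
        alerts.append(("HIGH", f"registrar lock incomplete, missing {sorted(missing)}"))
    if "pendingTransfer" in status:
        alerts.append(("CRITICAL", "transfer pending: contact the registrar and cancel it now"))
    if current["registrar"] != baseline["registrar"]:
        alerts.append(("CRITICAL", f"registrar changed: {baseline['registrar']} -> {current['registrar']}"))
    if set(current["nameservers"]) != set(baseline["nameservers"]):
        alerts.append(("CRITICAL", f"nameservers changed: {sorted(current['nameservers'])}"))
    if set(current["mx"]) != set(baseline["mx"]):
        alerts.append(("HIGH", f"MX changed (mail interception risk): {sorted(current['mx'])}"))
    if current["a"] != baseline["a"]:
        alerts.append(("HIGH", f"A record changed: {baseline['a']} -> {current['a']}"))
    if baseline["ds"] and not current["ds"]:
        alerts.append(("HIGH", "DS record removed: DNSSEC chain of trust broken"))
    days_left = (current["expires"] - today).days
    if days_left < EXPIRY_WARNING_DAYS:
        alerts.append(("HIGH", f"domain expires in {days_left} days; renew before it drops"))
    if not SERVER_LOCKS & status:
        alerts.append(("LOW", "no registry lock; consider serverTransferProhibited for this domain"))
    return alerts


# Constructed baseline, recorded when the domain was known to be healthy.
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "status": ["clientTransferProhibited", "clientDeleteProhibited",
               "clientUpdateProhibited"],
    "nameservers": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "a": "203.0.113.10",
    "mx": ["mail.example.com"],
    "ds": ["12345 13 2 <digest>"],  # placeholder DS record, constructed
    "expires": date(2026, 3, 1),
}
# Constructed snapshot of the same domain during an account-takeover hijack:
# locks removed, transfer started, DNS repointed, DNSSEC disabled.
HIJACKED = {
    "registrar": "Example Registrar, Inc.",
    "status": ["pendingTransfer"],
    "nameservers": ["ns1.attacker-dns.example", "ns2.attacker-dns.example"],
    "a": "198.51.100.7",
    "mx": ["mx.attacker-dns.example"],
    "ds": [],
    "expires": date(2026, 3, 1),
}


def main():
    for severity, message in check_domain(BASELINE, HIJACKED, date(2025, 6, 1)):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

The ordering of severities reflects what you can still do about each finding: a pending transfer or a nameserver change has to be reverted at the registrar within the transfer window, while a missing registry lock is a hardening gap to fix on a quiet day. Run the comparison on a schedule and alert on any non-empty result, not only on the critical ones, because the lock removal is usually the first visible step of the hijack.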
Real Command/Tool Examples
Checking Domain Registration (WHOIS):
```shell
whois example.com
```
This returns the registrar, creation/expiry dates, nameservers, EPP status codes, and contact info (if not private). The status line is the quick check for the transfer lock: `clientTransferProhibited` means the registrar lock is on, `serverTransferProhibited` means a registry lock is in place, and `pendingTransfer` means a transfer is already under way. RDAP, the JSON-based successor to WHOIS, returns the same fields.
Checking DNS Records:
```shell
nslookup example.com
nslookup -type=ns example.com
nslookup -type=mx example.com
```
Or using dig:
```shell
dig +short example.com A
dig +short example.com NS
dig +short example.com MX
dig +short example.com DS
```
Query specific record types rather than `ANY`: most authoritative servers now answer `ANY` with a minimal response (RFC 8482), so `dig example.com ANY` no longer reliably lists everything.
Monitoring for Typosquatting (using DNSTwist):
```shell
dnstwist example.com
dnstwist --registered example.com
```
This generates a list of potential typosquatted domains and checks whether they resolve; `--registered` keeps only the ones that do.
Checking for Homograph Attacks (using Python):
```python
import idna  # third-party package: pip install idna

# An all-ASCII name encodes to itself.
print(idna.encode('www.paypal.com'))        # b'www.paypal.com'
# The same name with the first 'a' replaced by Cyrillic 'а' (U+0430)
# becomes a Punycode (xn--) label.
print(idna.encode('www.p\u0430ypal.com'))   # b'www.xn--pypal-4ve.com'
```
Homograph domains therefore appear in logs and certificate transparency data in their Punycode form (e.g., `xn--pypal-4ve.com` for the PayPal lookalike above); decoding `xn--` labels and comparing them with your brand names is a simple detection.
Preventing Transfer (using registrar API): Most registrars expose the lock through their API. For example, Namecheap's command is `namecheap.domains.setRegistrarLock`; the call also requires the `UserName` and `ClientIp` parameters and API access enabled on the account, so check the current API documentation:
```shell
curl "https://api.namecheap.com/xml.response?ApiUser=...&ApiKey=...&UserName=...&ClientIp=...&Command=namecheap.domains.setRegistrarLock&DomainName=example.com&LockAction=LOCK"
```
Identify High-Value Target Domain
The attacker first selects a domain with high traffic, such as a major social media platform, bank, or e-commerce site. They use tools like SimilarWeb or Alexa rankings (though deprecated) to find popular domains. They also consider domains with common misspellings or those that are hard to type (e.g., 'schwaab.com' for 'Schwab'). The goal is to maximize the number of potential victims who will make typographical errors.
Generate Typosquatting Candidates
Using automated scripts, the attacker generates a list of potential misspellings. Common algorithms include: missing character (e.g., 'facebok.com'), repeated character ('faceboook.com'), swapped adjacent characters ('facbeook.com'), wrong TLD ('facebook.net'), and homoglyph substitution (e.g., replacing 'a' with Cyrillic 'а'). Tools like DNSTwist or URLCrazy automate this. The attacker may also include combosquatting variations like 'facebook-login.com'.
Register and Host Malicious Domains
The attacker registers the candidate domains with a cheap or privacy-friendly registrar, often using prepaid credit cards or cryptocurrency to avoid detection. They then set up a web server (e.g., using Nginx on a VPS) hosting a replica of the target site's login page. They may also configure the server to log all submitted form data. For domain hijacking, the attacker would instead compromise the registrar account of the legitimate domain.
Drive Traffic to Malicious Sites
For typosquatting, traffic arrives naturally as users mistype URLs. The attacker may also boost traffic by: buying ads on search engines for the misspelled domain, sending phishing emails with links to the typosquatted domain, or using social media posts. For domain hijacking, the attacker changes DNS records to redirect all traffic from the legitimate domain to their server, so no extra effort is needed.
Capture Credentials and Exploit
When a victim visits the fake site and enters their username and password, the attacker's server captures the credentials (often stored in a text file or database). The attacker then redirects the victim to the real site to avoid suspicion. They may also install malware via drive-by download. With stolen credentials, the attacker can access the victim's account on the real site, perform fraud, or sell the credentials on the dark web.
Scenario 1: Enterprise SOC Detects Typosquatting of Corporate Domain
A security analyst at a large financial institution notices multiple failed login attempts from IP addresses not associated with employees. Reviewing proxy logs, the analyst sees that some employees are visiting www.bankofamerica-secure.com (a typosquatted domain). The analyst uses a tool like DNSTwist to generate a list of potential typosquatted domains and checks if any are active. They find three active lookalike domains hosted on the same IP range. The analyst reports to the incident response team, who then work with the legal department to send cease-and-desist letters to the hosting provider. The analyst also blocks the malicious domains on the corporate proxy and sends an awareness email to all employees about verifying URLs. A common mistake in this scenario is that the analyst only blocks the specific domain reported, missing other related typosquatted domains. The correct response is to proactively monitor for all variations and implement a domain monitoring service.
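The proxy-log review from the scenario above, as an added Python example that is not any product's detection logic. Each constructed log line is parsed, the destination host is reduced to its registrable domain, and the label is compared with the protected brand: the exact brand on a TLD the organization does not own, the brand embedded with extra words (combosquatting), or a small edit distance from it (typo). The log format, user names, client IPs, and lookalike domains are made up for the illustration, and the registrable-domain step is a simplification that ignores multi-label public suffixes such as `co.uk`.

```python
# Added example (not a vendor's detection logic): scan constructed proxy log
# lines for destinations that look like a protected brand. The log format,
# users and domains are made up; thresholds are assumptions.
PROTECTED_BRANDS = ("bankofamerica",)
OWNED_DOMAINS = {"bankofamerica.com"}  # the organisation's own registrations
MAX_EDIT_DISTANCE = 2
MIN_BRAND_LEN = 6  # short brands produce too many false positives at distance 2


def levenshtein(a, b):
    """Edit distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Simplification: last two labels (ignores suffixes like co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host):
    """Return (category, brand) if the host looks like a lookalike, else None."""
    domain = registrable_domain(host)
    if domain in OWNED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for brand in PROTECTED_BRANDS:
        if label == brand:
            return ("tld-swap", brand)
        if brand in label:
            return ("combosquat", brand)
        if len(brand) >= MIN_BRAND_LEN and levenshtein(label, brand) <= MAX_EDIT_DISTANCE:
            return ("typo", brand)
    return None


def scan_proxy_log(lines):
    """Return (host, category, brand, user) for each suspicious destination."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        # Constructed format: timestamp user client_ip host path status
        _ts, user, _ip, host, _path, _status = line.split()
        verdict = classify(host)
        if verdict:
            hits.append((host, verdict[0], verdict[1], user))
    return hits


# Constructed proxy log excerpt.
SAMPLE_LOG = """\
2024-05-02T09:14:03Z jdoe 10.1.4.22 www.bankofamerica.com /login 200
2024-05-02T09:15:11Z asmith 10.1.7.9 www.bankofamerica-secure.com /signin 200
2024-05-02T09:16:40Z bng 10.1.2.5 bankofamerlca.com /login 200
2024-05-02T09:17:02Z jdoe 10.1.4.22 www.bankofamerica.net /login 301
2024-05-02T09:18:55Z clee 10.1.9.14 mail.example.org /inbox 200
"""

if __name__ == "__main__":
    for host, category, brand, user in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{category:11} {host:32} user={user} (brand: {brand})")
```

The output is the list the scenario's analyst should be blocking and investigating: all three lookalikes, not just the one domain that was reported. Every user who appears in a hit has potentially submitted credentials and needs a password reset, which is the follow-up the scenario's awareness email alone does not cover.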
Scenario 2: Domain Hijacking of a Small Business
A small e-commerce company receives an email from their registrar stating that a domain transfer request has been initiated. The owner did not authorize this. They quickly log in to the registrar account and see that the transfer lock was disabled and the domain is pending transfer. The attacker had used a phishing email to trick the owner into revealing credentials, then logged in and disabled the lock. The owner contacts the registrar's support immediately and reverts the transfer. They enable 2FA and change the password. The attacker's attempt fails because the domain was still in the 5-day transfer pending period. A common mistake is that the owner ignores the email thinking it's spam, or delays action until after the transfer completes, making recovery much harder.
Scenario 3: Homograph Attack on a Cryptocurrency Exchange
A user receives a phishing email claiming their cryptocurrency exchange account is compromised and they need to verify their identity. The email contains a link to a Punycode-encoded (xn--) Cyrillic homograph of 'coinbase'. The user clicks and enters their credentials. The attacker immediately uses those credentials to log in to the real Coinbase and transfer funds. The exchange's security team detects the unusual login from a new device and locks the account, but the funds are already gone. The correct response for the exchange would have been to require multi-factor authentication (MFA) and to monitor for such homograph domains proactively. The user's mistake was not checking the URL carefully; modern browsers display mixed-script labels in their Punycode form, so an xn-- name in the address bar is a red flag (a lookalike made entirely of Cyrillic letters may still render in Unicode, which is why the browser's warning cannot be the only control).
What SY0-701 Tests
The exam focuses on distinguishing between typosquatting and domain hijacking, understanding the attack vectors, and identifying appropriate mitigations. Typosquatting sits in Objective 2.2 under human vectors and social engineering, as a form of brand impersonation that relies on user error. Domain hijacking and DNS poisoning appear as DNS attacks when you analyze indicators of malicious activity (Objective 2.4). Homograph attacks are a typosquatting variant, not a cryptographic attack; Punycode is an encoding, not a cipher. You need to know that typosquatting relies on user error, while domain hijacking relies on compromising the domain registration process.
Common Wrong Answers and Why Candidates Choose Them
Phishing vs. Typosquatting: Many candidates confuse typosquatting with phishing. While typosquatting is often used in phishing attacks, they are not the same. Phishing is a broader category that includes deceptive emails, while typosquatting specifically refers to registering lookalike domains. On the exam, if the scenario describes a user mistyping a URL, the answer is typosquatting, not phishing.
DNS Poisoning vs. Domain Hijacking: Both can redirect traffic, but DNS poisoning corrupts DNS cache entries (temporary), while domain hijacking takes control of the domain registration (permanent until fixed). Candidates often pick DNS poisoning when the scenario involves a domain being transferred or locked.
Man-in-the-Middle (MitM) vs. Typosquatting: MitM intercepts traffic between the user and the real server, while typosquatting sends the user to a different server entirely. If the scenario mentions the user typing the correct URL but being redirected, it might be DNS poisoning or MitM, not typosquatting.
Specific Terms and Values
Punycode: The ASCII encoding used for internationalized domain names (IDNs). Each label containing non-ASCII characters is converted to an ASCII string carrying the prefix xn--, so homograph domains show up as xn-- labels in logs and certificate records.
Registrar Lock / Transfer Lock: A security feature that prevents unauthorized domain transfers.
WHOIS: A protocol for querying domain registration information. Privacy services hide this data.
DNSSEC: DNS Security Extensions that ensure DNS responses are authentic. Not a direct mitigation for typosquatting but can prevent DNS spoofing.
Common TLDs: .com, .net, .org, .info, .biz are often used in typosquatting.
Trick Questions
A scenario might describe a user clicking a link in an email that leads to a site with a misspelled domain. The question asks: "What type of attack is this?" The answer is typosquatting, not phishing, because the attack vector is the domain name itself, not the email. However, the email is the delivery mechanism for the typosquatted link.
Another scenario: "An attacker gains access to a domain registrar account and changes the nameservers." This is domain hijacking, not DNS poisoning.
Decision Rule for Scenario Questions
Ask: "Is the attacker relying on the user making a typo?" If yes, it's typosquatting. If the attacker directly compromises the domain registration (via account takeover, social engineering, or expiry), it's domain hijacking. If the attacker corrupts DNS caches, it's DNS poisoning. If the attacker sets up a fake Wi-Fi access point to intercept traffic, it's an evil twin (related but distinct).
Typosquatting (URL hijacking) involves registering misspelled domains that rely on user typos; domain hijacking involves unauthorized control of a legitimate domain.
Homograph attacks use Unicode characters that look like ASCII (e.g., Cyrillic 'а') and are encoded as Punycode (xn-- prefix).
Registrar lock (transfer lock) prevents unauthorized domain transfers; it must be enabled on all domains.
Two-factor authentication (2FA) on registrar accounts is a critical defense against domain hijacking.
DNSTwist and URLCrazy are tools used to generate potential typosquatted domains for monitoring.
WHOIS privacy reduces but does not eliminate social engineering risk for domain hijacking.
Domain hijacking often has a transfer pending period (e.g., 5 days) during which the original owner can cancel the transfer.
Defensive registration of common misspellings is a proactive mitigation for typosquatting.
These come up on the exam all the time. Here's how to tell them apart.
| | Typosquatting | Domain Hijacking |
| --- | --- | --- |
| Relies on | User typographical errors | Compromising the domain registration |
| Attacker's domain | Registers new, similar domains | Takes control of the existing legitimate domain |
| Legitimate domain | Remains under the owner's control | Is transferred or altered |
| Mitigated by | Defensive registration and user awareness | Registrar lock, 2FA, and monitoring |
| Example | `gogle.com` instead of `google.com` | Attacker steals registrar credentials and transfers `google.com` |

| | DNS Poisoning | Domain Hijacking |
| --- | --- | --- |
| What is corrupted | DNS cache entries (temporary) | The domain registration (permanent until reversed) |
| Access required | None to the domain registration | Registrar account access or social engineering |
| Who is affected | Users of the poisoned resolver | All traffic to the domain, globally |
| Mitigated by | DNSSEC and secure resolver configuration | Registrar lock, 2FA, and transfer alerts |
| Example | Attacker injects fake records into a recursive resolver | Attacker changes the nameservers for `example.com` |
Mistake: Typosquatting and domain hijacking are the same thing.
Correct: They are different. Typosquatting involves registering lookalike domains that rely on user typos. Domain hijacking involves taking control of the legitimate domain itself through credential theft, social engineering, or registrar vulnerabilities.
Mistake: Only large companies are targets of typosquatting.
Correct: Any domain with traffic can be targeted. Small businesses, nonprofits, and even individuals can be victims. Attackers often target domains with common misspellings or those that are easy to mistype.
Mistake: Enabling WHOIS privacy completely prevents domain hijacking.
Correct: WHOIS privacy hides contact information from public queries, reducing social engineering risk, but it does not prevent account compromise via phishing or weak passwords. Registrar lock and 2FA are more critical.
Mistake: Typosquatting is only about visual similarity.
Correct: Typosquatting includes visual similarity (homographs), phonetic similarity (soundalikes), and typographical errors (missing/extra characters). Homograph attacks use Unicode characters to create visually identical domains.
Mistake: Domain hijacking always results in immediate loss of control.
Correct: Many registrars have a transfer pending period (usually 5-7 days) during which the original owner can cancel the transfer. Quick action can often revert a hijacking attempt.
What is the difference between typosquatting and domain hijacking?
Typosquatting is registering domain names that are deliberate misspellings of popular domains, relying on users making typing errors. The legitimate domain remains under the owner's control. Domain hijacking is gaining unauthorized control of the legitimate domain itself, often by compromising the registrar account or exploiting vulnerabilities. The key difference: typosquatting creates new, similar domains; domain hijacking steals the existing domain.
How do you defend against typosquatting?
The best defense is defensive registration: register common misspellings of your domain and redirect them to your main site. Use a generator such as DNSTwist, or a commercial monitoring service, to detect newly registered lookalike domains. Educate employees to check URLs carefully and use bookmarks. Block known lookalikes at the proxy and rely on browser lookalike warnings as a last line. DNSSEC does not help here: the typo domain is legitimately registered by the attacker and resolves correctly, so signed answers do not change where the user lands.
What is a homograph attack?
A homograph attack is a type of typosquatting where the attacker uses characters from different scripts that look identical to ASCII letters, such as replacing the Latin 'a' with a Cyrillic 'а' (U+0430). These domains are encoded in Punycode (e.g., `xn--pypal-4ve.com` for a PayPal lookalike whose first 'a' is Cyrillic). Users see a visually identical domain but are directed to a different site. Modern browsers display mixed-script labels in Punycode in the address bar, which can alert users.
Can a hijacked domain be recovered?
Yes, but it depends on timing. Most registrars have a transfer pending period (usually 5-7 days) during which the original owner can cancel the transfer. If the hijacking is detected during this window, contact the registrar immediately. After the transfer completes, recovery is more difficult and may require legal action or ICANN dispute resolution. Enabling registrar lock and 2FA can prevent hijacking in the first place.
Which tools help detect typosquatting?
Common tools include DNSTwist (Python-based, generates and checks typosquatted domains), URLCrazy (generates similar domains), and commercial services like DomainTools or Cisco Umbrella. For homograph detection, you can use Python's `idna` library (or the standard-library `idna` codec) to convert domains to Punycode and flag labels that start with `xn--` or mix scripts. WHOIS and RDAP lookups can also reveal recently registered similar domains.
Is typosquatting illegal?
Typosquatting can be illegal under the Anticybersquatting Consumer Protection Act (ACPA) in the US and similar laws in other countries, especially if done with bad faith intent to profit from a trademark. However, enforcement can be challenging. Many companies rely on ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) to reclaim typosquatted domains.
Does DNSSEC prevent domain hijacking?
DNSSEC (DNS Security Extensions) does not prevent domain hijacking. It ensures that DNS responses are authenticated and have not been tampered with, which protects against DNS spoofing and cache poisoning. If an attacker hijacks a domain and changes the DNS records, DNSSEC does not stop that: the attacker controls the authoritative DNS servers and can sign whatever records they publish, and with registrar access they can also replace or remove the DS record at the parent zone, re-anchoring the chain of trust to their own key or switching validation off. DNSSEC is relevant for preventing on-path tampering with DNS answers, not for protecting the registration.