Typosquatting: When Your Domain Is Used Against You
If your organization has a recognizable brand and hasn’t inventoried its domain exposure in a while, now is a good time to do so, before someone else does it for you. Domain impersonation, also known as typosquatting, is the registration of domains that closely mimic legitimate ones through subtle misspellings, character substitutions, or appended keywords. It remains a highly effective technique for threat actors and has served as an initial access vector for some of the most operationally sophisticated groups active today, including Octo Tempest, also known as Scattered Spider.
The Big Shift
The numbers have been uncomfortable for a while now. Already in 2023, Fortra’s Domain Impersonation Report showed that the average brand was targeted by nearly 40 lookalike URLs per month in the first half of that year. By Q2 of 2024, that figure had nearly doubled to 73 lookalike URLs per month.[1] Zscaler ThreatLabz analyzed over 30,000 lookalike domains registered between February and July 2024 and found that more than 10,000 of them were actively malicious.[2] The World Intellectual Property Organization (WIPO) reported a 68% rise in cybersquatting case filings since the pandemic.[3]
According to Microsoft’s Kelly Bissell, Microsoft detected over 91,000 root domains involved in impersonation attacks during all of 2024. Then in March 2025 alone, more than 26,000 domains were identified impersonating companies and government services.[17]
What used to take a full year to accumulate in volume was happening at a rate of tens of thousands per month already in the beginning of 2025.
Today, in 2026, domains are registered at an alarming speed: 1,627,404 new domains were registered in the first week of June 2026 alone. These volumes are constant, not a spike; during May 2026, close to 8 million new domains were registered.[18]
What Drives This Increase In Typosquatting?
There are several reasons why domain impersonation has increased dramatically.
For years, threat actors had to put actual labor into domain impersonation, especially in order to scale. It took genuine work and time to identify plausible permutations of target domains, to evaluate which variants would be most convincing, to register them across multiple registrars and, not least, to create believable landing pages. This process used to be time-consuming and required some expert knowledge. As you might have guessed, that constraint is now long gone, since AI can replace almost all of the manual labor previously required.
Domain impersonation campaigns now leverage automation to register thousands of domain variants simultaneously, integrating AI-driven generation to produce and evaluate permutations in just minutes.[7] Tools like dnstwist automate character substitution, homograph attacks using visually similar Unicode characters, wrong TLD swaps, and combosquatting, and high-trust keywords like “secure,” “login,” or “support” are easily appended to a target brand name.[3]
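To make the permutation classes named above concrete from the defender’s side, here is a small, dependency-free generator that builds the watch-list a brand owner would feed into monitoring or defensive registration. It is an added example written for this article, not code from the page or from dnstwist, and it imitates those classes in simplified form: omission, transposition and doubled-letter typos; ASCII substitutions such as rn for m and 0 for o; single Unicode homoglyph swaps emitted in the xn-- (punycode) form a registrar actually stores; wrong-TLD swaps; and combosquatting with trust keywords. The domain example.com, the TLD list and the confusable tables are constructed sample input.

```python
"""Build a lookalike watch-list for a brand domain you own.

Added example for this article, not code from the page or from dnstwist. It
imitates the permutation classes the text names (typos, ASCII substitutions
such as rn/m and 0/o, Unicode homoglyphs, TLD swaps and combosquatting with
trust keywords) so a defender can feed the result into monitoring or
defensive registration. "example.com", the TLD list and the confusable
tables are constructed sample input.
"""

# ASCII sequences that render alike at a glance (constructed, not exhaustive).
ASCII_CONFUSABLES = {
    "m": ["rn"], "rn": ["m"], "o": ["0"], "0": ["o"], "l": ["1", "i"],
    "i": ["l", "1"], "e": ["3"], "a": ["4"], "s": ["5"], "w": ["vv"], "vv": ["w"],
    "cl": ["d"], "d": ["cl"],
}
# Cyrillic letters that look like their Latin counterparts in most fonts.
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "i": "\u0456",
              "j": "\u0458", "o": "\u043e", "p": "\u0440", "s": "\u0455", "x": "\u0445"}
TLDS = ["com", "net", "org", "co", "io", "cm", "om"]   # constructed sample list
KEYWORDS = ["sso", "okta", "vpn", "helpdesk", "servicedesk", "login", "support", "secure"]


def split_domain(domain):
    """Split 'label.tld' on the first dot (single-label TLDs assumed)."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typo_variants(label):
    """Omission, adjacent transposition and doubled-character typos."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                        # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])         # repetition
        if i < len(label) - 1:                                     # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def substitution_variants(label):
    """Replace each occurrence of a confusable ASCII sequence, one at a time."""
    out = set()
    for seq, replacements in ASCII_CONFUSABLES.items():
        start = label.find(seq)
        while start != -1:
            for rep in replacements:
                out.add(label[:start] + rep + label[start + len(seq):])
            start = label.find(seq, start + 1)
    return out


def homoglyph_variants(label):
    """Single Unicode homoglyph swaps, returned in the xn-- form a registrar stores."""
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            spoofed = label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            out.add(spoofed.encode("idna").decode("ascii"))
    return out


def generate_watchlist(domain, tlds=TLDS, keywords=KEYWORDS):
    """All permutation classes combined, minus the genuine domain itself."""
    label, tld = split_domain(domain)
    labels = typo_variants(label) | substitution_variants(label) | homoglyph_variants(label)
    labels.discard(label)
    watch = {f"{lab}.{tld}" for lab in labels}
    watch |= {f"{label}.{t}" for t in tlds if t != tld}             # wrong-TLD swaps
    watch |= {f"{label}-{kw}.{tld}" for kw in keywords}             # combosquatting
    watch |= {f"{kw}-{label}.{tld}" for kw in keywords}
    watch.discard(domain.lower())
    return sorted(watch)


if __name__ == "__main__":
    for candidate in generate_watchlist("example.com"):
        print(candidate)
```

The output is deliberately a superset: a real monitoring pipeline would resolve each candidate against WHOIS, DNS and CT data and keep only the ones that exist, which is the part a tool like dnstwist adds on top of the permutation step shown here.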
What About the Cost?
AI has changed the economics, since with automation comes lower costs. Today, domain registration runs under $15 and TLS certificates from Let’s Encrypt are free. When TLS certificates are used, users see the padlock icon in the URL field, and they associate this with safety. Zscaler found that Let’s Encrypt TLS certificates were used in nearly half of all malicious lookalike domains they analyzed in 2024.[2]
Then there are the phishing kits. They now automate the deployment of pixel-perfect credential harvesting pages. An attacker can build a convincing brand impersonation infrastructure for under $50 and have it operational within hours.
The research community has begun to document the AI dimension formally. A 2024 IEEE/IFIP conference paper titled ChatScam specifically examined the rising impact of large language models on domain name abuse, identifying how LLMs are being leveraged to generate contextually plausible, convincing domain variants that evade rule-based detection.[6] The threat is therefore not just automation, but rather intelligent automation capable of producing variants that are genuinely difficult to distinguish from legitimate infrastructure without dedicated tooling.
Weaponizing Domain Impersonation Like Octo Tempest
No threat actor illustrates the operational maturity of domain impersonation better than Octo Tempest. This financially motivated group has been active since at least early 2022 and has since built domain impersonation into a repeatable, scalable attack methodology that has compromised some of the largest organizations in the world.[8]
Check Point Research identified over 500 phishing domains registered by the group as pre-attack infrastructure, a clear demonstration of how they have weaponized typosquatting.[9] ReliaQuest’s analysis of over 600 Octo Tempest-linked domains found that 81% impersonate technology vendors, following systematic naming conventions: “victimname-sso.com”, “victimname-okta.com”, “victimname-helpdesk.com”, “victimname-servicedesk.com”.[10]
Silent Push correlated DNS and content data and developed regex detection signatures specifically for Octo Tempest’s domain patterns since the conventions are so consistent and deliberate.[11] Domain impersonation is part of their planned, reusable pre-attack toolkit, and it has really paid off for this group.
Let’s have a look at why Octo Tempest does this and why it works.
The 0ktapus Campaign
In March 2022, and running through mid-year, Octo Tempest ran a campaign dubbed 0ktapus, which compromised over 130 organizations worldwide.[8] The infrastructure was straightforward and devastatingly effective. The group registered domains that closely mimicked their targets’ Okta SSO portals, then delivered SMS phishing messages directing employees to these fake login pages.
The domains incorporated the target brand name alongside keywords like “okta,” “sso,” and “corp”, which were convincing enough for employees to enter their credentials without suspicion. The harvested credentials were then used to access internal systems, with Twilio being one of the most consequential victims. Twilio’s compromise in August 2022 then cascaded into a supply chain attack that ultimately affected Signal, the encrypted messaging application [12], demonstrating how a single impersonated domain can create second- and third-order impact across an entire ecosystem of downstream customers.
The Casino Jackpot
Another example is the attack against MGM Resorts in September 2023, showcasing how social engineering and domain impersonation work in concert. Octo Tempest members researched MGM employees on LinkedIn, then contacted the IT help desk impersonating those employees to obtain credential resets.[13] Sekoia’s infrastructure investigation uncovered phishing domains targeting MGM that had been registered and active as early as August 2022. Note that this was over a year before the public breach actually took place, confirming that domain impersonation infrastructure is prepared well in advance of execution.[14]
Once initial access was achieved, the group manipulated MGM’s Okta identity provider to register an attacker-controlled secondary IdP, enabling them to impersonate any user in the tenant via SSO. BlackCat/ALPHV ransomware was deployed across more than 100 ESXi hypervisors, and the result was devastating: a 36-hour operational outage, approximately $100 million in financial impact on MGM’s Q3 results, roughly $10 million in one-time cybersecurity consulting fees, and a class-action settlement of $45 million reached in January 2025.[15]
Taking It to the Next Level
By 2025, Octo Tempest had evolved its domain impersonation tradecraft. Rather than relying solely on hyphenated lookalike domains, which security teams had now begun to look for, the group shifted toward subdomain-based impersonation. Subdomain-based impersonation uses structures like “vpn-login.company-support.com” to embed malicious infrastructure within seemingly plausible URL hierarchies.[16]
The group paired this with the Evilginx adversary-in-the-middle framework, which clones legitimate login pages and proxies authentication requests in real time, capturing not just usernames and passwords, but also session cookies and bypassing many common MFA implementations, especially push- or TOTP-based flows that are not phishing-resistant.[10]
The coordinated campaign against major UK retailers in May 2025 is assessed to have used this evolved infrastructure. According to ReliaQuest, 81% of the domains linked to Octo Tempest employ typosquatting tactics, with keywords like “vpn,” “helpdesk,” “okta,” and “sso” consistently appearing in the URLs.[10]
Who Is The Target
No sector is immune, but some are prioritized. According to ThreatLabz, internet services, professional services, and online shopping account for over 78% of domain impersonation-related phishing domains.[2] Akamai’s research shows that financial institutions receive more than 36% of all traffic directed to impersonated domains.[5]
Domain impersonation is not only used in well-known attacks you read about in the news or in relation to major events like the 2026 World Cup. For the World Cup, Chinese-speaking threat actors have registered over 4,300 domains impersonating FIFA’s official web presence since the beginning of August 2025.[19]
At Truesec, we also observe impersonated domains being part of the attack chain in several Business Email Compromise (BEC) cases. Domain impersonation is then used to deceive recipients into believing that fraudulent emails are legitimate.
Domain impersonation is really a threat to all organizations.
What You Can Do About Typosquatting
- Continuous Domain Monitoring
You can only protect what you see. With Truesec Managed Threat Exposure (MTE) service, we support organizations with automated monitoring for domain permutations of your brand, including common misspellings, character substitutions (e.g., rn → m, 0 for o), TLD variants, and combosquatting with high-value keywords. Talk to us at Truesec for more information.
- Defensive Registration
Register your highest-risk domain variants preemptively. Think of the ones an employee would plausibly mistake for a legitimate internal portal, like SSO portals, VPN access pages, and IT helpdesk endpoints.
- Certificate Transparency (CT) Log Monitoring
Attackers obtain TLS certificates before weaponizing domains, and since CT logs are public you can monitor them for certificates issued to domains resembling yours. This gives you a detection window that, when acted on, can identify infrastructure before it goes active.
- Employee Awareness with Real Examples and Impact
“Check the URL” is insufficient advice. Show employees what “victimname-okta.com” looks like versus “okta.victimname.com” versus “victimname.okta-sso.com”. The visual difference is marginal, but the security difference is not. Share the MGM Resorts example with employees to help them understand the economic impact and how much cost a single domain impersonation attack can generate in the end.
- Treat Your Domain Portfolio as an Attack Surface
Your expired domains, your subsidiaries, and your acquired brands can all be used as launchpads against your employees and customers. Map them and monitor them. Take takedown action when needed, and understand that the legal process, while necessary, is slow compared to an attacker’s ability to re-register under a new registrar.
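The CT log monitoring recommended above, the regex signatures Silent Push built for the group’s hyphenated naming conventions, and the subdomain-based structures described in “Taking It to the Next Level” all reduce to the same detection task: take a feed of newly certified or newly registered hostnames and decide which ones resemble your brand. The following is an added example written for this article, not code from the page or from any vendor it cites, that runs that classification over a constructed feed of certificate subject alternative names. The brand label examplecorp, the owned-domain set, the confusable table and every feed entry are made up; the keyword list is the article’s. It flags five patterns: a brand-keyword combosquat in the registrable label, keyword-carrying subdomains under such a label (the “vpn-login.company-support.com” shape), the brand used as a subdomain of a third-party registrable domain, Unicode homoglyphs (decoded from punycode and folded to ASCII before comparison), and short-edit-distance typos.

```python
"""Flag brand lookalikes in a feed of newly certified or registered hostnames.

Added example for this article, not code from the page or from any vendor
named in it. It applies two ideas the text describes, regex signatures for the
brand-keyword naming conventions and public CT log monitoring, to a constructed
feed of subject alternative names. "examplecorp", the owned-domain set, the
confusable table and the feed entries are made-up sample data; the keyword list
is the article's.
"""
import re
import unicodedata

BRAND = "examplecorp"                       # constructed brand label
OWN_DOMAINS = {"examplecorp.com"}           # domains we actually own (constructed)
KEYWORDS = ("sso", "okta", "vpn", "helpdesk", "servicedesk", "login", "support", "secure")

# Hyphen-joined brand + trust keyword in any order: brand-sso, okta-brand, vpn-brand-login ...
_KW = "|".join(KEYWORDS)
COMBO_RE = re.compile(rf"^(?:(?:{_KW})-)*{re.escape(BRAND)}(?:-(?:{_KW}))*$")

# Cyrillic letters most often used in place of Latin ones (constructed, not exhaustive).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
               "\u0458": "j", "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x"}

# Constructed sample feed: the kind of names a CT log or zone-file diff hands you.
SAMPLE_FEED = [
    "examplecorp.com",
    "mail.examplecorp.com",
    "examplecorp-sso.com",
    "vpn-login.examplecorp-support.com",
    "examplecorp.okta-sso.com",
    "exarnplecorp.com",
    "example\u0441orp.com".encode("idna").decode("ascii"),   # Cyrillic 's' as punycode
    "*.unrelated-shop.com",
]


def labels_of(hostname):
    """Lowercase, drop a CT wildcard prefix, decode punycode labels to their visible form."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return [lab.encode("ascii").decode("idna") if lab.startswith("xn--") else lab
            for lab in host.split(".")]


def skeleton(label):
    """Fold homoglyphs and accents toward plain ASCII so lookalikes compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def levenshtein(a, b):
    """Edit distance; a small distance to the brand label indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname):
    """Return the lookalike categories a hostname matches ([] for clean or owned names)."""
    labels = labels_of(hostname)
    fqdn = ".".join(labels)
    if fqdn in OWN_DOMAINS or any(fqdn.endswith("." + d) for d in OWN_DOMAINS):
        return []
    if len(labels) < 2:
        return []
    registrable, subdomains = labels[-2], labels[:-2]    # single-label TLD assumed
    reg_sk = skeleton(registrable)
    reasons = []
    if reg_sk != registrable and BRAND in reg_sk:
        reasons.append("homoglyph")
    if reg_sk != BRAND and COMBO_RE.match(reg_sk):
        reasons.append("combosquat")
    if any(BRAND in skeleton(sub) for sub in subdomains):
        reasons.append("brand-as-subdomain")
    if BRAND in reg_sk and any(kw in sub for sub in subdomains for kw in KEYWORDS):
        reasons.append("keyword-subdomain")
    if 1 <= levenshtein(reg_sk, BRAND) <= 2:
        reasons.append("typosquat")
    return reasons


def scan(feed):
    """Map each flagged hostname in the feed to the reasons it was flagged."""
    return {host: r for host in feed if (r := classify(host))}


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_FEED).items():
        print(f"{host:45} {', '.join(reasons)}")
```

In production the feed would come from a CT log client or a newly-registered-domain list, the TLD split would use the public suffix list rather than the single-label assumption made here, and each hit would be enriched (registrar, creation date, hosting, page content) before anyone decides between a watch entry and a takedown request.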
The Bottom Line
Typosquatting is not a new phenomenon, but with AI as the catalyst, it has become a technique we need to be prepared for.
The question is not whether someone has registered a typosquatted version of your domain. The data says they probably have. The question is whether you know about it before your employees start sending credentials there.
Sources
[1] Fortra, 2023 Domain Impersonation Report and Q2 2024 update, via ExpressVPN threat analysis, March 2026. https://www.expressvpn.com/blog/what-is-typosquatting/
[2] Zscaler ThreatLabz, Phishing, Typosquatting and Brand Impersonation: Trends and Tactics, September 2024. https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-brand-impersonation-trends-and-tactics
[3] CybelAngel, Things to Know About Domain Squatting in 2024, via WIPO cybersquatting filing data. https://cybelangel.com/blog/6-things-to-know-about-domain-squatting-in-2024/
[4] Patrowl, Typosquatting Detection: Stop Fake Domains Before Phishing Attacks, via APWG 2024 data and ClearSale 2025 survey. https://patrowl.io/en/blog/typosquatting-cybersecurite-menaces
[5] Akamai, Financial Services Threat Research (2023–2024) via Finance Magnates analysis. https://www.financemagnates.com/forex/typosquatting-goes-industrial-why-one-broker-registered-over-600-domains/
[6] Liu M. et al., ChatScam: Unveiling the Rising Impact of ChatGPT on Domain Name Abuse, IEEE/IFIP DSN 2024. https://dl.acm.org/doi/10.1145/3627106.3627111
[7] Abnormal AI, Typosquatting Glossary Entry, October 2025. https://abnormal.ai/glossary/typosquatting
[8] Fireblocks, Understanding an 0ktapus Phishing Campaign, July 2024. https://www.fireblocks.com/blog/understanding-an-0ktapus-phishing-campaign
[9] Check Point Research, Scattered Spider’s Pre-Attack Infrastructure Exposed: 500+ Phishing Domains Mimic Enterprise Logins, July 2025 via Information Security Buzz. https://informationsecuritybuzz.com/scattered-spiders-pre-attack-infrastructure-exposed-500-phishing-domains-mimic-enterprise-logins/
[10] ReliaQuest, Scattered Spider Cyber Attacks Using Phishing and Social Engineering, June 2025. https://reliaquest.com/blog/scattered-spider-cyber-attacks-using-phishing-social-engineering-2025/
[11] Silent Push, Eight-legged Phreaks: DNS and Content Scans Discover New Scattered Spider Phishing Infrastructure, November 2024. https://www.silentpush.com/blog/scattered-spider/
[12] FS-ISAC, Cross-Sector Mitigations: Scattered Spider, https://www.fsisac.com/hubfs/Scattered%20Spider/SectorThreatActorAnalysis-ScatteredSpider.pdf
[13] Push Security, How Scattered Spider TTPs Are Evolving in 2025, November 2025. https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025
[14] Sekoia.io, Scattered Spider Laying New Eggs, March 2025. https://blog.sekoia.io/scattered-spider-laying-new-eggs/
[15] Analyst1, Scattered Spider Threat Actor Profile, February 2026. https://analyst1.com/threat-actors/scattered-spider/
[16] CyberNews, These Hackers Knocked Marks & Spencer and Harrods Offline - What’s the Secret?, June 2025. https://cybernews.com/security/scattered-spider-hackers-marks-spencer-harrods/
[17] Kelly Bissell (Corporate VP, Microsoft), interviewed by Sherrod DeGrippo, Stopping Domain Impersonation with AI, Microsoft Threat Intelligence Podcast, Ep. 53, September 24, 2025. https://thecyberwire.com/podcasts/microsoft-threat-intelligence/53/transcript
[18] Domains Monitor, List of newly registered and removed domains, June 8, 2026. https://domains-monitor.com/update/
[19] The Record, Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans, May 28, 2026. https://therecord.media/chinese-speaking-fraud-gang-fifa-world-cup-scam