Introduction
In April 2017, security researcher Xudong Zheng registered a domain using Cyrillic characters that render identically to Latin letters in most browsers. Chrome and Firefox at the time displayed the address bar showing apple.com with no visual warning. The domain resolved, carried a valid TLS certificate, and was indistinguishable from the real site to anyone reading the URL. The demonstration forced both browser vendors to change how they render internationalized domain names. The registration technique and the attack class it represents remained intact.
Most typosquatting against your domain will not be this technically elegant. An attacker registers yourcompanv.com with a v instead of y, sets up an MX record, and starts a credential harvesting campaign targeting users who mistype your address in a password manager prompt or an email client. The infrastructure takes twenty minutes to configure. Detection without active monitoring typically takes weeks, after users start reporting phishing emails or your support team notices incoming messages from a domain that looks almost right.
This guide walks through every detection method in sequence: generating your permutation space, identifying which ones are registered, analyzing what the registered domains are being used for, and setting up monitoring that catches new registrations before they reach your users.
What you need before you start
You need Python 3 installed to run dnstwist, the primary detection tool for this task. A terminal with curl handles the certificate transparency checks. For continuous monitoring, the optional certstream Python package provides a real-time CT log feed. No DNS changes, no agent installation, and no access to your DNS zone are required. All of these checks run from outside your infrastructure using public data.
Step 1: understand the mutation types dnstwist generates
Before running the tool, understanding what it generates helps you interpret the output without treating every result as a threat. dnstwist produces permutations across eight distinct mutation categories.
-
Mutation type reference — Each category targets a different typing error or deceptive registration pattern. Combosquatting is consistently the highest-risk category in practice: domains like acmecorpsupport.com or secureacmecorp.com survive casual user scrutiny because they look intentional rather than like a mistype. Homograph variants are less common against mid-size targets due to registration complexity, but any domain whose name contains letters shared between Latin and Cyrillic alphabets (a, c, e, o, p, x) is potentially vulnerable.
mutation type example (original: acmecorp.com) ------------------------------------------------------- omission acmecop.com (one character removed) transposition acemcorp.com (e and m swapped) substitution acmec0rp.com (o replaced with zero) insertion aacmecorp.com (character added) repetition acmeecorp.com (character doubled) hyphenation acme-corp.com TLD swap acmecorp.co, acmecorp.net, acmecorp.io combosquatting acmecorpsupport.com, loginacmecorp.com homograph acmecorp.com using Cyrillic character (U+0430)
Step 2: generate your permutation set and check registration status
Install dnstwist, then run it against your root domain with the --registered flag. Without this flag the output includes every generated permutation regardless of registration status, which can be thousands of rows. The registered flag filters to domains that have actually been claimed.
For the threat signals that matter most, add --mxcheck to query MX records for each registered domain. An MX record means the domain is configured to receive email, which is the clearest indicator of active campaign use. The MX column is the most important field in the output. A registered typosquat with no A record and no MX record is likely passive squatting. One with both an A record and an MX record is actively configured and should be triaged immediately regardless of what its current content shows.
-
Install and run dnstwist — The --registered flag filters output to only show domains that have been claimed. The --mxcheck flag queries MX records for each registered result.
pip3 install dnstwist[full] # Basic sweep: registered domains only dnstwist --registered acmecorp.com # Full threat signal check with MX record query dnstwist --registered --mxcheck acmecorp.com -
Sample output interpretation — The fuzzer column shows the mutation type. The dns-mx column is the priority triage field. Any entry with a populated dns-mx value is configured to receive email and represents an active threat.
fuzzer domain dns-a dns-mx ------------ ------------------- ------------- ------------------- omission acmecop.com 203.0.113.5 mail.acmecop.com tld-swap acmecorp.co 198.51.100.2 (none) addition acmecorps.com (legitimate) (none) homoglyph acmecorp.com* 192.0.2.88 mx.hemail.host * homoglyph variant uses Cyrillic character, displayed identically
Step 3: check certificate transparency logs for new lookalike issuances
CT logs record every TLS certificate issued by a public CA before a browser will trust it. An attacker who registers a typosquat and provisions a Let's Encrypt certificate generates a CT log entry before the phishing page goes live. Checking these logs for your domain name surfaces campaigns in the preparation phase.
A certificate issued for acmecorp.co last week combined with a fresh A record and an MX configuration is a campaign in active setup. The issuance timestamp tells you how recently the infrastructure was built.
-
Substring search on crt.sh — Query crt.sh using a broad match that catches domains containing your name as a substring. The grep removes your own legitimate subdomains. What remains are external domains containing your name.
curl -s 'https://crt.sh/?q=%acmecorp.com&output=json' | \ jq -r '.[].name_value' | sort -u | grep -v '\.acmecorp\.com$' # What remains after the filter: # acmecorpsupport.com, loginacmecorp.com, acmecorp.co, etc. -
Punycode search for homograph variants — The xn-- prefix identifies punycode-encoded internationalized domain names. Search for this prefix alongside your name to catch homograph typosquats.
curl -s 'https://crt.sh/?q=xn--&output=json' | \ jq -r '.[].name_value' | grep -i 'acmecorp\|acmecop\|acmec'
Step 4: analyze what registered typosquats are doing
Not every registered permutation represents an active threat. Prioritize investigation based on four indicators in this order.
- MX record present — The domain is configured to receive email. Treat this as confirmed malicious intent until proven otherwise. Password reset emails, support tickets, and anything your users send to a mistyped version of your address is intercepted here.
- SSL certificate recently issued — A cert issued within the past 30 days indicates active preparation, not passive holding. Cross-reference the cert issuance date against the domain registration date. A domain registered and certificated in the same week is not sitting idle.
- A record pointing to known hostile infrastructure — Check the resolved IP against threat intelligence. Bulletproof hosting providers and IPs previously associated with phishing campaigns are a strong confirmation of intent.
-
Page content resembles your site — Load the typosquat in a sandboxed environment. A blank page or a parking page indicates passive holding. A cloned login interface indicates an active credential harvesting setup.
# Fingerprint what each registered typosquat is serving cat registered_typosquats.txt | \ httpx -silent -status-code -title -tech-detect # Pull WHOIS data for registration date and registrar whois acmecop.com | grep -E 'Creation Date|Registrar|Name Server'
Step 5: set up continuous monitoring for new registrations
A one-time dnstwist run is a snapshot. New typosquats get registered constantly, and a campaign can launch within hours of a domain being claimed. Two approaches provide continuous coverage: scheduled dnstwist runs with diff output, and real-time CT log monitoring via certstream.
The cron job catches passive registrations within 24 hours. The certstream listener catches active campaign preparation within minutes of a cert being issued, before the phishing page launches.
-
Scheduled dnstwist with change detection — A daily cron job that runs dnstwist, saves output as CSV, and diffs against the previous day's results. New entries in the diff trigger an email alert.
#!/bin/bash # Cron: 0 7 * * * /opt/typosquat_monitor.sh DOMAIN="acmecorp.com" DATE=$(date +%Y-%m-%d) PREV=$(date -d 'yesterday' +%Y-%m-%d) DIR="/opt/typosquat_monitor" mkdir -p $DIR dnstwist --registered --mxcheck $DOMAIN \ --format csv > $DIR/$DATE.csv if [ -f $DIR/$PREV.csv ]; then NEW=$(comm -13 \ <(sort $DIR/$PREV.csv) \ <(sort $DIR/$DATE.csv)) if [ -n "$NEW" ]; then echo "New typosquat registrations:\n$NEW" | \ mail -s "Typosquat alert: $DOMAIN" security@acmecorp.com fi fi -
Real-time CT log monitoring with certstream — certstream streams every new certificate issuance from public CT logs. A Python listener that checks each new cert's domain name against your permutation patterns catches active campaign setup the moment a certificate is provisioned.
pip3 install certstream # typosquat_certstream.py import certstream, re PATTERNS = [ r'acmecorp\.(co|io|net|org)$', r'acmecop', r'acmec0rp', r'loginacmecorp', r'acmecorpsupport', ] def callback(message, context): if message['message_type'] == 'certificate_update': domains = message['data']['leaf_cert']['all_domains'] for domain in domains: for pattern in PATTERNS: if re.search(pattern, domain): print(f"[ALERT] Suspicious cert issued: {domain}") certstream.listen_for_events(callback)
Common mistakes and how to avoid them
Several patterns consistently reduce the effectiveness of typosquat monitoring programs without teams realizing it.
- Running dnstwist without --mxcheck and missing the critical signal — Registration status tells you a domain exists. The MX record tells you whether it can intercept email from users who mistype your address. Skipping the MX check means missing the most operationally dangerous configuration.
- Treating all registered typosquats as equivalent threats — A domain registered six years ago with a parking page and no MX record is not the same as one registered three days ago with an active MX record and a freshly issued TLS certificate. Triage by the four indicators above before escalating or filing a UDRP complaint.
- Only checking the apex domain and ignoring high-traffic subdomains — Attackers also target specific subdomains. A lookalike of app.acmecorp.com like app.acmecop.com targets direct-navigation users who type the full subdomain. Run dnstwist against your most-visited subdomains in addition to the root domain.
- Assuming DMARC prevents typosquat phishing — DMARC at p=reject prevents spoofing of your exact domain. It does nothing to stop email sent from a registered typosquat domain that has its own valid SPF and DKIM records. An email from security@acmecop.com passes every authentication check at the recipient's mail server.
- Checking only domain registration and missing shared-hosting phishing pages — A phishing page does not require a registered lookalike TLD. URL shorteners, redirect chains, and subdomains on shared hosting providers can all host credential harvesting pages. CT log monitoring and phishing feed subscriptions (Google Safe Browsing, PhishTank) catch these patterns that pure registration monitoring misses.
How to automate and monitor this continuously
Daily cron-based dnstwist runs combined with a certstream listener cover the two primary attack surface signals: new domain registrations and new certificate issuances. The cron job catches passive registrations within 24 hours. The certstream listener catches active campaign preparation within minutes of a cert being issued.
ExternalSight's brand discovery scanner runs on a continuous schedule across all monitored domains. Newly registered lookalike domains surface in the findings feed with registration date, A record, MX record, and SSL certificate status alongside your other attack surface findings, so typosquat signals do not sit in a separate monitoring silo.
Key takeaways
- Run dnstwist with --mxcheck, not just --registered. A typosquat with an MX record is configured to receive email and represents an active threat regardless of what its current web content shows.
- Check certificate transparency logs for your domain name as a substring, not just your exact subdomains. A fresh cert issuance on a lookalike domain is often the earliest detectable signal that a campaign is being prepared.
- Triage registered typosquats by four indicators in order: MX record presence, recent certificate issuance, A record pointing to known hostile infrastructure, and page content mimicking your site.
- DMARC protects your domain from being spoofed. It does not protect against a typosquat domain that registers its own SPF and DKIM records. Both controls are necessary and neither replaces the other.
- Proactively register your highest-risk permutations. Common TLD swaps (.co, .io, .net) and one-character variants of your exact name cost $10-15 per domain annually and permanently close those attack vectors.
Frequently asked questions
- How often should I run typosquat monitoring?
- Daily for registration-based checks via dnstwist. Continuous for CT log monitoring via certstream. The window between a domain being registered and a phishing campaign launching can be as short as a few hours, so weekly monitoring misses real campaigns. If you can only run periodic checks, daily is the minimum cadence that provides meaningful early warning.
- Can I get a typosquat domain taken down?
- Possibly, but slowly. A UDRP complaint filed with ICANN typically takes 45-60 days and requires documented evidence of bad-faith registration. For active phishing pages, a faster path is reporting to the registrar's abuse team and to Google Safe Browsing and PhishTank, which can result in the hosting being deplatformed and the domain blocklisted within 24-48 hours even if the registration itself persists. Registering the domain defensively before an attacker does is almost always faster and cheaper than removal after the fact.
- Does this work for brand names with special characters or hyphens?
- Yes. dnstwist handles hyphenated domains and generates permutations that add, remove, or move hyphens. For brand names with special characters, the tool generates homograph variants using the Unicode lookalike character set. Run dnstwist --list acmecorp.com to see the full permutation set before filtering to registered domains.
- What should I do if I find an active lookalike serving a cloned login page?
- Treat it as an active phishing incident. Report to the registrar's abuse contact found via WHOIS, submit to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish, and submit to PhishTank. Notify your users through official channels that a lookalike site exists. File a UDRP complaint in parallel for longer-term removal. Do not attempt to access or interact with the phishing infrastructure beyond confirming what it serves.
Monitor for lookalike domains across your attack surface
ExternalSight's brand discovery scanner monitors for newly registered lookalike domains across all your monitored domains on each continuous scan cycle. When a new registration appears with an MX record or a fresh SSL certificate, it surfaces in your findings feed the same day, not after a user reports a phishing email.