What is cybersquatting? Types, risks & detection

Wiz Experts Team
Key takeaways
  • Cybersquatting defined: Registering, trafficking, or using domain names confusingly similar to a distinctive or famous trademark, with bad-faith intent to profit. This definition aligns with the Anticybersquatting Consumer Protection Act (ACPA) and Uniform Domain Name Dispute Resolution Policy (UDRP) frameworks.

  • Security threat evolution: Cybersquatting has moved beyond simple brand issues to become active security threats, including phishing infrastructure and credential harvesting.

  • Cloud and API targeting: Modern attacks target cloud services, APIs, and developer workflows through tactics like typosquatting and dependency confusion.

  • Unified defense: Effective protection requires connecting external domain threats to your internal cloud security posture through attack surface management.

What is cybersquatting?

Cybersquatting is the practice of registering domain names that closely resemble legitimate brand names, trademarks, or popular websites with the intent to profit or cause harm. Attackers often register these domains before a company establishes its online presence or create variations after a brand becomes well-known.

The basic mechanics involve an attacker registering a domain that looks similar to a legitimate one. They may engage in opportunistic squatting, where they hold the domain to sell it back to the trademark owner at a high price. Alternatively, they may pursue malicious squatting, using the domain to launch attacks against the company's employees or customers.

Cybersquatting has evolved from a simple brand exploitation issue into a sophisticated attack infrastructure. Squatted domains now serve as launching points for phishing campaigns, malware distribution, and credential theft, with phishing volumes numbering in the millions annually according to industry threat intelligence reporting.

This shift matters for security teams because external domain threats can quickly become internal security incidents. When employees or systems interact with malicious domains, attackers can bypass perimeter defenses. Understanding the types of cybersquatting, legal frameworks, and detection methods is essential for maintaining a strong security posture.


How cybersquatting enables modern attack vectors

Attackers have shifted from passively parking domains to actively exploiting them for security breaches. Squatted domains often bypass traditional perimeter security because they appear legitimate to both users and automated security tools.

One of the most common uses for these domains is phishing infrastructure. Attackers host credential harvesting pages that mimic cloud login portals for services like AWS, Azure, or Google Cloud; Microsoft is impersonated in 25% of phishing attacks. When users mistakenly enter their information, attackers use the stolen cloud credentials to gain unauthorized access to the environment.

  • Supply chain attacks: Attackers publish packages with typosquatted names to repositories like npm or PyPI, tricking developers into installing malicious dependencies.

  • Subdomain takeover: If you abandon a cloud resource but leave the DNS record active, attackers can claim that resource and control a legitimate subdomain.

  • API impersonation: Squatted domains can mimic API endpoints to trick misconfigured clients into sending requests to the wrong host (for example, via mistyped base URLs in configuration files). Security teams should enforce strict TLS hostname verification, implement mutual TLS (mTLS) for service-to-service calls, and maintain outbound domain allowlists to prevent token and API key leakage.

Once credentials are stolen via squatted domains, attackers gain persistence within the cloud environment. Because they are using valid credentials, their activity blends in with normal traffic patterns. This makes detection difficult for teams relying solely on signature-based tools.

Types of cybersquatting attacks

Typosquatting

Typosquatting involves registering domains with common misspellings of legitimate brands. Examples include "gooogle.com" instead of "google.com" or "micr0soft.com" using a zero instead of the letter "o". Attackers also use keyboard proximity attacks, swapping adjacent keys to create domains like "amazom.com".

Attackers often use automation to register thousands of typo variations instantly. In developer workflows, typosquatted package names in dependency managers can introduce malicious code into software builds, as demonstrated by 60 malicious npm packages that exfiltrated host and network data before removal. For cloud security, these domains pose a risk when users mistype URLs for cloud consoles and land on a credential harvesting site.

Combosquatting

Combosquatting occurs when attackers add common words or prefixes to legitimate brand names. Examples include "secure-paypal.com," "login-microsoft.com," or "aws-portal.com." These domains often appear more legitimate than typos because the added words suggest security or authentication functions.

Attackers frequently use combosquatted domains in phishing campaigns targeting cloud services. They may also optimize these domains for search engines so they appear in results when users search for support or login pages.

Homograph attacks

Homograph attacks use characters from different alphabets that look identical to Latin characters. Attackers exploit internationalized domain names (IDNs) and punycode to create these deceptive URLs. For instance, using the Cyrillic "а" instead of the Latin "a" creates a domain that looks exactly like "apple.com" but resolves to a different server.

Modern browsers conditionally display Unicode or punycode based on script-mixing detection and top-level domain (TLD) policies. For example, Chrome and Firefox show punycode when a domain mixes Latin and Cyrillic characters, but users often don't notice subtle visual differences in the address bar.
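As an added example (not code from the article or from Wiz), the following Python check shows what a monitoring pipeline can do with a candidate domain: render it in the punycode form DNS actually resolves, detect script mixing in the second-level label, and fold confusable letters to see whether it impersonates a protected brand. The `CONFUSABLES` table is a constructed, abbreviated subset of the Unicode confusables data.

```python
import unicodedata

# Constructed, abbreviated confusables table: non-Latin letters -> the Latin letter they resemble.
# A production check would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}

def to_punycode(domain: str) -> str:
    """The ASCII (xn--) form a resolver sees; identical to the input for pure-ASCII names."""
    return domain.encode("idna").decode("ascii")

def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, taken from each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin lookalike so Cyrillic 'аpple' compares equal to 'apple'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def assess(domain: str, protected_brands: list) -> dict:
    """Classify one observed domain against the brands being defended."""
    domain = domain.lower()
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # second-level label, e.g. 'apple'
    punycode = to_punycode(domain)
    folded = skeleton(sld)
    impersonates = folded if folded in protected_brands and sld != folded else None
    return {
        "domain": domain,
        "punycode": punycode,
        "is_idn": punycode != domain,
        "mixed_script": len(scripts_in(sld)) > 1,
        "impersonates": impersonates,
    }
```

Feeding the Cyrillic-a "аpple.com" through `assess` yields the punycode form "xn--pple-43d.com", which is the string worth alerting on and blocking, since users never see it in the address bar.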

Brand jacking and name jacking

Brand jacking involves registering domains that incorporate a company's full brand name, such as "brandname-support.com." Name jacking targets the personal names of executives or public figures, like "ceo-firstname-lastname.com."

Attackers use these domains for social engineering, sending emails that appear to come from legitimate company leadership or support teams. In a cloud context, brand-jacked domains often send phishing emails mimicking notifications from cloud service providers to steal login tokens.

Reverse cybersquatting

Reverse domain name hijacking (RDNH) happens when a complainant abuses trademark dispute policies such as UDRP or ACPA to force a legitimate domain owner to surrender their domain through false or bad-faith claims of trademark infringement.

Legal frameworks and enforcement mechanisms

Cybersquatting is addressed through specific trademark laws and anti-cybersquatting legislation.

In the United States, the Anticybersquatting Consumer Protection Act (ACPA) allows trademark owners to sue alleged squatters. To win, the owner must prove the trademark is distinctive, the domain is identical or confusingly similar, and the squatter acted with bad faith intent. Bad faith factors include an intent to profit from the brand or a pattern of registering multiple trademarked domains.

For international disputes, the Uniform Domain Name Dispute Resolution Policy (UDRP) offers an arbitration process through providers like the World Intellectual Property Organization (WIPO) or the National Arbitration Forum (NAF). A panel reviews the complaint and can order the transfer or cancellation of the domain. UDRP cases typically resolve in 60–90 days and cost $1,500–$5,000, making them faster and less expensive than traditional litigation.

How to take action against cybersquatters:

  1. Gather evidence: Document the squatted domain, screenshots of malicious content, WHOIS records, and examples of brand confusion or phishing

  2. File registrar abuse complaints: Submit abuse reports to the domain registrar (found in WHOIS data) and hosting provider, citing violations of their acceptable use policies

  3. Consider UDRP for clear bad faith: File a UDRP complaint when you can demonstrate trademark rights, confusing similarity, and bad-faith registration or use

  4. Evaluate ACPA for domestic cases: For US-based squatters, consider filing an ACPA lawsuit in federal court if damages exceed UDRP remedies

  5. Engage legal counsel: Consult with intellectual property attorneys experienced in domain disputes for cases involving significant brand harm or ongoing attacks

However, legal remedies have limitations for security teams. These frameworks focus on trademark infringement rather than immediate security threats. Attackers often operate internationally and use disposable infrastructure, making legal action too slow to stop an active attack. Legal tools should complement, not replace, technical detection.

Detection and monitoring strategies for security teams

Detecting cybersquatting is challenging because it requires monitoring external domains you do not own. Relying on user reports is reactive and often too late. Security teams need proactive monitoring to catch malicious domains before they are used in attacks, particularly given that a significant share of phishing domains are newly and maliciously registered rather than compromised legitimate sites, according to threat intelligence providers.

  • Domain monitoring services: These automated systems track new domain registrations that match your brand patterns using similarity algorithms like Levenshtein distance, Jaro-Winkler, or visual similarity scoring.

  • Outside-in plus inside-out: Attack surface management should validate exploitability and map findings to internal owners and systems for rapid remediation. For example, when a squatted domain is detected, correlate it with your cloud infrastructure to identify which teams own the potentially targeted services, which authentication systems are at risk, and which incident response playbooks to activate. This ownership mapping accelerates mean time to remediation (MTTR) by routing alerts to the right teams instantly.

  • Certificate transparency logs: Public records of SSL certificate issuance can reveal when attackers create certificates for lookalike domains.

  • DNS monitoring: Continuously scan for dangling DNS records, specifically CNAME or A records pointing to deprovisioned cloud resources such as Azure App Services, AWS S3 buckets, or GitHub Pages. Automate record cleanup workflows during infrastructure teardown to prevent subdomain takeover attacks.

  • Threat intelligence: Specialized feeds aggregate known malicious domains and squatting campaigns to help you block threats faster.

Security teams should integrate external domain monitoring into SIEM and SOC workflows using this six-step playbook:

  1. Domain permutation generation: Create variations of your brand using typos, homoglyphs, and combosquatting patterns

  2. Certificate Transparency (CT) log monitoring: Watch for SSL certificates issued for lookalike domains

  3. Newly registered domain (NRD) feeds: Subscribe to daily NRD feeds filtered by your brand keywords

  4. Passive DNS enrichment: Query passive DNS databases to identify hosting infrastructure and resolution history

  5. WHOIS and hosting risk signals: Analyze registration data, registrar reputation, and ASN risk scores

  6. Validation and escalation: Confirm malicious intent through manual review, then escalate to incident response

Operationalize this in your SIEM by creating a normalized event schema for domain findings, implementing a severity model based on similarity score and threat indicators, configuring auto-ticketing for confirmed matches, and tracking key performance indicators (KPIs) such as mean time to detect (MTTD) malicious domains and time-to-block.
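The permutation step of the playbook, the Levenshtein scoring mentioned under domain monitoring, and the similarity-plus-indicator severity model described here can be demonstrated together. This is an added Python example, not the article's or Wiz's code; the keyboard, homoglyph, and combosquat tables are deliberately small constructed subsets, the indicator weights and severity thresholds are assumptions, and the feed is a constructed stand-in for NRD/CT output.

```python
# Constructed, abbreviated tables; real tooling uses full keyboard-adjacency and homoglyph maps.
KEYBOARD_NEIGHBORS = {"a": "sq", "m": "n", "n": "mb", "o": "ip", "s": "ad", "z": "as"}
ASCII_HOMOGLYPHS = {"o": "0", "l": "1", "i": "l"}
COMBO_TERMS = ("secure", "login", "portal", "support")
INDICATOR_WEIGHTS = {"nrd": 2, "new_cert": 2, "mx": 1, "login_form": 3}  # assumed weights

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))                       # classic two-row edit distance
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(label: str, brand: str) -> float:
    return round(1 - levenshtein(label, brand) / max(len(label), len(brand)), 2)

def permutations(brand: str) -> dict:
    """Playbook step 1: candidate label -> the squatting technique that produces it."""
    out = {}
    for i, ch in enumerate(brand):
        out.setdefault(brand[:i] + brand[i + 1:], "omission")
        out.setdefault(brand[:i] + ch + brand[i:], "repetition")
        if i + 1 < len(brand):
            out.setdefault(brand[:i] + brand[i + 1] + ch + brand[i + 2:], "transposition")
        for k in KEYBOARD_NEIGHBORS.get(ch, ""):
            out.setdefault(brand[:i] + k + brand[i + 1:], "keyboard")
        if ch in ASCII_HOMOGLYPHS:
            out.setdefault(brand[:i] + ASCII_HOMOGLYPHS[ch] + brand[i + 1:], "homoglyph")
    for term in COMBO_TERMS:
        out.setdefault(f"{term}-{brand}", "combosquat")
        out.setdefault(f"{brand}-{term}", "combosquat")
    out.pop(brand, None)
    return out

def severity(label: str, brand: str, indicators: set) -> str:
    """Similarity contributes 0-5 points; enrichment indicators (steps 2-5) add their weights."""
    score = round(similarity(label, brand) * 5) + sum(INDICATOR_WEIGHTS.get(i, 0) for i in indicators)
    return "high" if score >= 7 else "medium" if score >= 4 else "low"

def triage(brand: str, feed: list) -> list:
    """feed: (domain, indicator set) pairs from NRD/CT sources -> normalized SIEM events."""
    candidates, events = permutations(brand), []
    for domain, indicators in feed:
        label = domain.rsplit(".", 1)[0]  # strips one TLD label only; use a public-suffix list in practice
        if label in candidates:
            events.append({"brand": brand, "domain": domain, "technique": candidates[label],
                           "similarity": similarity(label, brand), "severity": severity(label, brand, indicators)})
    return events
```

Each event carries the same fields regardless of source, which is the normalized schema the SIEM rules and auto-ticketing key on.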

Validation is a critical step because not every similar domain is malicious. Teams must enrich domain data with threat intelligence, WHOIS records, and hosting information to distinguish between legitimate sites and threats. Once a malicious domain is confirmed, incident response workflows should trigger immediately.

Prevention and response best practices

Prevention requires a layered defense strategy that includes technical controls, employee awareness, and legal measures.

Defensive domain registration is a proactive step where organizations register common typo variations and related domains. While you cannot register every possibility, securing the most obvious variations reduces the attack surface. Trademark registration is also vital as it establishes the legal standing needed to enforce rights against squatters.

  • Phishing-resistant authentication: Implement WebAuthn and FIDO2 keys to prevent credential theft, as these protocols will not authenticate on a squatted domain.

  • Certificate pinning: Use certificate pinning to prevent man-in-the-middle attacks that rely on squatted domains.

  • DNS filtering: Block access to known malicious domains and newly registered domains at the network level.

  • Dependency scanning: Scan code for typosquatted packages to prevent malicious dependencies from entering your software supply chain.
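Why WebAuthn does not authenticate on a squatted domain comes down to two relying-party checks in the assertion ceremony: the browser, not the user, writes the page origin into clientDataJSON, and the authenticator hashes the RP ID it was given into the authenticator data. This added Python example (not from the article or Wiz) shows those checks; `build_client_data` and `build_auth_data` are constructed stand-ins for what a browser and authenticator produce, and the challenge value is made up.

```python
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for the browser's clientDataJSON (base64url-encoded)."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin, "crossOrigin": False}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()

def build_auth_data(rp_id: str) -> bytes:
    """Constructed authenticator data: rpIdHash (32 bytes) + flags (UP|UV) + signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def verify_origin_binding(client_data_b64: str, auth_data: bytes, expected_origin: str,
                          rp_id: str, expected_challenge: str) -> dict:
    """Relying-party checks that tie the assertion to the real site; a squatted origin fails them."""
    cd = json.loads(b64url_decode(client_data_b64))
    checks = {
        "type": cd.get("type") == "webauthn.get",
        "challenge": cd.get("challenge") == expected_challenge,   # replay protection
        "origin": cd.get("origin") == expected_origin,            # browser-supplied, not user-typed
        "rp_id_hash": auth_data[:32] == hashlib.sha256(rp_id.encode()).digest(),
    }
    checks["ok"] = all(checks.values())
    return checks
```

The signature over authenticator data and the client data hash (omitted here) is what makes these fields tamper-evident; a phishing page on a lookalike domain cannot obtain an assertion whose origin and rpIdHash match the legitimate relying party.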

Employee training should focus on verifying URLs and recognizing suspicious domains. When a squatted domain is identified, the incident response team should collect evidence for potential takedown requests. You must also file complaints with registrars and hosting providers to remove the malicious content.

To prevent subdomain takeover, implement these service-specific guardrails:

  • Validate CNAME targets: Routinely verify that CNAME records point to active, owned resources before DNS propagation

  • Adopt verification mechanisms: Use TXT record verification (for services like Azure App Service) or HTTP challenge verification (for services like AWS CloudFront) before creating DNS records

  • Automate cleanup on teardown: Configure infrastructure-as-code (IaC) templates to delete DNS records automatically when cloud resources are deprovisioned

  • Monitor for failure signatures: Set up alerts for NXDOMAIN responses or HTTP 404 errors on your subdomains, which indicate potential takeover conditions

  • Implement DNS CAA records: Use Certification Authority Authorization (CAA) records to restrict which certificate authorities can issue certificates for your domains
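The CNAME validation and failure-signature monitoring above can be scripted as one pass over a zone export. This added Python example is not the article's or Wiz's code: the takeover-prone suffix list is a constructed subset (the page's Azure App Service, S3, and GitHub Pages examples plus CloudFront), the zone records and lookup tables are constructed so the check runs offline, and the risk labels are assumptions. Swap `FAKE_DNS.get` and `FAKE_HTTP.get` for a real resolver and HTTP client.

```python
from typing import Callable, Dict, List, Optional

# Constructed subset of CNAME target suffixes where an unclaimed resource can be re-registered.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".s3.amazonaws.com", ".github.io", ".cloudfront.net")

def find_dangling(records: List[Dict], dns_lookup: Callable[[str], Optional[str]],
                  http_status: Callable[[str], Optional[int]]) -> List[Dict]:
    """Flag CNAMEs to takeover-prone services whose target no longer resolves (NXDOMAIN)
    or whose hostname answers HTTP 404, the two failure signatures named above."""
    findings = []
    for rec in records:
        if rec["type"] != "CNAME":
            continue
        target = rec["target"].rstrip(".").lower()
        service = next((s for s in TAKEOVER_PRONE_SUFFIXES if target.endswith(s)), None)
        if service is None:
            continue                                  # CNAME to a target we do not treat as claimable
        if dns_lookup(target) is None:
            findings.append({"name": rec["name"], "target": target, "service": service,
                             "signal": "NXDOMAIN", "risk": "high"})
        elif http_status(rec["name"]) == 404:
            findings.append({"name": rec["name"], "target": target, "service": service,
                             "signal": "HTTP 404", "risk": "medium"})
    return findings

# Constructed zone export and fake lookups (documentation IP ranges) so the check runs offline.
SAMPLE_ZONE = [
    {"name": "app.example.com", "type": "CNAME", "target": "old-app.azurewebsites.net."},
    {"name": "docs.example.com", "type": "CNAME", "target": "acme-docs.github.io."},
    {"name": "cdn.example.com", "type": "CNAME", "target": "d0example.cloudfront.net."},
    {"name": "www.example.com", "type": "A", "target": "203.0.113.10"},
]
FAKE_DNS = {"acme-docs.github.io": "192.0.2.20", "d0example.cloudfront.net": "192.0.2.30"}
FAKE_HTTP = {"docs.example.com": 404, "cdn.example.com": 200}

def demo() -> List[Dict]:
    return find_dangling(SAMPLE_ZONE, FAKE_DNS.get, FAKE_HTTP.get)
```

Running the same function from the IaC teardown pipeline, with the records about to be deleted as input, is the cheapest place to catch a dangling target before the resource is gone.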

How Wiz connects external domain threats to internal cloud risk

Wiz unifies visibility into your external attack surface with deep context about your internal cloud security. This approach transforms domain monitoring from a brand protection task into a core part of your security operations.

Wiz doesn't offer direct cybersquatting protection, but our comprehensive cloud security platform helps you stay ahead of these risks by securing your cloud infrastructure, detecting malicious domains, and preventing related attacks like phishing and subdomain takeovers. Wiz Attack Surface Management (ASM) gives you full visibility into your attack surface by automatically discovering exposed assets across your environment. The Wiz Security Graph then correlates these external threats with internal resources to reveal potential attack paths.

The platform also detects dangling DNS records and subdomain takeover conditions, for example, CNAME records pointing to deprovisioned Azure App Services, AWS Elastic Beanstalk environments, or GitHub Pages sites, enabling remediation before attackers claim the abandoned resources. Wiz Code scans for typosquatted dependencies in your CI/CD pipelines, securing your supply chain. If credentials are stolen and used, Wiz Defend identifies the post-compromise activity and lateral movement.

By providing unified context across external domains, cloud infrastructure, and runtime environments, Wiz helps you prioritize the risks that matter most.

Request a demo to see how context-driven Attack Surface Management, code-to-cloud visibility, and unified threat detection help you detect squatted domains, validate real exposure, and fix what matters first.
