UpGuard Support Center

How to use the Typosquatting module

This article explains how to use UpGuard's Typosquatting module to manage the risks related to Typosquatting.

UpGuard BreachSight lets you monitor your cyber risks related to Typosquatting. For an introduction to Typosquatting see en.wikipedia.org/wiki/Typosquatting

The Typosquatting module lets you choose the domains you want to monitor, and identify the permutations of those domains that are at risk of a Typosquatting attack. It provides a central place to monitor your Typosquatting risk, including notifications whenever your risk profile changes.

To use the Typosquatting module, follow the steps below:

Choose the domains you want to monitor

By default, your main domain will be monitored when the Typosquatting module is activated. To monitor additional domains use the "Add Domain" button on the main Typosquatting page. It’s recommended that you start with a small number of domains, as reviewing and monitoring the permutations for each domain requires some effort.

Review the registered domains

Select a domain from the list on the main Typosquatting page.

The permutations of that domain that have been registered are listed in the “Registered” tab. Review each one to determine whether it presents a risk to your organisation.

If a permutation is already owned by your organisation, appears to be a legitimate website for another organisation with a similar name to yours, or if for some other reason you do not believe it presents any risk to your organisation, mark it as "Ignore". This will move it to the "Ignored" tab, and you will not receive notifications if its status changes.

All remaining permutations (that are registered and you do not believe can be ignored) should be reviewed regularly to check for suspicious activity. You will receive a notification whenever the status of one of these domains changes (e.g. if MX records are added or modified).

If there is a website running under the domain, check the site to see whether it is trying to fool visitors into thinking it’s your site. If this is the case, the page is likely to look similar to yours, in which case the “% similar” score will be above 0%.

If MX records (which are required to receive email) are present, it may indicate that an attacker is using the domain to send email, purporting to be from your company.

If you believe someone is impersonating (or preparing to impersonate) your company, there are several actions you may want to take:

  • Notify your stakeholders: Let your customers, staff, or other relevant parties know to look out for suspicious emails or a phishing website.
  • Get suspicious websites or mail servers taken down: The process for getting a website taken down depends on the geography your company operates in, but a good place to start is the Uniform Domain Name Dispute Resolution Policy (“UDRP”). See https://www.icann.org/resources/pages/help/dndr/udrp-en for details.

Review the unregistered domains

Select a domain from the list on the main Typosquatting page.

The permutations of that domain which have not yet been registered are listed in the "Unregistered" tab. Review each one and decide whether it presents a risk to your organisation.

If you do not believe a permutation could be used to impersonate your organisation (for instance by sending email from that domain or setting up a website to trick visitors into thinking they are accessing your website), mark it as "Ignore". This will move the permutation to the "Ignored" tab and you will not receive a notification if it is registered in the future.

If the permutation is similar enough to your domain that it could be used by an attacker to impersonate your company, the easiest way to remove the risk is by registering it. Once you register the domain it will move to the “Registered” tab, at which point you can mark it as “Ignore”, as it no longer presents a risk to your organisation.

If the permutation is similar enough to your domain that it could be used by an attacker to impersonate your company, but you don’t want to register it, you can instead just continue to monitor it. You will be notified when anyone registers it, at which point it will move to the “Registered” tab and you can decide what action to take.

Watch for notifications as new risks emerge

You will receive notifications when events occur that could change the risk profile.

  • Whenever an unregistered domain that you are monitoring is registered, you will receive a notification. The domain will now appear under the “Registered” tab.
  • Whenever a registered domain (that has not been marked as “Ignore”) changes (e.g. MX records change, IP address changes), you will be notified.
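
The monitoring workflow described above can be modelled in a few lines. The following is an added example, not UpGuard's code or algorithm: it generates single-typo permutations of a domain and compares two monitoring snapshots to produce the kinds of notifications listed above, skipping permutations marked "Ignore". The permutation rules, the snapshot layout, the function names and all sample records are assumptions constructed for illustration.

```python
# Added illustration, not UpGuard code. Permutation rules and record layout are assumptions.

def permutations(domain):
    """Return single-typo variants of the label before the first dot."""
    label, _, tld = domain.partition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])             # omitted character
        out.add(label[:i] + label[i] + label[i:])      # doubled character
        if i < len(label) - 1:                         # adjacent characters swapped
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)                                 # a swap of equal letters is not a typo
    return sorted(f"{p}.{tld}" for p in out if p)

def notifications(previous, current, ignored=()):
    """Compare two snapshots {domain: {"registered", "mx", "ip"}} and list events."""
    events = []
    for domain, now in sorted(current.items()):
        if domain in ignored:                          # marked "Ignore": never notify
            continue
        before = previous.get(domain, {"registered": False, "mx": [], "ip": None})
        if now["registered"] and not before["registered"]:
            events.append((domain, "newly registered"))
        elif now["registered"]:
            if sorted(now["mx"]) != sorted(before["mx"]):
                events.append((domain, "MX records changed"))
            if now["ip"] != before["ip"]:
                events.append((domain, "IP address changed"))
    return events

# Constructed sample snapshots; IP addresses come from documentation ranges.
PREVIOUS = {
    "exmple.com":  {"registered": False, "mx": [], "ip": None},
    "exampel.com": {"registered": True,  "mx": [], "ip": "192.0.2.10"},
    "examle.com":  {"registered": True,  "mx": [], "ip": "192.0.2.20"},
}
CURRENT = {
    "exmple.com":  {"registered": True, "mx": [], "ip": "198.51.100.5"},
    "exampel.com": {"registered": True, "mx": ["mail.exampel.com"], "ip": "192.0.2.10"},
    "examle.com":  {"registered": True, "mx": ["mx.examle.com"], "ip": "192.0.2.20"},
}
IGNORED = {"examle.com"}  # reviewed and marked "Ignore"

if __name__ == "__main__":
    print(len(permutations("example.com")), "permutations to review")
    for domain, event in notifications(PREVIOUS, CURRENT, IGNORED):
        print(f"{domain}: {event}")
```

The ignored permutation gains an MX record in the second snapshot but produces no event, which is why a permutation should only be marked "Ignore" once you are confident it presents no risk.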