Branded typosquat domains — detection and takedown

yourcompany.com is registered to you. yourcompamy.com (with an m instead of n) is registered to someone you have never heard of. yourcompany-support.com is also taken. So is your-company.help and yourcornpany.com (an r and n look-alike for the m).

This is typosquatting. The squatter's plan is one of three:

  1. Phishing. Spin up a clone of your login page, send emails to your customers, harvest credentials.
  2. Malware distribution. Send invoices that look real, deliver malware-laden attachments, hope an employee clicks.
  3. Resale. Register the domain, wait for you to notice, demand $10,000 to release it.

All three are illegal in most jurisdictions. Catching them early is the difference between a 30-minute takedown and a six-month lawsuit.

How squatters generate variations

The reliable patterns:

  • Single-character substitutions: m↔rn, 0↔O, 1↔l, 5↔S, 8↔B.
  • Cyrillic look-alikes: а (U+0430) for a, е (U+0435) for e, о (U+043E) for o. Identical in most fonts.
  • Hyphen insertions: your-company.com, yourcompany-support.com.
  • TLD swaps: .co, .net, .org, .help, .support, country codes.
  • Word additions: yourcompany-careers.com, yourcompanyhq.com.
  • Missing letters: yourcomany.com (no p).

A modest brand surface (one main domain, two products) typically has 400–1,200 plausible squatted variants.

How to find them

Manual: open whois for each candidate. Slow. Misses Unicode look-alikes.

Better: use a domain-monitoring tool to check Certificate Transparency (CT) logs daily. Every newly issued certificate for any of your variants surfaces in CT within minutes. Combined with a homoglyph generator (the patterns above), you can monitor every plausible variant for under $10/month.

Best: automate the entire pipeline — generate variants, watch CT logs, fingerprint each landing page, alert when one resembles your brand.
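
The matching step of that pipeline, as an added example (not NoDowntimeShield's code): rather than enumerating every variant up front, it classifies hostnames seen in a CT feed against the patterns listed above. The function names, the fold table (limited to the pairs this page lists), the one-label public suffix assumption and the sample hostnames are all constructed for illustration.

```python
BRAND, BRAND_TLD = "yourcompany", "com"  # assumption: the page's example domain

# Look-alike folds from the pattern list: Cyrillic a/e/o and the digit pairs.
FOLD = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                      "0": "o", "1": "l", "5": "s", "8": "b"})

def skeleton(label):
    """Fold look-alike characters, then collapse the rn pair to m."""
    return label.lower().translate(FOLD).replace("rn", "m")

def one_edit(a, b):
    """True if a and b differ by one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    short, long_ = sorted((a, b), key=len)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    skip = 1 if len(short) == len(long_) else 0  # a substitution skips both sides
    return short[i + skip:] == long_[i + 1:]

def classify(host):
    """Return the squat pattern a hostname matches, or None if unrelated."""
    name, _, tld = host.lower().rstrip(".").rpartition(".")
    name = name.rsplit(".", 1)[-1]  # registrable label; assumes a one-label suffix
    if name.startswith("xn--"):  # CT logs carry IDNs in punycode form
        try:
            name = name[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return None
    if name == BRAND:
        return None if tld == BRAND_TLD else "tld-swap"
    sk, target = skeleton(name), skeleton(BRAND)
    if sk == target:
        return "look-alike"
    if sk.replace("-", "") == target:
        return "hyphen-insertion"
    if target in sk.replace("-", ""):
        return "word-addition"
    return "one-character-edit" if one_edit(sk, target) else None

# Constructed sample of hostnames as a CT log feed might report them.
IDN = "xn--" + "y\u043eurcompany".encode("punycode").decode("ascii") + ".com"
CT_SAMPLE = [IDN, "yourcornpany.com", "yourcompamy.com", "yourcomany.com",
             "your-company.help", "yourcompany-support.com", "yourcompany.co",
             "login.yourcompany.com", "example.org"]

def triage(hosts):  # hostname -> matched pattern; unrelated names are dropped
    return {h: p for h in hosts if (p := classify(h))}
```

Calling triage(CT_SAMPLE) flags seven of the nine sample hostnames and leaves login.yourcompany.com and example.org alone. The fold table covers only the pairs listed on this page; a fuller confusables table widens coverage.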

What evidence you need for takedown

Squatters do not voluntarily release domains. You need a takedown request. It needs:

  1. Proof of trademark ownership. A USPTO/EUIPO trademark certificate. (If you do not have one, file now — it takes 6–12 months.)
  2. Evidence of confusion. Screenshot the squatter's site, especially if it mimics your branding, copies your logo, or uses your trademark in the page title.
  3. Evidence of bad faith. Most squatters are not subtle — they slap your logo on the page, ask for credentials, redirect to malware. Save the HTML, save the screenshot.

The takedown channels

In rough order of speed:

  1. Hosting / CDN abuse desk. If the site is on Cloudflare, AWS, GoDaddy, etc., file an abuse complaint. Most takedowns happen within 24–72 hours if the abuse is clear. Cost: free.
  2. Domain registrar. File a complaint with the registrar (visible in WHOIS). Some registrars (Namecheap, Cloudflare Registrar, Google Domains) act quickly. Cost: free.
  3. UDRP (Uniform Domain-Name Dispute-Resolution Policy). The formal ICANN process. WIPO arbitrates. Takes 60–90 days. Cost: $1,500–$3,500.
  4. URS (Uniform Rapid Suspension). Faster, cheaper version of UDRP for clear-cut cases. Cost: ~$375–$500.
  5. Trademark lawsuit. Last resort. Cost: $25,000–$200,000+.

What we automate

NoDowntimeShield's brand-protection module:

  • Generates 400–1,200 squat variants of your domain (including Cyrillic homoglyphs and rn↔m swaps).
  • Checks each one against CT logs, WHOIS, and live HTTP every 24 hours.
  • Surfaces "available for $X" findings with one-click affiliate links to register them yourself before squatters do.
  • Surfaces "live and impersonating" findings with screenshots, ready-to-send takedown templates, and the abuse-desk contact for the host.

If your brand matters enough to register a trademark, it matters enough to monitor. Start free at /check.