Every year, millions of people land on fraudulent websites that look exactly like their bank, their email provider, or their employer — because the URL is only one character away from the real thing. This technique is called typosquatting, and it remains one of the most effective social engineering attacks in use today.
The anatomy of a typosquatting attack
Attackers register domains that exploit predictable human errors: common misspellings, swapped adjacent keys, and transposed characters. When a user types paypa1.com instead of paypal.com, or clicks a phishing link to arnazon.com, they land on a page designed to harvest credentials.
The most common variants:
- Character substitution — replacing a letter with a visually similar one: 0 for o, 1 for l, rn for m
- Addition/omission — inserting or removing a single character: gooogle.com, facbook.com
- Transposition — swapping adjacent characters: gooogle.com, amzaon.com
- Homoglyph attacks — using Unicode characters that look identical to ASCII: Cyrillic а (U+0430) instead of Latin a, ο (Greek omicron) instead of o
- Combosquatting — appending brand names to misleading words: paypal-secure.com, login-apple-id.com
Homoglyph attacks: the invisible threat
Homoglyph attacks are the hardest for humans to spot. The domain аpple.com (with Cyrillic а) is visually indistinguishable from apple.com in most fonts. Your brain reads it as "apple" — but the DNS resolver sees a completely different string.
Modern browsers mitigate this by showing the punycode form (xn--pple-43d.com) when a domain mixes scripts. But many users never notice the address bar, especially on mobile — which is where homoglyph attacks are most effective.
FoilGuard detects homoglyphs by normalizing the domain through a lookalike character map before computing edit distance. Every а becomes a, every ο becomes o, and the result is compared against the top 1000 domains.
Combosquatting: the most common technique
Studies consistently find combosquatting — adding brand keywords to an unrelated domain — is more prevalent than typosquatting. paypal-update.com, amazon-verification.net, and microsoft-support-center.com are the templates phishing kits use out of the box.
FoilGuard scores combosquatting by checking if the domain's base label contains a brand name from its top-1000 list but the registrable domain doesn't exactly match. A domain like paypal-secure.io will score +40 for brand match combined with a suspicious surrounding pattern.
How FoilGuard's scoring engine works
Every domain you visit is scored synchronously before the page loads, using a layered signal system:
- Edit distance — Levenshtein distance ≤ 3 from a known brand: +30
- Homoglyph normalization — After normalizing lookalike chars, edit distance ≤ 3: +40
- Combosquatting — Brand name embedded in a different domain: +40
- Phishing keywords — Domain contains words like "secure", "update", "verify": +15
- Suspicious TLD — .zip, .download, .loan, .work, etc.: +25
- New domain — Registered under 30 days ago (via RDAP): +25
- Suspicious path — /login, /verify, /account on a non-zero-score domain: +10
- History trust — 5+ visits in 6 months: −30
- Safe Browsing — Google confirmed threat: +60
If the total reaches the configured threshold (default: 65), navigation is intercepted and the warning page shown.
False positives and the trust model
Any heuristic engine will produce false positives. FoilGuard handles this through several mechanisms:
- Visit history — if you've visited a domain 5+ times in 6 months, it's de-scored automatically
- Personal allowlist — one-click trust from the warning page or popup
- False positive reports — the warning page links to a pre-filled GitHub issue, feeding signal back to improve the detection list
- Rescan — re-run detection including fresh RDAP data without navigating away
What's next
FoilGuard 0.4 added real-time Safe Browsing API integration (optional, requires free API key), redirect chain detection, and a daily block counter. The next major addition is a live threat feed from Phishtank and URLhaus — moving from pure heuristics to confirmed IOCs.
FoilGuard is MIT licensed on GitHub. Load it from dist/ after running npm run build.