How Typosquatting Works — and How FoilGuard Catches It

Every year, millions of people land on fraudulent websites that look exactly like their bank, their email provider, or their employer — because the URL is only one character away from the real thing. This technique is called typosquatting, and it remains one of the most effective social engineering attacks in use today.

The anatomy of a typosquatting attack

Attackers register domains that exploit predictable human errors: common misspellings, swapped adjacent keys, and transposed characters. When a user types paypa1.com instead of paypal.com, or clicks a phishing link to arnazon.com, they land on a page designed to harvest credentials.

The most common variants:

  • Character substitution — replacing a letter with a visually similar one: 0 for o, 1 for l, rn for m
  • Addition/omission — inserting or removing a single character: gooogle.com, facbook.com
  • Transposition — swapping adjacent characters: googel.com, amzaon.com
  • Homoglyph attacks — using Unicode characters that look identical to ASCII: Cyrillic а (U+0430) instead of Latin a, ο (Greek omicron) instead of o
  • Combosquatting — combining a brand name with other words in a new registrable domain: paypal-secure.com, login-apple-id.com

Homoglyph attacks: the invisible threat

Homoglyph attacks are the hardest for humans to spot. The domain аpple.com (with Cyrillic а) is visually indistinguishable from apple.com in most fonts. Your brain reads it as "apple", but to software it is a different sequence of code points: the browser converts it to a different ASCII label before DNS ever sees it, and that label belongs to whoever registered it.

Modern browsers mitigate this by showing the punycode form (xn--pple-43d.com) instead of the Unicode label when a label mixes scripts or otherwise fails their spoof checks. But many users never look at the address bar, especially on mobile, which is where homoglyph attacks are most effective.
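To make the "different string" point concrete, here is an added example (my code, not FoilGuard's) that looks at the аpple label three ways: its code points, the Unicode scripts it mixes (the kind of check a browser runs before falling back to punycode), and the RFC 3492 punycode form computed offline. The script table is a small assumed subset of the scripts a browser checks, and the encoder deliberately skips IDNA mapping and validation.

```javascript
// Added example (not FoilGuard's code): what a homoglyph label looks like to software.
// Three views of the same label: its code points, the Unicode scripts it mixes, and
// the RFC 3492 punycode form browsers fall back to. The script table is a small
// assumed subset; the encoder does no IDNA mapping or validation.

const CYRILLIC_A = '\u0430';                 // renders like Latin "a" in most fonts
const LOOKALIKE_APPLE = CYRILLIC_A + 'pple'; // the label from the post, built explicitly

// "U+XXXX" for each character, so the difference from "apple" is visible in hex.
function codePoints(label) {
  return Array.from(label, ch =>
    'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Unicode scripts present in a label. Digits and hyphens are treated as neutral.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};
function scriptsOf(label) {
  const seen = new Set();
  for (const ch of label) {
    const name = Object.keys(SCRIPTS).find(s => SCRIPTS[s].test(ch));
    if (name) seen.add(name);
    else if (!/^[0-9-]$/.test(ch)) seen.add('Other');
  }
  return [...seen].sort();
}
const isMixedScript = label => scriptsOf(label).length > 1;

// RFC 3492 punycode encoder for one label (the part after "xn--").
function punycodeEncode(label) {
  const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
  const cps = Array.from(label, ch => ch.codePointAt(0));
  const digit = d => String.fromCharCode(d < 26 ? 97 + d : 22 + d); // a-z then 0-9
  const adapt = (delta, numPoints, first) => {
    delta = first ? Math.floor(delta / DAMP) : delta >> 1;
    delta += Math.floor(delta / numPoints);
    let k = 0;
    while (delta > ((BASE - TMIN) * TMAX) >> 1) {
      delta = Math.floor(delta / (BASE - TMIN));
      k += BASE;
    }
    return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
  };
  let out = cps.filter(c => c < 0x80).map(c => String.fromCodePoint(c)).join('');
  const basicCount = out.length;
  let handled = basicCount;
  if (basicCount > 0) out += '-';
  let n = 128, delta = 0, bias = 72;
  while (handled < cps.length) {
    const m = Math.min(...cps.filter(c => c >= n));
    delta += (m - n) * (handled + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c !== n) continue;
      let q = delta;
      for (let k = BASE; ; k += BASE) {
        const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
        if (q < t) break;
        out += digit(t + ((q - t) % (BASE - t)));
        q = Math.floor((q - t) / (BASE - t));
      }
      out += digit(q);
      bias = adapt(delta, handled + 1, handled === basicCount);
      delta = 0;
      handled++;
    }
    delta++;
    n++;
  }
  return out;
}

// IDNA-style hostname conversion: only labels with non-ASCII characters get "xn--".
function toASCII(host) {
  return host.split('.')
    .map(l => (/^[\x00-\x7f]*$/.test(l) ? l : 'xn--' + punycodeEncode(l)))
    .join('.');
}

console.log(codePoints(LOOKALIKE_APPLE));        // U+0430 first, then the Latin p, p, l, e
console.log(scriptsOf(LOOKALIKE_APPLE));         // [ 'Cyrillic', 'Latin' ]
console.log(toASCII(LOOKALIKE_APPLE + '.com'));  // xn--pple-43d.com
```

Running it reproduces the xn--pple-43d.com form quoted above from nothing but the code points, and the mixed-script check is the signal a browser needs to decide to show that form rather than the Unicode label. Note that a label written entirely in Cyrillic is not mixed-script, which is why browsers also carry allowlists and per-script confusable rules.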

FoilGuard detects homoglyphs by normalizing the domain through a lookalike character map before computing edit distance. Every а becomes a, every ο becomes o, and the result is compared against the top 1000 domains.

Combosquatting: the most common technique

Studies consistently find combosquatting — adding brand keywords to an unrelated domain — is more prevalent than typosquatting. paypal-update.com, amazon-verification.net, and microsoft-support-center.com are the templates phishing kits use out of the box.

FoilGuard scores combosquatting by checking whether the base label of the registrable domain contains a brand name from its top-1000 list while the registrable domain itself is not that brand's domain. A domain like paypal-secure.io scores +40 for the embedded brand; the surrounding "secure" keyword is scored separately by the phishing-keyword signal.

How FoilGuard's scoring engine works

Every domain you visit is scored synchronously before the page loads, using a layered signal system:

  1. Edit distance — Levenshtein distance ≤ 3 from a known brand: +30
  2. Homoglyph normalization — After normalizing lookalike chars, edit distance ≤ 3: +40
  3. Combosquatting — Brand name embedded in a different domain: +40
  4. Phishing keywords — Domain contains words like "secure", "update", "verify": +15
  5. Suspicious TLD — .zip, .download, .loan, .work, etc.: +25
  6. New domain — Registered under 30 days ago (via RDAP): +25
  7. Suspicious path — /login, /verify, /account on a non-zero-score domain: +10
  8. History trust — 5+ visits in 6 months: −30
  9. Safe Browsing — Google confirmed threat: +60

If the total reaches the configured threshold (default: 65), navigation is intercepted and the warning page shown.
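The homoglyph normalization, the combosquatting check and the nine-signal table above describe one pipeline, so here is one added example that implements it end to end (my code, not FoilGuard's). It assumes small constructed stand-ins for the top-1000 list, the confusable map, the keyword list, the suspicious-TLD list and the public suffix list; it takes the RDAP age, the six-month visit count and the Safe Browsing verdict from the caller instead of making network calls; and it awards the homoglyph signal only when normalization actually changed the label, since the post does not say whether the two distance signals stack. It also splits URLs by hand so the hostname is kept as typed, because the URL constructor would already have converted a homoglyph host to its xn-- form.

```javascript
// Added example (not FoilGuard's code): the nine-signal scorer from the post, written
// out end to end. BRAND_DOMAINS, CONFUSABLES, PHISH_WORDS, SUSPICIOUS_TLDS and
// MULTI_PART_SUFFIXES are small constructed stand-ins for the extension's real lists.

const THRESHOLD = 65;
const BRAND_DOMAINS = ['paypal.com', 'amazon.com', 'google.com', 'apple.com',
                       'microsoft.com', 'facebook.com', 'github.com'];
const BRAND_NAMES = BRAND_DOMAINS.map(d => d.split('.')[0]);
// Lookalike map: ASCII digits, multi-letter sequences, then Cyrillic/Greek letters.
const CONFUSABLES = { '0': 'o', '1': 'l', 'rn': 'm', 'vv': 'w', '\u0430': 'a',
                      '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c', '\u03bf': 'o' };
const PHISH_WORDS = ['secure', 'update', 'verify', 'login', 'account', 'support', 'signin'];
const SUSPICIOUS_TLDS = new Set(['zip', 'download', 'loan', 'work', 'top', 'xyz']);
const PATH_HINTS = ['/login', '/verify', '/account'];
const MULTI_PART_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']); // stand-in for the public suffix list

// Two-row Levenshtein distance over code points.
function levenshtein(a, b) {
  const A = Array.from(a), B = Array.from(b);
  let prev = Array.from({ length: B.length + 1 }, (_, j) => j);
  for (let i = 1; i <= A.length; i++) {
    const cur = [i];
    for (let j = 1; j <= B.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (A[i - 1] === B[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[B.length];
}

// Replace every lookalike sequence with its ASCII target ("paypa1" -> "paypal", "arnazon" -> "amazon").
function normalizeLookalikes(label) {
  let out = label;
  for (const [from, to] of Object.entries(CONFUSABLES)) out = out.split(from).join(to);
  return out;
}

// Minimal URL split that keeps the hostname exactly as written.
function splitUrl(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const slash = rest.indexOf('/');
  const host = (slash < 0 ? rest : rest.slice(0, slash)).toLowerCase();
  const path = slash < 0 ? '/' : rest.slice(slash).split(/[?#]/)[0];
  return { host, path };
}

function registrableDomain(host) {
  const labels = host.split('.');
  const take = MULTI_PART_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// ctx: { ageDays (RDAP), visits (last 6 months), safeBrowsingHit } supplied by the caller.
function scoreUrl(url, ctx = {}) {
  const { host, path } = splitUrl(url);
  const registrable = registrableDomain(host);
  if (BRAND_DOMAINS.includes(registrable)) return { score: 0, blocked: false, signals: ['known brand domain'] };

  const labels = host.split('.');
  const tld = labels[labels.length - 1];
  const base = registrable.split('.')[0];
  const signals = [];
  let score = 0;
  const add = (pts, why) => { score += pts; signals.push(`${why}: ${pts > 0 ? '+' : ''}${pts}`); };

  // 1. Raw edit distance to the nearest brand name.
  const rawDist = Math.min(...BRAND_NAMES.map(b => levenshtein(base, b)));
  if (rawDist <= 3) add(30, `edit distance ${rawDist} from a brand`);
  // 2. Homoglyph normalization. Assumption: only scored when normalization changed the label,
  //    otherwise every near-miss would collect both distance signals.
  const norm = normalizeLookalikes(base);
  if (norm !== base) {
    const normDist = Math.min(...BRAND_NAMES.map(b => levenshtein(norm, b)));
    if (normDist <= 3) add(40, `normalizes to "${norm}", distance ${normDist}`);
  }
  // 3. Combosquatting: a brand name embedded in the base label of a non-brand domain.
  const embedded = BRAND_NAMES.find(b => base.includes(b));
  if (embedded) add(40, `brand "${embedded}" embedded in ${registrable}`);
  // 4. Phishing keywords in any label except the TLD.
  const kw = PHISH_WORDS.find(w => labels.slice(0, -1).join('.').includes(w));
  if (kw) add(15, `keyword "${kw}"`);
  // 5. Suspicious TLD.
  if (SUSPICIOUS_TLDS.has(tld)) add(25, `suspicious TLD .${tld}`);
  // 6. New domain.
  if (Number.isFinite(ctx.ageDays) && ctx.ageDays < 30) add(25, `registered ${ctx.ageDays} days ago`);
  // 7. Suspicious path, only once something else already scored.
  if (score > 0 && PATH_HINTS.some(p => path === p || path.startsWith(p + '/'))) add(10, `path ${path}`);
  // 8. History trust.
  if ((ctx.visits || 0) >= 5) add(-30, `${ctx.visits} visits in 6 months`);
  // 9. Safe Browsing confirmed threat.
  if (ctx.safeBrowsingHit) add(60, 'Safe Browsing hit');

  return { score, blocked: score >= THRESHOLD, signals };
}

for (const [url, ctx] of [
  ['https://paypa1.com/login', {}],
  ['https://paypa1.com/login', { visits: 6 }],      // history trust de-scores the same typosquat
  ['https://paypal-secure.io/account', {}],
  ['https://\u0430pple.com/', {}],                   // Cyrillic a
  ['https://weather-today.zip/', { ageDays: 3 }],
  ['https://github.com/login', {}],
]) console.log(url, scoreUrl(url, ctx));
```

Two things the sample run makes visible. First, paypa1.com/login scores 80 and is blocked, but the same URL with six prior visits drops to 50 and passes: the history-trust signal can whitelist a typosquat the user has already fallen for repeatedly. Second, an edit distance of 3 against a six-letter brand is loose (example is three edits from apple), which is why this kind of engine needs the allowlist and the visit history described in the next section. Because the combosquatting check looks only at the base label, a brand placed in a subdomain (paypal.com.evil.net) would not trigger signal 3 with these rules.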

False positives and the trust model

Any heuristic engine will produce false positives. FoilGuard handles this through several mechanisms:

  • Visit history — if you've visited a domain 5+ times in 6 months, it's de-scored automatically
  • Personal allowlist — one-click trust from the warning page or popup
  • False positive reports — the warning page links to a pre-filled GitHub issue, feeding signal back to improve the detection list
  • Rescan — re-run detection including fresh RDAP data without navigating away

What's next

FoilGuard 0.4 added real-time Safe Browsing API integration (optional, requires a free API key), redirect chain detection, and a daily block counter. The next major addition is a live threat feed from PhishTank and URLhaus, moving from pure heuristics to confirmed IOCs.

FoilGuard is MIT licensed on GitHub. Load it from dist/ after running npm run build.
