Typosquatting

Typosquatting relies on character substitution and omission in domain names. Attackers register domains that are homoglyphs (visually similar, e.g., 'rnicrosoft.com' vs 'microsoft.com') or common misspellings (e.g., 'goggle.com') of legitimate sites. When a user mistypes the URL, they are directed to the attacker's site, which may host phishing pages, malware, or adware.

Attackers systematically target predictable user errors. Common techniques include:

• Character Omission: twiter.com (missing 't')
• Character Addition: faceboook.com (extra 'o')
• Character Transposition: gooogle.com (swapped 'l' and 'e')
• Wrong Top-Level Domain (TLD): amazon.net instead of .com
• Homograph Attacks: Using international characters that look identical to Latin letters (e.g., Cyrillic 'а' vs Latin 'a').

The malicious intent behind a typosquatting site defines its payload. Common objectives are:

• Phishing: Stealing login credentials, private keys, or financial information via fake login pages.
• Malware Distribution: Hosting drive-by downloads or tricking users into installing malicious software.
• Ad Revenue Generation: Creating parking pages filled with pay-per-click ads to monetize accidental traffic.
• Brand Damage & Reputation Theft: Impersonating a brand to spread misinformation or erode trust.

In Web3, typosquatting is a critical threat vector, often targeting:

• Decentralized Application (dApp) URLs: Mistyping a dApp front-end address.
• Wallet Drainers: Fake sites that prompt users to connect their wallet and sign malicious transactions, draining assets.
• Token Contracts: Scammers deploy tokens with names similar to popular projects (e.g., SHIBA vs SHIB) to trick buyers.
• Browser Extension Wallets: Fake extensions with names like 'Metamask' or 'Phantom' designed to steal seed phrases.

Mitigation requires vigilance from both users and organizations.

• For Users: Always bookmark official sites, double-check URLs before entering sensitive data, and use browser security extensions.
• For Organizations: Proactively register common typo variants of your domain (defensive registration), implement HTTPS with valid certificates, and use HSTS to enforce secure connections. Domain monitoring services can alert on suspicious registrations.

Typosquatting is part of a broader category of brandjacking and cybersquatting attacks. Related techniques include:

• Combosquatting: Using a legitimate brand name with an added word (e.g., 'apple-support.com').
• Soundsquatting: Exploiting phonetic similarities (e.g., 'niteflix.com').
• Bitsquatting: Relying on bit-flip errors in DNS resolution. Understanding these variants is key to a comprehensive defense strategy.

Typosquatting is a social engineering attack that preys on human error. Attackers create deceptive assets—like a domain opensea.io (with a zero) or a token contract address with a few characters swapped—that closely mimic a trusted target. The goal is to intercept users who make minor spelling mistakes or fail to verify details, tricking them into interacting with a malicious entity. This is a form of homograph attack and phishing.

In blockchain ecosystems, typosquatting manifests in several key areas:

• Domain Names: Fake websites for wallets (e.g., metamask.io), exchanges, or NFT marketplaces.
• Smart Contract Addresses: Sending funds to an address that differs by a few characters from a legitimate project's treasury or token contract.
• Token Names & Symbols: Creating a token with a name like "Shiba Inu" (SHIB) but with a different contract, often listed on DEXs to catch inattentive traders.
• Package Repositories: Publishing malicious libraries with names similar to popular Web3 SDKs (e.g., web3.js vs. web3js) in npm or PyPI.

A catastrophic example was the Parity multi-sig wallet hack in July 2017. An attacker exploited a vulnerability in a specific library contract. Crucially, they deployed a malicious contract with the same name as the legitimate one (WalletLibrary). When a user accidentally initialized their wallet with the malicious contract's address—a form of address typosquatting—it granted the attacker ownership, leading to the theft of over 150,000 ETH (worth ~$30 million at the time).

Mitigating typosquatting requires vigilance and tooling:

• Always Verify Addresses: Use ENS/Name Service domains instead of raw hexadecimal addresses. Copy-paste addresses and verify the first and last few characters.
• Bookmark Official Sites: Never search for sensitive sites; use saved bookmarks.
• Check Contract Verification: On block explorers like Etherscan, look for the "Contract Source Code Verified" checkmark.
• Use Security Extensions: Browser extensions like MetaMask's phishing detection can warn about known malicious domains.
• Developer Vigilance: Developers should use package-lock files and verify checksums for dependencies.

A homograph attack is a sophisticated form of typosquatting that uses visually identical characters from different alphabets (e.g., Latin 'a' vs. Cyrillic 'а'). A domain like etherеum.org (with a Cyrillic 'е') appears identical to ethereum.org. Browsers may show the Punycode representation (e.g., xn--etherum-xxb.org) as a warning. This highlights the critical need to check the actual URL in the address bar.

Wallets and block explorers are frontline defenses. MetaMask, Rabby, and others maintain blocklists of known phishing sites and may warn users. Block explorers like Etherscan label known contracts and tokens, providing a token approval checker to revoke access. Future solutions may include on-chain attestations or reputation systems that cryptographically verify the authenticity of domains and contract addresses, reducing reliance on centralized lists.

Typosquatting is a form of homograph attack where attackers create deceptive assets that mimic legitimate ones. In crypto, this includes:

• Deceptive Domains: Registering binanace.com instead of binance.com.
• Lookalike Addresses: Deploying contracts with addresses where characters like 0 (zero) and O (capital o) or 1 (one) and l (lowercase L) are swapped.
• ENS Name Squatting: Snapping up misspelled versions of popular Ethereum Name Service domains. The goal is to intercept user interactions, such as deposits or contract approvals, and redirect funds.

Attackers exploit predictable human and system errors:

• Fat-Finger Mistakes: Users mistyping a URL in a browser or an address in a wallet.
• Copy-Paste Manipulation: Malware that swaps a legitimate address in the clipboard for a malicious one.
• Similar-Looking Characters: Using Unicode characters from different alphabets that render identically (e.g., Cyrillic 'а' vs. Latin 'a').
• Token Impersonation: Creating a new token with the same name and symbol as a popular one, but on a different contract address.

A critical on-chain variant where attackers deploy malicious contracts with addresses similar to popular DeFi protocols or token contracts. For example, after a major protocol announces its official deployment address, squatters quickly deploy lookalike contracts at addresses with minor character variations. Unsuspecting users who make a typo when interacting directly with the contract irreversibly send funds to the attacker. This bypasses domain-based warnings and highlights the need for address verification.

Mitigation requires both user vigilance and tooling:

• Use Bookmarked Links: Always access sites via saved, verified bookmarks.
• Verify Contract Addresses: Cross-check addresses on multiple official sources (project website, Twitter, Etherscan).
• Employ Wallet Security Features: Use wallets with address book functionality and phishing detection.
• Check for Verification: Look for the blue checkmark on Etherscan for verified contracts.
• Slow Down: Manually review every character in an address before confirming a transaction.

Typosquatting is part of a broader family of impersonation attacks and social engineering threats:

• Phishing: Fraudulent attempts to obtain sensitive information.
• DNS Hijacking: Redirecting domain name resolution to malicious servers.
• Homograph Attack: The technical category for using visually similar characters.
• Rug Pull: A scam where typosquatting might be the initial vector to attract victims to a fraudulent project.

A fundamental defense where users manually save and verify the correct addresses of trusted entities (e.g., DEXes, DeFi protocols, counterparties) in their wallet. This prevents sending funds to lookalike addresses by ensuring transactions are only sent to pre-approved destinations. Key practices include:

• Verifying addresses from multiple official sources before saving.
• Using ENS (Ethereum Name Service) or other blockchain naming services for human-readable addresses.
• Regularly auditing and updating the saved contact list.

Using wallet security tools that simulate a transaction's outcome before signing and flag suspicious interactions. These tools analyze the transaction data, contract code, and recipient address against known threat databases. Key features include:

• Pre-transaction risk scores highlighting potential fraud or typosquatting.
• Clear warnings if a destination address is newly created, has no history, or mimics a popular service.
• Simulation of token approvals to show the exact permissions being granted.

Organizations protect their users by actively monitoring blockchain name services (like ENS) and contract deployments for impersonations. This involves:

• Registering common typo variations of their primary domain or contract name.
• Using automated scanners to detect newly registered lookalike domains or deployed contracts with similar names or bytecode.
• Issuing takedown requests to registrars or reporting malicious contracts to security firms and blocklists.

The most critical layer of defense is training users to recognize and avoid typosquatting attempts. Effective protocols include:

• Always verifying the full address, not just the first/last few characters.
• Using official links from verified social media profiles or GitHub repositories, not search engines.
• Checking for subtle character substitutions (e.g., '0' for 'o', '1' for 'l', Unicode homoglyphs).
• Being wary of unsolicited messages or ads promoting "new" contract addresses for airdrops or migrations.

Emerging standards aim to create a verifiable onchain identity for smart contracts and projects. EIP-7512 proposes a framework for Smart Contract Audits as Onchain Attestations. This allows:

• Auditors to issue a cryptographically signed attestation linked to a specific contract address.
• Wallets and interfaces to display a verified badge if a contract has a valid attestation from a trusted source.
• Users to easily distinguish between the authentic, audited contract and a typosquatted imposter with no verifiable credentials.

Leveraging community-maintained and commercial security tools that maintain real-time blocklists of known malicious addresses and domains. These tools integrate with wallets and browsers to provide active protection:

• Browser extensions (like Wallet Guard, Pocket Universe) that scan sites and transactions.
• RPC providers with integrated phishing detection that can warn or block interactions.
• Public blocklists (e.g., Etherscan's token security labels, Scam Sniffer's database) that are aggregated by security platforms to flag dangerous addresses automatically.

A broader social engineering attack where attackers impersonate legitimate entities to steal sensitive data like private keys or seed phrases. Typosquatting is a common delivery mechanism for phishing, using deceptive domains to host fake wallet interfaces or exchange login pages. Key characteristics include:

• Deceptive Communication: Often initiated via email, SMS, or malicious ads.
• Goal: Credential harvesting or direct asset theft.
• Example: A user clicking a typosquatted URL and entering their MetaMask seed phrase on a counterfeit site.

An attack that compromises the Domain Name System (DNS) to redirect users from a legitimate website to a malicious one, even if the correct URL is entered. Unlike typosquatting, which relies on user error, DNS hijacking occurs at the infrastructure level. It can involve:

• Compromising DNS records at the registrar or resolver level.
• Local network attacks like rogue DHCP servers.
• Result: All traffic to a legitimate domain (e.g., uniswap.org) is redirected to an attacker-controlled IP.

A technique using visually similar characters from different alphabets (e.g., Cyrillic, Greek) to create domain names or wallet addresses that are indistinguishable from legitimate ones. This is a more sophisticated form of impersonation than simple typosquatting.

• Unicode Exploit: Uses characters like the Cyrillic 'а' (U+0430) instead of the Latin 'a' (U+0061).
• Application: Creating fake domains (e.g., etherеum.org) or Ethereum addresses where 0x742... uses a zero-width space.
• Defense: Wallet and browser support for Punycode conversion and address checksums (EIP-55).

A critical defense against code-based impersonation, where malicious contracts mimic legitimate DeFi protocols. Audits involve a systematic review of smart contract code by security experts to identify vulnerabilities, backdoors, and logic errors before deployment.

• Purpose: Verify security and functional correctness.
• Scope: Checks for reentrancy, access control flaws, and malicious logic.
• Preventative Measure: Users should only interact with audited contracts from verified publisher addresses, not just trusted-looking frontends.

A proactive security tool, often built into wallets like Rabby or Blockaid, that simulates the outcome of a transaction before the user signs it. This defends against approval phishing and malicious contract interactions initiated via typosquatted sites.

• Mechanism: The wallet executes a dry-run of the transaction, analyzing state changes.
• Alerts: Warns users if a transaction involves unexpected token approvals, asset transfers to suspicious addresses, or known malicious contracts.
• Prevents: Blind signing of harmful transactions from impersonated dApp interfaces.