PR.DS-6 / PR.IP-1 NIST Cybersecurity Framework v1.1

Defensive registrations of obvious typos

Description

What this control does

This control requires the organization to proactively register domain names that are common typographical variations (typosquatting variants) of legitimate organizational domains, such as switching adjacent letters, omitting characters, or using alternative top-level domains. These defensive registrations prevent attackers from exploiting user errors to host phishing sites, capture credentials, or distribute malware under domains visually similar to the organization's brand. Implementation typically involves identifying high-risk typo variants through algorithmic analysis or threat intelligence, purchasing those domains, and configuring them to redirect to legitimate sites or display warning messages.

Control objective

What auditing this proves

Demonstrate that the organization has identified, registered, and actively controls typosquatted domain variants of critical organizational domains to prevent their exploitation for phishing, credential harvesting, or brand impersonation attacks.

Associated risks

Risks this control addresses

  • Attackers register typosquatted domains to host convincing phishing pages that harvest employee or customer credentials
  • Users mistype legitimate URLs and land on attacker-controlled sites that deliver malware or ransomware payloads
  • Customers receive fraudulent communications from typosquatted domains, resulting in financial loss and reputational damage to the organization
  • Attackers use near-identical domains in business email compromise (BEC) attacks to impersonate executives or vendors
  • Search engines index typosquatted domains containing defamatory or misleading content associated with the organization's brand
  • Mobile users on small screens click typosquatted domains in SMS or messaging apps due to reduced visibility and validation difficulty
  • Lack of defensive registration creates persistent attack surface that competitors or nation-state actors exploit for intelligence gathering or brand erosion

Testing procedure

How an auditor verifies this control

  1. Obtain the inventory of all primary organizational domains, subdomains used for customer-facing services, and brand-critical URLs from the IT asset register and marketing department.
  2. Request documentation of the methodology or tooling used to generate typosquatting variants, including algorithms for character transposition, omission, duplication, homoglyph substitution, and alternative TLDs.
  3. Review the complete list of defensively registered typosquatted domains with their registration dates, registrar information, and renewal status from DNS management records or domain portfolio tools.
  4. Select a sample of 10-15 high-traffic organizational domains and independently generate expected typo variants using common patterns (e.g., adjacent key swaps, vowel substitutions, common misspellings).
  5. Perform WHOIS lookups on sampled typo variants to verify organizational ownership and compare against known third-party or unregistered domains that represent coverage gaps.
  6. Test the resolution behavior of defensively registered domains by visiting them in a browser to confirm they redirect to legitimate sites, display warnings, or return non-exploitable responses rather than hosting malicious content.
  7. Review evidence of periodic re-assessment processes, including scheduled reviews (quarterly or annual) where new typo variants are identified based on traffic analysis, phishing reports, or brand monitoring services.
  8. Examine incident response records or security monitoring logs for any reported phishing attempts or brand abuse involving typosquatted domains to assess whether defensive registrations have prevented exploitation.
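
Added example (not code from this control page or any audit program): a Python script that generates the variant classes named in step 2 (transposition, omission, duplication, adjacent-key and homoglyph substitution, alternative TLDs) for one domain and lists the variants absent from the organization's registration inventory, which is the coverage-gap list an auditor would carry into the WHOIS checks of step 5. The domain `examplebank.com`, the `OWNED` inventory and the partial keyboard/homoglyph tables are constructed for the demo.

```python
# Added example: generate typosquatting variants of an organizational domain
# and report which ones are not covered by the defensive-registration inventory.

# Constructed inventory of domains the organization owns (assumption).
OWNED = {
    "examplebank.com",
    "exmaplebank.com",   # a transposition that is already registered
    "examplebank.co",    # an alternative TLD that is already registered
}

# Partial QWERTY adjacency and homoglyph tables, enough for the demo.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "e": "wrd", "m": "nj", "p": "ol", "l": "kop",
    "x": "zc", "b": "vn", "n": "bm", "k": "jl",
}
HOMOGLYPHS = {"l": ["1", "i"], "o": ["0"], "e": ["3"], "a": ["4"]}
ALT_TLDS = ["co", "net", "org", "cm"]


def typo_variants(domain: str) -> set[str]:
    """Return typosquatting candidates for a label.tld style domain."""
    label, tld = domain.rsplit(".", 1)
    variants: set[str] = set()
    for i in range(len(label)):
        # omission: drop one character
        variants.add(label[:i] + label[i + 1:])
        # duplication: repeat one character
        variants.add(label[:i] + label[i] + label[i:])
        # transposition: swap two adjacent characters
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        # adjacent-key substitution (fat-finger typos)
        for k in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            variants.add(label[:i] + k + label[i + 1:])
        # homoglyph substitution (visually similar characters)
        for h in HOMOGLYPHS.get(label[i], []):
            variants.add(label[:i] + h + label[i + 1:])
    result = {f"{v}.{tld}" for v in variants if v and v != label}
    # alternative TLDs on the unmodified label
    result.update(f"{label}.{t}" for t in ALT_TLDS if t != tld)
    return result


def coverage_gaps(domain: str, owned: set[str] = OWNED) -> list[str]:
    """Variants missing from the inventory: candidates for WHOIS review."""
    return sorted(v for v in typo_variants(domain) if v not in owned)


if __name__ == "__main__":
    gaps = coverage_gaps("examplebank.com")
    print(f"{len(gaps)} uncovered variants, e.g. {gaps[:5]}")
```

Variants the script reports as gaps still need the ownership check of step 5, since a third party may already hold them.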

Evidence required

DNS registration records and WHOIS data showing organizational ownership of typosquatted domains; documentation of the typo-variant generation methodology, including screenshots or exports from domain analysis tools; configuration exports or screenshots demonstrating redirect rules or warning pages for defensive domains; policy or procedure documents describing the periodic review schedule and the criteria for identifying new variants; evidence of integration with threat intelligence feeds or brand monitoring services that trigger additional defensive registrations.

Pass criteria

The organization maintains documented ownership of high-risk typographical variants for all critical domains, demonstrates a systematic process for identifying new variants at least annually, and configures defensively registered domains to prevent exploitation through redirects or non-exploitable responses.
