Domains · 2026-06-11 · 9 min read

Typosquatting and lookalike domains: detection and takedown

Every brand domain has a few hundred plausible evil twins, and registering one costs an attacker about ten dollars. A field guide to the permutation classes, the detection stack, and the three takedown paths — with honest notes on cost and speed.

Brand Protector team · Operational research

The economics of the attack are lopsided. A counterfeiter or phisher spends roughly ten dollars and ten minutes registering yourbrand-shop.com; your cheapest legal remedy to take that domain away from them — a UDRP complaint — starts at $1,500 in WIPO filing fees before attorney time. The volume reflects the asymmetry: trademark owners from 133 countries filed 6,168 WIPO domain-dispute cases in 2024, and 2025 set a new record at 6,282. This guide covers what the permutations look like, how to find them before customers do, and which takedown path fits which situation. (Not legal advice — domain disputes have real procedural traps; bring counsel for anything contested.)

What are the permutation classes?

Nearly every lookalike we detect falls into one of six shapes, and the first five are mechanically enumerable:

  • Character typos. Omission (brandprotectr.io), repetition (brandprotectorr.io), transposition (brandprotecotr.io), and fat-finger substitution of adjacent keys. The oldest class, still effective on mobile keyboards.
  • Homoglyphs. Visually identical characters from other scripts or letter pairs: Cyrillic а for Latin a, rn for m, l/1/I swaps. The canonical demonstration is Xudong Zheng’s 2017 proof of concept: an all-Cyrillic apple.com (punycode xn--80ak6aa92e.com) that rendered indistinguishably from the real thing in major browsers. Browsers have tightened IDN display since, but email clients, chat apps and ad platforms remain soft targets.
  • TLD swaps. Your exact name on another ending: .shop, .store, .net, .co, country codes. The 2012 gTLD expansion added over a thousand endings, and counterfeit storefronts cluster heavily on the cheap ones.
  • Hyphenation and keyword stuffing. brand-outlet.com, brand-official.shop, buybrand.store. The added word does persuasion work: official, store, sale, us.
  • Subdomain spoofing. yourbrand.com.checkout-secure.xyz — your whole domain as a subdomain of junk. Permutation tools miss these; certificate-transparency monitoring catches them, because the full hostname appears in the issued certificate.
  • Brand-adjacent coinages. Names that aren’t mechanical permutations but read as your brand family. These need human judgment (and are where AI assistants get fooled too — see our piece on copycats in AI shopping answers).
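An added example (not code from dnstwist or Brand Protector) that enumerates the five mechanical classes above into a labelled watchlist for monitoring. The lookup tables are small illustrative samples, and `to_ace` is a simplified punycode conversion that skips full IDNA normalization.

```python
# Added example: ADJACENT_KEYS, HOMOGLYPHS, TLDS and KEYWORDS are small
# illustrative tables (assumptions), not dnstwist's own data.
ADJACENT_KEYS = {"a": "qsz", "e": "wrd", "o": "ipl", "r": "etf", "t": "ryg", "n": "bm"}
HOMOGLYPHS = {"a": ["\u0430"], "e": ["\u0435"], "o": ["\u043e", "0"],
              "l": ["1", "\u04cf"], "m": ["rn"], "p": ["\u0440"]}
TLDS = ["com", "net", "co", "shop", "store"]
KEYWORDS = ["official", "store", "sale", "outlet"]

def to_ace(domain):
    """Render non-ASCII labels in the xn-- form that DNS and CT logs carry."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
                    for l in domain.split("."))

def permutations(domain):
    """Map each candidate lookalike of `domain` to its permutation class."""
    name, _, tld = domain.partition(".")
    found = {}

    def add(label, cls, suffix=tld):
        candidate = to_ace(f"{label}.{suffix}")
        if label and candidate != domain:
            found.setdefault(candidate, cls)  # first class to produce it wins

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        add(name[:i] + ch + name[i:], "repetition")
        if i + 1 < len(name) and ch != name[i + 1]:
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        for sub in ADJACENT_KEYS.get(ch, ""):
            add(name[:i] + sub + name[i + 1:], "fat-finger")
        for glyph in HOMOGLYPHS.get(ch, []):
            add(name[:i] + glyph + name[i + 1:], "homoglyph")
    for other in TLDS:
        add(name, "tld-swap", other)
    for kw in KEYWORDS:
        add(f"{name}-{kw}", "keyword")
        add(f"{kw}{name}", "keyword")
    return found
```

Each key is a hostname to feed into the registered-or-not check; the class label helps rank which candidates deserve defensive registration.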

How do you detect lookalikes before customers report them?

The detection stack is three layers, cheapest first:

  1. Enumerate the permutation space. The open-source standard is dnstwist, which generates typo, homoglyph, TLD-swap and hyphenation permutations for a given domain and checks which are registered. A typical brand domain yields several hundred to a few thousand candidates.
  2. Split registered from unregistered. Registered permutations get classified now (parked? resolving? MX records configured — i.e., can it receive or send mail for phishing?). Unregistered ones become your watchlist and feed the buy-versus-watch decision.
  3. Watch for the go-live moment. Daily DNS re-checks on the watchlist, plus Certificate Transparency log monitoring (crt.sh and equivalents). CT is the early-warning gem: a phishing site needs a TLS certificate to look legitimate, and certificate issuance is publicly logged — often days before the first victim sees the page.
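An added example, not Brand Protector's or dnstwist's code, of triaging hostnames pulled from CT log entries, including the subdomain-spoofing shape that permutation lists miss. It assumes a single-label TLD (a real deployment would consult the Public Suffix List), and `CONFUSABLES` is a small illustrative table.

```python
# Added example. CONFUSABLES is a tiny illustrative table (an assumption),
# not a full Unicode confusables list.
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u04cf": "l", "\u0435": "e",
               "\u043e": "o", "\u0441": "c", "1": "l", "0": "o"}

def skeleton(label):
    """Decode an xn-- (punycode) label and fold lookalike characters to Latin."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: compare it as-is
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.replace("rn", "m"))

def within_one_edit(a, b):
    """True if b is one omission, insertion, substitution or adjacent swap from a."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return swapped or a[i + 1:] == b[i + 1:]
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]

def triage(hostname, brand):
    """Classify one CT-logged hostname against a brand domain such as 'yourbrand.com'."""
    host = hostname.lower().rstrip(".").removeprefix("*.")
    if host == brand or host.endswith("." + brand):
        return "own"
    if "." + brand + "." in "." + host:
        return "subdomain-spoof"  # whole brand domain used as leading labels
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    name, brand_name = labels[-2], brand.split(".")[0]  # single-label TLD assumed
    if name == brand_name:
        return "tld-swap"
    if skeleton(name) == skeleton(brand_name):
        return "homoglyph"
    if within_one_edit(brand_name, name):
        return "typo"
    return "keyword" if brand_name in name else "unrelated"
```

Anything other than `own` or `unrelated` is a candidate for the watchlist and the evidence capture described further down.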

UDRP, registrar abuse, or hosting complaint — which takedown path?

Three mechanisms, different costs, different outcomes. Match the path to the harm:

  • Registrar abuse report — free, fast, kills the worst. Every ICANN-accredited registrar must maintain an abuse contact. For active phishing, malware or counterfeit checkout flows, a documented abuse report gets cooperative registrars to suspend within days. The catch: you must find the actual registrar (WHOIS is privacy-masked everywhere now; RDAP lookups resolve the registrar of record reliably, including on newer TLDs), and outcomes vary — some registrars act in 48 hours, a slow tail never replies. You get suspension, not ownership.
  • Hosting / CDN complaint — parallel, not instead. The site also lives somewhere. Filing with the hosting provider or CDN in parallel doubles your chance of a fast neutralization; content can come back on new hosting, which is why this pairs with, rather than replaces, the registrar path.
  • UDRP — slow, paid, permanent. The Uniform Domain-Name Dispute-Resolution Policy gets the domain transferred to you. You must prove all three elements: the domain is identical or confusingly similar to your mark, the registrant has no rights or legitimate interests, and it was registered and used in bad faith. WIPO’s fee is $1,500 for a single-member panel covering up to five domains ($4,000 for three members), proceedings run roughly two months, and the remedy is transfer or cancellation. For domains on post-2012 gTLDs, URS offers a cheaper alternative (fees from $375) — but it only suspends the domain until expiry, no transfer.

Rule of thumb: report-to-registrar and host for anything actively harming customers today; UDRP for domains with durable traffic value you want to own; URS for clear-cut cases on new gTLDs where suspension is enough. And for the highest-risk handful of permutations, the cheapest takedown is the one you never file — registering the domain yourself costs about $10.26 wholesale for a .com (rising to $10.97 in November 2026).

What evidence should you capture, and when?

At detection time, not filing time — lookalike sites are built to be disposable. The minimum pack: full-page timestamped screenshots; the WHOIS/RDAP record (registrar, registration date, nameservers); DNS records including MX; a saved copy of the page HTML; your trademark registration numbers; and a note of the specific infringing conduct (fake checkout, cloned branding, credential-harvesting form). Abuse desks act fastest on reports where the harm is provable in one attachment, and a UDRP panel will want the registration-date-versus-your-mark timeline laid out cleanly.

How Brand Protector handles this

This pipeline is productized in Brand Protector’s lookalike-domain monitoring: dnstwist-class permutation prediction plus Certificate Transparency watch, a daily DNS check on every dangerous permutation with an alert the moment one goes live, and takedown routing that resolves the actual registrar via WHOIS with RDAP fallback — which is what makes it work on .shop, .top and .xyz, where lookalikes actually live. Notices are pre-addressed to the right abuse desk with the evidence pack attached, and every takedown is triple-validated and approved by you before anything is filed in your name. You also get a risk-ranked defensive-registration plan as a one-page PDF. All of it is in the $199/mo plan, first scan at activation, 7-day trial — or walk through a live workspace first.

Frequently asked questions

What is typosquatting?

Typosquatting is registering domains that imitate a brand's domain — through typos (gooogle), homoglyphs (Cyrillic а for Latin a), TLD swaps (.shop for .com), hyphenation or added keywords (brand-store) — to capture misdirected traffic for phishing, counterfeit sales, ad arbitrage or resale.

How do I detect lookalike domains targeting my brand?

Generate the permutation set for your domain with a tool like dnstwist (typos, homoglyphs, TLD swaps, hyphenations), then check which permutations are registered and resolving. Watch DNS and Certificate Transparency logs continuously — a parked permutation that suddenly gets a TLS certificate is usually about to go live.

Should I use UDRP or a registrar abuse report against a lookalike domain?

Start with the cheapest path that fits the harm. Active phishing or counterfeit sales: report to the registrar's abuse desk and the hosting provider — free and often fast. If you need the domain transferred to you, that requires UDRP (WIPO fees start at $1,500) or, for suspension only on newer gTLDs, URS from $375.

What evidence do I need for a lookalike-domain takedown?

Timestamped screenshots of the live site, the WHOIS/RDAP record showing registrar and registration date, DNS records, your trademark registration details, and a capture of the infringing use (fake checkout, copied branding, MX records set up for phishing). Capture everything at detection time — these sites vanish quickly.

Can a domain be taken down if it just sits parked?

Rarely. Registration alone usually isn't actionable — UDRP requires bad-faith registration and use, and abuse desks act on abuse, not potential. The operational answer is to keep parked permutations under daily watch and act the moment one resolves, gets a certificate, or starts receiving mail.
