Skip to content
Athenian Tech

Glossary

Cybersquatting: Registering Domains to Exploit Someone Else’s Brand

5 min read1,162 words

Most people assume the internet has a landlord — that if a company is called Acme, then acme.com automatically belongs to Acme. It doesn’t. Domain names are handed out on a first-come, first-served basis, and nothing in the registration process checks whether you actually own the trademark you just typed into the search box. That gap between “who owns the name in the world” and “who registered the name online” is exactly where cybersquatting lives. It’s one of the oldest tricks on the web, and it still catches large brands, small businesses, and individuals off guard every single day.

What Cybersquatting Actually Is

Cybersquatting is registering, trafficking in, or using a domain name in bad faith to profit from the goodwill of a trademark or name that belongs to someone else. The key phrase is bad faith. The registrant isn’t building a site — they’re sitting on the name hoping the rightful owner will pay to get it, or they’re using the resemblance to a known brand to fool visitors.

That “bad faith” qualifier is what separates squatting from a completely legitimate industry: domain investing. Plenty of people buy generic or descriptive domains — bestcoffee.com, traveldeals.net — and resell them at a markup. That’s speculation on ordinary words, and it’s legal. The line gets crossed when the domain’s entire value comes from someone else’s brand equity. Registering notarealcompany-generic-word.com is investing. Registering tesla-motors-official.com to intercept Tesla’s customers is squatting. Courts and arbitration panels look at intent: Did you target a specific trademark? Did you offer to sell it back at an inflated price? Did you try to divert or confuse that brand’s users? Answer yes to those, and “I’m just a domain investor” stops working as a defense.

How the Scheme Works

The mechanics are almost mundane, which is part of why it persists.

  1. Spot a valuable name. A squatter watches for brands that haven’t defensively registered every variation of their name — a new product launch, a startup that just got funded, a company expanding into a new country.
  2. Register the gaps. They grab the misspellings, the alternate top-level domains (TLDs), the hyphenated versions, and country-specific variants the brand overlooked.
  3. Monetize the traffic. The parked domain fills with pay-per-click ads, redirects to a competitor, hosts a phishing page, or simply displays a “this domain is for sale” banner.
  4. Wait for the payout. Either the ad revenue trickles in from mistyped URLs, or the brand eventually notices and negotiates a buyback.

You can see how exposed a brand is with basic tooling. A quick WHOIS lookup shows who registered a lookalike and when:

Shell
whois tesla-motors-official.com
# Look at "Registrant", "Creation Date", and whether privacy protection hides the owner

To find variations that already exist, security teams generate permutations and check which resolve. The open-source tool dnstwist is built for exactly this:

Shell
# Generate typo/variant domains for a brand and report which are registered
dnstwist --registered example.com

That single command produces typosquats (exmaple.com), homoglyph swaps (exampIe.com with a capital i), TLD swaps (example.net), and more — then tells you which ones someone has already claimed. It’s the same reconnaissance an attacker does, run defensively.

The Common Varieties

Cybersquatting isn’t one behavior; it’s a family of them. The most frequent forms:

  • Typosquatting. Registering common misspellings — gogle.com, amazn.com — to catch fat-fingered typists. Often used for ad revenue or malware delivery.
  • Homograph / homoglyph attacks. Using characters that look identical to Latin letters, frequently from other alphabets. The Cyrillic “а” is visually indistinguishable from the Latin “a,” so pаypal.com can look genuine while pointing somewhere hostile. These are especially dangerous in internationalized domain names.
  • TLD and combosquatting. Taking the exact brand name but changing the extension (brand.co instead of brand.com) or bolting on plausible words (brand-support.com, login-brand.net). Combosquatting is a favorite for phishing because the real brand name appears intact.
  • Identity or name squatting. Registering the domains of individuals — celebrities, executives, politicians — to sell back or to impersonate them.
  • Reverse hijacking (the flip side). Worth naming for balance: sometimes a large company falsely accuses a legitimate small registrant of squatting to bully them out of a name they rightfully use. Dispute systems try to catch this too.

Why It’s More Than a Nuisance

At its mildest, cybersquatting is a shakedown for a few thousand dollars. But the same lookalike domains are the raw material for far worse. A convincing typosquat is the perfect launchpad for phishing emails, credential harvesting, and business-email-compromise fraud, because the sending domain passes a glance-test. Malware operators register lookalikes so that a mistyped download link still lands on their payload. And every diverted visitor is a small tax on the real brand’s reputation and revenue. The domain is cheap; the downstream damage is not.

Defending Your Brand

You cannot register every possible permutation of your name — the math defeats you. But a layered defense makes squatting expensive and easy to unwind.

  • Register defensively where it counts. Grab the obvious misspellings, the major TLDs (.com, .net, .org, .co), and the country codes for markets you operate in. You don’t need thousands; you need the handful an attacker would target first.
  • Trademark your brand. Legal protection is the foundation of every dispute remedy below. Without a registered mark, your options shrink dramatically.
  • Monitor continuously. Run something like dnstwist on a schedule, subscribe to a domain-monitoring or brand-protection service, and watch Certificate Transparency logs — every time someone gets an HTTPS certificate for a lookalike domain, it becomes publicly visible.
Shell
# Search Certificate Transparency logs for certs issued on lookalike domains
curl -s "https://crt.sh/?q=%25yourbrand%25&output=json" | \
  python -c "import sys,json; [print(r['name_value']) for r in json.load(sys.stdin)]"
  • Know your dispute options. When you find a squatter, two main remedies exist. The UDRP (Uniform Domain-Name Dispute-Resolution Policy), administered by bodies like WIPO, is a faster, cheaper arbitration process to have a domain transferred or canceled. In the United States, the ACPA (Anticybersquatting Consumer Protection Act) lets you sue in federal court and potentially recover damages. To win either, you generally must show the domain is identical or confusingly similar to your mark, the registrant has no legitimate interest in it, and it was registered and used in bad faith.

The Takeaway

Cybersquatting endures because the domain system rewards speed over rightful ownership, and because a single believable lookalike can be reused for extortion, phishing, and fraud alike. The good news is that the defense is well-understood and doesn’t require perfection. Register the names that matter most, trademark your brand so you have legal standing, and monitor for the lookalikes you didn’t register — using the very same reconnaissance tools an attacker would. Squatting only pays off when the target is asleep. A brand that watches its own name, and knows the difference between a bad-faith impersonator and a legitimate domain investor, turns an easy score into a losing bet.