[ D.9 — TYPOSQUATTING ]

Typosquatting & lookalike finder.

Enter a domain to generate the lookalike permutations attackers use — typos, homoglyphs, hyphenations, TLD swaps, combosquats — and check which ones actually resolve. The resolving ones are the ones to worry about.

Typosquatting is registering domains visually similar to a target so users who mistype or skim a name land somewhere else — usually a phishing page. This tool generates the standard dnstwist-style permutation set (omissions, insertions, repetitions, replacements, transpositions, bitsquats, hyphenations, homoglyphs, TLD swaps, combosquats) and checks each one against live DNS via Cloudflare DoH. Domains that resolve are the high-signal results.

Last reviewed: May 2026

// lookalike scan
Permutations · DoH resolution check · homograph / Punycode · resolving lookalikes surfaced first
Via Cloudflare DNS-over-HTTPS
// explainer

What is typosquatting?

Typosquatting is the practice of registering domain names that are visually or typographically close to a target — a brand, a popular service, a well-known login page — so that users who mistype the real name end up somewhere else. The classic case is a transposed letter (payapl.com) or a missing letter (paypl.com); the modern version usually includes the brand name itself plus an extra word (paypal-login.com, secure-paypal.com) — that variant is called combosquatting.

The most dangerous variant is the homograph attack: replacing one or more characters with visually identical glyphs from another writing system. Cyrillic а, е, о, and р are pixel-perfect duplicates of Latin a, e, o, and p; a domain like pаypаl.com renders identically to paypal.com in most fonts. The DNS sees a completely different name (the IDN form, encoded as xn--…), but the user only sees the visible letters. Browsers handle this inconsistently — some show Punycode for mixed-script domains, some don't.

This tool produces the standard set of permutations the security tool dnstwist popularised — one-character omissions, insertions, repetitions, replacements, transpositions, single-bit flips (bitsquats), hyphen insertions, common TLD swaps, homoglyph substitutions, and a handful of common combosquatting suffixes / prefixes. Each generated name is checked against live DNS over HTTPS, and the ones that actually resolve are surfaced first — those are the ones a defender or a brand-protection team needs to look at.
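The permutation set described above, and the IDN conversion that turns a homoglyph variant into the `xn--` name DNS actually sees, as an added example in Python. This is illustration code written for this page, not the tool's own implementation and not dnstwist; the confusable table, the TLD list and the combosquat words are deliberately small and are assumptions (a real generator carries hundreds of confusables across several scripts and a much longer word list).

```python
"""Added example (not the page's own code): a small dnstwist-style
permutation generator plus the Punycode rendering of IDN labels."""

# Assumption: a minimal Latin -> Cyrillic confusable table. Real tools
# carry many more entries (Greek, Armenian, digits, ligatures, ...).
HOMOGLYPHS = {
    "a": "\u0430",  # Cyrillic small a
    "e": "\u0435",  # Cyrillic small ie
    "o": "\u043e",  # Cyrillic small o
    "p": "\u0440",  # Cyrillic small er
    "c": "\u0441",  # Cyrillic small es
}
TLDS = ["net", "org", "co", "io"]               # the swaps the FAQ below lists
COMBO_WORDS = ["login", "secure", "support"]    # combosquat words from the page
TECHNIQUES = ("omission", "transposition", "repetition", "hyphenation",
              "homoglyph", "tld-swap", "combosquat")


def split_domain(domain):
    """'paypal.com' -> ('paypal', 'com'). Assumes a single-label TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def permutations(domain):
    """Return {technique: sorted list of candidate domains} for one domain."""
    name, tld = split_domain(domain)
    out = {k: set() for k in TECHNIQUES}

    def add(technique, label, t=tld):
        out[technique].add(f"{label}.{t}")

    for i, ch in enumerate(name):
        add("omission", name[:i] + name[i + 1:])            # paypl
        add("repetition", name[:i] + ch + name[i:])          # paaypal
        if i < len(name) - 1:                                # payapl
            add("transposition", name[:i] + name[i + 1] + ch + name[i + 2:])
        if i > 0:                                            # pay-pal
            add("hyphenation", name[:i] + "-" + name[i:])
        if ch in HOMOGLYPHS:                                 # one glyph swapped
            add("homoglyph", name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    # every confusable letter swapped at once (the "whole-word" homograph)
    full = "".join(HOMOGLYPHS.get(c, c) for c in name)
    if full != name:
        add("homoglyph", full)
    for t in TLDS:
        if t != tld:
            add("tld-swap", name, t)
    for w in COMBO_WORDS:
        add("combosquat", f"{name}-{w}")
        add("combosquat", f"{w}-{name}")
    # a transposition of two equal letters reproduces the original; drop it
    for s in out.values():
        s.discard(domain.lower())
    return {k: sorted(v) for k, v in out.items()}


def to_ascii(domain):
    """Render a domain as DNS sees it: each non-ASCII label becomes
    'xn--' + Punycode (RFC 3492). Full IDNA processing also normalises the
    label first (UTS 46); for lowercase Cyrillic letters the result is the same."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


if __name__ == "__main__":
    for technique, names in permutations("paypal.com").items():
        print(f"{technique:14s} {len(names):3d}  e.g. {names[0]}  ->  {to_ascii(names[0])}")
```

Feeding the `homoglyph` list through `to_ascii` is what makes the attack visible: `pаypаl.com` with two Cyrillic `а` looks like the brand on screen but is queried and registered as `xn--pypl-53dc.com`, which is the string a DNS check or a WHOIS lookup must use.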

// why it matters

Where lookalikes actually hurt.

Phishing. Almost every credential-phishing campaign starts with a lookalike domain — usually a homograph or a combosquat plus a Let's Encrypt certificate, then a copy of the real login page. The mail or SMS that delivers the link benefits hugely from a URL that looks like the brand at first glance. Defenders fight this with a mix of takedown requests, DNSBLs and registry-level blocks — finding the lookalikes early is what makes any of that possible.

Brand protection. Big brands defensively register the obvious typos themselves so attackers can't. The scan here gives you a rough first pass: lookalikes that resolve are almost certainly registered, while the ones that don't are candidates to check (and, if genuinely unregistered, worth grabbing for a few dollars before someone else does). Pair with WHOIS for ownership and Certificate Transparency for monitoring newly-issued certificates.

Software supply-chain. Typosquatted package names on npm, PyPI, RubyGems — colour-picker vs color-picker, requets vs requests — are an ongoing source of malicious-dependency incidents. The same permutation patterns this tool generates for domains are the patterns attackers run against package registries.

// faq

Common questions.

What is a homograph attack?

A homograph attack replaces ASCII letters with visually identical characters from another Unicode script — most commonly Cyrillic (the Cyrillic а is a pixel-perfect duplicate of Latin a). The visible string and the registered name look identical to a human but are completely different domains. Modern browsers sometimes show the Punycode form (xn--…) for mixed-script domains as a defence, but support is inconsistent. This tool generates the high-risk Cyrillic and look-alike permutations and shows both the Unicode form and its xn-- Punycode form so you can see what's actually registered.

How do I protect my brand from typosquatting?

Defensively register the highest-risk lookalikes — the obvious typos, the common TLD swaps (.net, .org, .co, .io), and the highest-traffic combosquats (brand-login, brand-secure). For homograph variants, register the IDN forms of your brand in the writing systems your customers use. Monitor newly-registered lookalikes — CT logs are excellent for this — and file a UDRP or URS for any that are clearly infringing. The cost of holding twenty defensive domains is rounding error compared to one successful phishing campaign against your customers.

Does “not resolving” mean the lookalike is safe?

No. A domain can be registered but have no DNS records published — it's still owned by someone and can be activated at any time. “Not resolving” means “not actively serving traffic right now”; it does not prove the name is available to buy. For a real ownership check use WHOIS or RDAP — this tool surfaces the WHOIS link inline on every result so you can pivot.
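The resolution check and the distinction this answer draws, as an added example in Python (illustration code for this page, not the tool's own implementation). It builds the Cloudflare DoH JSON query the page says the tool uses and separates three outcomes that a naive "does it resolve?" check collapses: records present (actively serving), NOERROR with no records (registered and delegated but dormant), and NXDOMAIN (no delegation, which still does not prove the name is available). The sample responses are constructed, using the reserved `.example` TLD and documentation addresses; `resolve_live` does real network I/O and is only called when you run the file yourself.

```python
"""Added example (not the page's own code): classify Cloudflare DoH JSON
answers for lookalike candidates and surface the resolving ones first."""
import json
import urllib.parse
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare JSON DoH
NOERROR, NXDOMAIN = 0, 3                                # DNS RCODEs in "Status"
VERDICT_ORDER = ["resolves", "no-data", "nxdomain", "error"]


def doh_url(name, rtype="A"):
    """GET URL for the application/dns-json interface. For an IDN candidate
    pass the xn-- (Punycode) form, which is what DNS actually holds."""
    return DOH_ENDPOINT + "?" + urllib.parse.urlencode({"name": name, "type": rtype})


def classify(resp):
    """Map one JSON DoH response to (verdict, [record data]).

    'resolves'  -> answer records exist: the name is live right now
    'no-data'   -> NOERROR but empty: delegated and owned, nothing published yet
    'nxdomain'  -> no such name in DNS: still check WHOIS/RDAP before assuming free
    'error'     -> SERVFAIL/REFUSED etc.: retry or treat as unknown
    """
    status = resp.get("Status")
    if status == NXDOMAIN:
        return "nxdomain", []
    if status != NOERROR:
        return "error", []
    data = [a["data"] for a in resp.get("Answer", []) if "data" in a]
    return ("resolves" if data else "no-data"), data


def resolve_live(name, timeout=5):
    """Real lookup against Cloudflare DoH (network). Not exercised offline."""
    req = urllib.request.Request(doh_url(name), headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return classify(json.load(r))


def triage(candidates, lookup):
    """lookup(name) -> DoH JSON dict. Returns [(name, verdict, data)] with
    resolving names first, so a reviewer sees the high-signal results on top."""
    rows = []
    for name in candidates:
        verdict, data = classify(lookup(name) or {})
        rows.append((name, verdict, data))
    return sorted(rows, key=lambda r: (VERDICT_ORDER.index(r[1]), r[0]))


# Constructed sample responses in Cloudflare's JSON shape (not real lookups).
SAMPLE_RESPONSES = {
    "paypal-login.example": {                     # live: a record is published
        "Status": 0,
        "Question": [{"name": "paypal-login.example", "type": 1}],
        "Answer": [{"name": "paypal-login.example", "type": 1,
                    "TTL": 300, "data": "192.0.2.10"}],
    },
    "payapl.example": {                           # registered, nothing published
        "Status": 0,
        "Question": [{"name": "payapl.example", "type": 1}],
    },
    "paypl.example": {                            # NXDOMAIN
        "Status": 3,
        "Question": [{"name": "paypl.example", "type": 1}],
    },
}

if __name__ == "__main__":
    for name, verdict, data in triage(list(SAMPLE_RESPONSES), SAMPLE_RESPONSES.get):
        print(f"{verdict:9s} {name:24s} {', '.join(data)}")
```

Only the `resolves` rows are evidence of active infrastructure; `no-data` and `nxdomain` are both "check ownership with WHOIS or RDAP", and neither should be read as "available to buy".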

What is the difference between typosquatting and combosquatting?

Typosquatting registers misspellings of the target name (paypl.com, payapl.com). Combosquatting registers the full target name plus an extra word that adds false legitimacy — paypal-login.com, secure-paypal.com, paypal-support.com. Combosquatting is harder to defend against because the brand name is intact — the attack relies on the added word convincing the victim the domain is a legitimate sub-property of the brand. Both categories appear in this tool's results, labelled by technique.