Combosquatting
Detecting domains that combine your brand with common words to appear legitimate and trustworthy.
What is Combosquatting?
Combosquatting is a technique where attackers register domains that combine a legitimate brand name with common prefixes, suffixes, or related words. Unlike typosquatting, which relies on typos, combosquatting creates grammatically correct domain names that appear official or legitimate.
These domains are particularly dangerous because they often look more trustworthy than simple typos. Users may believe they're visiting an official subdomain, regional site, or legitimate service portal when they're actually on a phishing site.
Common Combosquatting Patterns
Security-Related Prefixes
Attackers use security-related terms to create urgency and appear official.
Action-Based Suffixes
Common actions added after brand names to mimic legitimate service portals.
Support & Help Combinations
Support-related terms that exploit users seeking help or assistance.
How We Detect Combosquatting
We check if newly registered domains contain your brand name combined with suspicious prefixes or suffixes commonly used in phishing attacks.
- We monitor for security-related terms (like "secure", "verify", "login") added to your brand
- Support and help-related combinations are flagged as potential scams
- Our pattern database is regularly updated based on new attack trends
Unlike typosquatting, which exploits mistakes, combosquatting creates intentionally misleading but grammatically correct domains that appear to be official subdomains or services of your brand.
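As an added illustration (not the product's own code), the following Python sketch applies the check described above: it strips the public suffix from a candidate domain, looks for the brand string in the registrable label, and reports which category keywords were combined with it, handling hyphenated and run-together forms alike. The keyword lists and the small public-suffix sample are constructed assumptions for the demo.

```python
import re

# Constructed keyword lists illustrating the categories described above; a real
# system would maintain and update these rather than hard-code them.
COMBO_TERMS = {
    "security": {"secure", "security", "verify", "login", "signin", "account", "auth", "alert"},
    "action":   {"pay", "payment", "billing", "checkout", "portal", "online", "access"},
    "support":  {"support", "help", "helpdesk", "service", "care", "contact"},
    "regional": {"us", "uk", "eu", "de", "global", "intl", "corp"},
}

# Constructed public-suffix sample, multi-label entries first; use the Public
# Suffix List in production.
KNOWN_SUFFIXES = ("co.uk", "com.au", "com", "net", "org", "io", "info", "uk", "de")

def registrable_label(domain: str) -> str:
    """Lower-case label directly left of the public suffix, subdomains dropped."""
    d = domain.lower().strip(".")
    for suffix in KNOWN_SUFFIXES:
        if d.endswith("." + suffix):
            d = d[: -len(suffix) - 1]
            break
    return d.split(".")[-1]  # "secure.paypal-login.com" -> "paypal-login"

def _term_hits(word: str):
    """(category, term) pairs found in one candidate word from the domain label."""
    hits = []
    for category, terms in COMBO_TERMS.items():
        for term in terms:
            # Exact match always counts; a substring match only for terms of four
            # or more letters, so short codes like "us" do not fire inside "plus".
            if word == term or (len(term) >= 4 and term in word):
                hits.append((category, term))
    return hits

def classify_combosquat(domain: str, brand: str):
    """Return (flagged, sorted categories, sorted matched terms) for one domain."""
    label = registrable_label(domain)
    brand = brand.lower()
    if label == brand or brand not in label:
        return (False, [], [])  # the brand's own domain, or no brand string at all
    # Cut the brand out and split the leftover on separators/digits into words,
    # so both "secure-paypal" and "securepaypallogin" yield candidate words.
    words = [w for w in re.split(r"[-_\d\s]+", label.replace(brand, " ")) if w]
    hits = [h for w in words for h in _term_hits(w)]
    if not hits:
        return (False, [], [])  # brand present, but no suspicious combination term
    return (True, sorted({c for c, _ in hits}), sorted({t for _, t in hits}))
```

A domain that merely contains the brand alongside neutral words (for example "mypaypalplus.com") is deliberately not flagged, which keeps this rule from generating noise on unrelated registrations.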
Why Combosquatting Works
- Perceived legitimacy: Domains like "secure-paypal.com" look official at first glance
- Creates urgency: Terms like "verify", "urgent", "security" pressure users to act quickly
- Mimics subdomains: Users expect brands to have multiple subdomains for different services
- SEO exploitation: Attackers can rank for searches like "paypal login" or "apple support"
Attack Vectors
Combosquatting domains are commonly used in:
Email Phishing
Attackers send emails from domains like support-brand.com that appear legitimate in email clients, directing victims to fake login pages.
Social Engineering
Scammers claim to be from "verify-brand.com" support team, using the domain name as proof of legitimacy when contacting victims.
Credential Harvesting
Fake login portals at brand-login.com capture usernames and passwords, then redirect to the real site so victims don't realize they've been compromised.
Tech Support Scams
Fraudulent support services operate from domains like brand-help.com, charging victims for unnecessary services or installing malware.
Detection in Action
Here's how our system would flag a combosquatting attempt:
Pattern Categories We Analyze
Our system monitors for various categories of suspicious combinations without relying on static lists:
Security-Related Terms
Domains combining your brand with authentication, verification, or security terms designed to create false legitimacy and urgency.
Action-Based Combinations
Brand names paired with action verbs or service-related words to mimic official portals and customer service channels.
Regional & Subdomain Mimicry
Combinations suggesting geographic regions, departments, or subdomains to appear as legitimate divisions of your organization.
Emerging Threat Patterns
Our machine learning models continuously identify new combination strategies used by attackers, staying ahead of evolving threats.
Learn More
Explore our other detection methods to understand how we provide comprehensive brand protection: