Typosquatting Search API

Detect typosquatting and look-alike domains that could be used for phishing, brand impersonation, or other malicious activities.

warning

OEM API requires special partner access. Contact FullHunt sales to enable OEM capabilities on your account.

Search Typosquatting Domains

Search for typosquatting domains based on a target domain.

HTTP Request

POST https://fullhunt.io/api/v1/oem/typosquatting/search

Request Body Parameters

Parameter	Required	Type	Description
query	Yes	string	Base domain to search for active typosquatting domains
query_tags	No	object	Key-value pairs for client-specific tracking

Example Request

curl -X POST "https://fullhunt.io/api/v1/oem/typosquatting/search" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "kaspersky.com",
    "query_tags": {
      "client_name": "Kaspersky",
      "workspace": "production"
    }
  }'

Example Response

{
  "base_domain": "kaspersky.com",
  "total": 5,
  "typosquatting_domains": [
    {
      "domain": "kaspserky.com",
      "base_domain": "kaspersky.com",
      "type": "TypoSquatting",
      "dns": {
        "a": ["192.0.2.45"],
        "aaaa": [],
        "mx": ["mail.kaspserky.com"],
        "ns": ["ns1.registrar.com", "ns2.registrar.com"],
        "cname": [],
        "txt": ["v=spf1 include:_spf.google.com ~all"],
        "ptr": []
      },
      "last_seen": 1735747200,
      "date_added": 1704153600
    },
    {
      "domain": "kasperski.com",
      "base_domain": "kaspersky.com",
      "type": "TypoSquatting",
      "dns": {
        "a": ["198.51.100.88"],
        "aaaa": ["2001:db8::2"],
        "mx": [],
        "ns": ["dns1.parking.net", "dns2.parking.net"],
        "cname": [],
        "txt": [],
        "ptr": []
      },
      "last_seen": 1735747200,
      "date_added": 1703548800
    },
    {
      "domain": "kaspersky-support.com",
      "base_domain": "kaspersky.com",
      "type": "TypoSquatting",
      "dns": {
        "a": ["203.0.113.10"],
        "aaaa": [],
        "mx": ["mx.kaspersky-support.com"],
        "ns": ["ns1.cloudflare.com", "ns2.cloudflare.com"],
        "cname": [],
        "txt": ["v=spf1 a mx ~all"],
        "ptr": []
      },
      "last_seen": 1735747200,
      "date_added": 1702339200
    },
    {
      "domain": "caspersky.com",
      "base_domain": "kaspersky.com",
      "type": "TypoSquatting",
      "dns": {
        "a": ["198.18.0.25"],
        "aaaa": [],
        "mx": [],
        "ns": ["park1.domain.com", "park2.domain.com"],
        "cname": [],
        "txt": [],
        "ptr": []
      },
      "last_seen": 1735747200,
      "date_added": 1701734400
    },
    {
      "domain": "kaspersky.co",
      "base_domain": "kaspersky.com",
      "type": "TypoSquatting",
      "dns": {
        "a": ["192.0.2.100"],
        "aaaa": [],
        "mx": [],
        "ns": ["ns1.example.net", "ns2.example.net"],
        "cname": ["redirect.example.com"],
        "txt": [],
        "ptr": []
      },
      "last_seen": 1735747200,
      "date_added": 1700524800
    }
  ]
}

Response Fields

Field	Type	Description
`base_domain`	string	The queried base domain
`total`	integer	Total number of typosquatting domains found
`typosquatting_domains`	array	Array of typosquatting domain objects

Typosquatting Domain Object Fields

Field	Type	Description
`domain`	string	The typosquatting domain discovered
`base_domain`	string	The original/legitimate domain
`type`	string	Type of threat (always "TypoSquatting")
`dns`	object	DNS records for the typosquatting domain
`dns.a`	array	IPv4 addresses
`dns.aaaa`	array	IPv6 addresses
`dns.mx`	array	Mail server records
`dns.ns`	array	Name server records
`dns.cname`	array	Canonical name records
`dns.txt`	array	Text records
`dns.ptr`	array	Pointer records
`last_seen`	integer (Unix timestamp)	Most recent verification timestamp
`date_added`	integer (Unix timestamp)	When domain was first discovered

Common Typosquatting Patterns

The API detects various typosquatting techniques:

Character Swapping: kaspersky.com → kaspserky.com
Character Substitution: kaspersky.com → caspersky.com (k→c), kasperski.com (y→i)
TLD Variations: kaspersky.com → kaspersky.co, kaspersky.net
Word Addition: kaspersky.com → kaspersky-support.com
Homoglyph Attacks: Using similar-looking characters from different alphabets
Keyboard Proximity: Characters close on keyboard layout

Use Cases

Brand Protection

Monitor for domains similar to your brand
Detect potential phishing sites
Track domain squatting attempts
Identify brand impersonation early

Threat Intelligence

Identify impersonation domains targeting your organization
Correlate typosquatting with phishing campaigns
Assess brand abuse risk
Track threat actor infrastructure

Partner Integration

Integrate brand monitoring into security platforms
Provide domain monitoring services to clients
Build comprehensive brand protection solutions
Offer typosquatting detection as a service

DNS Records Analysis

The API provides complete DNS records for each typosquatting domain, enabling:

Infrastructure Analysis: Identify hosting providers and IP addresses
Email Server Detection: Check if domain has MX records (potential phishing)
Name Server Tracking: Identify domain registrars and DNS providers
TXT Record Analysis: Check for SPF, DKIM, DMARC configurations

Query Tags for Tracking

Use the query_tags parameter to track searches by client or context:

{
  "query_tags": {
    "client_id": "client_123",
    "client_name": "Kaspersky Lab",
    "workspace": "production",
    "user_id": "user456",
    "scan_id": "scan_789"
  }
}

Rate Limiting

OEM Typosquatting Search API has custom rate limits based on your partner agreement:

Negotiated limits based on usage requirements
Burst capacity for high-volume periods
Priority processing for partner requests

Error Handling

The API returns standard HTTP status codes:

Status Code	Description
200	Success
400	Bad Request - Invalid parameters
401	Unauthorized - Invalid API key
403	Forbidden - OEM access not enabled or credit exhausted
429	Rate limit exceeded
500	Internal server error

Example Error Response

{
  "error": "Missing required parameter: 'query'"
}

Security Considerations

All data is transmitted over HTTPS
API keys should be kept secure and rotated regularly
Results contain discovered typosquatting domains that may be malicious
Consider implementing additional validation before taking action on results

Triggering Scans

You can trigger an on-demand scan to discover typosquatting domains:

Use the On-Demand Scan API:

curl -X POST "https://fullhunt.io/api/v1/oem/on-demand-scan" \
  -H "X-API-KEY: xxxx-xxxx-xxxx-xxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "domain",
    "target": "acme.com"
  }'

Best Practices

Trigger Scans First: Use on-demand scan API to ensure fresh data for new domains
Regular Monitoring: Query your critical domains regularly (daily/weekly)
Automated Alerts: Set up notifications when new typosquatting domains are discovered
Takedown Process: Establish procedures for reporting/taking down malicious domains
Historical Tracking: Use date_added and last_seen to track domain lifecycle
DNS Analysis: Review DNS records to assess threat level and hosting infrastructure

Search Typosquatting Domains​

Common Typosquatting Patterns​

Use Cases​

Brand Protection​

Threat Intelligence​

Partner Integration​

DNS Records Analysis​

Query Tags for Tracking​

Rate Limiting​

Error Handling​

Security Considerations​

Triggering Scans​

Best Practices​