‘Simple but dangerous’ – Top VPNs targeted by typosquatting as 14% of fake domains found to be malicious


  • TechRadar investigation found five VPNs impacted by typosquatting
  • Around 14% of the 980+ domains are malicious
  • Serves as a reminder to always double check the URL

Cybercriminals employ a range of tactics to distribute malware and harvest data, but few are as simple as the misuse of fraudulent web domains. While often associated with targeting online shoppers, a new TechRadar investigation has found that even users of the world’s most secure VPN providers are not immune to these attacks.

The technique – known as typosquatting – involves threat actors registering domain names that are near-identical to popular websites, relying on intentional misspellings or subtle character swaps. The goal is to catch users who make a minor slip at the keyboard, redirecting them to a dangerous landing page before they realize the mistake.

TechRadar’s Lead Security Reviewer, Mike Williams, identified over 980 of these lookalike domains targeting major VPN companies, including NordVPN, Proton VPN, Surfshark, ExpressVPN, and Private Internet Access (PIA).

While many of these sites were parked or inactive, approximately 14% were found to contain active threats, ranging from phishing and malicious advertisements to direct malware distribution.

Williams described typosquatting as a "simple but dangerous attack," noting that many users fail to spot the threat even under close inspection. "Some misspelled domain names are so similar to the original that they're really difficult to spot, even when you look closely," he explains.

To quantify the risk to those seeking privacy tools, Williams used a detection service to analyze the volume of fraudulent domains mimicking five of TechRadar’s top-rated VPN apps.

This research generated an extensive list of typosquatted domains, which Williams then investigated using NordVPN Threat Protection Pro. By running the domains through this security suite, he was able to identify exactly how many were flagged as active threats.

Typosquatting investigation findings

| VPN service | URLs tested | Threats found | Malware | Phishing | Dangerous ads | Trackers | Misc. security issues | Copycat sites |
|---|---|---|---|---|---|---|---|---|
| ExpressVPN | 302 | 34 (11.3%) | 5 | 4 | 9 | 2 | N/A | 14 |
| NordVPN | 256 | 21 (8.2%) | 10 | 1 | 1 | 1 | 5 | 3 |
| Surfshark | 204 | 49 (24%) | 32 | 1 | N/A | 1 | 6 | 9 |
| Private Internet Access (PIA) | 112 | 4 (3.6%) | 2 | N/A | N/A | N/A | 1 | 1 |
| Proton VPN | 110 | 32 (29.1%) | 3 | 7 | 1 | N/A | 6 | 15 |

While ExpressVPN, NordVPN, and Surfshark emerged as the primary targets for typosquatters, Proton VPN faced the most aggressive threat landscape, with 29% of its associated fake domains flagged as malicious.

Conversely, PIA appeared to be the least targeted – of the 112 lookalike domains identified, only four were found to be potentially dangerous.

Encouragingly, some providers are taking proactive steps to combat the issue by registering and redirecting common misspellings back to their legitimate sites. ExpressVPN led on this front, securing at least 22 such domains to protect its users from keyboard slips.

As Williams explains, attackers rely on the difficulty of spotting a deceptive URL. "If the dodgy domain points to a fake site dressed up to look like the website you expect, there may not be any reason to look closely. You might just assume you're in the right place," he said.

While it is difficult to quantify the exact risk these sites pose to everyday users, landing on a site infested with malware and invasive trackers can jeopardize the security of your device and data privacy – precisely what you are trying to avoid by signing up for a virtual private network (VPN) service.

Beyond the threat of infection, TechRadar found at least 42 typosquatted domains redirecting to fraudulent copycat storefronts. These sites are designed to trick users into making a purchase, effectively handing over sensitive banking details to cybercriminals.

Web browsing isn't the only vector for these attacks, either. Williams notes that these fraudulent URLs are frequently used as bait in phishing emails and social media posts. Attackers deploy them in the hope that a user will see a URL that looks "about right" and trust that it is safe to click.

VPN companies respond

When approached by TechRadar, all five VPN providers confirmed they are actively monitoring typosquatting campaigns.

"Brand trust is important in the cybersecurity industry, and when you combine that with high brand visibility, it creates an appealing opportunity for bad actors looking to exploit user confidence through brandjacking and typosquatting," said a NordVPN spokesperson.

ExpressVPN noted that the global, open nature of domain registration makes this a difficult trend to curb. "Anyone can register a domain at any time and publish impersonation or misleading content without authorization," the company said.

While it isn’t a company's legal responsibility to police the entire internet for fraudulent URLs, all the brands we spoke to have established mitigation strategies.

Paulius Dauknys, Head of Risk Management at Surfshark, described the situation as an ongoing "cat and mouse" dynamic. "New domains often appear shortly after others are taken down," he warned.

The process typically begins with automated web monitoring to flag suspicious or near-identical URLs. These domains are then analyzed for risk before the providers coordinate with hosting companies and registrars to have the fraudulent sites removed.

However, even with these systems in place, the process remains slow. "The domain dispute process can still take a considerable amount of time," noted David Peterson, General Manager of Proton VPN.

How to stay safe

The findings of this investigation serve as a stark reminder that even routine browsing can jeopardize your digital security. It only takes a single slip on the keyboard to land on a compromised page.

As Mike Williams notes, there is no single, silver bullet solution to the problem. "Chrome first added basic URL checking in 2019, but it missed the vast majority of dangerous domains in our tests," he said.

However, there are some easy-to-follow steps to mitigate the chances of falling victim to typosquatting:

  • Scrutinize the URL: Remember, even one letter can land you on some dangerous websites. When in doubt, run the URL through a link checker tool to check for safety.
  • Look for commonly switched characters or missing characters: Domains like 'n0rdvpn.com' or 'norvpn.com' are very common as they are more difficult to spot. You should also be wary of URLs that just add common words like 'login', 'support', or 'store' to a domain name.
  • Bookmark the originals: Once you have verified a provider's legitimate homepage, save it to your bookmarks. Using a trusted bookmark is the most reliable way to avoid the risks of manual typing or clicking suspicious links.
  • Download your VPN app from official sites: Whenever possible, it's advisable to download your application from official app stores.
  • Verify before you click: Treat ads and unsolicited emails with caution. If you are unsure about a link, manually type the known URL into your browser or use a link-checker tool to verify its safety.
  • Use a malware and ad-blocker: Use a dedicated malware and ad-blocker. These tools are specifically designed to intercept phishing attempts and malicious scripts, providing a final safety net even if you accidentally click a "dodgy" link.
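
The lookalike patterns listed above (swapped characters, missing characters, and appended words such as 'login') can also be checked automatically, for example over domains seen in DNS or proxy logs. The sketch below is an added example, not a tool used in the TechRadar investigation; the brand list, the swap table, and the sample domain 'nordvpn-login.com' are constructed for illustration.

```python
# Constructed inputs: brand labels and keywords follow the article's examples.
BRANDS = ["nordvpn", "protonvpn", "surfshark", "expressvpn", "privateinternetaccess"]
KEYWORDS = ("login", "support", "store")
# Digit-for-letter swaps (illustrative, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each counted as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain):
    """Return (brand, reason) if the domain looks like a typosquat, else None."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    label = parts[-2]  # assumes a single-label TLD such as .com (no public-suffix handling)
    if label in BRANDS:
        return None  # exact brand label; other-TLD registrations are out of scope here
    joined = label.replace("-", "")
    for brand in BRANDS:
        if label.translate(SWAPS) == brand:
            return brand, "character swap"
        if any(joined in (brand + kw, kw + brand) for kw in KEYWORDS):
            return brand, "added keyword"
        if edit_distance(label, brand) <= 1:
            return brand, "one-character typo"
    return None


if __name__ == "__main__":
    # Constructed sample of observed domains, e.g. from DNS or proxy logs.
    for name in ["n0rdvpn.com", "norvpn.com", "nordvpn-login.com", "nordvpn.com"]:
        print(name, "->", classify(name))
```

A match here only means the name resembles a brand; as the investigation found, many such domains are parked or are defensive registrations owned by the provider, so flagged names still need a reputation or content check.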

Chiara Castro
News Editor (Tech Software)
