Understanding Typosquatting
Typosquatting is a form of cybersquatting that targets users who incorrectly type a website address into their browser. This social engineering technique relies on the predictable mistakes people make when manually entering URLs.
Common typosquatting methods include:
- Simple keyboard typos (pressing adjacent keys)
- Character omission (forgetting a letter)
- Character transposition (swapping letters)
- Character replacement (using similar-looking characters)
- Domain hyphenation (adding hyphens between words)
- TLD variation (using .co, .cm instead of .com)
According to 2015 research, over one-fifth of all .com domain registrations are now typo domains, with the number growing each year. This isn't just annoying – it's potentially devastating for both individuals and organizations.
Google's googleapis.com Domain
Before getting into the findings, let's understand what makes googleapis.com particularly valuable to attackers.
The googleapis.com domain serves as one of the primary endpoints that developers integrate into their applications. This includes high-volume services like:
- Google Fonts API
- Cloud Storage (i.e. Google's version of S3)
When developers make API calls to these services, they typically use endpoints like https://domains.googleapis.com or other service-specific subdomains. The domain handles billions of API requests daily from applications worldwide.
A simple example for Google Fonts usage:
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
A simple example for Google-hosted Bootstrap and jQuery usage:
<script src="https://ajax.googleapis.com/ajax/libs/bootstrap/5.3.3/js/bootstrap.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
Keyboard Proximity Search & WHOIS Data
I began looking into potential typosquatting vectors for googleapis.com using keyboard proximity analysis to identify likely typos. Using a combination of algorithm-generated typo permutations and manual analysis of common developer mistakes, I identified a list of high-risk domain variations.
The next step was querying WHOIS servers to determine registration status, ownership patterns, and potential malicious indicators for these domains.
Here's what I found when analyzing key typosquatting domains:
domain | registrar | registrant | creation_date | expiration_date | last_updated | name_servers |
---|---|---|---|---|---|---|
gogleapis.com | 123-Reg Limited | | 2014-09-09T09:48:31 | 2025-09-09T09:48:31 | 2024-09-10T11:26:32 | NS2.HE.NET, NS3.HE.NET, NS4.HE.NET, NS5.HE.NET
googleapis.net | Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn) | | 2024-12-18T00:37:42 | 2025-12-18T00:37:42 | 2024-12-18T00:53:02 | ARMFAZH.NS.CLOUDFLARE.COM, STELLA.NS.CLOUDFLARE.COM
googleapk.com | eName Technology Co.,Ltd. | | 2010-11-16T14:45:23 | 2025-11-16T14:45:23 | 2024-11-02T02:48:30 | NS3.DNS.COM, NS4.DNS.COM
googleapjs.com | GoDaddy Online Services Cayman Islands Ltd. | | 2019-08-31T18:04:30 | 2025-08-31T18:04:30 | 2024-09-01T11:12:19 | NS01.DOMAINCONTROL.COM, NS02.DOMAINCONTROL.COM
gooogleapis.com | GoDaddy.com, LLC | | 2020-02-14T20:02:51 | 2026-02-14T20:02:51 | 2025-03-02T18:22:24 | NS43.DOMAINCONTROL.COM, NS44.DOMAINCONTROL.COM
googeapis.com | GRANSY S.R.O D/B/A SUBREG.CZ | NEROSO Inst., s.r.o. | 2022-07-18T12:40:02 | 2025-07-18T12:40:02 | 2024-06-19T13:45:03 | NS.PARKTONS.COM, NS2.PARKTONS.COM |
googleapi.com | MarkMonitor, Inc. | Google LLC | 2004-04-02T17:56:34 | 2026-04-02T16:56:34 | 2025-03-01T10:21:12 | NS1.GOOGLEDOMAINS.COM, NS2.GOOGLEDOMAINS.COM, NS3.GOOGLEDOMAINS.COM, NS4.GOOGLEDOMAINS.COM |
googleapis.com | MarkMonitor, Inc. | Google LLC | 2005-01-25T17:52:26 | 2026-01-25T17:52:26 | 2024-12-24T10:14:22 | NS1.GOOGLE.COM, NS2.GOOGLE.COM, NS3.GOOGLE.COM, NS4.GOOGLE.COM |
googlepis.com | MarkMonitor, Inc. | Google LLC | 2016-07-13T18:37:34 | 2025-07-13T18:37:34 | 2024-06-11T09:51:33 | NS1.GOOGLEDOMAINS.COM, NS2.GOOGLEDOMAINS.COM, NS3.GOOGLEDOMAINS.COM, NS4.GOOGLEDOMAINS.COM |
googleapp.com | MarkMonitor, Inc. | Google LLC | 2008-05-15T16:50:26 | 2025-05-15T16:50:26 | 2024-04-13T10:12:48 | NS1.GOOGLEDOMAINS.COM, NS2.GOOGLEDOMAINS.COM, NS3.GOOGLEDOMAINS.COM, NS4.GOOGLEDOMAINS.COM |
googleqpis.com | MarkMonitor, Inc. | Google LLC | 2024-03-13T20:44:37 | 2026-03-13T20:44:37 | 2025-03-14T07:45:54 | NS1.GOOGLEDOMAINS.COM, NS2.GOOGLEDOMAINS.COM, NS3.GOOGLEDOMAINS.COM, NS4.GOOGLEDOMAINS.COM |
gogleapi.com | NAMECHEAP INC | Privacy service provided by Withheld for Privacy ehf | 2024-03-07T16:00:48 | 2026-03-07T16:00:48 | 2025-02-05T07:56:30 | DNS1.NAMECHEAPHOSTING.COM, DNS2.NAMECHEAPHOSTING.COM |
googieapis.com | NAMECHEAP INC | Privacy service provided by Withheld for Privacy ehf | 2017-05-13T23:14:13 | 2025-05-13T23:14:13 | 2024-05-03T22:49:43 | HAL.NS.CLOUDFLARE.COM, JADE.NS.CLOUDFLARE.COM |
gogleapi.com | NAMECHEAP INC | Privacy service provided by Withheld for Privacy ehf | 2024-03-07T16:00:48 | 2026-03-07T16:00:48 | 2025-02-05T07:56:30 | DNS1.NAMECHEAPHOSTING.COM, DNS2.NAMECHEAPHOSTING.COM |
googlrapis.com | NAMECHEAP INC | Privacy service provided by Withheld for Privacy ehf | 2016-03-07T16:54:46 | 2026-03-07T16:54:46 | 2025-02-05T07:53:36 | DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM |
googapis.com | NAMECHEAP INC | Privacy service provided by Withheld for Privacy ehf | 2016-03-08T07:37:11 | 2026-03-08T07:37:11 | 2025-02-06T07:26:39 | DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM |
googpeapi.com | NameCheap, Inc. | | 2024-07-05T16:20:48 | 2025-07-05T16:20:48 | 2024-07-05T16:31:39 | ANGELINA.NS.CLOUDFLARE.COM, EMERSON.NS.CLOUDFLARE.COM
googleapls.com | NameSilo, LLC | See PrivacyGuardian.org | 2019-04-23T03:45:31 | 2025-04-23T03:45:31 | 2024-03-26T00:44:20 | KALLIE.NS.CLOUDFLARE.COM, VALENTIN.NS.CLOUDFLARE.COM |
googleapics.com | NameSilo, LLC | See PrivacyGuardian.org | 2024-11-07T11:00:25 | 2025-11-07T11:00:25 | 2024-11-07T11:00:26 | NS1.HOST-WW.NET, NS2.HOST-WW.NET |
googleapls.com | NameSilo, LLC | See PrivacyGuardian.org | 2019-04-23T03:45:31 | 2025-04-23T03:45:31 | 2024-03-26T00:44:20 | KALLIE.NS.CLOUDFLARE.COM, VALENTIN.NS.CLOUDFLARE.COM |
googleaips.com | REGISTER S.P.A. | REDACTED FOR PRIVACY | 2024-08-26T11:56:57 | 2025-08-26T11:56:57 | 2024-08-26T12:07:02 | NS1.REGISTER.IT, NS2.REGISTER.IT |
googlaepis.com | Registrar of Domain Names REG.RU LLC | | 2017-01-27T07:07:36 | 2026-01-27T07:07:36 | 2024-11-06T09:32:53 | ISLA.NS.CLOUDFLARE.COM, ROCKY.NS.CLOUDFLARE.COM
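
To see which of the typo methods listed earlier each registered name corresponds to, the following added example (not the author's tooling) classifies domains from the table against googleapis.com. The QWERTY adjacency map, the category names and the `classify` and `triage` helpers are assumptions made for this illustration; it expects bare registrable domains without subdomains.

```python
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # QWERTY letter rows

def build_adjacency():
    """Neighbouring keys on a staggered QWERTY layout (letters only)."""
    adj = {}
    for r, row in enumerate(ROWS):
        for c, key in enumerate(row):
            spots = [(r, c - 1), (r, c + 1), (r - 1, c), (r - 1, c + 1),
                     (r + 1, c - 1), (r + 1, c)]
            adj[key] = {ROWS[y][x] for y, x in spots
                        if 0 <= y < len(ROWS) and 0 <= x < len(ROWS[y])}
    return adj

ADJACENT = build_adjacency()

def classify(candidate, trusted="googleapis.com"):
    """Name the single typo that turns `trusted` into `candidate`, if any."""
    c_sld, c_tld = candidate.lower().rsplit(".", 1)
    t_sld, t_tld = trusted.rsplit(".", 1)
    if c_sld == t_sld:
        return "genuine" if c_tld == t_tld else "tld-variation"
    if c_sld.replace("-", "") == t_sld:
        return "hyphenation"
    if len(c_sld) == len(t_sld):
        diffs = [i for i, (x, y) in enumerate(zip(c_sld, t_sld)) if x != y]
        i = diffs[0]
        if len(diffs) == 1:
            near = ADJACENT.get(t_sld[i], ())
            return "adjacent-key" if c_sld[i] in near else "replacement"
        if diffs == [i, i + 1] and c_sld[i:i + 2] == t_sld[i:i + 2][::-1]:
            return "transposition"
    if any(t_sld[:i] + t_sld[i + 1:] == c_sld for i in range(len(t_sld))):
        return "omission"
    if any(c_sld[:i] + c_sld[i + 1:] == t_sld for i in range(len(c_sld))):
        return "insertion"
    return "multiple-edits"

# Domains copied from the WHOIS table above.
TABLE_DOMAINS = ("gogleapis.com googleapis.net googleapjs.com gooogleapis.com "
                 "googeapis.com googleqpis.com googieapis.com googlrapis.com "
                 "googleapls.com googleapics.com googleaips.com googlaepis.com "
                 "googleapk.com").split()

def triage(domains=TABLE_DOMAINS):
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for domain, kind in triage().items():
        print(f"{domain:18} {kind}")
```

Names that differ by more than one edit, such as googleapk.com, fall into the multiple-edits bucket and need manual review.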
Findings
- Legitimate Google Domains vs. Typosquats: The domains registered by Google LLC through MarkMonitor (googleapis[.]com, googleapi[.]com, googlepis[.]com, googleapp[.]com, googleqpis[.]com) all use Google's nameservers. This is expected, as it's possible that Google proactively registers common typos to protect users. However, I identified 17 typosquatted variations present in the dataset that aren't likely controlled by Google.
- Recently Registered Domains (Potential Threats): Several domains were registered in the past year, suggesting active typosquatting campaigns:
  - googleapis[.]net (Dec 2024) - Alibaba Cloud, using Cloudflare nameservers
  - gogleapi[.]com (Mar 2024) - NAMECHEAP, using Namecheap hosting
  - googpeapi[.]com (Jul 2024) - NameCheap, using Cloudflare nameservers
  - googleapics[.]com (Nov 2024) - NameSilo, using Host-WW nameservers
  - googleaips[.]com (Aug 2024) - REGISTER S.P.A., using Register.it nameservers
- Long-lived Typosquats: Some typosquatting domains have been active for surprisingly long periods:
  - gogleapis[.]com (since 2014)
  - googleapk[.]com (since 2010)

  These long-established domains may have built significant traffic over time.
- Very Recent Activity: The domain googleqpis[.]com was updated on March 14, 2025 (today!)
My Experiment
To quantify the real-world impact of typosquatting against googleapis.com, I conducted a controlled experiment:
Methodology:
The particular typo I targeted (.cm instead of .com) has been documented as a frequent typosquatting vector. According to research by Brian Krebs, .cm typosquatting sites received over 12 million visits in just the first quarter of 2018.
- I registered the domain googleapis[.]cm (Cameroon TLD)
- Implemented a Matomo instance to track visitors
- Created a minimal PHP endpoint, using Matomo PHP SDK, at *.googleapis[.]cm
Results:
Within just 24 hours, my typosquatted domain received connections from several surprising sources:
- A United States-based medical service organization that provides services to more than 20,000 healthcare organizations
- An Indonesian government organization
- A water purification facility
- A media publication tool
- A small social media website
- An online education platform
The affected organizations have been notified about the vulnerability in their code.
Exploitation Methods
Had a malicious actor controlled any typosquatted variant of googleapis.com—whether through TLD confusion (.cm, .co, .net), character omission (googleapi.com), character insertion (gooogleapis.com), or character transposition (googelapis.com)—they could exploit any website that accidentally referenced these misspelled domains in their code. These attack vectors aren't limited to the .cm TLD example from my experiment; they apply to any typosquatted variant that appears in a website's HTML, CSS, or JavaScript. Here's how attackers could exploit different types of mistyped Google API endpoints:
- For fonts.googleapis[.]cm (CSS resources): Attackers controlling this domain could return weaponized CSS using attribute selectors to exfiltrate sensitive data from form fields and page content, effectively creating data-stealing stylesheets. They might deploy specially crafted font files with malicious ligatures that capture and leak information when specific character combinations are displayed, or implement CSS-based keyloggers that track user input through clever selector combinations and background image requests that encode captured keystrokes in the requested URL parameters.
- For ajax.googleapis[.]cm (JavaScript libraries): By controlling this domain, attackers could serve compromised versions of popular JavaScript libraries like jQuery or Angular with embedded backdoors or tracking code that executes in the context of the victim site. These malicious scripts could harvest form data, cookies, and authentication tokens; manipulate the DOM to alter page content, insert convincing phishing forms, or redirect users to fraudulent sites; and even inject cryptojacking scripts that silently mine cryptocurrency using visitors' CPU resources, all while appearing to come from a trusted Google domain.
- For storage.googleapis[.]cm: Controlling this domain would allow attackers to serve malicious executables, libraries, or container images in place of legitimate software that developers and applications expect to download from Google's storage. This creates a particularly dangerous vector for software supply chain attacks where deployment pipelines, CI/CD systems, or automated update mechanisms unknowingly pull and integrate compromised packages, potentially affecting thousands of downstream systems and providing persistent access that survives beyond the initial compromise.
The impact of such an attack could be especially severe as the malicious code would execute with the privileges of the trusted website domain, bypassing same-origin policy protections. For websites handling sensitive information—like the healthcare organization in my findings—this could lead to HIPAA violations and exposure of protected health information.
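One way a site owner can catch such references before they ship, as an added example that is not part of the original post: scan HTML, CSS or JavaScript for hostnames whose second-level label is within two edits of googleapis, or that pair the correct label with a different TLD. The distance threshold, the function names and the sample markup are assumptions constructed for illustration.

```python
import re

TRUSTED = ("googleapis", "com")  # (second-level label, TLD) the page is about
MAX_DISTANCE = 2                 # assumption: flag labels within two edits
# Hostname after "//" (absolute or protocol-relative URL) in HTML, CSS or JS.
HOST_RE = re.compile(r"//((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def find_lookalikes(text, trusted=TRUSTED, max_distance=MAX_DISTANCE):
    """Return (line, host, kind, distance) for hosts that resemble `trusted`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            # Assumption: last two labels; real code should use the Public Suffix List.
            sld, tld = host.split(".")[-2:]
            if (sld, tld) == trusted:
                continue  # the genuine domain
            dist = osa_distance(sld, trusted[0])
            if dist == 0:
                findings.append((lineno, host, "tld-variation", 0))
            elif dist <= max_distance:
                findings.append((lineno, host, "typo", dist))
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE_HTML = """\
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Tangerine">
<link rel="stylesheet" href="https://fonts.googleapis.cm/css?family=Tangerine">
<script src="https://ajax.gogleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="//ajax.googelapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<img src="https://cdn.example.org/logo.png">
"""

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE_HTML):
        print(finding)
```

Run as a pre-commit or CI step over templates and built assets, any finding should fail the build, since a near-miss of a trusted host in a resource URL is almost never intentional.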
Conclusion
A single mistyped character in a domain name can lead to data breaches, credential theft, and malware distribution. The financial and reputational damage from such attacks can be enormous, especially when they impact critical infrastructure or healthcare organizations.