From Typos to Treason: The Dangerous Fun of Government Domain Squatting

Hey there 👋 Since you’re reading this, chances are you’ve got some chaos brewing in your brain—I love it.

For legal reasons I must kindly ask you to read and actually understand my disclaimer.

Disclaimer:

The information provided on this blog is for educational purposes only. The use of hacking tools discussed here is at your own risk.

For the full disclaimer, please click here.

Full full disclosure: I did have written permission to do this. And anything I didn’t have written permission for is wildly exaggerated fiction—pure imagination, no receipts, no logs, nothing but brain static.

Now, another fair warning: this post is about to get particularly hairy. So seriously, do not try this without proper written consent, unless you have an unshakable desire to land yourself in a world of trouble.

Intro

I get bored really easily 😪. And when boredom strikes, I usually start a new project. Honestly, the fact that I’m still sticking with this blog is nothing short of a miracle. Could this be my forever project? Who knows—place your bets.

Anyway, purely by accident, I stumbled across a tool that I immediately recognized as easy mode for typosquatting and bitsquatting. The tool itself was kinda trash, but it did spark a deliciously questionable thought in my brain:

“Can I intercept sensitive emails from government organizations and snatch session tokens and API keys?”

To keep you on the edge of your seat (and slightly concerned), the answer is: Yes. Yes, I can. And trust me, it’s way worse than you think.

It’s always the stupidly simple ideas that end up working the best.

Typosquatting

Typosquatting, also called URL hijacking, a sting site, a cousin domain, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser. A user accidentally entering an incorrect website address may be led to any URL, including an alternative website owned by a cybersquatter.

Wikipedia

Basically, you register kark.fail, kick back, and wait for people to fat-finger karl.fail — and trust me, they will. Congratulations, you just hijacked some of my traffic without lifting a finger. It’s like phishing, but lazier.

Bitsquatting

Bitsquatting is a form of cybersquatting which relies on bit-flip errors that occur during the process of making a DNS request. These bit-flips may occur due to factors such as faulty hardware or cosmic rays. When such an error occurs, the user requesting the domain may be directed to a website registered under a domain name similar to a legitimate domain, except with one bit flipped in their respective binary representations.

Wikipedia

You register a domain that is a single bit off from your target. For my site you could register “oarl.fail”:

  • ASCII of “k” = 01101011
  • Flipping the third-to-last bit gives 01101111, which is “o”
  • So “karl” → “oarl”

The flip has to land on a bit that still yields a valid hostname character; flipping most of the other bits of “k” gives you punctuation or an uppercase letter (which DNS treats as the same name), so only a handful of variants per character are usable.

Personally I have had 0 success with this, but apparently it still works.

The Setup

Now that you know the basics, you’re officially armed with enough knowledge to cause some mild chaos 🎉.

Here’s what we need to get started:

  • Money – Because sadly, domains don’t buy themselves.
  • A domain registrar account – I use Namecheap
  • Cloudflare account (optional, but much recommended)
  • A server connected to the internet – I use Hetzner (optional but also recommended)

Getting a Domain

You should probably know this if you’re planning to hack the government (or, you know, just theoretically explore some questionable cyberspace).

Step one:

Follow all the steps on Namecheap—or whichever registrar you fancy. You can probably find one that takes Bitcoin or Monero, if you want.

For generating typo domains effortlessly, I use ChatGPT:

Give me the top 5 most common typos english speaking people make for the domain "karl.fail" on a qwerty keyboard.

ChatGPT does not know .fail is a valid TLD, but you get the point.

Step two

Add your domain to Cloudflare—unless, of course, you’re feeling extra ambitious and want to host your own Mailserver and Nameserver. But let’s be real, why suffer?

Edit the “Nameservers” setting on Namecheap

Mailserver

I highly recommend Mailcow, though it might be complete overkill for this—unless your job involves hacking governments. In that case, totally worth it.

Nameserver

This is the best tutorial I could find for you—he’s using CoreDNS.

In my tests, I used Certainly, which built a small authoritative DNS server with this Go library.

The big perk of running your own nameserver is that you get to log every DNS query for your domain. Many pentesters treat DNS as passive recon because the queries go to resolvers rather than to the target’s web servers, which is why otherwise noisy tasks like brute-forcing subdomains usually go unnoticed. But every query for a name under the target’s domain eventually reaches its authoritative nameserver, so if your target runs that server themselves, they’ll see you poking around.

I went with a different setup because DNS logs are a mess—super noisy and, honestly, boring. Everyone and their mom ends up enumerating your domain until kingdom come.

Beware! Different top-level domain organizations have different expectations for name servers. I ran into some trouble with the .de registry, DENIC—they insisted I set up two separate nameservers on two different IPs in two different networks. Oh, and they also wanted pretty SOA records before they’d even consider my .de domains.

Save yourself the headache—double-check the requirements before you spend hours wrecking yourself.

Hetzner Server

Any server, anywhere, will do—the goal is to host a web server of your choice and capture all the weblogs. I’ll be using Debian and Caddy for this.

The cheapest server on Hetzner

We’ll be building our own Caddy with the Cloudflare plugin because I couldn’t get wildcard certificates to work without it. Plus, I always use Cloudflare (❤️ you guys).

Installation of Go (current guide):

sudo apt update && sudo apt upgrade -y
wget https://go.dev/dl/go1.23.5.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.23.5.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.profile
source ~/.profile

Build Caddy with Cloudflare-DNS

The official guide is here.

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
sudo mv ~/go/bin/xcaddy /usr/local/bin/
xcaddy build --with github.com/caddy-dns/cloudflare
sudo mv caddy /usr/local/bin/
caddy version

Getting a Cloudflare API Token

To get the API token just follow the Cloudflare docs. I set mine with these permissions:

All zones - Zone:Read, SSL and Certificates:Edit, DNS:Edit

If you only need a handful of zones, scope the token to those zones instead of all of them; it sits on the server in plaintext, so keep it as narrow as you can.

Here is also the official page for the Cloudflare-DNS Plugin.

The variable name has to match what the Caddyfile reads ({env.CLOUDFLARE_API_TOKEN}), and the systemd unit picks it up from /etc/default/caddy, which only root needs to read:

export CLOUDFLARE_API_TOKEN="your_cloudflare_api_token"
echo 'CLOUDFLARE_API_TOKEN="your_cloudflare_api_token"' | sudo tee /etc/default/caddy > /dev/null
sudo chmod 600 /etc/default/caddy

Caddyfile

I am using example domains!

(log_requests) {
	log {
		output file /var/log/caddy/access.log
		format json
	}
}

karlkarlkarl.de, *.karlkarlkarl.de {
	import log_requests

	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	header Content-Type "text/html"
	respond "Wrong!" 200
}

karlkarl.de, *.karlkarl.de {
	import log_requests

	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	header Content-Type "text/html"
	respond "Wrong!" 200
}

Running Caddy as a service

The unit assumes a dedicated caddy user, the Caddyfile saved as /etc/caddy/Caddyfile, a log directory the caddy user can write to, and the binary we just built in /usr/local/bin:

sudo useradd --system -d /var/lib/caddy -m -s /usr/sbin/nologin caddy
sudo mkdir -p /etc/caddy /var/log/caddy
sudo chown caddy:caddy /var/log/caddy
sudo nano /etc/systemd/system/caddy.service

[Unit]
Description=Caddy Web Server
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
EnvironmentFile=/etc/default/caddy
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
RestartSec=5s
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable --now caddy
systemctl status caddy

Everything should work if you closely followed the steps up until now. If not check the caddy.service and Caddyfile. To check logs use:

journalctl -u caddy --no-pager -n 50 -f

Just a heads-up: Caddy redacts credential headers (Authorization, Proxy-Authorization, Cookie and Set-Cookie) in its access logs by default, so they show up as REDACTED. The global option servers { log_credentials } at the top of the Caddyfile switches that off. Only those headers are redacted; anything a client sends in the query string is logged as-is anyway.

{"level":"info","ts":1738162687.1416154,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"1.0.0.1","remote_port":"62128","client_ip":"1.0.0.1","proto":"HTTP/1.1","method":"GET","host":"api.karlkarlkarl.de","uri":"/api/resource","headers":{"User-Agent":["curl/8.7.1"],"Authorization":["REDACTED"],"Accept":["application/json"]}},"bytes_read":0,"user_id":"","duration":0.000052096,"size":0,"status":308,"resp_headers":{"Connection":["close"],"Location":["https://api.karlkarlkarl.de/login"],"Content-Type":[],"Server":["Caddy"]}}
"Authorization":["REDACTED"]

Lame for us 😒. If you want more control over logging, you can use any other server or even build your own. One day I might add this as a feature to my Node-RED-Team stack, including automatic Cloudflare settings via API, just add domain and go.

As I mentioned earlier, I had permission for this, and my scope didn’t allow me to grab actual credentials since they belonged to third parties using the service.

The most interesting things in these logs:

  • Credentials
  • IP addresses
  • Paths
  • Subdomains
  • Cookies and tokens

That should be more than enough to hijack a session and dig up even more data—or at the very least, get some freebies.
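Once the access log starts filling up, the fields worth pulling out are exactly the ones listed above. The script below is an added example, not code from the original post: it reads the JSON-lines format Caddy writes with format json (one “handled request” record per line, like the log line shown earlier) and summarises hosts, paths, source IPs and every request that carried something credential-like. It also flags secrets passed in the query string, which Caddy does not redact. The log lines embedded in SAMPLE_LOG are constructed for this example and use documentation IP ranges.

```python
"""Triage a Caddy JSON access log captured on a typo domain.

Added example, not code from the original post. It reads the JSON-lines
format Caddy writes with `format json` (one "handled request" record per
line) and pulls out what the post lists as interesting: hosts/subdomains,
paths, source IPs, and requests that carried credentials. The log lines in
SAMPLE_LOG are constructed for this example; the IPs are documentation ranges.
"""
import json
import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Headers Caddy redacts by default (logged as "REDACTED") plus common API-key
# headers it does not touch. Header names are matched case-insensitively.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie",
                      "x-api-key", "x-auth-token"}
# Query-string parameter names that usually carry secrets. Caddy logs the
# request URI verbatim, so these are not redacted.
SECRET_PARAM = re.compile(r"token|key|secret|passw|session|sig", re.IGNORECASE)


def parse_line(line):
    """Return the access record, or None for startup messages and non-JSON lines."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("msg") != "handled request":
        return None
    return rec if isinstance(rec.get("request"), dict) else None


def credentials_in(req):
    """List where this request carried something credential-like."""
    found = [f"header:{name}" for name in req.get("headers", {})
             if name.lower() in CREDENTIAL_HEADERS]
    query = urlsplit(req.get("uri", "")).query
    found += [f"query:{param}" for param in parse_qs(query, keep_blank_values=True)
              if SECRET_PARAM.search(param)]
    return found


def triage(lines):
    """Aggregate hosts, paths and client IPs, and collect every credential hit in order."""
    summary = {"hosts": Counter(), "paths": Counter(), "ips": Counter(), "credential_hits": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        req = rec["request"]
        ip = req.get("client_ip") or req.get("remote_ip")
        summary["hosts"][req.get("host", "")] += 1
        summary["paths"][urlsplit(req.get("uri", "")).path] += 1
        summary["ips"][ip] += 1
        where = credentials_in(req)
        if where:
            summary["credential_hits"].append({
                "ts": rec.get("ts"), "ip": ip, "host": req.get("host"),
                "uri": req.get("uri"), "where": where,
                "ua": req.get("headers", {}).get("User-Agent", [""])[0],
            })
    return summary


# Constructed sample log: startup noise, a bearer token (already REDACTED by
# Caddy), an API key in the query string (not redacted), and scanner traffic.
SAMPLE_LOG = [
    '{"level":"info","ts":1738162680.0,"msg":"serving initial configuration"}',
    '{"level":"info","ts":1738162687.14,"logger":"http.log.access.log0","msg":"handled request",'
    '"request":{"remote_ip":"203.0.113.10","remote_port":"62128","client_ip":"203.0.113.10",'
    '"proto":"HTTP/1.1","method":"GET","host":"api.karlkarlkarl.de","uri":"/api/resource",'
    '"headers":{"User-Agent":["curl/8.7.1"],"Authorization":["REDACTED"]}},"status":200}',
    '{"level":"info","ts":1738162690.0,"logger":"http.log.access.log0","msg":"handled request",'
    '"request":{"remote_ip":"203.0.113.10","client_ip":"203.0.113.10","proto":"HTTP/1.1",'
    '"method":"GET","host":"api.karlkarlkarl.de","uri":"/v1/export?api_key=example-not-real",'
    '"headers":{"User-Agent":["python-requests/2.32"]}},"status":200}',
    '{"level":"info","ts":1738162700.0,"logger":"http.log.access.log0","msg":"handled request",'
    '"request":{"remote_ip":"198.51.100.7","client_ip":"198.51.100.7","proto":"HTTP/1.1",'
    '"method":"GET","host":"karlkarlkarl.de","uri":"/.env",'
    '"headers":{"User-Agent":["zgrab/0.x"]}},"status":200}',
]


def report(summary, top=10):
    """Render the summary as text; credential hits first since those need a human."""
    lines = ["== credential hits =="]
    for hit in summary["credential_hits"]:
        lines.append(f"{hit['ts']} {hit['ip']} {hit['host']}{hit['uri']} {hit['where']} ({hit['ua']})")
    for key in ("hosts", "paths", "ips"):
        lines.append(f"== top {key} ==")
        lines += [f"{count:6d} {value}" for value, count in summary[key].most_common(top)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py /var/log/caddy/access.log  (no argument: the constructed sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(triage(source)))
```

Run it against /var/log/caddy/access.log and read the credential hits first; the host and path counters are mostly scanner noise, but a host you did not expect (a subdomain your target actually uses) tells you which of their systems someone mistyped.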

Cloudflare – DNS & Mail

DNS

We’ll add some wildcard DNS records so that all subdomains get routed to our server—because let’s be real, we don’t know all the subdomains of our target.

Example of wildcard DNS. Best to set both a normal A record and a wildcard (*) A record, pointed at your server’s IP.

It’s almost as good as having your own nameserver. Plus, Cloudflare gives you a ton of DNS logs. Sure, you won’t get all of them like you would with your own setup, but honestly… I don’t really care that much about DNS logs anyway.

SSL/TLS Settings in Cloudflare

Make sure your SSL/TLS setting in Cloudflare is “Full (strict)”. In “Flexible” mode Cloudflare connects to your origin over plain HTTP, Caddy answers with its automatic HTTP-to-HTTPS redirect, and the two end up in a redirect loop that takes forever to diagnose, which will annoy you quite a bit.

Email

Set up email routing through Cloudflare—it’s easy, just two clicks. Then, you’ll need a catch-all email rule and a destination address.

This will forward all emails sent to the typo domain straight to your chosen domain.

Catch-All Email rule in Cloudflare Email Settings

You could set up your own mail server to do the same thing, which gives you more control over how emails are handled. But for my POC, I didn’t need the extra hassle.

I should mention that, using n8n, I set up an email flow to notify people that they had sent their mail to the wrong address and that it was not delivered:

This post is already getting pretty long, so I might do a separate one about n8n another time. For now, just know that people were notified when they sent mail to the wrong address, and their important messages were delivered into the void.

Profit

By “profit,” I’m, of course, making a joke about the classic Step 1 → Step 2 → Step 3 → Profit meme—not actual profit. That would be illegal under American law, so let’s keep things legal and fun. Just thought I’d clarify 🫡.

Now, you wait. Check the logs now and then, peek at the emails occasionally. Like a fisherman (or fisherwoman), you sit back and see what bites.

How long does it take? Well, that depends on how good your typo is and how popular your target is—could be minutes, could be days.

For me, I was getting around 10-15 emails per day. The weblogs are mostly just people scanning the crap out of my server.

Email stats of the first 2 days for one of the domains (I hold 14)

Conclusion

I bought 14 domains with the most common typos for my target and ended up catching around 400 emails in a month —containing some of the most devastating info you could imagine.

I’m talking government documents, filled-out contracts, filed reports. I got people’s birth certificates, death certificates, addresses, signatures—you name it.

Think about it—when you email a government office, they already know everything about you, so you don’t think twice about sending them paperwork, right? Well… better triple-check that email address before you hit send, or guess what? It’s mine now.

As for weblogs, their real value comes in when a developer is testing a tool and mistypes a public domain. I didn’t manage to snag any API keys, but I guarantee that if your target has public APIs or a sprawling IT infrastructure, credentials will slip through eventually.

Defense

The only real defense is to buy all the typo domains before the bad guys do. There are services that specialize in this—if you’ve got the budget, use them.

If you can’t buy them, monitor them. Plenty of commercial tools can do this, or you can build your own. The easiest DIY approach would be to use dnstwist to generate typo variations and check WHOIS records or dig to see if anyone has registered them.
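Both the bitsquatting arithmetic from earlier and the dnstwist-style monitoring above come down to the same thing: enumerate every single-edit variant of your domain and see which ones resolve. The script below is an added example, not code from the original post and not dnstwist itself. It is a small re-implementation of the permutation classes dnstwist produces (omission, transposition, repetition, adjacent-key replacement and insertion) plus the single-bit flips behind bitsquatting, with an optional resolution check. The QWERTY neighbour map and the karl.fail sample target are constructed for this example; it goes beyond the single “k” to “o” flip in the text by generating the whole set.

```python
"""Typo and bitsquat candidate generator with an optional registration check.

Added example, not code from the original post and not dnstwist itself.
The QWERTY neighbour map and the "karl.fail" sample target are constructed here.
"""
import socket
import string
import sys

# Adjacent letter keys on a US QWERTY layout (assumption: letters only, no digits).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm",
    "m": "njk",
}
# Characters allowed in a hostname label (letters, digits, hyphen).
LDH = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain):
    """'karl.fail' -> ('karl', 'fail'); only the leftmost label gets mutated."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def is_valid_label(label):
    return bool(label) and set(label) <= LDH and not label.startswith("-") and not label.endswith("-")


def omissions(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}


def repetitions(label):
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def replacements(label):
    """Fat-finger: one character swapped for a key next to it."""
    return {label[:i] + n + label[i + 1:]
            for i, ch in enumerate(label) for n in QWERTY_NEIGHBOURS.get(ch, "")}


def insertions(label):
    """Fat-finger: a neighbouring key hit before or after the intended one."""
    out = set()
    for i, ch in enumerate(label):
        for n in QWERTY_NEIGHBOURS.get(ch, ""):
            out.add(label[:i] + n + label[i:])
            out.add(label[:i + 1] + n + label[i + 1:])
    return out


def bitsquats(label):
    """Every single-bit flip of every byte that still yields a valid LDH character.
    'k' (0x6B) with bit 2 flipped is 'o' (0x6F): that is how karl becomes oarl."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped != ch and flipped in LDH:
                out.add(label[:i] + flipped + label[i + 1:])
    return out


GENERATORS = {
    "omission": omissions, "transposition": transpositions, "repetition": repetitions,
    "replacement": replacements, "insertion": insertions, "bitsquat": bitsquats,
}


def candidates(domain):
    """Map every single-edit variant of the domain to the set of edit types producing it.
    A variant can belong to several classes: 'oarl' is both a bitsquat and a QWERTY replacement."""
    label, rest = split_domain(domain)
    result = {}
    for kind, generate in GENERATORS.items():
        for variant in generate(label):
            if variant != label and is_valid_label(variant):
                result.setdefault(f"{variant}.{rest}", set()).add(kind)
    return result


def resolves(domain):
    """True if the name currently resolves, i.e. someone probably holds it. Network call."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python squatgen.py example.gov [--check]
    target = sys.argv[1] if len(sys.argv) > 1 else "karl.fail"
    check = "--check" in sys.argv
    for name, kinds in sorted(candidates(target).items()):
        status = ("REGISTERED?" if resolves(name) else "free") if check else ""
        print(f"{name:30} {','.join(sorted(kinds)):30} {status}")
```

Without --check the script is fully offline and just prints the candidate list, which is what you would feed into a registrar’s bulk search. With --check it resolves each name; a variant that resolves is worth a WHOIS lookup and a look at who is serving it, and a variant that resolves today but did not last week is exactly the event a monitoring job should alert on.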

Typo domains aren’t just used for passive logging—people also host malicious content and phishing campaigns on them. That said, those methods get caught pretty fast. The approach I showed you is much more silent and in my opinion, dangerous. It doesn’t set off alarms right away.

Also, don’t bother filtering typo domains by whether they have MX records: most registrars park new domains with catch-all mail rules, so an MX record tells you nothing and that’s a dead end.

Domains are dirt cheap compared to the damage I could do if I decided to leak this to the press, extort people, or trick them into giving me money. You instantly gain trust because the emails you receive usually say things like “As we just discussed over the phone…” or contain entire ongoing conversations.

This whole setup takes about an hour and costs maybe 50 bucks for some domains.

Anyway, thanks for reading. Good night, sleep tight, and don’t let the bed bugs bite.

Love you 😘
