Lookalike domains and how to spot them

Fake websites and email addresses are often used in phishing and targeted attacks. How do fake domains get created, and how to spot one?

Lookalike attacks in phishing and BEC

You’ve received an email at work asking you to change your email password, confirm your vacation period, or make an urgent money transfer at the request of the CEO. Such unexpected requests could be the start of a cyberattack on your company, so you need to make sure it’s not a scam. So how do you check email addresses or links to websites?

The centerpiece of a fake is usually the domain name; that is, the part of the email after the @, or the beginning of the URL. Its task is to inspire confidence in the victim. Sure, cybercriminals would love to hijack an official domain of the target company, or of one of its suppliers or business partners, but in the early stages of an attack they usually don’t have that option. Instead, before a targeted attack, they register a domain that looks similar to that of the victim organization – and they hope that you won’t spot the difference. Such techniques are called lookalike attacks. The next step is to host a fake website on the domain or fire off spoof emails from mailboxes associated with it.

In this post, we explore some of the tricks used by attackers to prevent you from noticing a domain spoof.

Homoglyphs: different letters, same spelling

One trick is using letters that are visually very similar or even indistinguishable. For example, a lowercase “L” (l) in many fonts looks identical to a capital “i” (I), so an email sent from the address JOHN@MlCROSOFT.COM would fool even the more eagle-eyed. Of course, the sender’s actual address is john@mLcrosoft.com!

The number of devilish doubles increased after it became possible to register domains in different languages, including ones that don’t use the Latin alphabet. A Greek “ο”, Russian “о”, and Latin “o” are totally indistinguishable to a human, but in the eyes of a computer they’re three distinct letters. This makes it possible to register lots of domains that all look like microsоft.cοm using different combinations of o’s. Such techniques employing visually similar characters are known as homoglyph or homograph attacks.

Combo-squatting: a little bit extra

Combo-squatting has become popular with cybercriminals in recent years. To imitate an email or website of the target company, they create a domain that combines its name and a relevant auxiliary word, such as Microsoft-login.com or SkypeSupport.com. The subject of the email and the end of the domain name should match up: for example, a warning about unauthorized access to an email account could link to a site with the domain outlook-alert.

The situation is made worse by the fact that some companies do indeed have domains with auxiliary words. For example, login.microsoftonline.com is a perfectly legitimate Microsoft site.

According to Akamai, the most common combo-squatting add-ons are: support, com, login, help, secure, www, account, app, verify, and service. Two of these – www and com – warrant a separate mention. They are often found in the names of websites, and the inattentive user might not spot the missing period: wwwmicrosoft.com, microsoftcom.au.

Top-level domain spoofing

Sometimes cybercriminals manage to register a doppelganger in a different top-level domain (TLD), such as microsoft.co instead of microsoft.com, or office.pro instead of office.com. In this case, the name of the spoofed company can remain the same. This technique is called Tld-squatting.

A substitution like this can be very effective. It was just recently reported that, for over a decade, various contractors and partners of the U.S. Department of Defense have been mistakenly sending emails to the .ML domain belonging to the Republic of Mali instead of the American military’s .MIL domain. In 2023 alone, a Dutch contractor intercepted more than 117,000 misdirected emails bound for Mali instead of the DoD.

Typo-squatting: misspelled domains

The simplest (and earliest) way to produce doppelganger domains is to exploit various typos that are easy to make and hard to spot. There are lots of variations here: adding or removing doubles (ofice.com instead of office.com), adding or removing punctuation (cloud-flare or c.loudflare instead of cloudflare), replacing similar-sounding letters (savebank instead of safebank), and so on.

Typos were first weaponized by spammers and ad fraudsters, but today such tricks are used in conjunction with fake website content to lay the groundwork for spear-phishing and business email compromise (BEC).

How to guard against doppelganger domains and lookalike attacks

Homoglyphs are the hardest to spot and almost never used for legitimate purposes. As a result, browser developers and, in part, domain registrars are trying to defend against such attacks. In some domain zones, for example, it is forbidden to register names with letters from different alphabets. But in many other TLDs there’s no such protection, so you have to rely on security tools. True, many browsers have a special way of displaying domain names containing a mix of alphabets. What happens is that they represent the URL in punycode, so it looks something like this: xn--micrsoft-qbh.xn--cm-fmc (this is the site microsoft.com with two Russian o’s).

The best defense against typo-squatting and combo-squatting is attentiveness. To develop this, we recommend that all employees undergo basic security awareness training to learn how to spot the main phishing techniques.

Unfortunately, the cybercriminal’s arsenal is wide-ranging and by no means limited to lookalike attacks. Against carefully executed attacks tailored to a specific company, mere attentiveness isn’t enough. For example, this year attackers created a fake site that cloned Reddit’s intranet gateway for employees and successfully compromised the company. Therefore, infosec teams need to think about not only employee training, but also vital protection tools: