If you think you’re seeing double, you probably are. Website domains, that is. Yet, despite the growing threat of lookalike domains, a targeted form of phishing where malicious actors use visually similar website domains to deceive unsuspecting users into clicking links or visiting fake websites, they can be overlooked as a key attack vector for threat actors. As users have learned to scrutinize links in emails they receive – and while the security industry has increased their ability to automatically detect threats, cyber criminals only continue to innovate and get smarter in their tactics.
Threat actors have successfully driven people towards lookalike domains in their attacks via SMS messages, direct messages on social media, and QR codes. For example, have you heard of the threat actors that sent a fake SMS message that looks like it came from the United States Postal Service (USPS) providing a tracking link for your package? In this case, when a link is clicked, it’s likely that the website it’s directing you to, will look very similar to the original USPS website, making it that much harder for the user to realize they’ve been fooled by a lookalike domain attack. What happens next? The criminals gather personal data that can lead to identity theft.
Wondering how hackers are able to easily reach and trick unsuspecting victims to click on suspicious links? It’s because lookalike domain attacks often start at the domain name system (DNS) level, which is the first point of attack for many threat actors. The most common use of DNS is for computers to be able to find content on the internet for a domain name. Facebook/Meta, for example, can be accessed through the domain name facebook.com. However, DNS is often overlooked and unprotected, meaning that if hackers break through that initial DNS layer with a lookalike domain attack, they can often gain access to an entire network. Even though users are suspicious of email from unknown senders, these domain names may appear indistinguishable from the expected domain and the user may be caught off guard.
The use of lookalike domains is profitable for threat actors because it is an asymmetric attack. Cheap domain registration prices and the ability to distribute large-scale attacks unfortunately give actors the upper hand. While techniques to identify malicious activity have improved recently, it’s still become increasingly difficult for organizations to keep pace. In fact, hackers can buy tool kits on the dark web for just $300, allowing these attacks to be launched at scale with little to no effort.
Infoblox analyzes over 70 billion DNS events daily to find new and potential threats. Here are four types of lookalike domain attacks, in particular, that all organizations should be on the lookout for:
- Homographs or homoglyphs use visually similar characters from different character sets such as Cyrillic or Greek to create domain names that appear identical to legitimate ones (e.g., substituting “o” with “0”). What makes homographs particularly effective is that the difference between individual characters is not always clearly distinguishable, depending on the fonts and typesets used.
- Typosquats include sneaky typing errors by registering domains that closely resemble popular websites (e.g., substituting “amazonn[.]com” for “amazon[.]com“) to take users to a fraudulent website. Often, typosquats will be used for popular domains that are already registered for financial gain and to draw in advertising money, but malicious actors also ‘squat’ in these domains with websites that are visually close to what users are expecting to see.
- Combosquats combine well-known brand or company names with other keywords such as “mail”, “security” or “support”. For instance, the domain wordpresssecurityt[.]store might be searchable on Google for WordPress users seeking help, but actually has a Russia-based IP address. According to Infoblox’s report, around 60% of these abusive combosquatting domains stay active for more than 1,000 days, and only 20% are reported and blocked after 100 days. Combosquatting is around 100 times more prevalent than typosquatting.
- Soundsquats are the most recent form of lookalike threats, using domain names that sound similar to legitimate ones when spoken aloud (e.g., “hsbsee[.]com” instead of “hsbc[.]com”). This can trick users who hear a domain instead of reading it, and has been researched for its potential impact on smart devices such as Google Home, Siri, and Alexa.
While these four emphasize different types of attacks, threat actors rarely stick to one of these lanes. They often attempt to use a combination of these techniques to defraud users and target businesses. Lookalike domains are designed to trick consumers, and while some may be good at spotting them, it only takes one or two people to engage with these domains to activate the effects of the attack.
While knowing how to spot lookalike domains is key, it won’t completely protect you from falling victim to one. One of the best ways to stay protected from lookalike domain attacks is having a strong DNS security strategy already in place, as it can help to detect and block lookalike domain attacks sooner. At Infoblox, we’re proud to be the first DNS security solution to offer a Lookalike Domain Monitoring capability that works to identify sites attempting to impersonate company brands that are increasingly used to deceive consumers with phishing, malvertising and similar attacks.
Detecting and not falling prey to these kinds of attacks are crucial, but the ability to takedown lookalike domains is equally important. Lookalike domain attacks are increasing in sophistication and prevalence, making specialized solutions like DNS security a must-have for all.
More information on lookalike domains can be found in our whitepaper here.
