Lookalike domains have been one of the many tools used in cyberattacks for many years. But lookalikes were infrequently implemented while other, easy-to-use alternatives remained effective at masking the true destination of a URL from their victims. Unfortunately for attackers, users have learned to be more suspicious of electronic communications and more adept at applying techniques to reveal the true destination of a link. As the effectiveness of old methods declined, cybercriminals have turned to lookalike domains to support renewed efforts to impersonate a user, organization or brand in an attack.
Wide-ranging lookalike techniques
Generating convincing lookalike domains using sophisticated homograph or homoglyph techniques has been refined through years of attacks impersonating popular brands like PayPal, and large government agencies like the IRS. However, the methods for applying these techniques range from the obvious to the obscure.
A lookalike domain could be as simple as using myorganization[.]net to impersonate myorganization[.]com as part of an attack on customers. And, in a world where legitimate domain names are often long and elaborate, attackers are often successful using domain names like billing-support-login-myorganization[.]com. Simply expanding, rearranging, or slightly modifying a domain name can provide attackers with many alternatives.
Character substitution, using homograph or homoglyph techniques, is another common practice in building believable lookalike domains. Most people today are familiar with the concept of single-character substitution, such as replacing the letter ‘O’ with the number ‘0’. But there are a dozen other Unicode characters that would serve as credible replacements for an ‘O’.
Unicode is a computing industry standard for the consistent encoding, representation, and handling of text expressed in most of the world’s writing systems, including scripts such as Cyrillic, Coptic and Mongolian and 136 others. In total, there are over 136,000 Unicode characters available today to create viable domain names using letters and symbols. To give a sense of the scale of this challenge, Unicode substitutions yield over 829 million possible combinations for “INFOBLOX” alone.
Punycode: Seeing past a lookalike deception
Visually, these Unicode substitutions usually appear legitimate in email messages, web pages, PDFs and many other text displays. Even hovering your mouse over a link would typically display the deceptive Unicode character. One way to reveal the true nature of a domain name is to copy the link and paste it into the address bar of your browser. Pasting the URL into the address bar of Google Chrome, Apple Safari, and recent versions of Microsoft Edge and Internet Explorer will display ‘Punycode’, a standard designed to represent Unicode characters with the limited ASCII character subset used for international hostnames.
Figure 1 provides several examples to illustrate a deceptive attempt and a revealing Punycode representation. The first two URLs appear identical, although only #1 is the correct “myorganization” domain. The second URL uses a Unicode alternative for the letter ‘y’ to appear legitimate.
The third URL is what you would see if you were to cut and paste URL #2 into a browser address bar, revealing the Punycode representation for the maliciously substituted ‘y’.
It should be noted that there are legitimate reasons for using Unicode character sets in domain names. An internationalized domain name (IDN) is a name that contains at least one character in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Devanagari, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as German. For example, München (the German name for Munich) would be displayed in Punycode as Mnchen-3ya. If a German user were to type in “München” in their browser address bar, they could easily see the same Punycode to help validate the legitimacy of a link.
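As an added example (not code from the original post), the following Python performs the address-bar check described above in code: it renders a hostname in the Punycode form a browser would display, flags non-Latin letters hiding in a Latin brand name, and shows that a legitimate IDN such as München is not flagged. The trusted domain and the Cyrillic lookalike are constructed sample values.

```python
import unicodedata

# Constructed sample: the trusted domain from the post and a lookalike in which
# the Latin 'y' is replaced by CYRILLIC SMALL LETTER U (U+0443), which renders
# almost identically in most fonts.
TRUSTED = "myorganization.com"
LOOKALIKE = "m\u0443organization.com"


def to_punycode(hostname: str) -> str:
    """Return the ASCII (ACE) form a browser address bar displays for an IDN.
    ASCII-only labels pass through unchanged; any label with non-ASCII
    characters is Punycode-encoded and prefixed with 'xn--'."""
    return hostname.encode("idna").decode("ascii")


def foreign_scripts(hostname: str) -> set:
    """Non-Latin scripts present in the name, taken from the first word of each
    character's Unicode name (e.g. 'CYRILLIC'). Latin letters with diacritics,
    such as the ü in München, are still LATIN, so a legitimate German IDN does
    not trip this check; a Cyrillic letter hiding in a Latin brand name does."""
    scripts = set()
    for ch in hostname:
        if ch.isascii() or not ch.isalpha():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    scripts.discard("LATIN")
    return scripts


def lookalike_report(hostname: str, trusted: str) -> dict:
    """Judge a hostname the way the post recommends a user does: by comparing
    its Punycode form with the Punycode form of the trusted domain."""
    ace, trusted_ace = to_punycode(hostname), to_punycode(trusted)
    is_idn = not hostname.isascii()  # Punycode would be shown in the address bar
    return {
        "punycode": ace,
        "is_idn": is_idn,
        "foreign_scripts": foreign_scripts(hostname),
        # An IDN that is not the trusted domain itself is a lookalike candidate.
        "suspicious": is_idn and ace != trusted_ace,
    }


if __name__ == "__main__":
    for name in (TRUSTED, LOOKALIKE, "München.de"):
        print(f"{name:24} -> {lookalike_report(name, TRUSTED)}")
```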
Targeting employees with 3rd party lookalikes
The most obvious application of these techniques would be to enhance attacks using popular brands like PayPal and Bank of America. It is not difficult to understand how an attacker’s expertise could be easily translated into an attack on your own customers. The applications for targeting your employees, however, are many and much more indirect.
Employees are accustomed to using internal portals, systems, tools and access methods when conducting confidential business for the organization. Their familiarity with these systems makes it difficult for attackers to create credible social engineering scenarios using a lookalike of your own public domain to compromise an employee. The greater risk to employees would be lookalike domains used in attacks impersonating a business partner or any organization that your business frequently interacts with or controls. As an example, consider the risk of success if your users received an email that appears to come from a nearby restaurant, popular among employees, with a ‘special discount offer’ if they will simply sign up for a membership, download an app, etc.
Lookalike domains support a broad range of human-targeted, socially engineered threats, with intent ranging from simply infecting endpoints to gain network access to a spear-phishing or Business Email Compromise attack focused on key employees with desired information or access. Additional components in these attacks include lookalike web sites, email templates, and other indicators of legitimacy.
Protect employees, customers, and brand reputation
Many modern security tools have some defense capabilities to address the risk of lookalike use for attacks impersonating popular brands. But they lack viable options for defending against an attack impersonating an organization outside the Fortune 1000 or large governments. And users, despite gains in security education and the availability of checks like viewing the Punycode form of a link, are an inconsistent and unreliable line of defense.
Infoblox provides lookalike domain defenses for a broad range of threat scenarios. Specifically designed for this latest evolution in the threat landscape, a Custom Lookalike Domain Monitoring service is available for BloxOne Threat Defense Advanced customers, allowing them to submit their organization’s own domain, or domains frequently visited by or controlled by the organization, for lookalike protection. The Infoblox Cyber Intelligence Unit (CIU) turns the supplied domains into lists of high-risk lookalike domains for initial assessment and monitoring. Suspicious activity related to these lookalike domains is reported to give customers visibility into that activity and as advance warning to help the organization avert a potential network breach or customer threats.
Lookalike techniques provide for more convincing social engineering capabilities in support of increasingly advanced threats. With innovative lookalike defense features and unmatched threat intelligence sharing capabilities, Infoblox can help you better prevent, detect, investigate and respond by taking your entire security stack to the next level.