Seeing is believing. While that is generally the case, it only applies when other people are not trying to trick you visually. But in the case of domain names, hackers can trick you.
Let’s take a look at the following domains:
G00gle.com
Goog1e.com
Bankofthevvest.com
rnicrosoft.com
I am sure you, a reader of this blog, can tell that the above domains are not google.com, bankofthewest.com, and microsoft.com, because you are a professional in the security business, or because you have sharp eyes, or because you have a natural instinct for spotting minor differences. However, if one of those domains appeared in a very long URL in a tiny font, like the one below, would you still be able to tell the difference at first glance?
https ://docs.goog1e.com/d/11nlyrVIYHsadg5vdFGxBRgm-LUICEc5FBUc_wgz5R000ZU/edit#slide=id.p2
Or what if it were part of an email sent to a grandmother with the message, “Happy Holidays from your grandson, click the following link to hear his first words.”? Do you think the grandmother would be able to tell? I have little confidence in my own mother.
Welcome to the World of Lookalike Domains
As the name suggests, lookalike domains look very similar to legitimate domains. In the security context, they are often used in what are called homograph attacks. The examples above, which replaced “o” with “0”, “l” with “1”, “w” with “vv” and “m” with “rn”, were in fact early instances of homograph attacks. There are more advanced forms of lookalike domains that are much harder to detect with the naked eye. (For security reasons, all links to lookalike domains in this blog are presented as images to ensure you don’t mistakenly click on them.)
For example, can you tell the difference between the following?
[image: lookalike of wikipedia.org]
and
wikipedia.org
In the picture, the Latin letters “e” and “a” are replaced with the Cyrillic letters “е” and “а”. [1]
Here is another example: [2]
[image: lookalike of apple.com]
In this picture, the “a” in apple.com is the Cyrillic “а”, not the Latin “a”.
These two examples use a more advanced homograph technique: they borrow from a different alphabet (in this case Cyrillic) that has letters which look like Latin letters. Those letters are encoded differently by the computer, so while a human being may mistake the domain for a legitimate one, a computer will not. As a result, when you click such a link in a browser or in any other application such as email, you are taken to a domain you did not intend to visit. Such visits open the door to many possibilities that are not in your favor: for example, a website that asks you to download software which turns out to be malicious, or a website that asks you to enter your banking credentials. You might already have been to at least one of those sites.
Not only can those malicious lookalike domains lead consumers into dangerous waters, they can also lead to significant financial losses for businesses.
Businesses care about their customers; they also care about their brand. A lookalike domain can hurt a brand because it can be used to redirect or steal traffic to a different website, which might sell competing goods. This is called URL hijacking, and businesses take it seriously. They may report URL hijacking to law enforcement.
How to Protect Yourself Against Lookalike Domains
Various defense mechanisms against lookalike domains are available. For simple tricks such as replacing “o” with “0”, “l” with “1”, “w” with “vv” and “m” with “rn”, a user should be able to tell if they are careful enough. For the advanced tricks like replacing Latin letters with Cyrillic ones, most modern browsers will give you warnings (with the exception of Mozilla/Firefox [4]).
To defend against any attack, you first have to detect it. One effective way to identify lookalike domains is to use artificial intelligence and machine learning (AI/ML) to scan domains for potential lookalikes. You can then put those domains into a DNS firewall and automatically filter out DNS requests for them. When the DNS requests are denied, Internet traffic to those domains will not go through. Infoblox recently released a lookalike domain detection feature in the latest version of ActiveTrust® and is working to put those detected domains into an RPZ data feed so that your enterprise and your employees will be protected from those domains. For more details, please visit Infoblox.com.
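As an added illustration (not code from this post, nor from Infoblox's ActiveTrust), the Python below shows the two checks described above in a form a DNS-layer filter could apply to a queried name: it folds the substitutions from the post (“0”, “1”, “vv”, “rn” and Cyrillic look-alikes) into a “skeleton” that is compared against a list of protected brands, and it flags labels that mix Latin and Cyrillic script. The confusables table and the protected brand list are constructed for the example, and the IDNA encoding shows the xn-- form that resolvers actually see.

```python
import unicodedata

# Constructed table of the substitutions the post walks through: digits and
# letter pairs that resemble Latin letters, plus a few Cyrillic homoglyphs.
# A small hand-picked subset, not the full Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "vv": "w", "rn": "m",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u04cf": "l", "\u0455": "s",
}

# Brands to protect; constructed for this example.
PROTECTED = {"google.com", "microsoft.com", "bankofthewest.com",
             "wikipedia.org", "apple.com"}

def skeleton(domain: str) -> str:
    """Fold every confusable character or sequence to its Latin look-alike.
    Longer sequences go first so 'rn' and 'vv' collapse before single chars."""
    out = domain.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        out = out.replace(src, CONFUSABLES[src])
    return out

# Skeletonize the protected list too, so both sides are compared in the same form.
PROTECTED_BY_SKELETON = {skeleton(d): d for d in PROTECTED}

def scripts(label: str) -> set:
    """Unicode scripts used by the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def check(domain: str) -> dict:
    """What a DNS-layer filter could record for one queried name."""
    lowered = domain.lower()
    label = lowered.split(".")[0]
    target = PROTECTED_BY_SKELETON.get(skeleton(lowered))
    return {
        # Resolvers see the IDNA/punycode form; Cyrillic letters become xn--.
        "ascii": lowered.encode("idna").decode("ascii"),
        # A single Cyrillic letter among Latin ones makes a mixed-script label.
        "mixed_script": len(scripts(label)) > 1,
        # Same skeleton as a protected brand but a different name: lookalike.
        "impersonates": target if target and target != lowered else None,
    }

if __name__ == "__main__":
    for name in ["g00gle.com", "goog1e.com", "bankofthevvest.com",
                 "rnicrosoft.com", "\u0430pple.com", "wikip\u0435di\u0430.org"]:
        print(name, check(name))
```

The skeleton comparison catches both the ASCII tricks and an all-Cyrillic label, while the mixed-script check is the signal browsers rely on when only one or two letters have been swapped.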
References
[1] https://en.wikipedia.org/wiki/IDN_homograph_attack
[2] https://www.xudongz.com/blog/2017/idn-phishing/
[3] https://en.wikipedia.org/wiki/Typosquatting
[4] https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/