DUBAI — If you think you’re seeing double, you probably are – in the world of website domains. Despite the growing threat of lookalike domains, a form of phishing in which attackers register domains that look like trusted ones to lure users into clicking harmful links or visiting fake websites, this vector is often overlooked. As users become more careful in scrutinizing email links, and as the security industry improves its threat detection capabilities, cybercriminals keep innovating with smarter tactics.
These threat actors successfully direct people to lookalike domains through SMS messages, social media direct messages, and QR codes, leading to potential identity theft.
Ever wonder how hackers easily entice unsuspecting victims to click on suspicious links? It’s because lookalike domain attacks often start at the Domain Name System (DNS) level, a primary target for many attackers. DNS is the layer that maps human-readable domain names to the internet content behind them. For instance, Facebook/Meta is reached through facebook.com. However, DNS is frequently unprotected and overlooked, so a lookalike domain that slips through this layer can give hackers a foothold that extends to entire networks. Even cautious users, wary of emails from unknown senders, may be fooled by domain names that appear legitimate.
Lookalike domains are a profitable method for attackers due to the asymmetry of the attack. The low cost of domain registration and the capability for widespread attack distribution give these actors a significant advantage. Although techniques to identify malicious activity have improved, keeping pace remains a challenge for organizations. Hackers can even purchase toolkits on the dark web for as little as $300, enabling them to launch large-scale attacks with minimal effort.
Infoblox analyzes over 70 billion DNS events daily to identify new and potential threats. Organizations should be particularly vigilant about these four types of lookalike domain attacks:
Homographs or Homoglyphs: These attacks use visually similar characters, whether letters from other scripts such as Cyrillic or Greek or look-alike digits and letters, to create domain names almost identical to legitimate ones (e.g., substituting “o” with “0”). The effectiveness of homographs lies in the subtle, often indiscernible differences between characters, which depend on the fonts and typesets used.
Typosquats: This type involves registering domains that closely resemble popular websites, with slight typing errors (e.g., “amazonn[.]com” instead of “amazon[.]com”). These fraudulent websites not only aim for financial gain and advertising revenue but also visually mimic the expected sites to deceive users.
Combosquats: These combine well-known brand or company names with additional keywords like “mail”, “security”, or “support”. For example, “wordpresssecurityt[.]store” might appear in a Google search for WordPress help but is actually linked to a Russia-based IP address. Infoblox’s report indicates that around 60 percent of abusive combosquatting domains remain active for over 1,000 days, with only 20 percent being reported and blocked within 100 days. Combosquatting is about 100 times more common than typosquatting.
Soundsquats: The newest form of lookalike threats, soundsquats use domain names that phonetically resemble legitimate ones (e.g., “hsbsee[.]com” instead of “hsbc[.]com”). They are particularly deceptive when users hear a domain name rather than reading it, posing a potential risk for smart devices like Google Home, Siri, and Alexa.
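As an added illustration, not taken from the article or from Infoblox’s product, the following Python snippet labels a candidate domain with one of the four categories above when checked against a protected brand name. The confusable table, the combosquat keyword list, the phonetic rewrite list and the similarity threshold are all constructed assumptions kept deliberately small; a production detector would use full Unicode confusables data and a public-suffix list.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed confusable table (hypothetical, far smaller than Unicode TR39):
# digits and Cyrillic/Greek letters mapped to the ASCII letter they imitate.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u04cf": "l",                      # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",       # Greek
}
# Keywords combosquatters append to a brand (three from the article, two assumed)
COMBO_KEYWORDS = ("mail", "security", "support", "login", "help")
# Constructed phonetic rewrites: spelled-out letter sounds collapsed to the letter
PHONETIC = (("see", "c"), ("cee", "c"), ("ess", "s"), ("you", "u"), ("ex", "x"))

def registrable_label(domain):
    """Second-level label of a possibly defanged ('[.]') or punycode domain."""
    host = domain.lower().replace("[.]", ".").rstrip(".")
    label = host.split(".")[-2] if "." in host else host  # ignores suffixes like co.uk
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")  # reveal the Unicode form
    return label

def fold_homoglyphs(label):
    """Replace confusable characters with the ASCII they imitate."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in unicodedata.normalize("NFKD", label))

def classify_lookalike(domain, brand):
    """Return exact|homograph|combosquat|soundsquat|typosquat|unrelated."""
    label, brand = registrable_label(domain), brand.lower()
    if label == brand:
        return "exact"
    folded = fold_homoglyphs(label)
    if folded == brand:
        return "homograph"
    if brand in folded and any(k in folded.replace(brand, "", 1) for k in COMBO_KEYWORDS):
        return "combosquat"
    spoken = folded
    for sound, letter in PHONETIC:   # how the label sounds when read aloud
        spoken = spoken.replace(sound, letter)
    if spoken == brand:
        return "soundsquat"
    if SequenceMatcher(None, folded, brand).ratio() >= 0.8:  # one or two keystrokes off
        return "typosquat"
    return "unrelated"

if __name__ == "__main__":
    for d, b in (("amazonn[.]com", "amazon"), ("wordpresssecurityt[.]store", "wordpress"),
                 ("hsbsee[.]com", "hsbc"), ("faceb00k.com", "facebook")):
        print(d, "->", classify_lookalike(d, b))
```

The checks run in a fixed order (exact, homograph, combosquat, soundsquat, typosquat), so a domain that mixes techniques is reported under the first category that matches.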
While these four methods highlight different types of attacks, threat actors rarely limit themselves to just one approach. They often combine these techniques to defraud users and target businesses. Lookalike domains are crafted to deceive consumers, and although some people may be adept at recognizing them, it only takes a few individuals engaging with these domains to trigger the attack’s effects.
Being able to spot lookalike domains is crucial, but it’s not a foolproof defense. A robust DNS security strategy is essential for protection, as it can help detect and block these attacks early. At Infoblox, we take pride in being the first DNS security solution to offer Lookalike Domain Monitoring capability. This feature is designed to identify sites attempting to impersonate company brands, a common tactic in phishing, malvertising, and similar attacks.
Detecting these attacks and avoiding falling victim to them is vital, but the ability to take down lookalike domains is equally important. The increasing sophistication and prevalence of lookalike domain attacks necessitate specialized solutions like DNS security as an essential tool for all organizations.
Mohammed Al-Moneer is Regional Sr. Director for META at Infoblox.
The opinions expressed are those of the author and may not reflect the editorial policy or an official position held by TRENDS.