
How to protect your business against lookalike domain attack

    An enormous number of lookalike domains are registered each year by cybercriminals to imitate well-known companies for profit. In addition to phishing emails and bogus websites, these domains are also used to divert web traffic and distribute malware.

    Lookalike websites use deceptive tactics to make customers believe they are dealing with a well-known business, harming established companies’ reputations, finances, and customer data.

    In this article, we will understand what lookalike domain attacks are, what makes them possible, how to detect them, and steps to prevent and protect brands from being victims of similar domain attacks.


    What is a lookalike domain?

    A lookalike domain is a type of cyber threat where fraudsters register domain names closely resembling those of established companies. The intent is to deceive internet users into believing they are visiting a legitimate website. This technique involves subtle alterations in the domain name, such as minor spelling changes or different domain extensions, which can easily go unnoticed. In the first half of 2023, brands were targeted by an average of 39.4 lookalike domains each month, with a general trend upward. The primary purpose of these domains is to conduct fraudulent activities like phishing, data theft, or malware distribution. This rising trend underscores the critical importance of recognizing and understanding lookalike domains for businesses, as they are essential in safeguarding brand integrity and protecting customers from potential cyber threats.

    6 most common tactics of lookalike domain attacks

    Domain names are used by internet users to discover companies, services, professionals, and personal websites. By registering domain names that appear to be linked to other domains or companies, cybercriminals profit from users’ mistakes, exploiting the central role domain names play in how people reach businesses online. This practice is known as cybersquatting.

    To carry out domain-based attacks, attackers employ a variety of techniques, including phishing, social engineering, and malware. There are several ways criminals try to evade lookalike domain detection, from mimicking legitimate websites to relying on subtle differences that fool the untrained eye.

    Tactic 1: Copycatting

    Copycatting is one of the most prevalent methods criminals use to impersonate your website. In many cases, this is done by choosing an alternate top-level domain (TLD) or by appending additional TLDs to a domain name. Attackers with lookalike domains often employ these techniques to make people believe they are dealing with a respectable business, which makes phishing and other malicious attacks more likely to succeed: an attack launched from a site that looks authentic will be far more successful than one launched from a generic, disposable domain.

    The logo and brand name of your company will frequently appear on malicious domains in an attempt to fool visitors into thinking they are visiting a legitimate site. Unwitting victims may be persuaded to give personal or financial information or purchase counterfeit items from these similar domains because of the familiarity and confidence that these sites establish.

    Tactic 2: Combosquatting

    Combosquatting involves appending additional words or phrases to a well-known domain name. This creates a new domain that seems related to the original brand but is under the control of attackers. For example, a fraudulent website might use a domain like apple-support.com to impersonate a legitimate service from Apple.

    Tactic 3: Typosquatting

    Attackers are constantly on the lookout for new ways to defraud unwary internet users who are unlikely to realize that their traffic is being diverted to a fake site. In addition to typosquatting and homoglyphs, there are many other possibilities.

    “Typosquatting” is the registration of common URL misspellings that users are likely to make themselves or unlikely to notice. Typo-lookalike domain attacks are common when a company has not registered the domains that sit close to its real domain name. In addition to infringing trademarks, attackers may use legitimate images or other intellectual property to make malicious websites appear to be legitimate.

    Adding a letter to the organization’s name, such as the ‘i’ in the picture below, is an example of this practice:

    Tactic 4: Similar Top-Level Domain (TLD) exploitation

    Similar Top-Level Domain (TLD) exploitation is a tactic in lookalike domain attacks where cybercriminals register a domain using the same second-level domain (SLD) as a target brand but with a different TLD. For example, if the original website is example.com, attackers might register example.net, example.org, or example.biz. This approach relies on the user’s familiarity with the SLD of a well-known brand while overlooking the change in TLD, which could be as subtle as switching from a .com to a .net. The effectiveness of this tactic stems from the ease with which users might remember a brand’s name (the SLD) but not pay close attention to the TLD, making it a significant threat in the cybersecurity landscape.

    Tactic 5: Subdomain deception

    In subdomain deception, cybercriminals create a URL where the legitimate domain appears as a subdomain of an attacker-controlled domain. For instance, if the authentic site is example.com, the attacker might use a URL like example.com.maliciousdomain.com. At a glance, the URL gives the impression that it leads to a subdomain of example.com, leveraging the trust associated with the genuine domain. However, the actual domain being accessed is maliciousdomain.com, with example.com merely being a subdomain in this structure. This tactic is particularly deceptive because it exploits the common use of subdomains by legitimate businesses for various functions, such as support.example.com or shop.example.com.

    Users, accustomed to seeing such legitimate subdomains, might not immediately recognize the trick, making it an effective method for phishing or distributing malware. The key to this deception lies in the visual presentation of the URL, where the familiar name of a trusted brand is prominently placed to mask the nefarious intent of the actual domain in use.

    Tactic 6: IDN Homograph Attacks

    In IDN Homograph Attacks, attackers register domain names using characters from different scripts, such as Cyrillic or Greek, that visually resemble Latin script characters. For instance, a Cyrillic ‘a’ might be used in place of the Latin ‘a’, creating a domain name that appears identical to a well-known domain in Latin script. To an unsuspecting user, the deceptive domain looks exactly like the legitimate one, such as аpple.com (with a Cyrillic ‘а’) appearing as apple.com. This type of attack exploits the user’s familiarity with the visual appearance of a domain name, leveraging the fact that many characters in various scripts look alike but are technically different. The result is a URL that is visually indistinguishable from a trusted domain, making it an effective tool for phishing and other malicious activities. The challenge in countering these attacks lies in their subtlety and the reliance on the user’s inability to discern the slight differences in the script, underscoring the need for vigilance in verifying the authenticity of web addresses.
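As an added example that is not part of the original article, the following Python classifier labels a candidate domain with the tactic from the list above that it most resembles (subdomain deception, IDN homograph, TLD swap, typosquatting, or combosquatting). The confusables table, the edit-distance threshold of two, and the assumption that the last two labels form the registrable domain are my own simplifications; real tooling would use the full Unicode confusables list and a public-suffix list.

```python
# Added example (not from the article): classify a candidate domain by lookalike tactic.

# Constructed homoglyph table: a few Cyrillic/Greek letters that render like Latin ones.
# The real Unicode confusables list is far larger; this is illustrative only.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u03bf": "o",                 # Cyrillic es, ha; Greek omicron
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used for the typosquatting check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so homoglyphs can be inspected as characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or not valid IDNA): inspect it as given

def classify(brand: str, candidate: str) -> str:
    """Return the tactic `candidate` most likely uses against `brand` (e.g. 'apple.com')."""
    brand = brand.lower()
    brand_sld, brand_tld = brand.split(".", 1)
    labels = to_unicode(candidate.lower().rstrip(".")).split(".")
    if len(labels) < 2:
        return "unrelated"
    sld, tld = labels[-2], labels[-1]  # registrable part assumed to be the last two labels
    if sld == brand_sld and tld == brand_tld:
        return "same_domain"            # the brand itself or one of its own subdomains
    if brand_sld in labels[:-2]:
        return "subdomain_deception"    # e.g. example.com.maliciousdomain.com (Tactic 5)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in sld)
    if folded != sld and folded == brand_sld:
        return "idn_homograph"          # identical once confusables are folded to Latin (Tactic 6)
    if sld == brand_sld:
        return "tld_swap"               # same name, different TLD (Tactics 1 and 4)
    if 0 < levenshtein(sld, brand_sld) <= 2:
        return "typosquatting"          # one or two keystrokes away from the brand name (Tactic 3)
    if brand_sld in sld:
        return "combosquatting"         # brand name plus extra words, e.g. apple-support (Tactic 2)
    return "unrelated"
```

The classifier is the curation-side counterpart of a collection feed: run it over newly registered names from zone files or Certificate Transparency logs and keep only the non-"unrelated" results for analyst review.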


    What makes a lookalike domain attack possible?

    Most lookalike domain threats follow a common structure. Each stage of the process is laid out below:

    Step 1: Make use of a similar domain name.

    When an attacker is looking for a domain name to spoof, they first check to see if the registrar has any open variants and then register a similar domain name.

    Step 2: Publish DNS records

    Next, they publish DNS records: an A record if the domain will host a website, or an MX record if it will be used for email delivery, depending on the planned attack.

    Steps 3 and 4 (website): Make a website and distribute the URLs.

    Phishing sites are generally secured using free SSL certificates obtained by threat actors. A variety of methods will be used to disseminate the URL of the fake site.

    Steps 5 and 6 (email): Get an email server set up, and then start sending emails.

    Scammers stand up an email server to mount a BEC or ransomware attack, then craft and send emails to their intended victims.

    Why domain protection is necessary

    Domain names and the websites they host are critical to an organization’s online reputation and brand. They are often the first point of contact between your organization and a prospective client, business partner, or employee. Cybercriminals are fully aware of this and are attempting to exploit the present situation by launching similar domain name attacks.

    When malicious, impersonating websites damage the brand’s reputation, customers may choose to buy elsewhere. Both the customer and the retailer lose money as a consequence.

    Many companies keep tabs on domains relevant to their brand to make sure it is being portrayed correctly. Larger companies with a large number of subsidiary brands may find this approach much more challenging. It’s easy for businesses to become overwhelmed by the volume of notifications because of the pervasive nature of similar domain name attacks. To safeguard their brand, products, trademarks, and other intellectual property, businesses must keep a watch out for websites that may be imitating or pirating such items.

    Active monitoring of domains that may infringe on a company’s trademark is the only way to ensure it is protected.

    3 steps to defend your brand against lookalike domains

    An established and continuous strategy for data gathering, curation, and mitigation may help companies effectively monitor and detect risky lookalike domains. Adopting a multi-pronged strategy is considered excellent practice.

    1. Collection – the gathering of enough domain intelligence to spot possible risks

    2. Curation – analysis of the gathered intelligence to identify genuine domain threats and assemble adequate evidence

    3. Mitigation – the steps taken to reduce the risk posed by known domain threats

    1. Collection

    Organizations require access to new and current registered domain names to identify domain hazards. There are some good domain intelligence resources:

    • TLD zone files record every newly registered domain, and are published daily.
    • Certificate Transparency logs, fed by the millions of new SSL certificates issued every day, reveal current domains, subdomains, third-level domains, fourth-level domains, and so on.
    • DNS traffic contains the domain names being looked up and can be used to spot new domains.
    • Lookalike variants of your own domains can be generated and queried in DNS to determine whether such variants already exist.

    Domain intelligence gathered from the sources mentioned above can be scrutinized for signs of domain impersonation.

    2. Curation

    To detect possible risks, domain intelligence must be searched for brand-related phrases and variants.

    However, keywords may appear in domain strings by coincidence, so analysis is required to eliminate false positives from the process.

    Two separate elements of a domain can reveal whether it is genuinely a danger:

    1. Analyze the domain string and assign a score based on how likely it is to be confused with legitimate brand usage.

    • Does it closely match keywords?
    • Can you tell whether a word is different?
    • Are there any letters, symbols, or capitalizations that can cause a user to become confused?

    2. Examine the content by visiting each of the domain’s pages.

    • Does the domain host any content?
    • Does it appear to be associated with a reputable brand?

    It’s not always easy to tell if two pieces of information are connected or not. To assess if a suspicious domain is a threat, marketing, legal, or other company operations may need to review the domain.

    A second set of checks must be made once the domain is judged suspect:

    • A thorough review of all of the domain’s material should be conducted to uncover any illicit or harmful activity. Web pages should be thoroughly inspected by security experts in search of any indications of malicious activity.
    • Inspect the domain to see whether it has an MX record. This record lists the domain’s mail servers. If a domain has an MX record, it can send email even if it hosts no content, which BEC, email phishing, and spam operations take advantage of. MX records can therefore help determine whether a lookalike domain is malicious.
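The following added example (not the article’s or Red Points’ code) covers both the Collection bullet about querying DNS for lookalike variants and the MX check above: it generates common variants of a brand domain (TLD swap, omission, repetition, transposition, hyphenation, combosquatting) and triages those that resolve, flagging whether each can host a site (A record) or send mail (MX record). The resolver is a constructed stand-in that returns which record types exist; in practice you would replace `fake_resolve` with real lookups (for example via dnspython or `dig`).

```python
# Added example (not from the article): enumerate lookalike variants and triage them via DNS.

def variants(domain, extra_tlds=("net", "org", "biz", "co")):
    """Generate a set of lookalike candidates for a brand domain (subset of common tactics)."""
    sld, tld = domain.lower().split(".", 1)
    out = set()
    out.update(f"{sld}.{t}" for t in extra_tlds if t != tld)             # TLD swap
    for i in range(len(sld)):
        out.add(f"{sld[:i]}{sld[i + 1:]}.{tld}")                         # omitted letter
        out.add(f"{sld[:i]}{sld[i]}{sld[i:]}.{tld}")                     # repeated letter
        if i < len(sld) - 1:
            out.add(f"{sld[:i]}{sld[i + 1]}{sld[i]}{sld[i + 2:]}.{tld}")  # transposed letters
            out.add(f"{sld[:i + 1]}-{sld[i + 1:]}.{tld}")                # inserted hyphen
    for word in ("support", "login", "secure", "help"):
        out.add(f"{sld}-{word}.{tld}")                                   # combosquatting
    out.discard(domain.lower())
    return out

def triage(domain, resolve):
    """Return {variant: flags} for every variant that resolves.

    `resolve(name)` must return the set of record types present for `name`
    (e.g. {"A", "MX"}), or an empty set if the name does not exist.
    """
    findings = {}
    for name in sorted(variants(domain)):
        records = resolve(name)
        if not records:
            continue  # unregistered or NXDOMAIN: nothing to curate yet
        findings[name] = {
            "hosts_site": "A" in records,      # content to review for impersonation
            "can_send_mail": "MX" in records,  # BEC/phishing capability even with no site
        }
    return findings

# Constructed stand-in for DNS (no network): only these names "exist" in this example.
FAKE_DNS = {
    "exampel.com": {"A"},
    "example-login.com": {"A", "MX"},
    "example.net": {"MX"},
}

def fake_resolve(name):
    return FAKE_DNS.get(name, set())

if __name__ == "__main__":
    for name, flags in triage("example.com", fake_resolve).items():
        print(name, flags)
```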

    3. Mitigation

    Once a domain has been identified as a threat, it must be neutralized. Domain security teams should implement a thorough domain mitigation approach that involves removing the threat and using indicators to prevent internal users from accessing it.

    Attempts to visit lookalike domains by enterprise users and systems should be detected and prevented by incorporating them into internal intelligence and workflow procedures.

    Automated integration with intelligence and security tools and controls is ideal here, and this form of mitigation is unlikely to disrupt users. On the other hand, it does not address the danger posed by users who bypass security safeguards, nor the risk of brand and customer fraud outside the organization.

    Taking the malicious domain offline is the only surefire way to reduce the risk posed by a lookalike domain. Security teams must have enough proof to get a lookalike domain used for nefarious purposes shut down quickly. If no evidence is present when the domain is first discovered, the potentially harmful domain should be watched until proof of malicious content or activity is found that warrants its removal.

    Security teams can take down a domain once they have gathered enough evidence to support its removal. Domain registries generally have broad anti-abuse powers.

    When presented with evidence, they will often delete names that have been abused for:

    • Hosting phishing sites
    • Hosting malware
    • Botnet command and control
    • Disseminating material that encourages the exploitation of children

    In these cases, the registry can see that abuse is occurring. In other cases, however, a lookalike domain may be involved in fraud that the registry does not consider abusive, and it will not act without a court order or a request from law enforcement.

    Unfortunately, legal action is not the best way to deal with these threats. Shutting a domain down through legal action is extremely time-consuming and expensive, whether pursued through litigation or arbitration, and it does not scale to the volume of domain risks a brand faces. It is a last resort.

    This is where Red Points comes in to protect brands from similar domain attacks.

    Red Points Domain Management helps you to recognize and detect lookalike domains that are exploiting your brand. The heart of your online presence is your domain name. Any successful firm might face considerable hazards without adequate domain protection, including:

    • Reduced revenue from your website as a result of the business being diverted away by infringing websites.
    • Infringing domains are causing traffic to be redirected away from your official website.
    • Consumer health and safety are jeopardized due to distorted user perception.

    In three phases, Red Points helps businesses manage and protect their domain portfolio:

    • Find domains that include your trademark.
      • Obtain a historical list of all infringing domains by doing a brand audit.
      • Find and document all new infringing domains that have been registered.
    • Implement domain cancellation and recovery methods.
      • Notify domain owners who are infringing on your IP rights.
      • Suspend or regain control of your domain name by filing a complaint with the appropriate authorities.
    • Prevent future assaults by identifying domain portfolio gaps.
      • Get a complete view of your domain portfolio and make smart decisions with it.
      • Acquire and register domains following local administrative processes and mediation.

    By proactively finding and eliminating illegal lookalike domains, you can achieve positive results for your organization and restore customer confidence and brand integrity.

    For Keen, the adoption of a domain takedown strategy was crucial in safeguarding their clients from deceptive practices and fraud, while also preserving their corporate reputation.

    What’s next

    It is possible for lookalike domains to permanently damage an otherwise healthy organization. To guard against domain abuse, security teams need to be both proactive and comprehensive in their efforts.

    Following the steps outlined in this strategy should help security teams better understand domain risks, how to gather and evaluate domain intelligence, and techniques to employ to reduce threats caused by lookalike domain attacks on their networks.

    See how you can detect and enforce domains that exploit your brand with Red Points.
