Deciphering Look-Alike Domains: A Closer Look at this Exploding Phishing Tactic

Today’s cybercriminals are relying more heavily on executive and brand impersonations to reach their nefarious goals. Impersonation attacks aim to trick targeted users into believing that they’re receiving an email message from a person, company, or business partner they know and trust.

There are many different techniques that are used in impersonation attempts, such as display-name spoofing, owned domains, newly registered domains, and reply-to mismatch, but one common tactic that we’ll look at more closely in this blog is the use of domain look-alikes.

Look-a1ike domains still pose a real threat to unsuspecting recipients

Look-alike or spoofed domains are typically used in highly targeted impersonation attacks that zero in on the reader’s ability to differentiate mail from trusted sources from those using visually similar source addresses. Spoofed domains are designed to appear legit to the eye, and attackers can directly control their sending configurations to pass authentication checks.

The use of look-alike domains, while not new, is gaining in popularity with attackers. The advent of internationalized domains creates boundless spoofing possibilities for phishers seeking to evade company defenses. The support of many alphabets on the internet has made the already large number of possible similarities, such as the letters “rn” being similar looking to the letter “m,” or the number “1” looking like the letter “l” infinitely more numerous.

So, how does this impersonation method work?

Look-alike domains use visual perception and deception. In many cases, the look-alike domain may contain a typographical variation, such as omitting a letter, transposing letters, or substituting one letter for another, often next to it on a keyboard.

Here’s an <exarnple> of a domain look-alike where the “r” and the “n” appear as the letter “m”.

Here’s another example: <lol1ipop>. Look closely. Did you see the word “lollipop”? The domain name does not contain the letter “L” but instead contains the number “1″ which can look like the letter “L”!

With domain look-alikes, attackers register a homograph or cousin domain in order to impersonate users from a specific organization. The phisher’s “From” address looks close enough to the impersonated brand’s domain to fool trusting recipients. In other words, an attacker either registers or spoofs a domain name that looks like one your organization actually uses, and then sends mail from the faked domain to people inside your real domain. For example, an attacker could use the spoofed domain to pose as your company’s CFO and send an email to a finance team member directing that he or she executes a fund transfer.

Want to change the way you manage email risk?

Domain look-alikes–a deceiving trend or here to stay?

Impersonation attacks are on the rise, but how big is the problem really? In the past six months, we’ve seen a return to form on attempted domain spoofs, which dropped off earlier this year in favor of a more basic form of spoofed “return path” emails.

GreatHorn recently conducted a survey of information security professionals, and the results indicate some frightening stats. 50% of respondents said that they see impersonation emails (executive, brand, or third-party impersonations) in their inboxes on at least a monthly basis. It’s easy to understand why so many organizations are falling victim to these types of attacks, considering that for every one of these spoofs, there was a potential multi-million-dollar wire transfer fraud attempt.

With the increased use of domain look-alikes, security teams need the ability to detect the wide variety of spoofing techniques.

Relying on legacy technology designed to catch standard malware and spam isn’t good enough. Fortunately, there are technical solutions, such as more sophisticated detection methods as part of an email security solution that flags these malicious messages attempting to impersonate well-known brands, customers of your organization, or your organization’s own domains.

Read our latest press release to learn more about GreatHorn’s newly-patented detection method that identifies fraudulent email messages that impersonate either the target’s company domain or a well-known brand.

Get Your FREE Email Threat Assessment

Learn what advanced threats are currently getting through your existing email security and into your end users’ mailboxes.