Lookalike Domain

A lookalike domain is a fake domain intentionally created by threat actors to deceive people into thinking it is the real thing. They are often used to steal sensitive information through phishing or commit other online fraud.


What is a Lookalike Domain?


Lookalike domains, also known as cousin, spoofed, doppelgänger, or fake domains, are designed to imitate a legitimate brand's domain name and trick users into believing they are visiting the genuine brand's website. Lookalike domains can be used for phishing attacks, where cybercriminals send emails or create fake websites that appear to be from a legitimate organization, in an attempt to steal sensitive information such as login credentials or financial information.

How Do Lookalike Domains Work?


Lookalike domains typically work by creating a domain name that is similar to a well-known, legitimate domain name, often with small changes that are easy to miss. For example, a lookalike domain might replace a letter with a similar-looking character, such as a capital "I" instead of a lowercase "l", or add extra letters or numbers to the domain name.

Here are some examples of well-known domain names and possible lookalike domains.

  • netflix.com – netfilx.com
  • facebook.com – faceb00k.com
  • LinkedIn.com – linkedln.com
  • amazon.com – amazonstore.com

Once the lookalike domain is created, the person or group behind the domain can use it to create a fake website or send emails that appear to be from a legitimate organization. These fake websites and emails are often used in phishing attacks, where the goal is to trick people into entering sensitive information such as login credentials or financial information.

Spotting a spoofed domain can be challenging, particularly if you are not actively searching for one. The brain's natural tendency is to read words as a whole rather than individual letters, making it easy to overlook misspellings.

It is even more challenging to notice deliberately camouflaged errors like replacing certain letters with similar-looking symbols, homoglyphs, or numbers. Criminals know this, and they use it to their advantage.


The Danger of Lookalike Domains


Lookalike domains can make it hard to identify a phishing email. The sender's address may look legitimate, and the criminal may use security measures such as DKIM and SPF authentication to avoid detection. This makes it difficult for email security systems to block fake emails. Unlike traditional phishing attacks that are sent to a large number of people in a spray and prey type attack, lookalike domains are often used in more targeted attacks.

Often, lookalike domains are used in Business Email Compromise (BEC) scams. BEC attacks leverage social engineering to make emails more believable. A sense of urgency is used to pressure victims into doing sensitive actions such as forwarding sensitive business info or making payments. The criminals use social media sites such as LinkedIn and Facebook to gather information on their target and send them an email using a lookalike domain of their company.

To protect against BEC scams and lookalike domains, it's important for employees to be aware of these types of attacks and to be cautious when receiving requests for sensitive information or money transfers. It's also a good idea for companies to establish protocols for verifying the authenticity of these types of requests, such as requiring a secondary form of authentication or confirmation before completing a money transfer.

Here are some additional steps that companies can take to protect against lookalike domains:

Tips for Preventing and Dealing with Lookalike Domains

Tip #1 Buying possible lookalike domains

Although it is not feasible for a business to buy all the alternatives to their domain name, they can purchase the most obvious ones to avoid malicious actors from acquiring those domains.

Tip #2 Communicating with clients

Businesses should educate their clients on threats, such as lookalike domains. Every business should tell their clients the importance of double-checking the form addresses in any email they receive. Clients should also be encouraged to report any lookalike domains they come across so that the business can take action against such domains by reporting them to registrars and hosting providers.

Tip #3 Using Two-factor authentication
Two-factor authentication is a vital security measure that each business should set up. Two-factor authentication adds an extra barrier for criminals. Even if threat actors manage to get someone's credentials, they get a short window of time to capture the 2FA token and use it to log in successfully before it expires.

Tip #4 Investing in education and awareness

Companies should educate employees on cyber-attacks, such as lookalike domains and BEC attacks. Because security mechanisms do not detect lookalike domains, it is up to each email recipient to double-check each email they receive to ensure it is from a credible source.

Tip #5 Reporting lookalike domains

Businesses should also proactively search online to identify domain registrations that closely resemble theirs. Any domain name too close to the business's domain that readers might not tell the difference should be monitored for malicious activity. Suppose the domain shows any hints of malicious brand impersonation or involvement in malicious activity. In that case, the domain should be reported to the registrar and hosting provider for a takedown.

Every year, cybercriminals create numerous lookalike domains to dupe unsuspecting victims into providing banking details or sending money to criminals. The lookalike domains are also used to divert traffic from websites, distribute malware, and also as part of BEC and phishing attacks. Businesses must stay vigilant if they hope to detect and stop attacks before they happen.