Lookalike domains, also known as cousin domains or doppelganger domains, are domains that closely imitate legitimate domains in order to deceive users. They have become a major threat in recent years, being used extensively in phishing and other cyberattacks.
What Are Lookalike Domains?
A lookalike domain is designed to be visually similar to a legitimate domain, with only minor differences that are hard to detect at a glance. For example, a lookalike might replace the letter “l” with the number “1”, use a different top-level domain like .net instead of .com, or add extra words or characters.
Attackers often choose domain names that closely resemble well-known brands and websites that users are likely to recognize and trust. The goal is to deceive targets into thinking they are visiting a legitimate site when in fact they are visiting a fake phishing site controlled by the attacker.
Some of the most common lookalike techniques include:
- Typosquatting – registering common misspellings of a popular domain name (a character omitted, doubled, transposed, or replaced by a neighbouring key)
- Homoglyph attacks – substituting characters that look alike, either within the Latin alphabet (a capital “I” for a lowercase “l”, the digit “0” for “o”) or from other scripts such as Cyrillic or Greek, which are registered in punycode (“xn--…”) form but rendered as familiar-looking letters
- Combosquatting – joining the real brand name to extra words or separators, such as “brand-login” or “brand-support”, so the genuine name still appears in the domain
- Soundsquatting – using homophones, words that sound alike when an address is spoken or remembered
- Copycatting – registering the brand name under a different top-level domain (TLD) or with an extra label appended, then copying your company’s logo and branding onto the site so users believe they are on the legitimate one
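The categories above are easiest to understand by generating them. The following is an added example, not code from the original article: it enumerates typosquat, homoglyph, combosquat and TLD-swap candidates for a brand domain, which is also what a registration-monitoring scan has to cover. The substitution tables, keyword list and TLD list are constructed assumptions, not exhaustive data sets, and the example assumes a single-label TLD.

```python
"""Enumerate lookalike candidates for a brand domain (added example)."""

# Characters commonly swapped for a Latin letter (constructed subset of the
# Unicode confusables data, not an exhaustive table).
HOMOGLYPHS = {
    "a": ["\u0430", "\u03b1", "\u00e0"],   # Cyrillic a, Greek alpha, a-grave
    "e": ["\u0435", "\u00e9"],             # Cyrillic ie, e-acute
    "i": ["1", "l"],
    "l": ["1", "I"],                       # digit one, capital I (the PaypaI trick)
    "o": ["0", "\u043e", "\u03bf"],        # zero, Cyrillic o, Greek omicron
    "p": ["\u0440"],                       # Cyrillic er
    "c": ["\u0441"],                       # Cyrillic es
}

# Neighbouring keys on a QWERTY layout for fat-finger typos (constructed subset).
ADJACENT = {
    "a": "qws", "e": "wrd", "i": "uok", "l": "kop", "o": "ipl",
    "p": "ol", "s": "adw", "t": "ry", "y": "tu",
}

COMBO_WORDS = ["login", "secure", "support", "billing"]   # constructed
TLDS = ["com", "net", "org", "co", "info"]                 # constructed


def split_domain(domain):
    """'paypal.com' -> ('paypal', 'com'); assumes a single-label TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def typosquats(name):
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                      # omission:      papal
        out.add(name[:i] + ch + ch + name[i + 1:])            # repetition:    payypal
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: payapl
        for key in ADJACENT.get(ch, ""):
            out.add(name[:i] + key + name[i + 1:])            # adjacent key:  paypsl
    out.discard(name)
    return sorted(out)


def homoglyphs(name):
    out = set()
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(name[:i] + sub + name[i + 1:])
    return sorted(out)


def combosquats(name):
    out = set()
    for w in COMBO_WORDS:
        out.update({f"{name}-{w}", f"{name}{w}", f"{w}-{name}", f"{w}{name}"})
    return sorted(out)


def tld_swaps(name, tld):
    return sorted(f"{name}.{t}" for t in TLDS if t != tld)


def to_ascii(domain):
    """IDNA-encode so non-Latin candidates appear as they do in DNS (xn--...)."""
    return domain.encode("idna").decode("ascii")


def generate(domain):
    """Return {category: [candidate domains]} for every squatting technique."""
    name, tld = split_domain(domain)
    return {
        "typosquat": [f"{n}.{tld}" for n in typosquats(name)],
        "homoglyph": [to_ascii(f"{n}.{tld}") for n in homoglyphs(name)],
        "combosquat": [f"{n}.{tld}" for n in combosquats(name)],
        "tld_swap": tld_swaps(name, tld),
    }


if __name__ == "__main__":
    for category, candidates in generate("paypal.com").items():
        print(f"{category}: {len(candidates)} candidates, e.g. {candidates[:3]}")
```

The homoglyph list is emitted in punycode because that is the string a registrar, a certificate transparency log or a DNS query will actually show; a candidate that starts with `xn--` is the one a user's browser may render as the real brand.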
Why Lookalike Domains Are Dangerous
The inherent danger of lookalike domains comes from their ability to credibly impersonate legitimate websites and domains. They allow attackers to create convincing phishing sites and emails that victims perceive as trustworthy. Some of the risks include:
- Phishing – stealing login credentials, financial info, sensitive data
- Malware distribution – fake sites push malware downloads
- Scams – defraud users via fake lookalike e-commerce sites
- Brand impersonation – damages the brand reputation and trust
Major brands are frequent targets as users readily recognize them and may share sensitive data without realizing the site is fake. However, lookalike domains can target any individual or business if the attacker knows their domain name.
Real-World Examples of Lookalike Domains
Some real-world examples of lookalike domains used in attacks:
- Fᙓcebook[.]com – impersonating Facebook (homoglyph attack; the second character is a non-Latin letter)
- PaypaI[.]com – impersonating PayPal (homoglyph attack; a capital “I” stands in for the lowercase “l”)
- Apⲣle[.]com – impersonating Apple (homoglyph attack; the “p” is a non-Latin letter)
- Twltter[.]com – typosquatting on Twitter (a lowercase “l” in place of the “i”)
- Bank0fAmerica[.]net – impersonating Bank of America with a zero for the “o” and the .net TLD instead of .com
These examples showcase the dangerous effectiveness of lookalike domains. The differences are subtle and hard to detect at first glance. Users often realize the mistake too late, after they’ve entered sensitive information or downloaded malware.
How to Spot Lookalike Domains
Here are some tips on how to spot lookalike domains:
- Carefully examine the URL spelling – look for substitutions, typos, and added words
- Verify the domain extension – .com vs .net etc.
- Do not treat the padlock icon as proof of legitimacy – it only means the connection is encrypted, and attackers routinely obtain valid certificates for lookalike domains; a missing padlock is a warning sign, but its presence says nothing about who owns the site
- Hover over hyperlinks to preview the URL before clicking, and read the domain from right to left: the registered domain is the part just before the TLD, not a familiar brand name placed in a subdomain
- Be wary of emails asking for login or sensitive info
No single method is foolproof, so utilizing multiple detection techniques is recommended. The most secure approach is simply not providing any sensitive data unless you are 100% certain the website is legitimate.
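The checks above can be automated for a link before anyone clicks it. The following is an added example, not code from the original article: it extracts the hostname, decodes punycode, flags non-Latin and mixed-script labels, compares the registered domain against a list of protected brands with a normalised edit distance, and catches a brand name joined to extra words or hidden in a subdomain. The brand list and the small confusables map are constructed assumptions, and the registrable domain is approximated from the last two or three labels instead of the Public Suffix List.

```python
"""Inspect a URL for lookalike-domain tricks (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed brand list: brand keyword -> the domain that is genuinely theirs.
PROTECTED_BRANDS = {"paypal": "paypal.com", "apple": "apple.com", "facebook": "facebook.com"}

# Non-Latin letters and digits that stand in for Latin letters (constructed
# subset; a production tool would use the Unicode TR39 confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
               "\u03b1": "a", "\u03bf": "o",                                                # Greek
               "0": "o", "1": "l"}

COMMON_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}   # e.g. bank.co.uk


def to_punycode(host):
    return host.encode("idna").decode("ascii")


def from_punycode(host):
    """Render xn-- labels as the user sees them; leave non-decodable hosts alone."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(label):
    """Reduce a label to the ASCII string a hurried reader perceives."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def scripts(label):
    """Set of script names (first word of the Unicode character name) for letters in label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def registrable_domain(host):
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in COMMON_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    host = from_punycode(urlsplit(url).hostname or "")
    if host in PROTECTED_BRANDS.values():
        return findings
    labels = host.split(".")
    for label in labels:
        s = scripts(label)
        if len(s) > 1:
            findings.append(f"mixed-script label {label!r} ({', '.join(sorted(s))})")
        elif s and s != {"LATIN"}:
            findings.append(f"non-Latin label {label!r} ({s.pop()})")
    reg = registrable_domain(host)
    reg_label = skeleton(reg.split(".")[0])
    sub_labels = [skeleton(lab) for lab in labels[:-len(reg.split("."))]]
    for brand, legit in PROTECTED_BRANDS.items():
        if reg == legit:
            continue
        d = levenshtein(reg_label, brand)
        if d <= 2:   # identical after normalisation, or a typo or two away
            findings.append(f"{reg!r} resembles {legit!r} (edit distance {d} after normalisation)")
        elif brand in reg_label:
            findings.append(f"{reg!r} embeds brand {brand!r} with extra words (combosquat)")
        if any(brand in lab for lab in sub_labels):
            findings.append(f"brand {brand!r} appears only in a subdomain of {reg!r}")
    return findings


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "https://paypaI.com/login",
              "https://paypal.com.secure-login.net/verify", "https://" + to_punycode("p\u0430ypal.com")):
        print(u, "->", inspect_url(u) or "ok")
```

Note that the URL parser lowercases the hostname, so the capital-I trick is caught as an ordinary one-character edit, and that a host is compared by its registered domain: `paypal.com.secure-login.net` is owned by whoever registered `secure-login.net`, whatever the left-hand labels say.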
Protecting Yourself from Lookalike Domains
For individuals, the following precautions can help protect against lookalike domains:
- Verify URLs before entering login credentials or sensitive info
- Use URL preview plugins that show the real URL
- Avoid clicking links in unsolicited emails
- Use unique passwords for each account and enable two-factor authentication
- Keep software updated and use antivirus protection
- Monitor financial accounts and credit reports for suspicious activity
For businesses, technical protections include:
- Defensively register similar domains and common typos of your own so they cannot be abused.
- Configure SPF, DKIM, and DMARC email authentication. These stop attackers from forging your exact domain, but a lookalike domain the attacker owns passes its own authentication checks, so they complement rather than replace lookalike monitoring.
- Scan for typosquats and other lookalikes of your domains using threat intelligence and new-registration feeds.
- Educate employees on phishing and lookalike attacks.
- Use web proxy filtering to block access to identified fake domains.
- Enforce strict cybersecurity policies on networks and devices.
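Email authentication is only worth listing if the records are strict, and the weak forms are common. The following is an added example, not code from the original article: it parses an SPF and a DMARC record and reports the settings that leave the domain spoofable, with a weak record shown beside its corrected form. The sample records are constructed; in practice they come from the domain's DNS TXT records (and the `_dmarc` subdomain). The limit stated above still applies: these records authenticate mail for the exact domain that publishes them and do nothing against a lookalike domain the attacker registered.

```python
"""Check SPF and DMARC records for spoofable settings (added example)."""

# Constructed records: the weak configuration beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

# SPF terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """'v=DMARC1; p=none' -> {'v': 'DMARC1', 'p': 'none'}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return findings for an SPF record; an empty list means it is strict."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    terms = [t.lower() for t in terms[1:]]
    tail = terms[-1] if terms else ""
    if tail in ("all", "+all"):
        findings.append("+all: any host may send mail as this domain")
    elif tail == "?all":
        findings.append("?all: neutral result, effectively no enforcement")
    elif tail == "~all":
        findings.append("~all: softfail, spoofed mail is marked rather than rejected")
    elif tail != "-all":
        findings.append("no terminal all mechanism: unlisted senders get a neutral result")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0] in DNS_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror, no SPF protection)")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports of spoofing attempts are never sent")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"subdomain policy {sub_policy or 'unset'}: subdomains remain spoofable")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, check_spf(spf) + check_dmarc(dmarc) or ["enforcing"])
```

A `p=none` DMARC record is the usual starting point for a rollout, and many domains never move past it; until the policy is `reject` and `pct` is 100, receivers are told to deliver forged mail from your exact domain.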
For high-risk transactions like wire transfers, calling to verbally confirm new information before sending funds can prevent business email compromise scams exploiting lookalikes.
Continuously monitoring new domain registrations that contain or closely resemble your brand name can also help detect and take down emerging lookalike threats early, before they are used in attacks.
Lookalike Domains in Phishing Campaigns
Phishing is one of the most common uses of lookalike domains. Because the attacker owns the lookalike domain, mail sent from it carries its own passing SPF, DKIM and DMARC results and is not stopped by controls that only detect forgery of the real domain; the deception rests on the recipient reading the address as the brand they already know. One industry report put lookalike domains at roughly 100 times the prevalence of typosquatting domains in phishing, though the ratio varies with how the categories are defined.
In a typical phishing attack utilizing a lookalike domain:
- The attacker registers a domain that closely imitates the target brand.
- Phishing emails are sent from the lookalike domain, styled to look as though they come from the legitimate brand.
- The email directs the user to a fake login page hosted on the lookalike domain.
- The user enters login credentials, not realizing the domain is fake.
- The attacker uses the stolen credentials to access the victim’s accounts.
This simple but highly effective attack exploits the human tendency to recognize a brand at a glance rather than examine the full domain name in an email address or hyperlink.
Defending against phishing requires training employees to identify subtle differences in domains and instilling a habit of verifying a domain before entering any sensitive information. Technical controls such as DMARC stop attackers from sending mail as your exact domain, but they do not block mail from a lookalike domain the attacker controls; for those, rely on inbound filtering that flags domains resembling your own or your vendors’, external-sender banners, and lookalike monitoring.
Combating Business Email Compromise
In addition to phishing, lookalike domains enable business email compromise (BEC) scams targeting organizations. According to the FBI, BEC scams accounted for over $43 billion in losses between 2016 and 2021.
A typical attack unfolds as:
- The attacker sends an email from a lookalike of a known vendor’s domain so that it appears to come from a familiar contact.
- The email requests updated payment information or new wire instructions.
- The company sends payments per the instructions to the attacker’s bank account.
- The funds are withdrawn before the company realizes the email did not come from the vendor.
Defending against these scams again comes down to training and policies that mandate verbal confirmation, via a phone number already on file, of any payment or account change, rather than trusting an email domain that merely looks right. Technical measures such as tagging external senders, flagging inbound mail from domains that resemble known vendors’ domains, and restricting vendor collaboration to vetted platforms can also limit BEC vectors.
Protecting Customers from Lookalike Confusion
Another consideration is protecting your own customers from lookalike domains impersonating your business domain. This can jeopardize customer trust and data if they are duped into providing info to fake support sites.
- Educate customers on lookalike threats and on how to verify your genuine domains
- File trademarks to aid takedowns of infringing domains
- Purchase defensively similar domains to prevent their abuse
- Monitor new registrations for typosquats and other lookalikes of your domains
- Report fake domains and seek their suspension or takedown
Maintaining awareness of lookalike threats and being proactive in defending your domain space is key to avoiding confusion that could expose your customers.
The Future of Lookalike Domain Defense
As long as popular internet brands exist, lookalike domains will remain a threat for impersonation and phishing. Advances in AI may produce more convincing fake domains and phishing content, but human vigilance will still be needed.
Proactive defenses will require greater collaboration across registrars, security vendors, and businesses to identify and block lookalike domains at the point of registration before they can be used maliciously.
Ongoing security awareness training is essential for employees to adopt behaviors that include taking a few extra seconds to verify a domain rather than assuming an email or site is legitimate based on a quick glance. Backed by the right technical controls, this human layer builds resilience against the menace of deceptive lookalike domains.