Cybercriminals constantly create new tactics to trick their targets, exploiting typographical variations and emerging technologies to build convincing domain impersonations. Familiarising yourself with some common strategies helps you prepare your team for the next domain phishing scam heading your way.
Below, you’ll find ten common domain impersonation strategies. Learning each strategy informs your threat intelligence with the insights required to unmask digital attackers. Each point also includes a technical solution, provided by our anti-phishing experts.
1. Doppelgänger domain impersonation
Doppelgängers, or eerily identical twins, often crop up in horror films and ghost stories. The same goes for phishing websites: a doppelgänger domain looks like a legitimate fully qualified domain name (FQDN) but drops the dot that separates the host or subdomain label from the registered domain. What is left is a brand-new registrable domain, such as www-genericdomain.com, that anyone can buy and that reads like the real www.genericdomain.com.
Examples for genericdomain.com
- www-genericdomain.com
- wwwgenericdomain.com
Solution: You can tackle doppelgängers reactively or proactively. Reactively, you ask the registrar, hosting provider or another authority to take a suspicious domain down once it appears. Proactively, you register the most plausible variants yourself or block them through registry blocking services before a cybercriminal gets to them. Keep in mind that a missing-dot variant exists for every hostname you expose (www, mail, login, vpn), so start the list from your real subdomain inventory.
2. IDN Spoofing
IDN stands for Internationalized Domain Names. IDNs allow labels written in scripts such as Cyrillic, Greek, Arabic and Chinese, and several characters in those scripts look the same as Latin letters: the Greek “α” in place of the Latin “a”, or the Cyrillic “е” in place of its Latin counterpart. In an IDN homoglyph attack, the cybercriminal substitutes such lookalike characters into a legitimate domain name. In the DNS, WHOIS and certificate records the label is stored in its Punycode form (an ASCII label beginning with xn--); only the browser converts it back to the Unicode lookalike for display. Modern browsers fall back to showing the Punycode form when a single label mixes scripts, but a label written entirely in one lookalike script still renders as the spoof.
Examples for genericdomain.com
- genericdօmain.com
- genericdomαin.com
Solution: To get ahead of IDN spoofers, enumerate the domains that are visually confusable with your brand, and check them in their Punycode (xn--) form, since that is what registration data and certificate logs contain. If necessary, block or register any variants that look vulnerable to a spoofing attack.
3. Homographic impersonation
Characters and character sequences that look alike are known as homoglyphs, and attacks built on them are usually called homograph attacks. The lower-case letter "l" and the digit "1" are a classic pair, as are the capital letter "O" and the digit "0".
Sequences count too: "cl" reads as "d", and "rn" or "nn" read as "m" in many fonts. Phishing attackers intentionally exploit this confusion in their domain spoofing tactics, and because these lookalikes are pure ASCII, unlike IDN spoofing there is no Punycode tell-tale to spot.
Examples for genericdomain.com
- genericclomain.com
- genericdonnain.com
Solution: Make sure you know which homoglyph variants of your domain are available or already registered, because any of them could divert your online traffic. Review them and register the ones that matter.
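The IDN spoofing and homographic impersonation sections above both come down to the same check: does a candidate label collapse to the brand's label once lookalike characters are normalised? The following is an added example, not code from the original article, that implements that check in Python. The confusables table is a small constructed subset (the full list is Unicode's confusables.txt), the script detection derives the script from each character's Unicode name, and the Punycode form comes from Python's built-in idna codec.

```python
import unicodedata

# Constructed, illustrative subset of visually confusable characters mapped to
# the Latin letter or digit they imitate. The authoritative source is Unicode's
# confusables.txt; a production tool should load that instead.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "α": "a", "ο": "o", "ν": "v", "ι": "i", "ρ": "p",                      # Greek
    "օ": "o",                                                             # Armenian
    "0": "o", "1": "l", "ı": "i",                                         # digits, dotless i
}
# Multi-character sequences that read as a single letter in many fonts.
SEQUENCES = [("cl", "d"), ("rn", "m"), ("nn", "m"), ("vv", "w")]


def skeleton(label: str) -> str:
    """Collapse a label to an ASCII skeleton so that lookalikes compare equal."""
    out = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    for seq, repl in SEQUENCES:
        out = out.replace(seq, repl)
    return out


def scripts(label: str) -> set:
    """Unicode scripts of the letters in a label, taken from the first word of
    each character's Unicode name ('CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def analyse(candidate: str, brand: str) -> dict:
    """Compare the first label of a candidate domain against the brand label."""
    label = candidate.split(".")[0]
    brand_label = brand.split(".")[0]
    try:
        # Python's idna codec produces the Punycode (xn--) form that appears in
        # DNS, WHOIS and certificate records.
        ace = label.encode("idna").decode("ascii")
    except UnicodeError:
        ace = None
    found = scripts(label)
    return {
        "candidate": candidate,
        "punycode": ace,
        "is_idn": ace is not None and ace.startswith("xn--"),
        "scripts": sorted(found),
        "mixed_script": len(found) > 1,
        "lookalike": skeleton(label) == skeleton(brand_label),
    }


# Constructed candidates: the article's own examples plus one unrelated name.
BRAND = "genericdomain.com"
CANDIDATES = [
    "genericdօmain.com",   # Armenian օ in place of o
    "genericdomαin.com",   # Greek α in place of a
    "genericclomain.com",  # "cl" in place of "d"
    "genericdonnain.com",  # "nn" in place of "m"
    "example.com",
]


def lookalikes(brand: str = BRAND, candidates=CANDIDATES) -> list:
    """Return the candidates whose skeleton matches the brand's."""
    return [c for c in candidates if analyse(c, brand)["lookalike"]]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(analyse(c, BRAND))
```

The `is_idn` and `mixed_script` flags separate the two tactics: the Armenian and Greek examples are IDNs with mixed scripts (and would be shown as xn-- labels by a browser), while the "cl" and "nn" examples are plain ASCII and trip only the skeleton comparison. Feed the candidate list from certificate transparency or passive DNS output, and treat any lookalike you did not register yourself as a takedown target.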
4. Typo-squatting
Everyone makes mistakes, especially when writing or typing in a rush. Typo-squatting makes the most of those mistakes: attackers register domains built from the common typos of a target brand. The variations come from keyboard key proximity (a neighbouring key hit instead of the intended one), omitted, doubled or transposed letters, and the typos that differ between keyboard layouts such as QWERTY, AZERTY and QWERTZ.
Examples for genericdomain.com
- genericdomian.com
- genericdimain.com
Solution: Again, proactive businesses research the common typos around their brand, either with tooling such as Corporate Domain Management or by generating and checking the variants manually, and fall back on takedown requests for typo domains that someone else has already registered.
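Generating the typo variants described above is mechanical, so here is an added example (not code from the original article, and not the dnstwist tool that practitioners typically use for this) that enumerates single-keystroke slips for a domain label. The QWERTY adjacency map is constructed for the example; other layouts can be passed in as a different map.

```python
# Constructed QWERTY adjacency map (letters only). Other layouts such as AZERTY
# or QWERTZ need their own map; the generator takes the map as a parameter.
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm",
    "m": "njk",
}


def typo_candidates(label: str, layout: dict = QWERTY) -> dict:
    """Map each single-keystroke variant of `label` to the kind of slip that
    produces it. Where several slips give the same string, the first wins."""
    label = label.lower()
    found = {}
    n = len(label)
    for i, ch in enumerate(label):
        found.setdefault(label[:i] + label[i + 1:], "omission")          # dropped key
        found.setdefault(label[:i] + ch + label[i:], "repetition")        # double tap
        if i < n - 1:                                                     # swapped pair
            found.setdefault(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        for adj in layout.get(ch, ""):                                    # neighbouring key
            found.setdefault(label[:i] + adj + label[i + 1:], "replacement")
            found.setdefault(label[:i] + adj + label[i:], "insertion")
            found.setdefault(label[:i + 1] + adj + label[i + 1:], "insertion")
    found.pop(label, None)  # the correct spelling is not a typo
    return found


def typo_domains(domain: str, layout: dict = QWERTY) -> dict:
    """Apply the generator to the registrable label and re-attach the TLD."""
    label, _, tld = domain.lower().partition(".")
    return {f"{cand}.{tld}": kind for cand, kind in typo_candidates(label, layout).items()}


def summary(domain: str, layout: dict = QWERTY) -> dict:
    """Count candidates per slip type: a first sizing of the defensive-registration budget."""
    counts = {}
    for kind in typo_domains(domain, layout).values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    variants = typo_domains("genericdomain.com")
    print(len(variants), "candidates", summary("genericdomain.com"))
    for name in ("genericdomian.com", "genericdimain.com"):
        print(name, variants[name])
```

The output list is the input for the next step, a bulk availability or WHOIS check: the candidates that are already registered by someone else go on the monitoring and takedown list, and the few that matter most (the transpositions and adjacent-key hits on the brand's vowels usually rank highest) are worth registering defensively.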
5. TLD Squatting
Crafty criminals register the identical name to their target brand, but on a different top-level domain (TLD). The internet's governance bodies ICANN (the Internet Corporation for Assigned Names and Numbers) and IANA (the Internet Assigned Numbers Authority) have delegated over 1,500 TLDs, leaving plenty of options for attackers to spoof legitimate brands. Phishing gangs could impersonate your brand across country code TLDs like .su (Soviet Union) or generic TLDs like .zip and .xyz.
Examples for genericdomain.com
- genericdomain.cm
- genericdomain.co
- genericdomain.pk
Solution: As a digital strategy best practice, businesses should register their domain in each country they operate in and wherever they own trademarks, and register the brand name on the major gTLDs (generic top-level domains). You can also record your marks with the TMCH (Trademark Clearinghouse) and subscribe to registry blocking services such as DPML (Domains Protected Marks List) and Adult Block, which prevent third parties from registering your mark across the participating TLDs.
6. Combo Squatting
Brands typically support their customers with various digital resources, often registering domains that combine their business name with the name of a service. These combinations open another spoofing vector for phishing attacks.
Combo squatting occurs when phishing attackers create variations of the target in which a generic word like "support", or a country name, is joined to the brand in the domain name.
Examples for genericdomain.com
- genericdomain-support.com
- genericdomain-france.com
- genericdomaingermany.com
Solution: Review the lists of words most commonly combined with brand names in the domain name space (support, login, account, and the names of the countries you operate in), and register the combinations that matter for your brand.
7. Level Squatting
This simple yet effective attack takes an existing domain name and puts the whole string, dots included, at the front of a domain the attacker controls, so the brand appears as a chain of subdomains. To the untrained eye these look like legitimate extensions of the brand, worth trusting with login information or financial details. A visitor in a rush may not even clock the real registered domain at the end of the name, and falls victim to a malicious phishing attack.
Examples for genericdomain.com
- genericdomain.com.shady-domain.net
Solution: Businesses catch level squatting by monitoring sources such as passive DNS and Certificate Transparency (CT) logs for hostnames that contain their domain as an inner label. The attacker needs a certificate for the long hostname to get the padlock, and publicly trusted certificates are logged to CT as a condition of browser trust, so the spoof usually shows up there before the first phishing email goes out.
8. Subdomain Takeover
Cloud services benefit businesses and their users alike, but they also hand attackers hostnames with your name in them. Two related tactics matter here. The first is plain impersonation: anyone can sign up for a tenant called genericdomain on a platform that issues <tenant>.<platform> hostnames, and the result looks official. The second is a true subdomain takeover: your own DNS still contains a CNAME (for a retired shop, blog or campaign site) pointing at such a platform hostname after the resource behind it was deleted; the attacker claims that hostname on the platform, and shop.genericdomain.com now serves their content under your domain, with your reputation attached.
Examples for genericdomain.com
- genericdomain.azurewebsites.net
- genericdomain.atlassian.net
- genericdomain.gitlab.io
- genericdomain.wixsite.com
Solution: Similarly, businesses can monitor passive DNS and Certificate Transparency logs for their brand name appearing as the first label under cloud platform domains. For takeover specifically, audit your own zones for CNAME records whose targets no longer resolve, then delete the record or reclaim the resource. A dangling record is the precondition for a takeover, so this audit of your own DNS is the control you fully own.
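The level squatting and subdomain takeover sections both recommend monitoring passive DNS and certificate logs; the following added example (not code from the original article) shows what that monitoring logic looks like in Python. It classifies hostnames from constructed CT-style records (one hostname per line in a `name_value` field, as CT search services commonly return) and audits a constructed zone for dangling CNAMEs. The public-suffix stand-in and the cloud platform list are illustrative assumptions, and the resolver is a stub: in production, replace `fake_resolve` with a real DNS lookup.

```python
# Constructed stand-in for the Public Suffix List. Real tooling should use the
# PSL (for example via the tldextract package), not this three-entry set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Platforms that hand every tenant a hostname of the form <tenant>.<suffix>.
# Illustrative list; extend it with the platforms your organisation uses.
CLOUD_TENANT_SUFFIXES = {
    "azurewebsites.net", "atlassian.net", "gitlab.io", "wixsite.com",
    "github.io", "herokuapp.com",
}


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the last two are a known multi-label suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str, brand: str) -> str:
    """own-domain, cloud-tenant, level-squat or unrelated."""
    host, brand = host.lower(), brand.lower()
    labels = host.split(".")
    brand_label = brand.split(".")[0]
    reg = registrable_domain(host)
    if reg == brand:
        return "own-domain"
    if reg in CLOUD_TENANT_SUFFIXES and labels[0] == brand_label:
        return "cloud-tenant"
    if brand_label in labels[:-2]:  # brand buried below someone else's registrable domain
        return "level-squat"
    return "unrelated"  # typos, combos and homoglyphs are handled by other checks


def scan_ct(entries, brand: str) -> dict:
    """Group hostnames from CT search records by classification."""
    groups = {}
    for entry in entries:
        for host in entry["name_value"].splitlines():
            host = host.lstrip("*.")  # wildcard certs list *.host
            groups.setdefault(classify(host, brand), []).append(host)
    return groups


def dangling_cnames(zone, resolve) -> list:
    """CNAMEs in your own zone that point at a cloud-tenant hostname which no
    longer resolves: the precondition for a subdomain takeover. `resolve` is a
    callable host -> bool."""
    return [
        (name, target)
        for name, rtype, target in zone
        if rtype == "CNAME"
        and registrable_domain(target) in CLOUD_TENANT_SUFFIXES
        and not resolve(target)
    ]


# Constructed sample data.
SAMPLE_CT = [
    {"name_value": "login.genericdomain.com"},
    {"name_value": "genericdomain.com.shady-domain.net"},
    {"name_value": "genericdomain.azurewebsites.net\n*.genericdomain.azurewebsites.net"},
    {"name_value": "secure-genericdomain.com"},
]
SAMPLE_ZONE = [
    ("www.genericdomain.com", "A", "203.0.113.10"),
    ("shop.genericdomain.com", "CNAME", "genericdomain-shop.azurewebsites.net"),
    ("old-blog.genericdomain.com", "CNAME", "genericdomain-blog.herokuapp.com"),
]
LIVE_HOSTS = {"genericdomain-shop.azurewebsites.net"}  # constructed resolver state


def fake_resolve(host: str) -> bool:
    """Stub: pretend only the names in LIVE_HOSTS still resolve."""
    return host in LIVE_HOSTS


if __name__ == "__main__":
    print(scan_ct(SAMPLE_CT, "genericdomain.com"))
    print(dangling_cnames(SAMPLE_ZONE, fake_resolve))
```

With a real resolver, NXDOMAIN on the CNAME target is the classic takeover signal, but some platforms keep the name resolving and answer with a "no such app" page instead, so a production check should also look at the HTTP response of the target. The `old-blog` record in the sample is the one to delete today, before someone else creates a herokuapp tenant with that name.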
9. Domain Shadowing and subdomain impersonation
Beyond their audience, phishing attackers also target businesses and their domain admins directly. With a compromised registrar or DNS-provider account, a criminal can create any number of subdomains under the legitimate domain. These inherit the domain's age and reputation, so they pass reputation filters that would block a freshly registered lookalike, and because the main site keeps working as before, the owner may not notice for a long time.
Examples for genericdomain.com
- suspicious.genericdomain.com
Solution: Defending against domain shadowing requires robust account security at the registrar and DNS provider, including 2FA, IP allow-listing, four-eyes review of changes, activity logs with alerting on unexpected new records, and more. You can find out more about each of those strategies, and how to implement them for your business, in our CTO's domain cybersecurity checklist.
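Activity logs only help if something reads them, so here is an added example (not code from the original article) of the detection side of domain shadowing: diff two zone exports and alert on new records that point outside the organisation's known address ranges and CNAME targets. The snapshots and the allow-lists are constructed for the example; in practice the snapshots come from your DNS provider's export or API.

```python
import ipaddress

# Constructed allow-lists: address ranges and CNAME targets the organisation
# legitimately uses. A newly created record pointing elsewhere is an alert.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")]
KNOWN_CNAME_SUFFIXES = (".azurewebsites.net", ".cloudfront.net")


def added_records(before, after) -> list:
    """Records present in the new zone snapshot but not in the old one."""
    return sorted(set(after) - set(before))


def is_suspicious(record) -> bool:
    """True when the record's target is outside everything we know we own."""
    name, rtype, value = record
    if rtype in ("A", "AAAA"):
        addr = ipaddress.ip_address(value)
        return not any(addr in net for net in KNOWN_RANGES)
    if rtype == "CNAME":
        return not value.lower().endswith(KNOWN_CNAME_SUFFIXES)
    return False  # TXT, MX and others: review by hand


def shadowing_alerts(before, after) -> list:
    """New records that send traffic somewhere the organisation does not control."""
    return [r for r in added_records(before, after) if is_suspicious(r)]


# Constructed snapshots: the zone as exported yesterday and today.
YESTERDAY = {
    ("genericdomain.com", "A", "203.0.113.10"),
    ("www.genericdomain.com", "A", "203.0.113.10"),
    ("shop.genericdomain.com", "CNAME", "genericdomain-shop.azurewebsites.net"),
}
TODAY = YESTERDAY | {
    ("cdn2.genericdomain.com", "CNAME", "d111111abcdef8.cloudfront.net"),  # legitimate change
    ("api6.genericdomain.com", "AAAA", "2001:db8:1::10"),                 # inside known range
    ("suspicious.genericdomain.com", "A", "198.51.100.77"),               # attacker-created
}


if __name__ == "__main__":
    for record in shadowing_alerts(YESTERDAY, TODAY):
        print("ALERT new record outside known infrastructure:", record)
```

Run this from a scheduled job against every zone you own; a change that a four-eyes process did not approve, or that points at an address you cannot account for, is the signal that a registrar or DNS credential has been misused.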
10. Sound-squatting
Last but not least, it's important to acknowledge emerging technology in the battle against domain impersonations. Cybercriminals also exploit smart devices and voice control, registering phishing domains that sound like their targets as well as, or instead of, looking like them.
Homophones therefore let a phishing attacker trick visitors who are unfamiliar with written English, who hear a domain read out rather than seeing it, or who rely on voice assistants to open it.
Examples for genericdomain.com
- jenericdomain.com
- generikdomain.com
- genericdomane.com
Solution: Tackling this last tactic also takes research and manual effort, or support from Corporate Domain Management experts. Enumerate the domains that sound like your brand when read aloud, check whether each is available or already registered, and register the ones across the likeliest impersonation vectors.
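Finding aural matches can be automated with a phonetic key: two labels that reduce to the same key sound alike. The following added example (not code from the original article) uses a small constructed rule set rather than a standard algorithm such as Soundex or Metaphone, which a practitioner would take from a library; the candidate list is also constructed and reuses the article's examples.

```python
import re


def phonetic_key(label: str) -> str:
    """Constructed, simplified sound-alike key: rewrite English spellings that
    share a pronunciation, collapse doubled letters and drop every vowel except
    a leading one. Not Soundex or Metaphone; use a library for production."""
    s = re.sub(r"[^a-z]", "", label.lower())        # hyphens and digits do not sound
    for src, dst in (("ph", "f"), ("ck", "k"), ("qu", "kw"), ("wh", "w")):
        s = s.replace(src, dst)
    s = re.sub(r"c(?=[eiy])", "s", s)               # soft c (cent) -> s
    s = s.replace("c", "k")                         # hard c (cat) -> k
    s = re.sub(r"g(?=[eiy])", "j", s)               # soft g (generic) -> j
    s = s.replace("z", "s")
    s = re.sub(r"(.)\1+", r"\1", s)                 # doubled letters: book -> bok
    return s[:1] + re.sub(r"[aeiouy]", "", s[1:])


def sound_alikes(brand: str, candidates) -> list:
    """Candidates whose first label has the same phonetic key as the brand's."""
    key = phonetic_key(brand.split(".")[0])
    return [c for c in candidates if phonetic_key(c.split(".")[0]) == key]


# Constructed candidates: the article's examples plus controls.
CANDIDATES = [
    "jenericdomain.com", "generikdomain.com", "genericdomane.com",
    "generic-domain.com", "genericdomain.com", "example.com",
]


if __name__ == "__main__":
    print(phonetic_key("genericdomain"))
    print(sound_alikes("genericdomain.com", CANDIDATES))
```

Run the key over a large candidate set (for instance, the output of a typo generator plus dictionary words spliced into the brand) and everything sharing the brand's key is a sound-squatting candidate to check and, where it matters, register.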
Conclusions
Understanding these common domain phishing strategies helps you build an effective foundational awareness of the threats facing your business. However, knowledge in the abstract only takes you so far. Proactive steps like training your team, detecting domain threats, and eliminating impersonations deliver a safe, productive landscape for yourself and your clients.