The Anatomy of a Look-alike Domain Attack

Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

In this post, we’ll show how often the most common threat types show up, walk through the process of creating a look-alike domain threat from an attacker’s perspective, and share helpful resources that will enable security professionals to minimize the risk these threats pose to their organizations.

Distribution of Common Threat Types

Look-alike domain attacks reach millions of Internet users each year. The graph below represents a sampling of 50,000 threats we typically encounter and the pervasiveness of each type. 

Figure: Distribution of Look-alike Domain Threat Types

The most common use of a look-alike domain is to set up a Website with Monetized Links. This approach is not necessarily malicious, yet it accomplishes multiple objectives:

  1. The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website. 
  2. They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams. 
  3. If the related organization decides they want to buy the domain, the registrant can name their price for the transfer of ownership.

Phishing Sites are the second most popular type of threat, and often lead to account takeover attacks. Customers are prompted to enter their credentials on a fake website, and scammers take control of their online accounts with little effort to engage in fraudulent activity.

Unauthorized Brand Association is a common method that scammers use to piggyback on a trusted brand’s reputation. They typically use an organization’s logo and colors to lend credibility to their company or event.

The most dangerous threat, Malware Delivery, happens to be the least common we observe in connection with look-alike domains. These typically manifest as banking Trojans or Ransomware attacks, and they are extremely effective as just one incident can cause a significant amount of damage.

The Mechanics of a Look-Alike Domain Attack

Most look-alike domain threats have a common structure. Below are the steps in the creation process.

Figure: Steps to Create a Look-alike Domain Threat

Step 1: Create, find, and register a look-alike domain

Scammers will first scout out successful businesses to impersonate, then find legitimate domains the company already owns or uses. They’ll use techniques to slightly modify the domain like changing the TLD, using hyphenation, and transposing, adding, or omitting letters.

As they formulate new names, they will usually check for availability against the WHOIS database using free online search tools. If they can’t quickly find a name, or decide to create a large-scale attack, a more sophisticated scammer might automate this part of the process by writing a script that generates hundreds or thousands of variations and programmatically queries the WHOIS database to find which ones are available.

Once they find their preferred name(s), they’ll choose a registrar and register it online. Most scammers select from several registrars that are cheap or free and allow them to hide their identity.

Step 2: Create DNS records

Most web hosting companies offer domain, website, email, and DNS hosting with simple tools to add or update DNS resource records. However, threat actors sometimes choose to use a different provider for each service. Spreading their attacks across multiple vendors adds a layer of complexity and can make takedown more difficult.

To set up an attack using a website, the next step is to configure an “A” or “Address” record. As the most fundamental type of DNS record, an A record maps the domain or a subdomain to an IPv4 address. An AAAA record, also known as a quad-A record, does the same job but maps the name to an IPv6 address.

If a threat actor plans to send emails as part of their attack, they would configure an “MX” or “Mail Exchanger” record to indicate which mail server is responsible for sending and receiving email messages on behalf of the specified domain name.

Steps 3 and 4 (website): Build the website and distribute links

Most threat actors obtain SSL certificates for fake websites to add a layer of legitimacy. SSL certification can be anonymous, obtained at no cost, and very effective at giving an appearance of safety.

Once they build a website, they’ll share a link in various ways – usually via spam, SMS, blog comments, or in phishing emails. 

Steps 3 and 4 (email): Set up email server and send emails

For an email-based threat like a Business Email Compromise (BEC) scam or ransomware attack, a scammer might visit LinkedIn or other social media platforms to find names and email addresses of company employees to use when setting up email accounts. This added step may take time, yet it can significantly increase the appearance of authenticity.

Emails might be sent from servers where the domain was registered, from the website hosting provider, or from a mailer program on a compromised or third-party website. The goal is to increase deliverability rates and evade detection, so attackers will change tactics as often as needed.

The last step in the process includes crafting emails, distributing them to targets, and waiting for the results. 

How to Protect Your Organization 

Enterprises can effectively protect themselves from look-alike domain threats by implementing an ongoing process for data collection, intelligence curation, and threat mitigation.

However, detecting and shutting down the immediate attack is not always sufficient. Cybercriminals can easily replace websites, phone numbers, and hosts to resume their attacks.

Look-alike domains have the ability to harm an otherwise healthy organization, sometimes permanently. Because of the various ways that domains can be abused, security teams must be both proactive and thorough in order to protect against fraudulent activity.
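As an added defender-side example (not code from the original post), the script below turns the Step 1 permutation techniques (TLD change, hyphenation, transposition, added and omitted letters) into a watchlist for an organization's own brand domain and matches it against a batch of newly observed domains, which is the data-collection step described above. The brand domain, TLD list and observed domains are constructed sample data.

```python
# Constructed sample input: the brand domain a defender monitors and a batch of
# newly observed domains (for example from a zone-file or passive-DNS feed).
BRAND = "examplebank.com"
OBSERVED = [
    "examplebank.net",      # TLD change
    "example-bank.com",     # hyphenation
    "exampelbank.com",      # transposed letters
    "exampleebank.com",     # added letter
    "examplbank.com",       # omitted letter
    "unrelated-site.org",   # benign, should not be flagged
]
# Constructed TLD list; a real deployment would use the full set of interest.
TLDS = ["com", "net", "org", "co", "info", "biz"]
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def permutations(domain):
    """Return the set of look-alike candidates for one brand domain, built with
    the five modification techniques the post lists (original domain excluded)."""
    label, _, tld = domain.partition(".")
    out = set()
    for alt in TLDS:                                  # TLD change
        out.add(f"{label}.{alt}")
    for i in range(1, len(label)):                    # hyphenation
        out.add(f"{label[:i]}-{label[i:]}.{tld}")
    for i in range(len(label) - 1):                   # transposition of neighbours
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")
    for i in range(len(label)):                       # omission of one letter
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) + 1):                   # insertion of one letter
        for ch in LETTERS:
            out.add(f"{label[:i]}{ch}{label[i:]}.{tld}")
    out.discard(domain)                               # never flag the real domain
    return out


def flag_lookalikes(observed, brand):
    """Return the observed domains that fall in the brand's watchlist, for triage."""
    watchlist = permutations(brand)
    return sorted(d.lower() for d in observed if d.lower() in watchlist)


if __name__ == "__main__":
    for hit in flag_lookalikes(OBSERVED, BRAND):
        print("review:", hit)
```

Hits are candidates for review, not verdicts; a parked domain with monetized links and a phishing site both land on this list and are separated by the curation step.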

Look-alike domain resources:

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Tricia Harris. Read the original post at: