Matthew Gardiner

by Matthew Gardiner

Director of Enterprise Security Campaigns

Posted Oct 11, 2018

Here’s what to know about look-alike domain attacks.

There are many kinds of attacks in the arsenal of your typical cybercriminal. One that has proven itself to be especially effective and thus increasingly popular comes down to tricking users into thinking they’re clicking on a webpage—or getting an email—from a person or organization (business partner or web site) they think they know and can trust.

In reality, that interaction was just the newest way to hand sensitive information to an attacker. Now there is talk in the security industry of these look-alike, or cousin, domain attacks becoming more prevalent.

A recent article by Information Age highlighted key findings from cybersecurity firm Venafi about look-alike domain attacks leveraging online shopping sites—attacks that appear to be on the rise as more and more retail business is done online.

In these attacks, cybercriminals replace a few characters in a URL to create a similar but different domain, and they will often scrape the pages from the legitimate site to make things look even more realistic. They pick popular sites, or sites of organizations your organization does business with, to mimic, and users with an untrained eye will click away and enter data none the wiser. At that point it becomes incredibly easy for these attackers to steal sensitive data, login credentials and money from unsuspecting victims.

In many cases, these pages have a trusted TLS certificate, so the padlock appears in the browser, and that makes it even harder for users to tell a legitimate site from an illegitimate one.

What Look-Alike Domain Attacks Mean for Business Users

Of course, these attacks don’t only happen against consumers. Look-alike domains are used as a tactic against business users to steal corporate IP, login credentials, or money. For example, an attacker could use the spoofed domain to pose as a company CFO and send an email to a subordinate finance worker directing that they execute a fund transfer.

The use of look-alike domains, while not new, is gaining in popularity with attackers. The advent of internationalized domain names, support for many international alphabets on the internet, and Punycode encoding have made the already very large number of possible visual similarities, such as “rn” resembling an “m,” far more numerous.

This is also one area where user awareness training can only get you so far. The combination of validly issued certificates and HTML scraped from legitimate web sites makes it near impossible for user awareness alone to detect these types of attacks.

Fortunately, there are technical means, such as advanced similarity checks as part of an email security system, that can be applied to ferret out those attacks that attempt to impersonate well-known internet brands, business partners of the organization, or your organization’s own domains.
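As an added illustration of the kind of similarity check the paragraph above refers to (example code written for this post, not Mimecast's own detection logic), the Python below decodes Punycode, reduces a domain to a confusable "skeleton", and compares it against a list of protected domains. The confusable map is a small hand-built subset, and every domain used is a constructed sample.

```python
import unicodedata

# Constructed toy subset of a confusables table: ASCII digraphs/digits and
# common Cyrillic/Greek letters mapped onto the Latin letter they resemble.
# A production check would use the full Unicode confusables data.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
}

def to_unicode(domain):
    """Turn Punycode (xn--) labels back into the Unicode a user would see."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not a valid IDNA label

def skeleton(domain):
    """Comparison form: decode Punycode, lowercase, strip accents, then
    replace confusable glyphs so that 'rnimecast' and 'mimecast' agree."""
    text = unicodedata.normalize("NFKD", to_unicode(domain)).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(src, dst)
    return text

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(candidate, protected, max_dist=1):
    """Return (protected_domain, reason) if candidate impersonates one of the
    protected domains without being identical to it; None otherwise."""
    cand = candidate.lower().rstrip(".")
    if cand in {p.lower() for p in protected}:
        return None  # the genuine domain itself is not a look-alike
    for p in protected:
        if skeleton(cand) == skeleton(p):
            return p, "homoglyph"
        if edit_distance(skeleton(cand), skeleton(p)) <= max_dist:
            return p, "typo"
    return None
```

In an email gateway this would run over the sender domain and every link host in a message, with the protected list holding your own domains, key partners and the brands your users are most likely to trust.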
