Why Look-Alike Domain Attacks Are Rising

There are many kinds of attacks in the arsenal of your typical cybercriminal. One that has proven itself to be especially effective and thus increasingly popular comes down to tricking users into thinking they’re clicking on a webpage—or getting an email—from a person or organization (business partner or web site) they think they know and can trust.

But, that interaction was really just the newest way to lose sensitive information to an attacker. Now, there’s talk in the security industry about these look-alike or cousin domain attacks becoming more prevalent.

A recent article by Information Age highlighted key findings from cybersecurity firm Venafi about look-alike domain attacks leveraging online shopping sites—attacks that appear to be on the rise as more and more retail business is done online.

In these attacks, cybercriminals replace a few characters in a URL to create a similar but different domain and they will often scrape the pages from the legitimate site to make things look even more realistic. They’ll pick popular sites or sites of organization’s your organization does business with to mimic and users with an untrained eye will click away and enter data none the wiser. At that point it becomes incredibly easy for these attackers to steal sensitive data, login credentials and money from unsuspecting victims.

It many cases, these pages have a trusted TLS certificate – thus the lock in the browser is there - and that makes it even harder for users to differentiate a legitimate site from an illegitimate one.

What Look-Alike Domain Attacks Mean for Business Users

Of course, these attacks don’t only happen against consumers. Look-alike domains are used as a tactic against business users to steal corporate IP, login credentials, or money. For example, an attacker could use the spoofed domain to pose as a company CFO and send an email to a subordinate finance worker directing that they execute a fund transfer.

The use of look-alike domains, while not new, are gaining in popularity with attackers. The advent of internationalized domain names, the support of many international alphabets on the internet, and punycode has made the very large number of possible similarities, such as “rn” being similar looking to an “m,” infinitely more numerous.

This is also one area where user awareness training can only get you so far. The combination of the issuance of valid certificates and the scraping of html from legitimate web sites makes it near impossible for user awareness alone to detect these types of attacks.

Fortunately, there are technical means, such as advanced similarity checks as part of an email security system, that can be applied to ferret out those attacks that attempt to impersonate well-known internet brands, business partners of the organization, or your organization’s own domains.