
Designed to Deceive: 6 Common Look-alike Domain Tactics

Learn 6 common look-alike domain tactics, some of the ways attackers use look-alike domains, and steps you can take to reduce your risk.
January 30, 2024

With threat actors lurking around every digital corner, scrolling through an inbox can feel like traversing a minefield. Employing various strategies to deceive their targets, attackers count on end-user oversight to convince the recipients of their malicious emails that the messages (and any included requests) are legitimate.

One effective strategy is the use of look-alike domains: domain names that closely resemble the domain of a real website but are altered slightly to trick targets into visiting fraudulent sites. From subtle character substitutions to Unicode manipulations, threat actors have myriad methods for exploiting human error with these deceptive domains.

In this article, we’ll explore six common look-alike domain tactics, discuss some of the ways attackers use look-alike domains, and share steps you can take to reduce your risk.

6 Ways Attackers Generate Look-alike Domains

1. Using Similar-Looking Letters

Look-alike domains often use similar-looking letters to fool targets. For instance, a lowercase “i” looks enough like a lowercase “l” to pass muster, and vice versa. In practice, this might look like “googie[.]com” instead of “google[.]com” or “wlklpedia[.]org” instead of “wikipedia[.]org.”

Another strategy is to use a double “n” instead of an “m.” In this case, “abnormalsecurity[.]com” becomes “abnornnalsecurity[.]com.” The reverse works too: “cnn[.]com” becomes “cm[.]com.” Bad actors also like to put an “r” next to an “n” to resemble an “m,” as in “rnicrosoft[.]com” instead of “microsoft[.]com.”

2. Replacing Letters with Numbers

Sometimes cyberattackers use numbers instead of letters. For example, they may swap the number zero for the letter “o”, as in “yah00[.]com.” Other examples include using the number one for the letter “l” or the number five for “s.” Compared to some other look-alike tactics, these are easier for users to spot due to the difference in size and shape of the characters. Nevertheless, employees can and do fall for these deceptions.

3. Substituting Foreign-Language Letters

Homoglyphs are characters that come from different alphabets or character sets but look visually similar or identical to one another, especially when displayed in certain fonts or styles.

Attackers often use homoglyphs in look-alike domains, for example substituting the Latin letter "o" (U+006F) with its near-identical counterpart "о" from the Cyrillic alphabet (U+043E). This subtle manipulation can easily go unnoticed at first glance, making it difficult for targets to discern the fraudulent nature of the domain. Under the hood the two names are entirely different: a host name containing non-ASCII characters is stored in DNS in Punycode form, which begins with "xn--", and browsers commonly fall back to showing that form in the address bar when a name mixes scripts. Seeing "xn--" where a familiar brand was expected is a reliable warning sign.

4. Adding, Removing, or Transposing Letters

The human brain has a built-in autocorrect feature. Because our cognitive processes are tuned to anticipate and interpret information based on familiar patterns and expectations, we often automatically fill in the gaps and correct perceived errors, such as spelling mistakes.

Attackers exploit this by strategically altering domain names through the addition, removal, or rearrangement of letters. For example, “insurrance[.]com” instead of “insurance[.]com”, “travelcity[.]com” instead of “travelocity[.]com,” or “abnomralsecurity[.]com” instead of “abnormalsecurity[.]com.”

5. Utilizing Fake Protocols and Manipulating Domains

Because users often overlook the beginning of an address, attackers use strings that resemble a protocol, such as "httpss" instead of "https," counting on the reader to skim past the extra character. They also engage in subdomain spoofing, turning legitimate addresses like "login.bank[.]com" into deceptive variants like "login-bank[.]com." The difference matters: "login.bank[.]com" is a subdomain controlled by whoever owns "bank[.]com," whereas "login-bank[.]com" is a completely separate domain that anyone can register. The part of a host name that identifies its owner is the registrable domain (the label immediately before the top-level domain, plus that TLD); everything to its left is chosen by the registrant.

Threat actors also prepend or append common words to legitimate domain names, such as "secure-google-login[.]com,” or swap the top-level domain, replacing ".com" with alternatives such as ".co" or ".ai." Both of those are legitimate country-code TLDs (Colombia and Anguilla, respectively), and many organizations do register international and custom domains, which is exactly why such variants blend in and why attackers can capitalize on the resulting confusion.

6. Inserting Unicode Characters

Another especially crafty method is Unicode character abuse. Slashes (/) are what the eye expects to see separating the host from the path in an address bar, but when they are replaced by look-alike characters such as U+2044 FRACTION SLASH (⁄) or U+2215 DIVISION SLASH (∕), the URL parser no longer sees any path separators. The text that reads as "github[.]com" followed by a path is then just the beginning of one much longer host name, and the site the link actually reaches is whatever that string resolves to, not GitHub.

Could you tell the difference between the legitimate address and the malicious address below?

  • hxxps://github[.]com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
  • hxxps://github[.]com∕kubernetes∕kubernetes∕archive∕refs∕tags∕v1271.zip

This approach can fool even vigilant security professionals, because the eye has no way to tell the two glyphs apart. The reliable check is mechanical: copy the link and inspect which host the browser or a URL parser actually extracts from it.
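The checks implied by sections 5 and 6 (which host a URL really points at, what its registrable domain is, and whether it carries slash look-alikes) can be scripted with nothing but the standard library. The Python below is an added example, not code from the original article or from Abnormal. It assumes a tiny stand-in for the Public Suffix List, a hypothetical allowlist of the organization's own domains and a list of protected brand words; real tooling would load the full Public Suffix List (for example via the tldextract package). The sample URLs are constructed from the article's examples, with real dots in place of the "[.]" defanging.

```python
"""Host-level checks for the URL-structure tactics in sections 5 and 6.

Added example; not code from the original article.  The public-suffix set,
the allowlist and the brand list are illustrative assumptions.
"""
from __future__ import annotations

from typing import List, Set
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List.  Real tooling
# should load the full list (for example via the tldextract package).
PUBLIC_SUFFIXES = {"com", "org", "net", "co", "ai", "zip", "co.uk"}

# Characters that render like "/" but are ordinary text to a URL parser.
SLASH_LOOKALIKES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, e.g. login.bank.com -> bank.com.
    This is the part a reader has to check; everything left of it is chosen
    by whoever registered that domain."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):          # longest suffix wins
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def analyze(url: str, allowlist: Set[str], brands: Set[str]) -> List[str]:
    """Return human-readable findings for `url`.  An empty list means the URL
    points at an allowlisted registrable domain and shows no look-alike tricks."""
    findings: List[str] = []
    for ch in url:                                   # tactic 6: fake slashes
        if ch in SLASH_LOOKALIKES:
            findings.append(f"slash look-alike U+{ord(ch):04X} ({SLASH_LOOKALIKES[ch]})")
            break
    try:
        parts = urlsplit(url)
    except ValueError as exc:   # e.g. full-width characters that NFKC-fold to '/'
        findings.append(f"URL parser rejected it: {exc}")
        return findings
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):        # tactic 5: 'httpss' and friends
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if not host.isascii():
        findings.append("host contains non-ASCII characters: " + host)
    reg = registrable_domain(host)
    if reg in allowlist:
        return findings
    label, _, suffix = reg.partition(".")
    for allowed in allowlist:                        # tactic 5: swapped TLD
        a_label, _, a_suffix = allowed.partition(".")
        if label == a_label and suffix != a_suffix:
            findings.append(f"TLD swap: {reg} is not {allowed}")
    for brand in brands:                             # tactic 5: brand inside another domain
        if brand in host:
            findings.append(f"brand {brand!r} in host but registrable domain is {reg}")
    if not findings:
        findings.append(f"registrable domain {reg} not in allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample links based on the article's examples.
    samples = [
        "https://login.bank.com/signin",
        "https://login-bank.com/signin",
        "https://secure-google-login.com/",
        "https://google.co/",
        "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
        "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs"
        "\u2215tags\u2215v1271.zip",
    ]
    for link in samples:
        print(link)
        for finding in analyze(link, {"bank.com", "google.com", "github.com"},
                               {"bank", "google", "github"}) or ["ok"]:
            print("   ", finding)
```

Running the last sample shows why the two GitHub links in the comparison above are not the same: with U+2215 in place of "/", the parser's host is the entire string after "https://", and its registrable domain ends in ".zip", which is a real top-level domain, rather than in "github.com".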

How Threat Actors Use Look-alike Domains

The three most common ways threat actors utilize look-alike domains are phishing emails, typosquatting, and brand impersonation.

Look-alike domains are often a key component of phishing emails and social engineering attacks as they help enhance the credibility and authenticity of the fraudulent communications. This enables attackers to deceive recipients and manipulate them into divulging sensitive information or performing harmful actions.

Typosquatting involves registering domain names that are intentionally similar to popular and legitimate websites but contain slight typographical errors. For example, they might register "googgle[.]com" instead of "google[.]com." Also known as URL hijacking, it’s a deceptive tactic used by cybercriminals to capitalize on typos made by internet users when typing in a website's domain name.

Attackers also register domains that closely resemble the names of well-known brands and then use these domains to host fake websites that mimic the branding, layout, and content of the legitimate sites. This can be as simple as “microsoft-security[.]com” instead of “microsoft[.]com/en-us/security.” Hackers can also merge words that are commonly associated with legitimate websites, like "slacksecurity[.]com."

The risks associated with look-alike domains can grow when combined with other activities, like poor password hygiene and malware attacks. Reused passwords can give hackers access to multiple accounts, and malware attacks can compromise or corrupt devices.

Defending Against Attacks Leveraging Look-alike Domains

By recognizing common look-alike domain tactics, practicing safe browsing habits, and remaining alert, you can substantially reduce the risk posed by these fraudulent websites.

Here are a few ways to avoid falling prey to look-alike domains:

  • Read the full host name yourself, working from the right: the registrable domain (the label just before the top-level domain, plus that TLD) is what identifies the owner, no matter what appears to its left.

  • Rather than clicking links found in emails, type the web address into the address bar yourself.

  • Type the intended website into a trusted search engine to ensure you’re landing on the website you intended.

If you think you’ve fallen prey to a look-alike domain attack, do not share any sensitive information, download anything, or sign into the website. Report it to your security team as soon as possible.

While staying cautious is a good defense against cybercrime, it’s not perfect. Organizations can protect their employees from malicious emails containing suspicious links by using Abnormal Security. Abnormal analyzes email behavior to identify malicious links, even when they mimic trusted websites. By leveraging AI and machine learning, Abnormal proactively blocks emails with malicious URLs before they reach employees.

For more insight into popular attack strategies, download our report, 5 Emerging Email Attacks to Watch For in 2024.
