Designed to Deceive: 6 Common Look-alike Domain Tactics

Learn 6 common look-alike domain tactics, some of the ways attackers use look-alike domains, and steps you can take to reduce your risk.
January 30, 2024

With threat actors lurking around every digital corner, it can sometimes make scrolling through an inbox feel like traversing a minefield. Employing various strategies to deceive their targets, attackers count on end-user oversight to convince the recipients of their malicious emails that the messages (and any included requests) are legitimate.

One effective strategy is the use of look-alike domains—URLs that closely resemble the domain of a real website but are altered slightly to trick targets into visiting fraudulent sites. From subtle character substitutions to Unicode manipulations, threat actors have myriad methods for exploiting human error with these deceptive domains.

In this article, we’ll explore six common look-alike domain tactics, discuss some of the ways attackers use look-alike domains, and share steps you can take to reduce your risk.

6 Ways Attackers Generate Look-alike Domains

1. Using Similar-Looking Letters

Look-alike domains often use similar-looking letters to fool targets. For instance, a lowercase “i” looks enough like a lowercase “l” to pass muster, and vice versa. In practice, this might look like “googie[.]com” instead of “google[.]com” or “wlklpedia[.]org” instead of “wikipedia[.]org.”

Another strategy is to use a double “n” instead of an “m.” In this case, “abnormalsecurity[.]com” becomes “abnornnalsecurity[.]com.” Alternatively, “cnn[.]com” becomes “cm[.]com.” Bad actors also like to put an “r” next to an “n” to resemble an “m,” as in “rnicrosoft[.]com” instead of “microsoft[.]com.”

2. Replacing Letters with Numbers

Sometimes cyberattackers use numbers instead of letters. For example, they may swap the number zero for the letter “o”, as in “yah00[.]com.” Other examples include using the number one for the letter “l” or the number five for “s.” Compared to some other look-alike tactics, these are easier for users to spot due to the difference in size and shape of the characters. Nevertheless, employees can and do fall for these deceptions.

3. Substituting Foreign-Language Letters

Homoglyphs are characters that come from different alphabets or character sets but look visually similar or identical to one another, especially when displayed in certain fonts or styles.

Attackers often use homoglyphs in look-alike domains—for example, substituting the English letter "o" with its near-identical counterpart "о" from the Cyrillic alphabet. This subtle manipulation can easily go unnoticed at first glance, making it difficult for targets to discern the fraudulent nature of the domain.

4. Adding, Removing, or Transposing Letters

The human brain has a built-in autocorrect feature. Because our cognitive processes are tuned to anticipate and interpret information based on familiar patterns and expectations, we often automatically fill in the gaps and correct perceived errors, such as spelling mistakes.

Attackers exploit this by strategically altering domain names through the addition, removal, or rearrangement of letters. For example, “insurrance[.]com” instead of “insurance[.]com”, “travelcity[.]com” instead of “travelocity[.]com,” or “abnomralsecurity[.]com” instead of “abnormalsecurity[.]com.”

5. Utilizing Fake Protocols and Manipulating Domains

Because users often overlook the beginning of a domain, attackers will utilize non-standard protocols like "httpss" instead of "https." Additionally, they engage in subdomain spoofing, transforming legitimate addresses like "[.]com" into deceptive variants like "login-bank[.]com."

Threat actors also append common prefixes or suffixes to legitimate domain names, such as "secure-google-login[.]com,” or manipulate top-level domains, replacing ".com" with alternatives such as ".co" or ".ai." While legitimate international and custom domains exist, these manipulations contribute to user confusion, which attackers can capitalize on.

6. Inserting Unicode Characters

Another especially crafty method is Unicode character abuse. Slashes (/) are commonly seen in address bars, but when they are replaced by certain Unicode characters (u+2044 or u+2215), they can direct users to some scary places.

Could you tell the difference between the legitimate address and the malicious address below?

  • hxxps://github[.]com/kubernetes/kubernetes/archive/refs/tags/
  • hxxps://github[.]com∕kubernetes∕kubernetes∕archive∕refs∕tags∕

This approach can fool even the most vigilant security professionals.

How Threat Actors Use Look-alike Domains

The three most common ways threat actors utilize look-alike domains are phishing emails, typosquatting, and brand impersonation.

Look-alike domains are often a key component of phishing emails and social engineering attacks as they help enhance the credibility and authenticity of the fraudulent communications. This enables attackers to deceive recipients and manipulate them into divulging sensitive information or performing harmful actions.

Typosquatting involves registering domain names that are intentionally similar to popular and legitimate websites but contain slight typographical errors. For example, they might register "googgle[.]com" instead of "google[.]com." Also known as URL hijacking, it’s a deceptive tactic used by cybercriminals to capitalize on typos made by internet users when typing in a website's domain name.

Attackers also register domains that closely resemble the names of well-known brands and then use these domains to host fake websites that mimic the branding, layout, and content of the legitimate sites. This can be as simple as “microsoft-security[.]com” instead of “microsoft[.]com/en-us/security.” Hackers can also merge words that are commonly associated with legitimate websites, like "slacksecurity[.]com."

The risks associated with look-alike domains can grow when combined with other activities, like poor password hygiene and malware attacks. Reused passwords can give hackers access to multiple accounts, and malware attacks can compromise or corrupt devices.

Defending Against Attacks Leveraging Look-alike Domains

By recognizing common look-alike domain tactics, practicing safe browsing habits, and remaining alert, you can effectively shield yourself from the dangers posed by these fraudulent websites.

Here are a few ways to avoid falling prey to look-alike domains:

  • Read through the domain name yourself to spot potential red flags.

  • Rather than clicking links found in emails, type in the web address yourself into the address bar.

  • Type the intended website into a trusted search engine to ensure you’re landing on the website you intended.

If you think you’ve fallen prey to a look-alike domain attack, do not share any sensitive information, download anything, or sign into the website. Report it to your security team as soon as possible.

While staying cautious is a good defense against cybercrime, it’s not perfect. Organizations can protect their employees from malicious emails containing suspicious links by using Abnormal Security. Abnormal analyzes email behavior to identify malicious links, even when they mimic trusted websites. By leveraging AI and machine learning, Abnormal proactively blocks emails with malicious URLs before they reach employees.

For more insight into popular attack strategies, download our report, 5 Emerging Email Attacks to Watch For in 2024.

Download the Report
Designed to Deceive: 6 Common Look-alike Domain Tactics

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B 07 22 24 MKT624 Images for Paris Olympics Blog
Threat actors are targeting French businesses ahead of the Paris 2024 Olympics. Learn how they're capitalizing on the event and how to protect your organization.
Read More
B Cross Platform ATO
Cross-platform account takeover is an attack where one compromised account is used to access other accounts. Learn about four real-world examples: compromised email passwords, hijacked GitHub accounts, stolen AWS credentials, and leaked Slack logins.
Read More
B Why MFA Alone Will No Longer Suffice
Explore why account takeover attacks pose a major threat to enterprises and why multi-factor authentication (MFA) alone isn't enough to prevent them.
Read More
Learn how Abnormal uses natural language processing or NLP to protect organizations from phishing, account takeovers, and more.
Read More
B DK Compromise 7 11 24
Discover the top five ways hackers compromise accounts, from exploiting leaked API credentials to SIM swapping partnerships, and more. Learn how these techniques enable account takeover (ATO) and pose risks to enterprises.
Read More
B Sans Recap 7 11 24
Discover trends among modern SOC teams, including misaligned budgets, increased automation, unsatisfactory AI tools, staffing issues, and more.
Read More