Designed to Deceive: 6 Common Look-alike Domain Tactics
With threat actors lurking around every digital corner, it can sometimes make scrolling through an inbox feel like traversing a minefield. Employing various strategies to deceive their targets, attackers count on end-user oversight to convince the recipients of their malicious emails that the messages (and any included requests) are legitimate.
One effective strategy is the use of look-alike domains—URLs that closely resemble the domain of a real website but are altered slightly to trick targets into visiting fraudulent sites. From subtle character substitutions to Unicode manipulations, threat actors have myriad methods for exploiting human error with these deceptive domains.
In this article, we’ll explore six common look-alike domain tactics, discuss some of the ways attackers use look-alike domains, and share steps you can take to reduce your risk.
6 Ways Attackers Generate Look-alike Domains
1. Using Similar-Looking Letters
Look-alike domains often use similar-looking letters to fool targets. For instance, a lowercase “i” looks enough like a lowercase “l” to pass muster, and vice versa. In practice, this might look like “googie[.]com” instead of “google[.]com” or “wlklpedia[.]org” instead of “wikipedia[.]org.”
Another strategy is to use a double “n” instead of an “m.” In this case, “abnormalsecurity[.]com” becomes “abnornnalsecurity[.]com.” Alternatively, “cnn[.]com” becomes “cm[.]com.” Bad actors also like to put an “r” next to an “n” to resemble an “m,” as in “rnicrosoft[.]com” instead of “microsoft[.]com.”
2. Replacing Letters with Numbers
Sometimes cyberattackers use numbers instead of letters. For example, they may swap the number zero for the letter “o”, as in “yah00[.]com.” Other examples include using the number one for the letter “l” or the number five for “s.” Compared to some other look-alike tactics, these are easier for users to spot due to the difference in size and shape of the characters. Nevertheless, employees can and do fall for these deceptions.
3. Substituting Foreign-Language Letters
Homoglyphs are characters that come from different alphabets or character sets but look visually similar or identical to one another, especially when displayed in certain fonts or styles.
Attackers often use homoglyphs in look-alike domains—for example, substituting the English letter "o" with its near-identical counterpart "о" from the Cyrillic alphabet. This subtle manipulation can easily go unnoticed at first glance, making it difficult for targets to discern the fraudulent nature of the domain.
4. Adding, Removing, or Transposing Letters
The human brain has a built-in autocorrect feature. Because our cognitive processes are tuned to anticipate and interpret information based on familiar patterns and expectations, we often automatically fill in the gaps and correct perceived errors, such as spelling mistakes.
Attackers exploit this by strategically altering domain names through the addition, removal, or rearrangement of letters. For example, “insurrance[.]com” instead of “insurance[.]com”, “travelcity[.]com” instead of “travelocity[.]com,” or “abnomralsecurity[.]com” instead of “abnormalsecurity[.]com.”
5. Utilizing Fake Protocols and Manipulating Domains
Because users often overlook the beginning of a domain, attackers will utilize non-standard protocols like "httpss" instead of "https." Additionally, they engage in subdomain spoofing, transforming legitimate addresses like "login.bank[.]com" into deceptive variants like "login-bank[.]com."
Threat actors also append common prefixes or suffixes to legitimate domain names, such as "secure-google-login[.]com," or manipulate top-level domains, replacing ".com" with alternatives such as ".co" or ".ai." While legitimate international and custom domains exist, these manipulations contribute to user confusion, which attackers can capitalize on.
6. Inserting Unicode Characters
Another especially crafty method is Unicode character abuse. Slashes (/) are commonly seen in address bars, but when they are replaced by certain look-alike Unicode characters (U+2044 FRACTION SLASH or U+2215 DIVISION SLASH), they can direct users to some scary places.
Could you tell the difference between the legitimate address and the malicious address below?
- hxxps://github[.]com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
- hxxps://github[.]com∕kubernetes∕kubernetes∕archive∕refs∕tags∕v1271.zip
This approach can fool even the most vigilant security professionals.
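As an added example that is not part of the original article, the six tactics above can be turned into a defensive check: this Python script reduces a URL's host to the string a human would read, then reports which tactic a candidate domain resembles relative to a list of domains you want to protect. The confusable table, protected-domain list and sample URLs are constructed for illustration and are not exhaustive.

```python
import re
import unicodedata
# Constructed map of characters that read as a Latin letter (tactics 2 and 3);
# not exhaustive, the Unicode confusables.txt table is the authoritative source.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "3": "e", "\u043e": "o", "\u0430": "a",
               "\u0435": "e", "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0456": "i"}
PAIRS = (("nn", "m"), ("rn", "m"), ("vv", "w"))  # tactic 1: two glyphs read as one letter
FAKE_SLASHES = "\u2044\u2215"  # tactic 6: browsers keep these inside the hostname

def hostname_of(url):
    """Host of a (possibly hxxp/[.]-defanged) URL; only an ASCII '/' ends the host."""
    rest = url.replace("[.]", ".").split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()

def normalize(name):
    """Reduce a domain name to the ASCII string a human would read it as."""
    out = "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", name))
    for fake, real in PAIRS:
        out = out.replace(fake, real)
    return out

def osa_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) turning a into b: tactic 4."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def lookalike_reasons(url, protected):
    """Reasons the URL's host resembles a protected 'brand.tld'; [] means no signal."""
    host, reasons = hostname_of(url), []
    if any(c in FAKE_SLASHES for c in host):
        reasons.append("unicode slash inside hostname")
        host = re.split("[%s]" % FAKE_SLASHES, host)[0]  # the host as the user read it
    site = ".".join(host.split(".")[-2:])  # registrable part, ignoring subdomains
    if site in protected:
        return reasons  # the genuine domain (the slash trick may still apply)
    for real in protected:
        brand = real.rsplit(".", 1)[0]
        if normalize(site) == normalize(real):
            reasons.append("confusable characters spell %s" % real)
        elif brand in site.rsplit(".", 1)[0]:  # tactic 5: affixes or a swapped TLD
            reasons.append("%s brand name inside %s" % (real, site))
        elif osa_distance(normalize(site), normalize(real)) == 1:
            reasons.append("one edit away from %s" % real)
    return reasons
```

The registrable-part logic assumes single-label suffixes such as ".com"; two-part suffixes like ".co.uk" would need a public-suffix list.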
How Threat Actors Use Look-alike Domains
The three most common ways threat actors utilize look-alike domains are phishing emails, typosquatting, and brand impersonation.
Look-alike domains are often a key component of phishing emails and social engineering attacks as they help enhance the credibility and authenticity of the fraudulent communications. This enables attackers to deceive recipients and manipulate them into divulging sensitive information or performing harmful actions.
Typosquatting involves registering domain names that are intentionally similar to popular and legitimate websites but contain slight typographical errors. For example, they might register "googgle[.]com" instead of "google[.]com." Also known as URL hijacking, it’s a deceptive tactic used by cybercriminals to capitalize on typos made by internet users when typing in a website's domain name.
Attackers also register domains that closely resemble the names of well-known brands and then use these domains to host fake websites that mimic the branding, layout, and content of the legitimate sites. This can be as simple as “microsoft-security[.]com” instead of “microsoft[.]com/en-us/security.” Hackers can also merge words that are commonly associated with legitimate websites, like "slacksecurity[.]com."
The risks associated with look-alike domains can grow when combined with other activities, like poor password hygiene and malware attacks. Reused passwords can give hackers access to multiple accounts, and malware attacks can compromise or corrupt devices.
Defending Against Attacks Leveraging Look-alike Domains
By recognizing common look-alike domain tactics, practicing safe browsing habits, and remaining alert, you can effectively shield yourself from the dangers posed by these fraudulent websites.
Here are a few ways to avoid falling prey to look-alike domains:
- Read through the domain name yourself to spot potential red flags.
- Rather than clicking links found in emails, type the web address yourself into the address bar.
- Type the intended website into a trusted search engine to ensure you’re landing on the website you intended.
If you think you’ve fallen prey to a look-alike domain attack, do not share any sensitive information, download anything, or sign into the website. Report it to your security team as soon as possible.
While staying cautious is a good defense against cybercrime, it’s not perfect. Organizations can protect their employees from malicious emails containing suspicious links by using Abnormal Security. Abnormal analyzes email behavior to identify malicious links, even when they mimic trusted websites. By leveraging AI and machine learning, Abnormal proactively blocks emails with malicious URLs before they reach employees.
For more insight into popular attack strategies, download our report, 5 Emerging Email Attacks to Watch For in 2024.