Contact Us
Item added Item updated Item removed No more products on stock You entered wrong value.

No products in the cart.

Item added Item updated Item removed No more products on stock You entered wrong value.

No products in the cart.


Look-alike domains: a Sneaky Cybersecurity Threat

August 17, 2023
Posted by Aware Force

Deceptively simple and almost imperceptible: look-alike domains are designed to trick the user’s eyes by mimicking URLs of trustworthy websites. After luring the prey into a fake website, the foundation for a series of other cyber threats is established.

The domain can be used to create a phishing website or even launch attacks such as Business Email Compromise (BEC) or ransomware with a small likelihood of being flagged by email security software. Since these domains are legitimately registered and technically aren’t doing anything unsanctioned, emails coming from them will pass through any authentication.

Look closer: it’s in the details

Take a look at these two mockup pages. Can you spot what is wrong? Can you tell which one is a look-alike domain?

Homographs and look-alike domains are among cyber criminals' sneakiest forms of attacks. They are geared to trick the untrained eye. 

In this example, the second domain is the correct one for our mockup bank website. The first one, however, had the Latin "a" replaced by a Cyrillic letter that looks very similar.

Could you spot the difference? Would your team be able to?

Warning: Your Brain is Being Hacked

The human factor, yes! I know, we’re always coming back to it. But here’s the truth: our brains are simply not wired to read letter by letter. We see words as a whole. We look for patterns and try to anticipate the results.

Here’s a classic example, try reading this:

Easy, right?! Even though the letters themselves are shuffled, you are still absolutely capable of reading the entire paragraph as if it was written correctly.

Hackers know this, and use it against you. Remember that “Brain Games” show on National Geographic?! Well, they watched the whole thing and took notes.

This is called Typoglycemia. It suggests people can read scrambled words as long as the first and last letters are in the right place.

How homographs are employed to trick users

In April 2017, Xudong Zheng, a security enthusiast based in New York, discovered a flaw in how browsers handle international domain names.

He created and registered a mock-up page for to demonstrate this flaw. However, instead of using the Latin letters we know, his domain was written in pure Cyrillic characters

Although the domain he used looks indistinguishable from, it is a fake website that could be used to trick users into visiting it.

Zheng's page is an example of an internationalized domain name (IDN) homograph attack, where a threat actor creates and registers one or several fake domains using at least one lookalike character from a different language. Although computers read these letters differently, to the human eye, these Cyrillic glyphs can easily be confused with their Latin counterparts. 

The following table shows the different hex codes assigned to them:

This particular attack can be highly successful and dangerous if used in the wild, not only undermining a company's reputation but also threatening the trust of its customers, employees, and stakeholders.

Spotting a Look-alike Domain: Anatomy of an Attack

In a look-alike domain scam, the perpetrator creates a visually similar URL to that of a trusted entity. They often use common typing errors or replace characters with visually similar ones. For instance, replacing "m" with "rn" ("" instead of ""). These differences can be virtually unnoticeable, particularly on a mobile device or in a hastily read email. 

Take a look at some examples for :

  • (with a zero instead of the letter 'o')
  • (with an 'm' instead of an 'n')
  • (with an extra 'n')
  • (with an 'x' instead of a 'z')

And here are two more examples of a :

  • (with an uppercase 'i' instead of a lowercase 'L')
  • fictionalbanк.com (with a Cyrillic 'к' instead of a Latin 'k')

Now, let's walk through the typical steps in a look-alike domain attack.

Setting the Trap: A Deceptive Domain

The criminals will set up a deceptive domain, mimicking a trusted entity. The domain can be for a well-known brand, a bank, a government agency, or an internal company system.

For example, someone trying to impersonate Amazon could create the domain:

Instead of:

The Phishing Bait: An Urgent Email or Message

With the deceptive domain live, the cybercriminal sends out phishing emails or messages. 

These may pose as notifications, updates, or urgent requests, designed to trick the recipient into clicking the deceptive link. Urgent and threatening messages are social tactics to heighten the chances of an unattentive user taking the bait.

The Catch: Data Theft

Once a victim clicks on the link and provides their login credentials or other sensitive information, the fraudster can then use this data for various malicious activities, such as identity theft, financial fraud, or launching further attacks within a company network.

Staying Safe Against Domain Lookalike Scams

This might be a hard to swallow pill but the truth is: your first and strongest line of defense a company has against threats like these are its employees. Software can only go so far.

A few defensive measures to be considered to stay safe:

  • Education and awareness campaigns should be top of mind
  • Anything that presents itself as urgent or threatening must be faced with increased caution. If you need help raising awareness about this, take a look at our "Sloooooww down" poster
  • Use two-factor authentication for all accounts
  • AI-based threat detection systems 

Conclusion: Ongoing cybersecurity awareness is key

Look-alike domain attacks will likely remain a preferred strategy since they excel at tricking even the most vigilant among us. These threats are not simply an IT problem; they are an enterprise-wide concern, requiring active participation from everyone within the organization.

Many of these breaches are linked by a common factor: complacency.

Employees may let their guard down and become less attentive about cybersecurity when it is not a top priority in their daily tasks. The false sense of safety caused by the reliance on software solutions might be the opening cybercriminals are looking for.

Building a strong defense requires constant vigilance, education, and awareness. Reinforcing the importance of these cybersecurity issues and providing continuous training helps embed safe practices into the daily routines of employees, making them the first line of defense against such attacks.

Get the latest insights in cybersecurity. Subscribe to the Aware Force Cyber Blog
Insightful cyber news, fresh ideas for engaging your employees and more.
Let's connect!
Learn innovative ways organizations are using Aware Force.
(470) 448-3887
Contact US

© 2024 Aware Force LLC - All Rights Reserved - Privacy Policy
usercartmagnifiercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram