{"id":12846,"date":"2026-01-20T07:55:05","date_gmt":"2026-01-20T15:55:05","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=12846"},"modified":"2026-01-19T08:21:30","modified_gmt":"2026-01-19T16:21:30","slug":"hallucinating-for-fun-and-profit-using-llms-to-find-lookalikes-without-targets","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/hallucinating-for-fun-and-profit-using-llms-to-find-lookalikes-without-targets\/","title":{"rendered":"Hallucinating for Fun and Profit: Using LLMs to Find Lookalikes without Targets"},"content":{"rendered":"

Lookalike domains<\/strong> are internet domain names that are deliberately made to look very similar to a legitimate, trusted domain\u2014often with the goal of deceiving users. Examples include: \u201ctacobe11.com\u201d versus \u201ctacobell.com\u201d, \u201clogin-outlook.com\u201d versus \u201clogin.outlook.com\u201d or \u201cinfoblocks.com\u201d versus \u201cinfoblox.com\u201d. They are a common tactic for many types of threats on the internet. These can include scams, credential harvesting, phishing attacks or even for use as innocuous-looking command-and-control (C2) domains.<\/p>\n

Infoblox uses many algorithms to detect lookalikes. One challenge in finding lookalikes is compiling a list of target domains that could be used against our customers. We can compile these using various methods, such as creating top queried domain lists, soliciting customer input or even evaluating non-resolved domains for common typos.<\/p>\n

However, this list will be far from comprehensive as we may leave the less queried domain on any of our lists. In addition, requiring each new domain to be evaluated against the entire growing target set will slow down processing.<\/p>\n

Recently, data scientists at Infoblox Threat Intel decided to prompt a large language model (LLM) to determine the likelihood of a given domain and, if so, what were the most likely target domains. With frontier-level LLMs, the results for the popular domains both for intentional lookalikes and non-lookalikes were very accurate, generally at an accuracy of 91 percent or greater. However, Infoblox takes false positives seriously as they can cause outages, and overload analysts with more alerts.<\/p>\n

As we investigated further\u2014particularly when identifying additional lookalikes at the tail end of the possible variations\u2014we found the process to be prone to errors. In fact, target lists could become completely inaccurate. For instance, the benign domain \u201cnetgeek.com\u201d was incorrectly considered a lookalike of \u201cnetgear.com\u201d or \u201cgeeksquad.com\u201d. Careful prompt engineering\u2014including chain-of-thought and reflection techniques\u2014helped addressing these issues. Sometimes, though, the best way to tame hallucination is to go back to traditional methods.<\/p>\n

Here additional steps how Infoblox reduces false positives for improved \u201clookalike domain\u201d detections<\/h3>\n

Step 1<\/strong><\/p>\n

We use our old algorithms to determine if \u201cnetgeek.com\u201d is a lookalike in the target set of \u201cnetgear.com\u201d or \u201cgeeksquad.com\u201d. Our modified edit distance<\/strong><\/a> algorithm did quite well disambiguating both targets from \u201cnetgeek.com\u201d. But let\u2019s consider another benign example, \u201camzn.com\u201d, the LLM helpfully suggested \u201camazon.com\u201d and here our modified edit distance algorithm still scored \u201camzn.com\u201d close to \u201camazon.com\u201d. This might be a problem if we didn\u2019t consider additional context that amzn.com is owned by Amazon, Inc and as such really isn\u2019t something we need to alert or block on.<\/p>\n

Step 2<\/strong><\/p>\n

We can look up the registration and SSL\/TLS certificate information about both \u201camzn.com\u201d and \u201camazon.com\u201d. Here we see \u201camzn.com\u201d and \u201camazon.com\u201d have the same name servers, registrars and a common SSL certificate, so we can be confident \u201camzn.com\u201d is a domain owned by the same entity as \u201camazon.com\u201d. This means while \u201camzn.com\u201d does indeed look like \u201camazon.com\u201d there would be no need to report on the domain.<\/p>\n

Infoblox is committed to responsible AI. Part of this process is not taking data generated at face value. By employing these secondary checks, we trust but verify all predictions.<\/p>\n

Recent Examples<\/strong><\/p>\n

So far, we have discussed how we avoid hallucinations and potentially misclassify a domain as a lookalike. Now, let\u2019s see how this might help defend against various lookalike threats. In the following table, we give some recent examples of lookalikes we\u2019ve found along with the explanations the LLM generated.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Domain<\/th>\nTarget<\/th>\nConfidence Score (out of 10)<\/th>\nExplanation<\/th>\n<\/tr>\n<\/thead>\n
infobiox.com<\/td>\ninfoblox.com<\/td>\n8<\/td>\nThis may be a suffix-based lookalike, attempting to get a user to try to log in to an Infoblox portal, but the \u201cx\u201d instead of \u201cl\u201d could be a typo or a legitimate variation.<\/td>\n<\/tr>\n
paioaltonetworks.tech<\/td>\npaloaltonetworks.com<\/td>\n6<\/td>\nThe domain \u201cpaioaltonetworks.tech\u201d appears to be a typo or substitution attempt, with \u201cpaio\u201d being similar to \u201cpalo\u201d, which is a well-known cybersecurity company. However, the use of \u201c.tech\u201d instead of \u201c.com\u201d and the slight misspelling may indicate a legitimate domain or a non-malicious typo.<\/td>\n<\/tr>\n
icloudservi.me<\/td>\nicloud.com<\/td>\n9<\/td>\nThis domain appears to be a lookalike of \u201cicloud.com\u201d with a typo (\u201cservi\u201d instead of \u201cservice\u201d) and a different top-level domain (\u201c.me\u201d), which might be an attempt to deceive users into thinking it\u2019s related to Apple\u2019s iCloud services.<\/td>\n<\/tr>\n
maps-iphone.cloud<\/td>\napple.com<\/td>\n9<\/td>\nThe domain \u201cmaps-iphone.cloud\u201d could be a lookalike of Apple\u2019s services by combining \u201cmaps\u201d (a service offered by Apple) with \u201ciphone\u201d (a product by Apple) and a trendy top-level domain (\u201c.cloud\u201d), potentially to target iPhone users.<\/td>\n<\/tr>\n
go\u00f3gl\u00e9.com<\/td>\ngoogle.com<\/td>\n9<\/td>\nThe domain contains Unicode characters (\u201c\u00f3\u201d and \u201c\u00e9\u201d) that are visually similar to the characters in the well-known domain \u201cgoogle.com\u201d, which could be an attempt to deceive users.<\/td>\n<\/tr>\n
onedrive-micrasoft.com<\/td>\nmicrosoft.com<\/td>\n8<\/td>\nThis may be a suffix-based lookalike, with a typographical error in \u201cmicrasoft\u201d instead of \u201cmicrosoft\u201d, which is a well-known company and product.<\/td>\n<\/tr>\n
coinbase-invoice.com<\/td>\ncoinbase.com<\/td>\n8<\/td>\nThis may be a suffix-based lookalike, attempting to deceive users into thinking it\u2019s an official invoice from Coinbase, a well-known cryptocurrency exchange.<\/td>\n<\/tr>\n
login-wellsfargo.com<\/td>\nwellsfargo.com<\/td>\n9<\/td>\nThis may be a prefix-based lookalike, attempting to get a user to try to log in to a fake Wells Fargo portal.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Recently, Infoblox Threat Intel did a study on risks related to parked domains<\/strong><\/a> and utilized these methods to better understand which legitimate domains the actors were impersonating.<\/p>\n

Lessons Learned<\/h3>\n

It\u2019s interesting to note that the LLM suggested \u201capple.com\u201d as the target for \u201cmaps-iphone.cloud\u201d as this shows that the LLM can detect things that can sometimes not be detected by string similarity techniques. It also points to a potential limitation in mitigating hallucination using our traditional string similarity techniques. Here, we are starting to consider confidence score along with Registration, SSL Certificate information and, in some cases, content.<\/p>\n

However, one must be careful trusting the confidence predictions of LLMs as they are token predictors and not regressors<\/strong><\/a>. When using sufficient temperature<\/strong><\/a> to nominate targets, the confidence score can often vary by up to 3 on a 10-point scale. Additionally, we note that while in all these cases the model correctly identified the target, the explanations can be slightly wrong. For example, the first entry shows a clear example of hallucination. The model\u2019s explanation states that \u201cx\u201d was substituted instead of \u201cl\u201d, when in fact the lookalike domain \u201cinfobiox.com\u201d demonstrates an \u201cl\u201d \u2192 \u201ci\u201d substitution (\u201cinfoblox.com\u201d \u2192 \u201cinfobiox.com\u201d). While this provides additional evidence to verify the results, it also shows how a wrong model can still be useful if properly constrained.<\/p>\n

Why it matters<\/h3>\n

How does this help protect Infoblox customers? We have now figured out how to make these LLM queries scale to all newly registered domains seen each day. This allows us to protect Infoblox customers against more types of lookalike attacks, including many domains our customers may not consider to be part of their risk profile. We will start by adding this to Zero Day DNS detection and Infoblox Threat Defense feature called \u201cDossier\u201d, followed by adding processes to add to feed domains.<\/p>\n