Generating convincing lookalike domains using sophisticated homograph or homoglyph techniques has been refined through years of attacks impersonating popular brands like PayPal, and large government agencies like the IRS.\u00a0 However, the methods for applying these techniques range from the obvious to the obscure.<\/p>\n
A lookalike domain could be as simple as using myorganization[.]net to impersonate myorganization[.]com as part of an attack on customers.\u00a0 And, in a world where legitimate domain names are often long and elaborate, attackers are often successful using domain names like billing-support-login-myorganization[.]com.\u00a0 Simply expanding, rearranging, or slightly modifying a domain name can provide attackers with many alternatives.<\/p>\n
Character substitution, using homograph or homoglyph techniques, is another common practice in building believable lookalike domains.\u00a0 Most people today are familiar with the concept of single character-substitution, such as replacing the letter \u2018O\u2019 with the number \u20180\u2019.\u00a0 But there are a dozen other Unicode characters that would serve as credible replacements for an \u2018O\u2019.<\/p>\n
Unicode is a computing industry standard for the consistent encoding, representation, and handling of the text expressed in most of the world’s writing systems, including foreign languages like Cyrillic, Coptic, Mongolian and 136 others.\u00a0 In total, there are over 136,000 Unicode characters available today to create viable domain names using letters and symbols.\u00a0 To provide an example of the scale of this challenge, this provides for over 829 million substitution combination possibilities of Unicode characters for \u201cINFOBLOX\u201d.<\/p>\n
Punycode: Seeing past a lookalike deception<\/strong><\/p>\n Visibly, these Unicode substitutions usually appear legitimate in email messages, web pages, PDFs and many other text displays.\u00a0 Even putting your mouse over a link would typically display the deceptive Unicode character.\u00a0 But there is one way to reveal the true nature of a domain name would be to copy the link and past it into the address bar of your browser. But pasting the URL into the address bar of Google Chrome, Apple Safari, and recent versions of Microsoft Edge and Internet Explorer will display \u2018Punycode\u2019, a standard designed to represent Unicode characters with the limited ASCII character subset used for international hostnames.<\/p>\n Figure 1 provides several examples to illustrate a deceptive attempt and a revealing Punycode representation.\u00a0 The first two URLs appear identical, although only #1 is the correct \u201cmyorganization\u201d domain.\u00a0 The second URL uses a Unicode alternative for the letter \u2018y\u2019 to appear legitimate.<\/p>\n The third URL is what you would see if you were to cut-n-pasted URL #2 into a browser address bar, revealing the Punycode representation for the maliciously substituted \u2018y\u2019.<\/p>\n It should be noted that there are legitimate reasons for using Unicode character sets in domain names.\u00a0 An internationalized domain name (IDN) is a name that contains at least one character in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Devanagari, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as German.\u00a0 For example, M\u00fcnchen (the German name for Munich) would be displayed in Punycode as Mnchen-3ya.\u00a0 If a German user were to type in \u201cM\u00fcnchen\u201d in their browser address bar, they could easily see the same Punycode to help validate the legitimacy of a link.<\/p>\n Targeting employees with 3rd<\/sup> party lookalikes <\/strong><\/p>\n The most obvious application of these techniques would be to enhance attacks using popular brands like PayPal and BankofAmerica. It is not difficult to understand how an attacker’s expertise could be easily translated int an attack on your own customers.\u00a0 The applications for targeting your employees, however, are many and much more indirect.<\/p>\n Employees are accustomed to using internal portals, systems, tools and access methods when conducting confidential business for the organization.\u00a0 Their familiarity with these systems makes it difficult for attackers to create credible social engineering scenarios using a lookalike of your own public domain to compromise an employee.\u00a0 The greater risk to employees would be lookalike domains used in attacks impersonating a business partner or any organization that your business frequently interacts with or controls.\u00a0 As an example, consider the risk of success if your users received an email that appears to come from a nearby restaurant, popular among employees, with a \u2018special discount offer\u2019 if they will simply sign up for a membership, download an app, etc.<\/p>\n Lookalike domains support a broad range of human targeted, socially engineered threat with intent ranging from simply infecting endpoints to gain network access to a spear-phishing or Business Email Compromise attack focused on key employees with desired information or access. \u00a0Additional components in these attacks include lookalike web sites, email templates, and other indicators of legitimacy.<\/p>\n Protect employees, customers, and brand reputation<\/strong><\/p>\n Many modern security tools have some defense capabilities to address the risk of lookalike use for attacks impersonating popular brands.\u00a0 But they lack viable options for defending against an attack impersonating an organization outside the Fortune 1000 or large governments.\u00a0 And users, despite gains in security education and the availability of tools like Punycode, are an inconsistent and unreliable line of defense.<\/p>\n Infoblox provides lookalike domain defenses for a broad range of threat scenarios. Specifically designed for this latest evolution in the threat landscape, a Custom Lookalike Domain Monitoring<\/a> service is available for BloxOne Threat Defense<\/a> Advanced customers, allowing them to submit their organization\u2019s own domain, or domains frequently visited by or controlled by the organization for lookalike protection. The Infoblox Cyber Intelligence Unit (CIU)<\/a> turns the supplied domains into lists of high-risk lookalike domains for initial assessment and monitoring. Suspicious activity related to these lookalike domains is reported to provide customers with activity visibility and as an advanced warning to help the organization avert a potential network breach or customer threats.<\/p>\n Lookalike techniques provide for more convincing social engineering capabilities in support of increasingly advanced threats.\u00a0 With innovative lookalike defense features and unmatched threat intelligence sharing capabilities, Infoblox can help you better prevent, detect, investigate and respond by taking your entire security stack to the next level.<\/p>\n","protected":false},"excerpt":{"rendered":" Lookalike domains have been one of the many tools used in cyberattacks for many years.\u00a0 But lookalikes were infrequently implemented while other, easy to use alternatives remained effective at masking the true destination of a URL from their victims.\u00a0 Unfortunately for attackers, users have learned to be more suspicious of electronic communications and more adept […]<\/p>\n","protected":false},"author":334,"featured_media":3148,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[30,15,367,368],"class_list":{"0":"post-4822","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns","9":"tag-security","10":"tag-government","11":"tag-federal","12":"entry"},"acf":[],"yoast_head":"\n![\"\"](\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/lookalike-domain-1-300x139.png\")
<\/p>\n