Domain Doppelgangers: Your Good Name as Phishing Bait?

Does your company have an evil twin on the web? Threat actors may be leveraging a lookalike version of your company’s name to deliver malware through phishing that plays off your brand. Say the company name is Cofense, with the internet domain name cofense[.]com. What would happen if someone registered a copycat domain name using, for example, Confense, with the domain confense[.]com? Wouldn’t the search engine just route users to the real deal, or wouldn’t it be obvious quickly that the name was misspelled?  

 Cofense, Confense. Big deal, right? Wrong. Here’s why. 

 Every day, attackers are busy registering lookalike, or doppelganger, domains that mimic reputable brands to lure users through phishing emails, malware delivery and more. The domains are designed to trick users into believing they’re engaging with a bona fide enterprise. The associated costs are minor for threat actors. Not so your business, which can face astronomical losses, beyond the purely financial, to include critical brand compromise and data theft. 

How do they do it? 

One way criminals get around domain-registration norms and standards is to use characters that look like those in the English language. An example often cited is trading English-alphabet characters or letters for those in another alphabet, such as Cyrillic. In this case, the letter “a” looks almost the same in English as Cyrillic.  

 Once the domain is registered, it can be used to create a website designed to closely resemble that of the legitimate company. It’s not a pricey or difficult endeavor. Match the copycat website with doppelganger email, and you have a solid starting point for scamming countless unsuspecting consumers.     

¹

Why do they do it? 

Sometimes the sites are designed to pick off a portion of an established brand’s audience and sales. Other times, those registering lookalike domains seek to sell the domain to the copied brand’s owners, an exchange that can prove very profitable for the imitators. The real enterprise’s owners will often pay handsomely to safeguard brand integrity and reputation. 

Far too often, however, the objective is phishing. Users, believing the site is authentic, will click on a link, enter their credentials on a fake website, and lose control of online accounts to thieves. They may also unleash malware in the form of viruses, keyloggers, worms, trojans, ransomware, botnets, spyware or rootkits.  

Doppelganger domains can be particularly effective for BEC, or business email compromise, campaigns. An unsuspecting recipient who has regular business with, for example, Cofense, may receive an email from confense[.]com, rather than cofense[.]com. The email may contain a link to a “special offer.” When the link is clicked, malware may be launched or a phishing landing page may open that requires authentication – user name and password. Once the information is entered, the threat actor has a far easier path to successfully carry out a wide range of crimes, from account takeover to financial theft. 

 What can you do about doppelganger domains? 

You can decrease the likelihood of becoming a victim by preemptively registering variations of your domain name. Github can be a useful resource for identifying variations you should register. If you’ve discovered that a lookalike has already been registered, you may have to take legal action against the owner. Your efforts are more likely to succeed if you hold a trademark and can make a case for infringement or damage to your mark’s value. 

If the lookalike domain is being used for criminal activity such as phishing, report the domain to services such as Google Safe Browsing or Netcraft. This may result in the domain’s delisting in search engines, or being pulled offline.²

At the end of the day, doppelganger domains – and those who register them – should be taken seriously. They can ruin your reputation, your profitability and your credibility. When you know what’s at stake, you can better protect your brand.  

We’re the leading provider of phishing detection and response solutions designed for enterprise organizations. The Cofense Phishing Detection and Response (PDR) platform draws upon our global network of more than 27 million people actively reporting suspected phish, combining that with advanced automation to stop phishing attacks faster and stay ahead of breaches. While we can’t wipe out the doppelgangers, we can help you stay safe from phishing exploits. We’re here to help. Contact us at any time to find out what we can do for your business.     

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
 The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 
¹ SecureList by Kaspersky (all names except cofense/confense): https://securelist.com/lookalike-domains-and-how-to-outfox-them/99539/.
² Source: https://www.jamieweb.net/apps/lookalike-domains-test/.

Cofense TAP Program Still Setting the Standard for Threat Intelligence Five Years After Launching the Program

Email attacks are the primary mechanism impacting companies to deploy ransomware, steal credentials, or trick recipients with business email compromise (BEC) attacks. When they occur, these attacks are capable of inflicting financial and reputational damage to an organization. That’s where the Cofense Technology Alliance Program (TAP) comes in. For more than five years, Cofense has been strengthening phishing detection and response for security teams through our technology partnerships. And our list of partners keeps growing.

Current Cofense TAP partners and areas of focus below include:

Graphical user interface Description automatically generated

Cofense integrations enable customers to simplify deployment, improve efficiency, reduce costs, and optimize their overall IT security investments. TAP cultivates a strong and mutually profitable ecosystem with our technical alliance partners to provide a more comprehensive solution to fight phishing attacks. Cofense TAP provides the capabilities that security analysts or incident responders need to make more effective decisions on the threats facing their company and enhanced integrations to foster ongoing phishing detection and response innovation.

To become a Cofense TAP partner, visit here.

How it Works

When armed with Cofense Triage™ and Cofense Intelligence™, organizations can leverage a combination of employee-reported phish bypassing secure email gateways (SEGs) and 100% human-verified phishing threat intelligence. Both Cofense Triage and Cofense Intelligence enrich automation, orchestration and response. Cofense Triage and Cofense Intelligence offer security teams the ability to harness the power of credible employee-reported and human-verified phishing intelligence.