How convincing a malicious domain looks depends on the skill of the threat actor: it can range from a crude replica to a copy so close to the original that it is hard to tell the difference. Common traps include cybersquatting, where someone registers, uses or sells a domain name in bad faith with the intent to profit from someone else’s trademark. These lookalike domains are designed to trick the human eye, for example by replacing a single letter in a way that may go unnoticed, so ‘bank-connection’ could become ‘bank-connect1on’. Threat actors may also remove or add characters to similar effect, as in ‘bank-conect’, or replace two letters with one that resembles them, as in ‘bank-connedion’.
Victims are often tricked because they do not pay attention to the domain name in front of them, whether on a website they visit or in an email they receive. At best we catch a glimpse of the domain, process a few of the letters that compose it, and take that as truth. Given the number of emails the average worker receives, or the number of websites visited in a day, it is easy to see why these oversights occur.
It is no longer enough to simply look at the link being clicked on. Modern web browsers accept internationalised domain names, which use Punycode encoding to represent characters outside ASCII, so characters from other scripts can now appear in domain names. As a result, a lowercase Latin ‘a’ and the Cyrillic ‘а’ render identically and cannot be told apart by eye. Users should check the URL in their browser’s address bar to judge whether a website is suspect.
In addition to domain lookalikes, we also see malicious subdomains on the rise. Threat actors start by registering a domain such as “myportal.”, then create subdomains beneath it and end up with convincing phishing websites. Because the subdomain is under their control, criminals can even write the brand name in full. This technique is very effective because it tends to bypass the usual security solutions.
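The three tricks described above (typo and single-character substitutions, Cyrillic homoglyphs hidden behind Punycode, and a brand name written in full as a subdomain of an unrelated domain) can all be screened for with the same small checker. The following Python script is an added example and is not code from the original article; it assumes a constructed brand list (`bank-connection`, `myportal`), a deliberately small confusables table, Python's built-in `idna` codec for decoding `xn--` labels, and the simplification that the registrable domain is the last two labels (a production checker would consult the Public Suffix List instead). Hostnames in the sample run are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass, field

# Brand names to protect (constructed sample values for this example).
PROTECTED_BRANDS = {"bank-connection", "myportal"}

# Characters that commonly stand in for Latin letters in lookalike domains.
# Small constructed table; Unicode's confusables.txt is far larger.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "vv": "w", "rn": "m",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic с х у
}


def decode_label(label: str) -> str:
    """Turn a Punycode ('xn--') label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed IDN label: keep the raw form for comparison
    return label


def scripts_in(label: str) -> set[str]:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def fold(label: str) -> str:
    """Lossy folding used only for comparison: NFKC, lowercase, then map confusables."""
    label = unicodedata.normalize("NFKC", label).lower()
    for lookalike, latin in CONFUSABLES.items():
        label = label.replace(lookalike, latin)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    host: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse(host: str, max_distance: int = 2) -> Verdict:
    """Flag homoglyph, typosquat and brand-in-subdomain patterns for one hostname."""
    labels = [decode_label(part) for part in host.rstrip(".").lower().split(".")]
    verdict = Verdict(host)

    # Mixed or non-Latin scripts inside a label are the IDN/Punycode trick.
    # Policy assumption: the protected brands are Latin-script names.
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1 or (scripts and "LATIN" not in scripts):
            verdict.reasons.append(f"non-Latin or mixed scripts {sorted(scripts)} in label {label!r}")

    # Assumption: the registrable domain is the last two labels.
    registrable = ".".join(labels[-2:])
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    if second_level in PROTECTED_BRANDS:
        return verdict  # the brand's own domain, or a subdomain of it

    for brand in PROTECTED_BRANDS:
        distance = levenshtein(fold(second_level), fold(brand))
        if distance == 0:
            verdict.reasons.append(f"homoglyph impersonation of {brand!r}")
        elif distance <= max_distance:
            verdict.reasons.append(f"typosquat of {brand!r} (edit distance {distance})")
        # Brand written in full as a subdomain of an unrelated registrable domain.
        for sub in labels[:-2]:
            if fold(brand) in fold(sub):
                verdict.reasons.append(f"brand {brand!r} used as subdomain of {registrable!r}")
    return verdict


if __name__ == "__main__":
    samples = [  # constructed inputs
        "bank-connection.com",
        "bank-connect1on.com",
        "bank-connedion.com",
        "b\u0430nk-connection.com",
        "b\u0430nk-connection.com".encode("idna").decode("ascii"),
        "myportal.login-verify.example",
    ]
    for sample in samples:
        v = analyse(sample)
        print(f"{sample:40} {'SUSPICIOUS' if v.suspicious else 'ok':10} {'; '.join(v.reasons)}")
```

The folding step is intentionally lossy (`rn` becomes `m`, Cyrillic `а` becomes Latin `a`) and is used only to compare a candidate against the brand list; the script-mixing check runs on the decoded label before folding, so a Punycode host is reported both as mixed-script and as a zero-distance impersonation. Tune `max_distance` to the length of your brand names: an allowance of 2 catches the page's ‘bank-connedion’ case while leaving ordinary unrelated domains alone.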