Tricky Typos Create 'Lookalike' Attacks
By: Jim Stickley and Tina Davis
October 15, 2019
Keeping tabs on the latest phishing scams may be a challenge, but cyber-smart users are always a hacker’s worst enemy. The recently released 2019 Proofpoint Domain Fraud Report exposes a growing threat to online security: the use of fraudulent Top Level Domains (TLDs) to lull users into a false sense of security. The report finds the use of bogus TLDs has risen to record levels, with a 24% rise in these attacks from early 2018 to the end of the year. The report notes the TLDs are typically part of larger, highly targeted attacks.
A TLD is the main URL domain used by an organization, or even a person. For example, “Stickleyonsecurity.com” is a TLD. Other website names may be created from it as subdomains. However, fake TLDs, the ones you usually type into the address bar, rely on a number of tricks to work. Malicious actors are still relying on some tried and true methods like typosquatting and the clever use of tricky typos (“lookalikes”) to fool users.
Typosquatting, also called URL hijacking, is when hackers purchase a domain name very similar to the real one. They use closely matched characters, called homoglyphs, or sometimes very subtle typos to catch users off guard. It may be as simple as “Amazan” or using letters from other languages that look very similar to our alphabet. In either case, users who are quick to click and miss a URL misspelling may find themselves being hacked for the Personally Identifiable Information (PII) these bogus websites often request.
Attackers also use “dot” domains as part of the ruse. We’re used to seeing “.com” or “.net” at the end of a domain name, but those are now unavailable. As a result, there’s been a proliferation of fake dot domains used to steer users to phony sites. Proofpoint finds “.app” and “.site” to be the most common in lookalike TLD names, but many more are in use. Even the lock icon at the beginning of a TLD is no longer a sign of absolute safety. Phishing hackers are able to use services like Let’s Encrypt to create and sign their own security certificates.
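The three tricks described above (a one-keystroke typo such as “Amazan”, a homoglyph swap using look-alike characters, and a legitimate name re-registered under a different “dot” domain) can all be caught by the same defensive check. The following Python is an added example, not code from the article or from Proofpoint: it takes a watch list of legitimate domains (a constructed list here), decodes punycode so non-Latin look-alike characters are visible, folds a small hand-picked subset of confusable characters down to the Latin letters they imitate, and then compares each observed domain to the watch list. The confusables table is illustrative only; the real Unicode confusables list is far larger.

```python
"""
Lookalike-domain detector (added example, not from the original article).
Flags observed domains that differ from a watch list of legitimate domains by
a typo, a homoglyph substitution, or a swapped top-level "dot" domain.
"""

# Constructed watch list of legitimate domains (an assumption for this example).
WATCHLIST = ["amazon.com", "stickleyonsecurity.com", "paypal.com"]

# Hand-picked subset of look-alike characters mapped to the Latin letter they
# imitate. Illustrative only; the Unicode confusables table is much larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "rn": "m", "vv": "w",  # two-letter pairs that render like one letter
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so foreign-script homoglyphs are visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is rather than crash
        labels.append(label)
    return ".".join(labels)


def skeleton(name: str) -> str:
    """Replace every confusable with the letter it imitates.

    Two names with the same skeleton look the same to a human eye.
    Longer sequences are folded first so "rn" becomes "m" before single chars."""
    out = name
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; distance 1 is a single mistyped, dropped or added key."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'amazon.com' -> ('amazon', 'com'); subdomains are left in the name part."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify(domain: str):
    """Return (verdict, matched_legit_domain) for an observed domain.

    verdict: 'legit', 'homoglyph', 'typo', 'tld-swap' or 'unrelated'.
    """
    cand = to_unicode(domain)
    if cand in WATCHLIST:
        return "legit", cand
    cname, ctld = split_domain(cand)
    cskel = skeleton(cname)
    for legit in WATCHLIST:
        lname, ltld = split_domain(legit)
        lskel = skeleton(lname)
        if cname != lname and cskel == lskel and ctld == ltld:
            return "homoglyph", legit          # looks identical, is not
        if cskel == lskel and ctld != ltld:
            return "tld-swap", legit           # same name under another "dot" domain
        if ctld == ltld and levenshtein(cskel, lskel) <= 1:
            return "typo", legit               # one keystroke away
    return "unrelated", None


def scan(domains):
    """Return only the suspicious entries, as (observed, verdict, legit) tuples."""
    out = []
    for d in domains:
        verdict, legit = classify(d)
        if verdict not in ("legit", "unrelated"):
            out.append((d, verdict, legit))
    return out


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in DNS or proxy logs.
    observed = [
        "amazon.com", "amazan.com", "amaz0n.com", "arnazon.com", "amazon.app",
        "\u0430mazon.com".encode("idna").decode("ascii"),  # Cyrillic 'a', punycoded
        "example.org",
    ]
    for hit in scan(observed):
        print("%-24s %-10s looks like %s" % hit)
```

The skeleton step is what makes the check robust: rather than enumerating every possible variant of a brand, it collapses whatever the attacker typed back to the letters a reader would see, and only then measures how far it is from a known-good name. Feeding it the raw punycode form (`xn--...`) is deliberate, since that is how the name appears in logs and certificate transparency entries.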
Although it may seem users are fighting a losing battle against these TLD tricks, those who take a moment to carefully inspect a TLD or Google the domain names to catch a thief are always way ahead of the cybersafety curve.