Analysis: Lookalike Confusable Domains Fuel Phishing Attacks

[ This article was originally published here ]

By John E. Dunn 

Phishing attacks depend on creating huge numbers of lookalike ‘confusable’ domains. A new report has highlighted the most prevalent examples and suggested a way to detect phishing domains before they are used in anger.  

Ever since phishing attacks gathered steam two decades ago, the ability of criminals to create ‘confusable’ or typosquatting domains that look plausibly similar to real ones has been a thorn in everyone’s side. 

Companies have their brands hijacked, users are tricked into clicking on phishing emails that look genuine, and registrars are roundly criticized for allowing all of this to happen. 

Large companies employ admins or third-party service providers to watch out for and block these domains soon after they are registered and yet still the stream of fakes shows no sign of abating. 

So Many Options 

The underlying problem is that spotting confusable domains in phishing emails is challenging because the number of possible word combinations in different languages is vast. 

A confusable domain is a multi-part domain that usually includes the brand’s name somewhere, not to be confused with homograph domains that impersonate brands using unusual characters that visually look similar to the brand’s name. 

For instance, Cloudflare’s list of the top 50 most abused brands resolved through it’s 1.1.1.1 DNS service, offers the following top 10 alongside the most common domains used to target them: 

It’s not news that phishing criminals gravitate towards big tech and telco brands they think recipients will have a trust relationship with. But the interesting element are the domains in the right-hand column, many of which look perfectly plausible. For example, the Amazon ‘login-amazon-account[.]com’ domain could fool almost anyone.  

It’s often said that recipients should never use domain names to verify an email’s authenticity, but the tactic must work. If confusable domains were ineffective, the criminals wouldn’t devote so much effort to creating them. 

And yet Cloudflare’s complete list only covers the top 50. The long tail of this phenomenon probably extends into thousands of brands and could in principle affect any organization worth targeting. 

Fuzzy matching 

The twist to this story is how the list was developed, which perhaps holds out at least some hope that phishing attacks could be better contained in future.  

The answer is that it traffic to the 1.1.1.1. DNS resolution service through a ‘fuzzy matching’ algorithm was used to see how similar each query is to the domain patterns used by the Cloudflare One customer base.  

“These saved patterns, which can be strings with edit distances, enable our system to generate alerts whenever we detect a match with any of the domains in the list,” wrote Cloudflare. 

If it detects matches, these are automatically flagged as suspicious in near real time. A catch is that customers have to generate the patterns it wants its domains to be associated with although Cloudflare says it plans to do this automatically in future.  

Cloudflare should know. Last July the company’s Okta IAM interface by sending phishing text messages to dozens of its employees via a rogue domain that had been registered only 40 minutes earlier.  

Three employees were phished. However, Cloudflare uses FIDO2 security tokens, which stopped the attack from getting any further. The domain should have been spotted by its registrar monitoring system but for some reason there was a delay. This underlined the need for a system that could work in real time.  

The battle of confusable domains and phishing isn’t over. If obvious domain lookalikes are detected, criminals could move on to more complex variations on the same idea after registering test possibilities to see whether they are detected as well. 

Ad