
Four ways to mitigate the abuse of generic top-level domains


COMMENTARY: Domain mirroring, or a domain impersonation attack, remains one of the oldest tricks in the phishing playbook. It’s when threat actors mimic website domain names of established brands to deceive users into believing they are interacting with a legitimate site or service.

Imitating the likeness of a domain makes it harder for victims to spot phishing attempts and distinguish between a genuine or a fake. Some of the most common domain forgeries include:

  • Lookalike domains: Phishers register domain names that look like the original name but differ slightly in appearance, for example by replacing letters with digits (paypal.com becomes paypa1.com), adding, removing or transposing letters (netflix.com and netfilx.com), or using similar-looking letters (google.com becomes googie.com). Major brands face an average of 73 lookalike domains per month.
  • Subdomain takeovers: Attackers take over a subdomain under the guise of a trusted domain or cloud service to create a believable impression. For example, attackerpage.wix.com, attackerpage.azurewebsites.net or attackerpage.blogspot.com. There were nearly 1.2 million instances of subdomains used for phishing, a 114% increase from 2023.
  • Homograph attacks: Attackers register domain names containing a lookalike character from another script. For example, a Cyrillic “е” in place of a Latin “e.” To the naked eye the domain name looks genuine, but it is not.

Abuse of new generic top-level domains

Multiple studies from Cloudflare, Palo Alto Networks and now Interisle Consulting confirm that spammers and scammers are increasingly leveraging generic top-level domains (gTLDs) for phishing and domain impersonation attacks. A gTLD is the part of a domain name after the last dot, for example .com, .org or .net.


Interisle Consulting discovered that even though gTLDs account for only 11% of new domains, they represent roughly 37% of cybercrime domains reported between September 2023 and August 2024. Between May 2023 and April 2024, 42% of all domains reported for phishing were new gTLDs, a growth of 25% from the previous year.

Why gTLDs are leveraged for domain impersonation

The internet’s governance bodies, the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Assigned Numbers Authority (IANA), have created nearly 1,500 new gTLDs to give consumers and businesses more choice when selecting domain names. Some of the more popular gTLDs in recent years are .xyz, .online, .shop, .top and .site. As expected, .ai is an extension gaining popularity; it is also the country-code top-level domain for the Caribbean island of Anguilla.

Unfortunately, gTLDs also make it too easy for threat actors to spoof legitimate brands. A malicious actor can purchase a domain name like amazon.shop and can deploy it in their phishing attacks. There are a number of reasons why gTLDs are popular with threat actors:

  • They are cheap: Among the 35 gTLDs that have the highest phishing domain scores, 27 are available for under $2.
  • They are available: Unlike .com, .net and .org, where desirable names are usually taken, new gTLDs are widely available, letting anyone with malicious intent mimic well-known brands.
  • No restriction on registration: Most gTLDs have no registration requirements, so anyone can register them; .ai is one example.
  • Some gTLDs resemble file names: Domains like .zip and .mov look like file names or file extensions, which can confuse users and therefore can be operationalized in phishing attacks.
  • Brands have a hard time keeping track: As more and more gTLDs get released, major brands and organizations will struggle to keep up with registering their names on all of them.

Four ways to mitigate domain impersonation risks

Some steps organizations can take to mitigate domain impersonation risks include the following:

Security awareness training: Deliver consistent guidance and education to users about the risks of domain impersonation. By running phishing simulation exercises, companies can train employees to identify and report suspicious indicators in domain names and extensions, warding off phishing attempts and thereby improving the overall security posture.

Domain monitoring: Proactively monitor domains and watch out for newly-registered domains that closely resemble the company’s brand. There are many online companies that offer a domain monitoring service.
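As an added example (not part of the original column), the following Python script shows the kind of check a domain-monitoring job can run over newly observed names, covering the lookalike, homograph, brand-on-new-gTLD and subdomain patterns described above: it folds a small hand-picked set of Cyrillic and Greek confusables to Latin, undoes common glyph substitutions, and uses an edit distance that counts transpositions. The brand list, owned domains and candidate names are constructed, and the code assumes single-label TLDs.

```python
"""Flag newly observed domain names that resemble protected brands."""
import unicodedata
from typing import Optional, Tuple

# Constructed sample data: the brands we protect and the domains we actually own.
BRANDS = ["paypal", "netflix", "google", "amazon"]
OWNED = {"paypal.com", "netflix.com", "google.com", "amazon.com"}
# Small hand-picked subset of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u03bf", "aeopcyxo")
# ASCII glyph swaps commonly seen in lookalike registrations (applied in order).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("i", "l")]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/replace plus adjacent swaps."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "il" vs "li"
    return d[len(a)][len(b)]

def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the domain looks like an impersonation, else None.
    Assumes single-label TLDs (.com, .shop), so the registrable name is the second-to-last label."""
    labels = unicodedata.normalize("NFKC", domain.strip().lower().rstrip(".")).split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in OWNED:
        return None  # too short, or one of our own domains (including its subdomains)
    registrable, tld = labels[-2], labels[-1]
    folded = registrable.translate(CONFUSABLES)  # map lookalike letters back to Latin
    if folded != registrable and folded in BRANDS:
        return folded, "homograph (non-Latin lookalike characters)"
    for brand in BRANDS:
        if folded == brand:
            return brand, f"brand name on unexpected TLD .{tld}"
        swapped = folded
        for src, dst in SUBSTITUTIONS:
            swapped = swapped.replace(src, dst)
        if swapped == brand:
            return brand, "character substitution"
        if osa_distance(folded, brand) == 1:
            return brand, "one-character typo or transposition"
        if any(brand in label for label in labels[:-2]):
            return brand, f"brand used as subdomain of {registrable}.{tld}"
    return None
```

A production feed would also decode punycode (xn--) labels and use the full Unicode confusables table; hits belong in a review or takedown workflow rather than being acted on automatically.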

Phishing protection standards: Email authentication standards such as DMARC, SPF and DKIM help prevent attackers from sending mail that spoofs the company’s own domains and email addresses.
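As an added example (not from the column), this Python audit parses a domain's SPF and DMARC TXT records and flags the settings that leave the company's own domain spoofable: a permissive or missing SPF `all` mechanism, a monitor-only `p=none` policy, and no `rua=` reporting address. The records for example.com are constructed, shown as a weak starting point beside a hardened set; fetching them from DNS is left to the caller.

```python
"""Audit a domain's SPF and DMARC TXT records for settings that leave it easy to spoof."""
import re
from typing import Dict, List

# Constructed TXT records for a hypothetical example.com, keyed by the DNS name they
# live at, as a monitoring job would fetch them. A weak set beside a hardened set.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailprovider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain: str, records: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the domain; an empty list means nothing weak was found."""
    findings = []
    spf = records.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot tell which hosts may send as this domain")
    else:
        # The qualifier on the trailing 'all' decides what happens to unlisted senders.
        match = re.search(r"(?:^|\s)([-~+?])?all(?:\s|$)", spf)
        qualifier = (match.group(1) or "+") if match else None
        if qualifier is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif qualifier in ("+", "?"):
            findings.append(f"SPF '{qualifier}all' lets any host pass or stay neutral")
        elif qualifier == "~":
            findings.append("SPF '~all' only soft-fails unlisted senders; use '-all' once DMARC enforces")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: SPF/DKIM results are never tied to the visible From: domain")
        return findings
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; mail that fails authentication is still delivered")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports about spoofing attempts are never received")
    return findings
```

These standards protect only domains the organization controls; a lookalike registration such as amazon.shop publishes its own SPF and DMARC, so they complement domain monitoring rather than replace it.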

Brand protection services: Opt for a brand protection service from a reputed domain registrar that can help secure and monitor the company’s online presence and respond to threats when an impersonation attack emerges.

As new gTLDs get introduced, the risk of domain impersonation and phishing becomes increasingly concerning for brands and organizations. By adopting proactive strategies such as employee training, use of phishing protection standards, and adoption of domain monitoring and brand protection services, organizations can safeguard their digital identity, reputations, and ultimately the business itself.

Stu Sjouwerman, founder and CEO, KnowBe4 

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
