COMMENTARY: Domain mirroring, or a domain impersonation attack, remains one of the oldest tricks in the phishing playbook. It’s when threat actors mimic website domain names of established brands to deceive users into believing they are interacting with a legitimate site or service.
Imitating the look of a legitimate domain makes it harder for victims to spot a phishing attempt and to tell a genuine site from a fake one. Some of the most common domain forgeries include:
Abuse of new generic top-level domains
Multiple studies from Cloudflare, Palo Alto Networks and now Interisle Consulting confirm that spammers and scammers are increasingly leveraging new generic top-level domains (gTLDs) for phishing and domain impersonation attacks. A top-level domain (TLD) is the label after the last dot in a domain name, for example .com, .org or .net. Generic TLDs are the TLDs that are not two-letter country codes, and the "new" gTLDs are the ones delegated under ICANN's expansion program, which began putting extensions such as .xyz and .top into the root zone in 2013.
Interisle Consulting found that even though new gTLDs account for only 11% of new domain registrations, they represent roughly 37% of cybercrime domains reported between September 2023 and August 2024. Between May 2023 and April 2024, 42% of all domains reported for phishing were in new gTLDs, a growth of 25% from the previous year.
Why gTLDs are leveraged for domain impersonation
The Internet Corporation for Assigned Names and Numbers (ICANN), which also operates the Internet Assigned Numbers Authority (IANA) functions that maintain the root zone, has delegated more than 1,200 new gTLDs to give consumers and businesses more choice when selecting domain names. Some of the more popular new gTLDs in recent years are .xyz, .online, .shop, .top and .site. The .ai extension is also gaining popularity, although it is technically the country-code top-level domain (ccTLD) of the Caribbean island of Anguilla that is simply marketed as a generic extension.
Unfortunately, the flood of new gTLDs also makes it far too easy for threat actors to spoof legitimate brands. Because each extension is its own namespace, a brand that registered its name under .com has no automatic claim to the same name under .shop or .top; a malicious actor can register a domain such as amazon.shop and deploy it in phishing attacks. There are a number of reasons why new gTLDs are popular with threat actors:
Four ways to mitigate domain impersonation risks
Some steps organizations can take to mitigate domain impersonation risks include the following:
Security awareness training: Deliver consistent guidance and education to users regarding the risks associated with domain impersonation. By running phishing simulation exercises, companies can train employees to effectively identify and report suspicious indicators in domain extensions, warding off phishing attempts and thereby improving the overall security posture.
Domain monitoring: Proactively monitor for newly registered domains that closely resemble the company's brand, including the exact brand name under other TLDs, typo and homoglyph variants, and labels that combine the brand with words such as "login" or "support". Newly-registered-domain feeds and Certificate Transparency logs (which expose a lookalike as soon as it obtains a TLS certificate) are the usual sources, and many vendors package this as a domain monitoring service.
Email authentication standards: Publishing SPF and DKIM records and a DMARC policy of p=reject prevents attackers from sending mail that claims to come from the company's own domain. The caveat is that these standards protect only the exact domain that publishes them: an attacker who registers a lookalike under a new gTLD controls that domain and can publish perfectly valid SPF, DKIM and DMARC records for it, so email authentication has to be paired with monitoring and user awareness to address lookalike domains.
Brand protection services: Opt for a brand protection service from a reputable domain registrar or specialist provider that can secure and monitor the company's online presence and, when an impersonating domain appears, pursue takedown through the registrar, hosting provider or dispute process.
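The domain monitoring item above, together with the earlier definition of a gTLD, is the kind of thing that is easiest to understand in code. The following is an added example, not code from the column's author or from any monitoring vendor: it splits a domain into its registrable label and TLD, classifies the TLD as legacy gTLD, new gTLD or ccTLD, generates typo, homoglyph and affix variants of a brand label, and matches a feed of newly registered domains against them. The TLD lists, the hypothetical brand "acmebank" and the sample feed are all constructed for illustration; a real monitor would load the IANA root zone database and the Public Suffix List rather than hard-code them.

```python
import re

# Assumed TLD buckets for illustration only; load the IANA root zone list in practice.
LEGACY_GTLDS = {"com", "net", "org"}
NEW_GTLDS = {"xyz", "online", "shop", "top", "site", "store"}
CC_TLDS = {"ai", "uk", "de"}  # .ai is Anguilla's ccTLD, marketed like a gTLD

# Single-character look-alike substitutions attackers commonly use.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
AFFIXES = ("login", "secure", "support", "account")
VALID_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def split_domain(fqdn):
    """Return (registrable label, tld) for a name like 'www.Example.COM.'.
    Naive one-label suffix split; multi-label suffixes such as .co.uk would
    need the Public Suffix List, which this example does not load."""
    parts = fqdn.strip().lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(VALID_LABEL.match(p) for p in parts):
        raise ValueError(f"not a valid domain name: {fqdn!r}")
    return parts[-2], parts[-1]


def classify_tld(tld):
    """Bucket a TLD so hits in new gTLDs can be prioritised for review."""
    if tld in NEW_GTLDS:
        return "new-gtld"
    if tld in LEGACY_GTLDS:
        return "legacy-gtld"
    if tld in CC_TLDS:
        return "cctld"
    return "unknown"


def lookalike_labels(brand):
    """Generate typo, homoglyph and keyword-affix variants of a brand label."""
    brand = brand.lower()
    variants = set()
    # omission (acmebnk) and adjacent transposition (acmebnak)
    variants.update(brand[:i] + brand[i + 1:] for i in range(len(brand)))
    variants.update(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:]
                    for i in range(len(brand) - 1))
    # single homoglyph substitution (acmeb4nk)
    for i, ch in enumerate(brand):
        if ch in HOMOGLYPHS:
            variants.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])
    # credential-themed affixes (acmebank-login, secure-acmebank)
    for affix in AFFIXES:
        variants.add(f"{brand}-{affix}")
        variants.add(f"{affix}-{brand}")
    # keep only syntactically valid DNS labels (drops the empty string etc.)
    return {v for v in variants if VALID_LABEL.match(v)}


def scan_feed(feed, brands, owned=frozenset()):
    """Match newly registered domains against each brand's lookalike set.
    `owned` holds the organisation's legitimate domains, which are skipped.
    Returns one dict per hit with domain, brand, reason and tld_class."""
    variant_sets = {b.lower(): lookalike_labels(b) for b in brands}
    owned = {o.lower() for o in owned}
    hits = []
    for fqdn in feed:
        try:
            label, tld = split_domain(fqdn)
        except ValueError:
            continue  # malformed feed entry: skip it rather than crash the monitor
        if f"{label}.{tld}" in owned:
            continue
        for brand, variants in variant_sets.items():
            if label == brand:
                reason = "exact brand label on another TLD"
            elif label in variants:
                reason = "typo, homoglyph or affix variant"
            elif brand in label:
                reason = "brand embedded in label"
            else:
                continue
            hits.append({"domain": fqdn, "brand": brand, "reason": reason,
                         "tld_class": classify_tld(tld)})
    return hits


# Constructed sample feed for the hypothetical brand "acmebank".
SAMPLE_FEED = [
    "acmebank.shop",          # exact brand on a new gTLD
    "acmebank-login.top",     # credential-themed affix
    "acmeb4nk.xyz",           # homoglyph
    "acmebnak.site",          # transposition
    "acmebank.com",           # owned by the brand, must be ignored
    "acmebank-support.ai",    # ccTLD marketed as a generic extension
    "acmebankverify.online",  # brand embedded in a longer label
    "weather-today.online",   # unrelated registration
    "bad domain.shop",        # malformed entry in the feed
]

if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_FEED, ["AcmeBank"], owned={"acmebank.com"}):
        print(f"{hit['tld_class']:<12} {hit['domain']:<24} {hit['reason']}")
```

Running the script reports six hits out of the nine feed entries: the owned acmebank.com and the unrelated registration are ignored, the malformed line is skipped, and five of the six hits land in new gTLDs, which is exactly the skew the Interisle figures describe. The variant generator is deliberately small; a production monitor would add keyboard-adjacency typos, IDN homograph handling and the full Public Suffix List.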
As more new gTLDs are introduced, the risk of domain impersonation and phishing becomes increasingly concerning for brands and organizations. By adopting proactive strategies such as employee training, email authentication standards, and domain monitoring and brand protection services, organizations can safeguard their digital identity, their reputation and ultimately the business itself.
Stu Sjouwerman, founder and CEO, KnowBe4
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.