Cyber-attacks using malicious lookalike domains, email addresses and other types of registered identifiers are rising, domain name system (DNS) security provider Infoblox found.
In a recent report, called A Deeper Look at Lookalike Attacks, which the company will present at Infosecurity Europe, the Infoblox Threat Intelligence Group (TIG) found over 1600 domains used since the beginning of 2022 alone that contained a combination of corporate and MFA lookalike features, with worldwide targets ranging from large corporations to major banks, software companies, internet service providers, and government entities.
However high that number might sound, it’s nothing compared to the surge in top-level domain (TLD) registrations, which makes it harder for security researchers to spot the bad apples, Gary Cox, technical director for Western Europe at Infoblox, told Infosecurity.
"On average, there are 180,000 new domains registered every single day, which equates to roughly two per second. Certainly, not all of those will be lookalikes, let alone malicious, of course. But with that volume, identifying the malicious lookalikes is like trying to find a needle in a haystack. No wonder Infoblox had to look at over 70 billion DNS records to put this report together,” Cox said.
A Needle in a Haystack
Nevertheless, Cox added that the surge in registered lookalikes has more to do with criminality and less with this TLD usage increase.
“It's challenging today to get a TLD in [.]com. But if I want to go for [.]xyz, [.]top or [.]tk – which is managed by Tokelau, a small island and territory of New Zealand in the South Pacific and has extensively been used for malicious purposes – it's very easy and cheap,” he said.
"We need to analyze things before they're defined as malware and given fancy names." – Gary Cox, technical director, Western Europe, Infoblox
While cybersecurity researchers have long analyzed typosquatting attacks, in which attackers exploit common typing errors by registering domains that closely resemble popular websites (e.g. ‘googgle.com’ in place of ‘google.com’) to deceive users, lookalike domains now take other forms. Homographs (or homoglyphs) use visually similar characters from different character sets (e.g. Cyrillic) to create domain names that appear identical to legitimate ones (e.g. substituting ‘a’ with ‘α’), and combosquats are a combination of the previous two.
The report found that combosquatting domains are 100 times more prevalent than typosquatting domains and that 60% of abusive combosquatting domains are active for over 1000 days.
A new lookalike technique, called soundsquatting, is also emerging. It first appeared in 2014 and leverages the use of homophones to trick users who hear the domain rather than read it – such as when using a personal assistant.
Everyone is a Target
Lookalike domains “are often associated with broad, untargeted attacks on consumers through email spam, advertising, social media, and SMS messages. [They] are so synonymous with phishing attacks that security awareness training includes learning to inspect links for them,” the Infoblox report reads.
And rightly so: The Anti-Phishing Working Group (APWG), of which Infoblox is a founding member, reported that phishing reached record levels in the third quarter of 2022, with identified lookalike tactics such as homographs, typosquats, combosquats and soundsquats.
However, they are not just a threat to individuals but are also used to gain access to corporate networks. “There have always been and probably always will be some bigger targets, such as banks, pharmaceuticals and anything related to industrial systems, but the bottom line is: everyone is a target,” Cox said.
Anthony James, VP for product marketing at Infoblox, will give a presentation on DNS Detection and Response (DDR) during Infosecurity Europe on Wednesday, June 21.
In the report, Infoblox provided many examples of lookalike attack victims, from SMEs to multinational enterprises across all sectors, including cryptocurrencies, humanitarian organizations, financial companies, famous retail brands, and government agencies – even Infoblox itself was extensively targeted, the report stated.
Lookalike attacks are effective because our human brain short-circuits while reading – the same reason our brain can read words even when the letters are slightly jumbled.
Punycode, Email Security and DNS Security
There are security measures in place to defend users against lookalike attacks, such as email filtering solutions, anti-phishing and anti-smishing tools, or browsers’ use of Punycode, which ‘translates’ internationalized domain names from Unicode characters into American Standard Code for Information Interchange (ASCII), a smaller, restricted character set, so that a non-Latin lookalike is displayed in its xn-- form rather than as the brand it imitates.
However, these tools are not a silver bullet and malicious lookalike domains do bypass these guardrails.
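To make the lookalike forms described above (typosquats, homographs, combosquats with MFA-style keywords) and the Punycode conversion concrete, here is an added example that is not part of the Infoblox report or the article. It is a small defensive classifier: the brand list, keyword list and confusable-character map are constructed assumptions, and a production tool would use the full Unicode confusables table.

```python
"""Flag lookalike domains against a brand list and show their Punycode form."""
import unicodedata

# Constructed brand and keyword lists for this demonstration (assumptions).
BRANDS = ["google", "example", "infoblox"]
KEYWORDS = ["mfa", "login", "secure", "verify", "sso"]
# Assumed subset of visually confusable Cyrillic/Greek letters mapped to Latin:
# а е о р с у х і ӏ α ο  ->  a e o p c y x i l a o
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u04cf\u03b1\u03bf",
    "aeopcyxilao")

def to_ascii(domain):
    """Punycode (xn--) form that browsers display for non-ASCII labels."""
    return domain.encode("idna").decode("ascii")

def scripts(label):
    """Set of Unicode scripts used by the letters of a label (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance; a typo such as 'googgle' is 1 edit from 'google'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return findings for the second-level label: mixed-script, homograph,
    typosquat or combosquat (with '+mfa' when a credential keyword is present)."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    findings = []
    if len(scripts(label)) > 1:          # Latin mixed with Cyrillic/Greek
        findings.append("mixed-script")
    skeleton = label.translate(CONFUSABLES)  # what the label looks like to a human
    for brand in BRANDS:
        if skeleton == brand and label != brand:
            findings.append(f"homograph:{brand}")
        elif label != brand and edit_distance(label, brand) <= 1:
            findings.append(f"typosquat:{brand}")
        elif brand in label and label != brand:
            tag = "combosquat" + ("+mfa" if any(k in label for k in KEYWORDS) else "")
            findings.append(f"{tag}:{brand}")
    return findings

if __name__ == "__main__":
    for d in ["example.com", "googgle.com", "infoblox-mfa.com", "ex\u0430mple.com"]:
        print(d, "->", to_ascii(d), classify(d))
```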
According to Mozilla, owner of the Firefox browser, the first responsibility should be on the registries’ shoulders.
“It is up to registries to make sure that their customers cannot rip each other off. Browsers can put some technical restrictions in place, but we are not in a position to do this job for them while still maintaining a level playing field for non-Latin scripts on the web. The registries are the only people in a position to implement the proper checking here. For our part, we want to make sure we don’t treat non-Latin scripts as second-class citizens,” reads Mozilla’s description of its internationalized domain name (IDN) display algorithm.
Cox agreed: “Browser providers and personal assistant vendors cannot be made responsible for failing to detect malicious lookalike domains.”
That’s where DNS security comes into play, he added. "I firmly believe in defense-in-depth, but we must also analyze things before they're defined as malware and given fancy names. If something looks suspicious because of how it was being set up, the infrastructure it's hosted on, the history of the person registering it or the TLD it was registered on, we can start investigating. All these attributes, none of which on their own give us any definitive picture, can help start to build up a view of a level of suspicion."
Findings from the Infoblox report on lookalike attacks came from DNS event detections from January 2022 to March 2023.