Lookalike websites and domains are on the rise
And deception strategies – designed to fool even the most alert – have grown increasingly complex.
Large or well-known organisations like retailers, banks, telcos, and utility providers are popular (but by no means exclusive) targets. But it’s not just your customers who fall prey to fraud. Despite the best cyber awareness training, it can be difficult for even your employees to identify when a suspect domain mimics one they know and trust. They can unwittingly provide cybercriminals with open-door access to your systems and data.
How are lookalikes used, and why are they hard to spot?
Lookalikes are deployed in a variety of ways including SMS messages, phone calls, direct messages on social media sites, emails, embedded in QR codes and domains on the World Wide Web.
To make a lookalike nearly indistinguishable from the real thing, cybercriminals use tactics such as homographs, typosquats, combosquats and soundsqats.
Homographs (aka homoglyphs) look the same as your domain but replace a letter (like a capital I) with a lowercase l, or an O with a 0 (zero). Whereas typosquats capitalise on popular typos made when typing out a domain name. For example, gikthub.com instead of github.com
Combosquatting combines brand or company names with other credible keywords – so PayPal.com becomes PayPalSupport.com. And soundsquats reflect the rise of Siri, Google Voice, and Alexa – using words that sound the same but have different spellings. So, a voice request to go to Netflix could point you to NetFlicks.
What’s at risk from lookalikes?
Here are just a few examples of how cybercriminals use lookalike websites and domains to access customer and organisational data.
-
Thinking they are on the correct website or scanning a genuine QR code, your customers are duped into making purchases or paying for services that are never honoured while also sharing their personally identifiable information (PII) and credit card details with criminals.
-
In response to sophisticated MFA phishing campaigns, bank and financial institution account holders are directed to malicious lookalike websites or help desk numbers. Once the criminals have a user’s genuine MFA code in their hands, they access the account and help themselves to customer funds in real-time.
-
Employees respond to internal emails or MFA alerts sent by SMS requesting them to log in to a system, download a system update, or open a link, potentially giving criminals access to your systems and data, sharing privileged user credentials, and distributing malware.
It doesn’t happen here. Does it?
Sadly, yes.
In 2023, a persistent lookalike smishing actor ran a campaign where they directed account holders to access MyGov (the Australian Government’s online portal for the government cloud) via MFA rather than the normal login page. Account holders were instructed to enter a code sent by SMS, and the page even offered links to a helpdesk to add credibility.
The goal? To direct users to malicious websites and collect valid user credentials to gain access to the ‘real’ site.
Mitigate the impact of a lookalike attack with Baidam Takedown Services
In conjunction with Infoblox, a premier DNS security company, we have launched Baidam Takedown Services. The service is designed to help your organisation maintain a secure and trustworthy online presence and quickly mitigate the impact of any incidents.
Phishing site
Is someone impersonating your website? We will remove any lookalike websites within 24-72 hours – guaranteed. If we don’t, we’ll work for free until our mission is accomplished.
Malicious name servers
Is your domain name being taken in vain? We will work with service providers to remove servers that provide criminals with (malicious) Authoritative Domain Name Services.
Malware command and control (C2)
Has someone used a lookalike site or landing page as a C2 server for malware campaigns? We will collaboratively review the threat and once confirmed, work with you to remove it.
Malware file hosting location
Have you got malware on your public-facing website? After reviewing and confirming the existence of potential malware, we will work to remove the malicious files.
Stolen credentials or other content
Has your corporate proprietary information (e.g., access credentials, personally identifiable information, credit card data) been stolen and hosted in a forum or a fraudulent host account? We’ll work with you to remove the stolen content.
How does it work?
Our Takedown Services can be purchased in packs of 25, 50, or 100. Each ‘takedown’ resolves one of the following issues and gets you back to business as usual as quickly as possible. You can use your services one at a time as needed or in clusters to resolve multiple issues.