Phishing Domains & Lookalike Domains

A phishing domain is a maliciously registered domain designed to mimic a legitimate website, tricking users into revealing sensitive information such as passwords, credit card numbers, or personal data. Attackers often rely on visual similarity, misspellings, or subtle changes to deceive the target.

---

Common Techniques

1. Typosquatting / Misspelling

   • Slight misspellings of the legitimate domain.

   • Example:

     • Legitimate: paypal.com

     • Malicious: paypol.com, papyal.com

   • Users mistyping the address are redirected to a fake site.

2. Homograph Attacks (Unicode Domain Spoofing)

   • Use of visually similar characters from different alphabets (Cyrillic, Greek, etc.).

   • Example:

     • Legitimate: apple.com

     • Malicious: аррle.com (the first two “p” are Cyrillic letters)

3. Added Words / Prefixes / Suffixes

   • Adding extra words to appear legitimate or urgent.

   • Example:

     • secure-paypal.com

     • paypal-login.com

     • account-paypal-security.com

4. Subdomain Abuse

   • Making a subdomain appear like the main site.

   • Example:

     • paypal.com.security-check.info (real domain is security-check.info)

5. Hyphenation Tricks

   • Using dashes to make the domain look official.

   • Example: bank-of-america-login.com

6. Combosquatting

   • Combining brand names with related keywords.

   • Example: amazon-prime-support.com

---

Cybersecurity Perspective

Risks:

• Credential theft through fake login forms.

• Malware delivery via drive-by downloads.

• Brand damage and customer trust loss.

• Potential large-scale phishing campaigns.

Detection & Prevention:

• Domain monitoring: Watch for registrations similar to your brand.

• Levenshtein distance checks: Detect domains with minimal letter changes.

• User awareness training: Teach users to check URLs carefully.

• Browser and email filters: Block known malicious domains.

• Certificate monitoring: Watch for SSL certificates issued for lookalike domains.

Pentesting Considerations:

• Use OSINT tools (dnstwist, urlcrazy, typosquatter) to find lookalike domains.

• Check WHOIS and hosting provider details for suspicious registrations.

• Report phishing domains to authorities (Google Safe Browsing, PhishTank, hosting providers).

---

Example (for hydrattack.com):

Possible phishing variants:

• hydrattak.com (missing “c”)

• hyderattack.com (letter swap)

• hydrattack-login.com (added keyword)

• hydrattack.com.verify-security.net (subdomain trick)

• hydràttack.com (Unicode spoofing)