Fake and Look-alike Domains used in Phishing

What’s a look-alike domain?

Hackers sometimes use look-alike domains to confuse victims.  Look-alike domains look very similar to common domains but are actually completely different.  An example is lbm.com vs. ibm.com; notice the ‘l’ instead of the ‘i’. The strategy is rather simple: divert the end user to the look-alike domain, wait for them to enter their credentials, then steal them. Look-alike domains can be purchased cheaply from many domain registrars and spun into production quickly, often by bad guys.

Many phishing emails contain malicious links to look-alike domains.  They are so common that learning to recognize them should be a part of every security awareness program–but let’s get real for a minute; someone in the organization is going to get tricked and click something they shouldn’t.  So how do companies protect themselves when we all know ‘people click stuff’? It’s one of the few hard-and-fast digital security facts you need to come to grips with.

How to defend against look-alike domains (and people who click stuff)

  • Training 

    • Don’t skimp here: over-communicate the dangers, and find a partner who can help with cloud-based training or even internal phishing campaigns to drive the point home.  Yes, training is good, but even 95% good is 5% bad, and the 5% bad is 100% bad — and that’s about the end of my math skills.
  • Buy look-alike domains

    • You’re probably wondering, “How do I even know what to buy? How is that even possible?”  Simple: use the open-source tool called URLCrazy to find the domains that could potentially be used against you, and then purchase the domain names!  Problem solved.    Okay, okay….  Since security teams and IT both have limited budgets, we need another solution, and a free one would be awesome.   How ’bout we just find the domains with URLCrazy and block end users from clicking on them?
  • Block look-alike domains

    • Fire up a copy of Kali Linux and run URLCrazy from the command line, or for an online version, browse over to https://suip.biz/?act=urlcrazy and enter a domain name.  (That website hosts an online look-alike domain name generator built on URLCrazy; a very handy tool, but use it for good, not evil!)   You will get a long list of look-alike domains that someone could fraudulently use.   Here is an example of the first few from ‘nerdosaur.com’.
      [Image: URLCrazy results for nerdosaur.com]

      Just for kicks, run URLCrazy for microsoft.com or facebook.com and check out the data on the look-alike domains… it’s somewhat terrifying but educational.

    • Take the output from URLCrazy and import the look-alike domains into your internal DNS server.  Redirect the IP addresses of each to  If you want to get real fancy, point them to an internal web server where you have a landing page that offers security awareness training or points to this blog! They will be protected from browsing to the bad domains, they’ll love it, and my hit counters will go way up!  What’s not to love?
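The generate-then-sinkhole workflow in the steps above, as an added example that is not part of the original post and is not URLCrazy’s own code: a small Python script that produces a few classes of look-alike candidates (character omission, transposition, repetition, confusable substitutions such as ‘i’ to ‘l’, and TLD swaps), writes them out as internal DNS sinkhole records, and can check whether a hostname pulled from an email link mimics one of your protected domains. The sinkhole address 10.0.0.1, the dnsmasq `address=/domain/ip` record format, and the hosts-file format are assumptions for the example; substitute whatever your internal DNS server uses.

```python
"""Look-alike domain generator and DNS sinkhole record writer.

Added example (not URLCrazy). Covers a handful of the permutation
classes a tool like URLCrazy emits, then formats the results for an
internal DNS sinkhole so end users cannot reach them.
"""

# Confusable substitutions commonly abused in look-alike domains.
CONFUSABLES = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "o": ["0"],
    "0": ["o"],
    "m": ["rn", "nn"],
    "rn": ["m"],
    "vv": ["w"],
    "w": ["vv"],
    "e": ["3"],
    "a": ["4"],
}

# TLDs to swap in; assumed list for the example.
COMMON_TLDS = ["com", "net", "org", "co", "cm", "biz"]


def split_domain(domain):
    """Split 'name.tld' into (name, tld). Assumes a single-label TLD."""
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    return name, tld


def lookalike_domains(domain):
    """Return a sorted list of look-alike candidates for `domain`."""
    name, tld = split_domain(domain)
    names = set()

    # 1. Character omission: nerdosaur -> nrdosaur
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])

    # 2. Adjacent transposition: nerdosaur -> enrdosaur
    for i in range(len(name) - 1):
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])

    # 3. Character repetition: nerdosaur -> nerrdosaur
    for i in range(len(name)):
        names.add(name[:i] + name[i] + name[i:])

    # 4. Confusable substitution: ibm -> lbm, ibm -> 1bm
    for src, replacements in CONFUSABLES.items():
        start = name.find(src)
        while start != -1:
            for rep in replacements:
                names.add(name[:start] + rep + name[start + len(src):])
            start = name.find(src, start + 1)

    # Drop the real name and anything that is not a valid label.
    names.discard(name)
    names = {n for n in names if n and n.strip("-") == n}

    # 5. TLD swaps on the original name: nerdosaur.com -> nerdosaur.co
    results = {f"{n}.{tld}" for n in names}
    results |= {f"{name}.{t}" for t in COMMON_TLDS if t != tld}
    return sorted(results)


def sinkhole_records(domains, sinkhole_ip="10.0.0.1", fmt="dnsmasq"):
    """Format look-alike domains as DNS sinkhole records.

    fmt="dnsmasq" -> address=/lbm.com/10.0.0.1
    fmt="hosts"   -> 10.0.0.1 lbm.com www.lbm.com
    """
    if fmt == "dnsmasq":
        return [f"address=/{d}/{sinkhole_ip}" for d in domains]
    if fmt == "hosts":
        return [f"{sinkhole_ip} {d} www.{d}" for d in domains]
    raise ValueError(f"unknown record format {fmt!r}")


def is_lookalike(host, protected_domains):
    """Return the protected domain that `host` mimics, or None.

    An exact match of a protected domain is legitimate, not a look-alike.
    """
    host = host.lower()
    protected = [p.lower() for p in protected_domains]
    if host in protected:
        return None
    for p in protected:
        if host in lookalike_domains(p):
            return p
    return None


if __name__ == "__main__":
    protected = ["ibm.com", "nerdosaur.com"]
    for p in protected:
        print(f"# sinkhole records for look-alikes of {p}")
        for rec in sinkhole_records(lookalike_domains(p)):
            print(rec)
    # Constructed sample: hostnames extracted from links in a phishing email.
    for host in ["lbm.com", "ibm.com", "nerdosaur.co", "example.org"]:
        print(host, "->", is_lookalike(host, protected) or "ok")
```

Run it with the real protected domains and feed the printed records into the internal resolver; pointing the sinkhole address at the awareness landing page is the same "get real fancy" step described above. The candidate list here is deliberately narrower than URLCrazy’s, so use the tool’s full output for production blocking and keep this script for understanding what the permutations look like.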

So, now that you’ve saved your world from one more techno-peril, help me teach everyone to be paranoid.

[Image: don't click]




