One of the most pervasive and unavoidable threats on the internet, domain impersonation can be used by bad actors as the basis for a wide range of attacks. The various ways in which cybercriminals make use of lookalike domains often fluctuate, and the first half of 2023 has exemplified this fact. Staying on top of security and not falling victim to these attacks requires knowing what the dangers are and keeping track of the threats that are likely to spring up. Fortra’s 2023 Domain Impersonation Report explores recent trends in lookalike domains, top-level domain abuse, and email domain spoofing to inform readers of the current threat landscape regarding domain impersonation.
In H1 of 2023, brands were targeted by an average of 39.4 lookalike domains each month, with a general trend upward. Averages from January to May ranged from 27.29 to 37.23 lookalike domains per month, but the change from May to June showed an increase of more than 120%. One factor contributing to this growth is an increase in lookalike domains targeting certain industries, including the technology, retail, manufacturing, and financial sectors. This is also reflected in a significant jump in attacks on a top three webmail provider.
Because of the vast number of ways in which bad actors can take advantage of lookalike domains, it is useful to break up these methods into categories. The report categorizes content hosted on lookalike domains into four separate groups: no relevant content, branded content, redirects, and malicious content. The “no relevant content” category applies to cases where the domain displays attributes of a brand but does not host harmful content, often only serving ads to the target. This type of site accounted for 86% of lookalike domains in the first half of 2023.
The other categories of lookalike domains—branded content, redirects, and malicious content—are the types likely to pose a threat to the target. Lookalike domains hosting branded content, which accounted for 53.4% of these threats, are domains that host content related to an organization, often including logos and brand names to bolster the illusion. Redirects, making up 36.3% of lookalike domain threats, are domains that send the user on to a third-party or competitor website.
Malicious lookalikes, which made up 10.3% of the threats in H1 of 2023, are domains hosting content that is associated with or contributes to any number of online scams or attacks. Of the lookalike domains that fell under this category, more than three-quarters (76.95%) were domains hosting phishing content, such as those attempting to get targets to enter login credentials. Cryptocurrency scams accounted for 17.2% of malicious content lookalike domains, followed by counterfeit sites (4.41%) and malicious activity such as malware (1.44%).
H1 of 2023 showed unusual levels of fluctuation in the types of top-level domains (TLDs) used in phishing campaigns, shifting away from common free registration providers and leading to new and paid TLDs in the top ten. In Q2, half of the top ten abused TLDs were new, and many showed significant changes in volume. Several of the TLDs in the top ten can be used in conjunction with a brand or industry URL to mislead targets. These include the new generic TLDs (gTLDs) .APP and .SHOP, which both showed massive increases in abuse and “would be ideal choices in targeting a technology company or retail brand.”
This report marks the first time that country code TLDs (ccTLDs) have made up the largest portion of TLD abuse, at almost 46%. There were increases in the abuse of all four ccTLDs in the top ten—.PL, .CO, .ID, and .FR—but the most significant jumps were .PL, up 246% from Q1, and .FR, up 699% from Q1. Legacy gTLDs overall decreased by 18.5% from Q1, with .COM dropping 8.5% but remaining the most abused TLD by a long shot. In contrast, .ORG dropped from the second-most abused TLD to the seventh between Q1 and Q2. New TLDs from Google, while not abused enough to make the top ten, have notably been used for phishing in June, with two incidents associated with the TLD .ZIP and eighteen associated with .DAD.
Besides lookalike domains, bad actors can also take advantage of spoofing in emails in a variety of ways. Email sender addresses can be forged without the necessity of the cybercriminal actually registering the domain being impersonated. Domain spoofing attacks impersonate the brand not with an actual domain, but with the display name attached to an email message. The most commonly used domain spoofing categories are brand display name imposters (used in 62.36% of email spoofing cases in this report), individual display name imposters (34.54%), and lookalike domains (3.10%).
A brand display name imposter attack and an individual display name imposter attack both rely on the mail client showing the display name to the recipient and hiding the actual email address. The email address is irrelevant, so long as the target sees the display name and takes it at face value, believing the email to come from the brand or individual whose name is being used. Lookalike domain spoofing in emails requires the attacker to use an email domain that is similar to the domain being impersonated, often deviating by a single character.
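As an added illustration, not part of the report or of Fortra's tooling, the following Python classifies a message's From: header into the three email spoofing categories described above (brand display name imposter, individual display name imposter, lookalike domain). The brand name, its domain, and the protected employee name are constructed assumptions; the single-character lookalike check uses edit distance.

```python
import email.utils

# Constructed reference data for a hypothetical brand (assumption, not from the report).
BRAND_NAME = "Acme Bank"
BRAND_DOMAINS = {"acmebank.com"}
KNOWN_PEOPLE = {"jane doe"}  # names of staff commonly impersonated, e.g. executives


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a distance of 1 flags a one-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header: str) -> str:
    """Map a From: header to one of the report's email spoofing categories."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in BRAND_DOMAINS:
        return "legitimate"
    # Lookalike domain: the sender domain is within one edit of a real brand domain.
    if any(levenshtein(domain, real) == 1 for real in BRAND_DOMAINS):
        return "lookalike domain"
    # Display name imposters: the address is unrelated, only the visible name is borrowed.
    name = display.strip().lower()
    if BRAND_NAME.lower() in name:
        return "brand display name imposter"
    if name in KNOWN_PEOPLE:
        return "individual display name imposter"
    return "unclassified"


def summarize(headers) -> dict:
    """Count messages per category, the way the report tallies spoofing cases."""
    counts: dict = {}
    for h in headers:
        cat = classify_from_header(h)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample From: headers (not taken from any real mailbox).
SAMPLE_HEADERS = [
    '"Acme Bank Security" <alerts@mail-service.example>',
    'Jane Doe <jane.doe.ceo@gmail.example>',
    'Acme Bank <alerts@acmebank.co>',
    'Acme Bank <alerts@acmebank.com>',
]
```

Running `summarize(SAMPLE_HEADERS)` yields one message in each of the four categories; in production the brand domain set and name list would come from the organization's own inventory.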
It is important to recognize and understand the threats posed by cybercriminals using domain impersonation. Many cyberattacks rely on the victim believing a lookalike domain to be the real thing and responding accordingly, often risking their data, login credentials, or financial assets in the process.
The number of lookalike domains targeting each brand per month has trended upwards so far this year, with a massive spike toward the end of H1. The first half of this year has shown significant fluctuations in many areas concerning domain impersonation, and following these trends is the first step in protecting against these types of attacks.
Read the latest 2023 Domain Impersonation Report to learn more.