Kaspersky: How to identify lookalike domains

Kaspersky, a cybersecurity solutions provider, has compiled a list of methods used by cybercriminals to trick victims into clicking malicious links and falling for phishing scams.

Cybercriminals often employ fake websites and email addresses to initiate phishing attacks, either by distributing malware or by deceiving individuals into sharing personal information. Unfortunately, unsuspecting victims can easily fall prey to these tactics.

The core element of these deceptive tactics is usually the domain name, which appears after the “@” symbol in an email or at the beginning of a URL. The purpose of the domain is to create a sense of trust in the victim. Cybercriminals aim to gain control of official domains belonging to the target company, its suppliers, or partners. 

Kaspersky explains how phishing works
Kaspersky detects cyberstalking software in 176 countries

However, during the initial stages of an attack, this might not be possible. Instead, before launching a targeted assault, they register domains that closely resemble those of the victim organization, hoping that people won’t notice the difference. Such techniques are referred to as lookalike attacks. They then proceed to host fake websites on these domains or send spoof emails from associated mailboxes.

Here is a list that Kaspersky provided that can serve as a guide in spotting fake websites.

• Homoglyphs: Similar-looking but different letters

One tactic is the use of visually similar or nearly indistinguishable letters. For example, a lowercase “L” (l) in certain fonts appears identical to a capital “i” (I). Consequently, an email from the address JOHN@MlCROSOFT.COM could easily deceive even the observant. The true sender’s address is

The proliferation of similar-looking characters has increased due to the ability to register domains in various languages, including those not using the Latin alphabet. Characters such as the Greek “ο,” Russian “о,” and Latin “o” are indistinguishable to humans but are distinct for computers. This has led to the registration of numerous domains resembling microsоft.cοm using different combinations of these characters. This strategy, utilizing visually similar characters, is known as homoglyph or homograph attacks.

• Combo-squatting: Adding a relevant word

Combo-squatting has gained popularity among cybercriminals. To mimic a target company’s email or website, they create a domain merging the company’s name with a pertinent auxiliary term, like or The subject of the email and the domain’s end should align. For example, an email warning about unauthorized account access might link to a site with the domain outlook alert.

The challenge is heightened by legitimate companies possessing domains with auxiliary words. For instance, is a valid Microsoft site.

Top-level domain spoofing

Cybercriminals occasionally register a similar domain under a different top-level domain (TLD), like instead of This technique is referred to as Tld-squatting. The company’s name remains the same, making this substitution highly effective.

Typo-squatting: Misspelled domains

The simplest way to generate fake domains is by exploiting common typos that are difficult to spot. Variations include adding/removing letters or punctuation and replacing similar-sounding letters.

To guard against these tactics:

  • Homoglyphs are particularly challenging to spot and are rarely used for legitimate purposes. Browser developers and some domain registrars are implementing defenses. Some domain zones prohibit names with letters from different alphabets. However, in many other TLDs, reliance on security tools is necessary.
  • Vigilance is key against typo-squatting and combo-squatting. Basic security awareness training for employees helps them identify phishing techniques.

Cybercriminals have an extensive array of tactics, extending beyond lookalike attacks. Advanced protection tools, such as safeguarding all employee devices and intercepting malicious content from various channels, are essential for countering sophisticated attacks tailored to specific companies.

1 reply »