Doppelgänger domains and typosquatting

Malicious domains are lurking everywhere - a click on a genuine-looking, but false link or a typo when accessing a well-known website can already cause unnoticed damage.

There are two main types of so-called doppelgänger domains. Those that passively rely on frequent typos or misspellings (typosquatting), and those that are used for active attacks. 


Since we don't want to spread any dangerous links, we will play through the following scenario:

A company sells goods on its website via an online shop. Orders are always dispatched reliably and promptly, but recently there has been an increasing number of complaints from customers. A customer writes: "I've ordered from your online sbop two weeks ago, but still haven't received anything". The company reviews the case and finds that there are no orders from this customer.

Did you notice? A spelling mistake has crept into the word 'shop'. The customers have ordered from the online 'sbop', written with a 'b' instead of an 'h'.
Criminal third parties have registered this false domain to make money from the company's established name and the inattentiveness of the users. They have cloned the company's layouts, logos and texts to create an "Evil Twin", a fake website that looks deceptively similar to the real site.

Such domains are also used to steal customers' usernames and passwords to exploit customer accounts and payment information, damaging the company.

How to protect yourself

As the operator of a website, you should register similar domains with misspellings or risk of confusion yourself and set up a redirect to the correct domain. The cost per domain is usually low and can save the company and its customers a lot of trouble.

Users should take a close look, maybe even choose a larger or different font, and not solely rely on the lock symbol when accessing a website. This symbol merely indicates that the communication between the browser and the server is encrypted but does not guarantee that you are communicating with the correct server. 

Active attacks through emails

There are also more perfidious doppelganger domains, where attackers do not wait for website visitors to make a mistake, but instead register well-camouflaged domains and purposefully send out emails in the name of the company. This is done in the hopes that recipients will not notice the difference in the spelling of the domain. 

For example, an 'e' can be replaced with an 'е' almost unnoticed. It is even easier to replace l with I, i.e. capital 'i' and lowercase 'L'. The "online shop" can hardly be distinguished from the "onIine shop" and "online" and "onlinе" also look very similar.
There are many so-called letter-like symbols or similar letters from other alphabets that can also be used in domain names. i, ⅰ and 𝗂 are also almost identical in appearance.

Customers or employees of the company are often contacted in order to obtain data. In the worst-case scenario, criminals gain access to the company's intranet by taking over employee accounts, causing even greater damage. 

How to protect yourself

It is virtually impossible for companies to predict and register all similar letter combinations. This is where tools help that automatically recognize incorrect domains in emails and within the browser and warn the user of the discrepancy. 
In email programs, a notification can be displayed if the domain is generally unknown or external. This alerts employees to the fact that they are currently not communicating within the company, but with a third party. They can then make a conscious decision as to whether it is a trustworthy source (customers, interested parties) or a risk. 
If a duplicate domain is detected, customers can be warned immediately, and the relevant domain registrars can be notified of the abuse in order to have the domain deactivated as quickly as possible.