Rise of the Homoglyph Domains

It has been a while since my last post. Since then, our world continues to change, including one significant development in the cyber war - the rise of attacks utilizing Homoglyph Domain names.

What is a Homoglyph Domain? At Modo, we like to think of it as something that is dangerously close to a domain you would trust. The addresses look and feel very similar to yours.

These attacks devastate a company’s brand, confidence with customers, and may cause financial damage.

So, how do they work? The threat actor buys a domain that looks like your domain but has one or more characters that are different. Their intent is purely malicious. They are betting they can get someone from your organization or one of your customers to “click” on the email and use it as a gateway into the organization.

This type of misdirection can be easy to catch in some circumstances and very difficult in others. Imagine your company domain name is “lovemyjob.com” and a nefarious person purchases “l0vemyjob.com” or “1ovemyjob.com”. Please note that I have replaced the “o” with a zero and the “l” with the numeral one. At first glance many folks miss this. The key to avoiding this trap is awareness: knowing that criminals are trying to steal your information, how they do it, and what to look for as we work through emails and websites during our workday.

Next, after finding the domain they want to use to trick you, the threat actor gathers some information about individuals in your company. They may go to LinkedIn, Facebook, Outlook, Gmail, the Dark Web, etc. to acquire your company email address format. For example, John Thomas would be jthomas@lovemyjob.com. Unfortunately, it is not difficult to identify email formats, and it is impossible to hide them given the data breaches that are on the rise.

Once they have the email format, the threat actor then harvests names of key individuals such as a mortgage broker or accountant. The next step is to get the email signature of the targeted company by simply emailing the target and hopefully getting a response with the target’s full signature intact. This is how the threat actor steals your brand.

With this information, they start sending emails as jthomas@l0vemyjob.com to potential victims such as customers or banking institutions. What makes this hard to combat is you do not know it is happening as they are not contacting you; they are contacting your customers. Where you likely have tools and/or an I.T. department to combat these malicious email threats, your customer may not and can be easily duped into financial losses or loss of sensitive information. In some of the worst-case scenarios your customers may be using free email platforms and have no additional security or a technical contact for guidance.

In many cases the criminals send an email with an attachment or a link that has a method for deploying a crypto virus (ransomware). This scenario is almost completely out of your control as the threat is indirect to your organization. I used the word “almost” as there is one thing that can be done. Buy the homoglyph domains and, if they already exist, contact the registrar and request that they be blocked.
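Both halves of that advice, spotting look-alike sender domains and producing the list of variants to register or report, can be scripted. The example below is added here and is not code from the original post; the “o”→“0” and “l”→“1” pairs are the ones shown above, while the remaining look-alike pairs and the sample From headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Look-alike characters collapsed to one canonical form. The "o"->"0" and
# "l"->"1" pairs are the ones the post shows; the others are common extras
# added here as an assumption, not taken from the post.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "3": "e", "4": "a", "5": "s", "7": "t"}

def skeleton(label: str) -> str:
    """Canonical form of a domain label in which look-alike characters coincide."""
    label = label.lower().replace("rn", "m")  # "rn" renders much like "m"
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def is_homoglyph(candidate: str, trusted: str) -> bool:
    """True when candidate differs from trusted but collapses to the same skeleton (any number of swaps)."""
    candidate, trusted = candidate.lower(), trusted.lower()
    if candidate == trusted:
        return False
    c_label, _, c_tld = candidate.partition(".")
    t_label, _, t_tld = trusted.partition(".")
    return c_tld == t_tld and skeleton(c_label) == skeleton(t_label)

def homoglyph_variants(domain: str) -> set:
    """Single-substitution look-alikes of domain: the list to register or to ask a registrar to block."""
    label, dot, tld = domain.lower().partition(".")
    reverse = {}
    for fake, real in CONFUSABLES.items():
        reverse.setdefault(real, set()).add(fake)
    out = set()
    for pos, ch in enumerate(label):
        for sub in reverse.get(ch, ()):
            out.add(label[:pos] + sub + label[pos + 1:] + dot + tld)
    return out

def flag_senders(from_headers, trusted: str) -> list:
    """Return the addresses whose domain is a look-alike of trusted (a mail-gateway style check)."""
    flagged = []
    for header in from_headers:
        _, addr = parseaddr(header)
        domain = addr.rpartition("@")[2]
        if is_homoglyph(domain, trusted):
            flagged.append(addr)
    return flagged

if __name__ == "__main__":
    # Constructed sample From headers, not real mail
    sample = ["John Thomas <jthomas@lovemyjob.com>",
              "John Thomas <jthomas@l0vemyjob.com>",
              "Accounts <ap@partnerbank.example>"]
    print(sorted(homoglyph_variants("lovemyjob.com")))
    print(flag_senders(sample, "lovemyjob.com"))  # ['jthomas@l0vemyjob.com']
```

Because the comparison runs on collapsed skeletons, a sender such as l0vernyj0b.com is flagged even though it differs from the real domain in several places at once.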

Homoglyph domains differ from the typosquatting threat, but I recommend buying those domains as well. Typosquatting is purchasing domains with characters transposed, such as google.com vs googel.com.

The threat landscape can be difficult to navigate in business today. If you need assistance in securing your environment, Modo Networks can help. Please reach out to us at info@modonetworks.com or call us at (214) 299-8040 to learn more.
