Spot the difference: how to protect endpoints from phishing emails with lookalike domains
December 2020 by Kaspersky
Kaspersky experts have found that the service and e-commerce industry has become the most targeted by phishing attacks with domains that look legitimate. In Q3 2020, the sector accounted for 35% of all attacks that use this technique. This may be a result of the pandemic, as there has been a massive transition in the number of consumers relying on online services and shopping. Half (50%) of fake domains are only used once and 73% are active for just one day, which makes them very hard to detect. Automated multi-layered analysis is able to detect such attacks without compiling domain lists manually.
The lookalike technique means phishing emails are sent from a domain that looks like a legitimate web address but in fact contains a minor spelling error (such as a missing letter). In many cases a recipient is unlikely to notice the mistake; for example, fraudsters change @netflix.com to @netffix.com or use @kapersky.com instead of @kaspersky.com. Because the fraudsters register and control the lookalike domain themselves, messages sent from it pass authentication without any problems, carry a valid cryptographic signature and do not arouse the suspicion of anti-spam systems.
Kaspersky’s research reveals which industries most often suffer from attacks with lookalike domains. In Q3 2020, services and e-commerce were hit the most, with IT & Telecom in second place.
The traditional method of detecting lookalikes is the manual insertion of all possible variants of fake domains into an anti-phishing solution, which is time consuming and not always effective, as some variants may still be missing from the list. It is as if the police created an identikit of a criminal but were not sure about some of the facial features, so they had to make a hundred identikits with a wide range of options for the nose or eyes.
The technology which is more effective against phishing with lookalike domains includes several stages of analysis, helping to identify the fake by comparing a suspicious domain to legitimate ones rather than to a list of false ones. When a message from an unknown sender is delivered to an email inbox, it goes through all of the standard anti-spam filters. If nothing malicious is revealed, the domain analysis begins. During the first stage, the system compares the domain with all known lookalikes. If there are no matches, in the second stage the system reviews information about the domain, such as registration details or certificates. If something looks suspicious, the investigation continues. In the third stage, the domain is compared with the list of known legitimate web addresses. This list is also composed automatically. If the system finds the suspicious domain to be similar to a legitimate one, the verdict is ‘lookalike’.
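To make the first and third stages concrete, here is an added example (written for this article, not code from the page or from Kaspersky’s products) that checks a sender address against a constructed list of known lookalikes and then measures its edit distance to a constructed list of legitimate domains; the distance thresholds and the sample lists are assumptions, and the second stage (registration data and certificates) is left out because it needs network lookups.

```python
"""Stage 1 and stage 3 of the lookalike check described above, as a worked example."""
from typing import Dict, Optional, Set, Tuple

# Constructed sample lists standing in for the automatically built ones in the text.
KNOWN_LOOKALIKES: Dict[str, str] = {"netffix.com": "netflix.com"}
LEGITIMATE_DOMAINS: Set[str] = {"netflix.com", "kaspersky.com", "example.com"}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, impersonated_domain) where verdict is 'legitimate',
    'lookalike' or 'unknown'. Stage 2 (registration data, certificates)
    needs network lookups and is deliberately omitted from this offline example."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate", domain
    # Stage 1: exact match against lookalikes that have already been seen.
    if domain in KNOWN_LOOKALIKES:
        return "lookalike", KNOWN_LOOKALIKES[domain]
    # Stage 3: nearest legitimate domain by edit distance. The threshold is an
    # assumption; a tighter one for short names limits false positives.
    nearest = min(LEGITIMATE_DOMAINS, key=lambda legit: edit_distance(domain, legit))
    distance = edit_distance(domain, nearest)
    allowed = 1 if len(nearest) <= 10 else 2
    if 0 < distance <= allowed:
        return "lookalike", nearest
    return "unknown", None


if __name__ == "__main__":
    for sender in ("billing@netffix.com", "alerts@kapersky.com",
                   "news@kaspersky.com", "hello@unrelated-shop.net"):
        print(sender, "->", classify_sender(sender))
```

Plain edit distance catches the missing-letter and swapped-letter cases the article describes but not visually similar characters (for example a digit 1 in place of a letter l), which a production filter would normalise before comparing.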
This approach allows an anti-phishing solution to block attacks which use lookalike domains in real time when they first appear. It doesn’t require any manual actions, such as compiling a list of legitimate or possible lookalikes from the customer. All calculations are performed in the cloud and do not require additional computing resources from the client.
This approach is implemented in Kaspersky’s solutions with mail server protection and Kaspersky Security for Microsoft Office 365.