Most of the credential theft I have read case files on did not start with a clever exploit. It started with a domain name that was almost right, and a user who did not look closely enough. This piece is a tour of how look-alike domains work, why they keep working, and what each side — the user, the operator, the registrar — can do about it.
The three flavours of look-alike domain
There are three patterns worth knowing.
Typosquatting. The attacker buys a domain one keystroke off from the legitimate site: gogle.com, amazn.co.uk, hsbc.co. The traffic comes from people who type the URL and miss a letter. Typosquatting is the oldest version of this, and the easiest to catch if you read your address bar.
Combosquatting. The attacker adds a word to the brand name: amazon-secure.com, natwest-online-banking.net, verify-paypal.app. The extra word is chosen to sound official. These domains tend to come and go quickly, registered just before a phishing campaign goes out.
Homograph attack. The attacker registers a domain using look-alike characters from a different alphabet: a Cyrillic а instead of a Latin a, an underscore-like character instead of a hyphen. Modern browsers display the punycode version (xn--…) when they detect this, but the protection is not perfect, and a long busy URL can still hide the trick.
Why look-alike domains keep working
Two reasons. The first is that registrars sell domain names to whoever pays, and a domain takes about five minutes to register. The second is that defences live downstream — at the browser, at the email gateway, at the search engine — and they are always playing catch-up. By the time a phishing page is on a Google "deceptive site" warning list, the attacker has already harvested most of the credentials it was going to harvest, and has moved to a new domain.
Browsers have got better. Chrome and Firefox now show a warning on most known phishing domains, and both will display the punycode version of an internationalised name when it looks suspicious. Mail providers have got better too — Gmail will mark messages from look-alike domains with a "be careful" tag. But none of this catches everything, and the gap between a domain being registered and being added to a blocklist is the window in which damage happens.
What users can do
The single best habit is the one in our previous article: type the URL yourself, do not follow links from messages, and read the address bar before you type your credentials. Two further habits help:
- Use the app, not the link. If your bank has a mobile app and you have already installed it, log in there. The app does not have an address bar to read wrong.
- Bookmark the right login page. Once you have reached the real login page once, save it as a bookmark and open it from the bookmark every time. The address only has to be right once.
What we do at CeeTrust
Every "official site" link on this site is checked manually. If a slug arrives with a URL that looks even slightly off — a missing letter, a wrong TLD, a suspicious subdomain — we either reverify or skip the slug entirely. We never link to "redirect" pages or login aggregators, because those are exactly the kind of intermediate URL that conditions users to ignore a wrong address bar.
It is a slow process. It is also why the directory exists in the first place.
— The CeeTrust Editorial Team