CeeTrustIndependent access guides
Editorial

The look-alike domain problem

Why domains that almost match a real bank, school, or government site are the single biggest cause of stolen credentials online — and what users and operators can actually do about it.

Most of the credential theft I have read case files on did not start with a clever exploit. It started with a domain name that was almost right, and a user who did not look closely enough. This piece is a tour of how look-alike domains work, why they keep working, and what each side — the user, the operator, the registrar — can do about it.

The three flavours of look-alike domain

There are three patterns worth knowing.

Typosquatting. The attacker buys a domain one keystroke off from the legitimate site: gogle.com, amazn.co.uk, hsbc.co. The traffic comes from people who type the URL and miss a letter. Typosquatting is the oldest version of this, and the easiest to catch if you read your address bar.

Combosquatting. The attacker adds a word to the brand name: amazon-secure.com, natwest-online-banking.net, verify-paypal.app. The extra word is chosen to sound official. These domains tend to come and go quickly, registered just before a phishing campaign goes out.

Homograph attack. The attacker registers a domain using look-alike characters from a different alphabet: a Cyrillic а instead of a Latin a, an underscore-like character instead of a hyphen. Modern browsers display the punycode version (xn--…) when they detect this, but the protection is not perfect, and a long busy URL can still hide the trick.

Why look-alike domains keep working

Two reasons. The first is that registrars sell domain names to whoever pays, and a domain takes about five minutes to register. The second is that defences live downstream — at the browser, at the email gateway, at the search engine — and they are always playing catch-up. By the time a phishing page is on a Google "deceptive site" warning list, the attacker has already harvested most of the credentials it was going to harvest, and has moved to a new domain.

Browsers have got better. Chrome and Firefox now show a warning on most known phishing domains, and both will display the punycode version of an internationalised name when it looks suspicious. Mail providers have got better too — Gmail will mark messages from look-alike domains with a "be careful" tag. But none of this catches everything, and the gap between a domain being registered and being added to a blocklist is the window in which damage happens.

What users can do

The single best habit is the one in our previous article: type the URL yourself, do not follow links from messages, and read the address bar before you type your credentials. Two further habits help:

What we do at CeeTrust

Every "official site" link on this site is checked manually. If a slug arrives with a URL that looks even slightly off — a missing letter, a wrong TLD, a suspicious subdomain — we either reverify or skip the slug entirely. We never link to "redirect" pages or login aggregators, because those are exactly the kind of intermediate URL that conditions users to ignore a wrong address bar.

It is a slow process. It is also why the directory exists in the first place.

— The CeeTrust Editorial Team

Browse portal guides →