Domain Doppelgangers: Your Good Name as Phishing Bait?

 Cofense, Confense. Big deal, right? Wrong. Here’s why. 

Does your company have an evil twin on the web? Threat actors may be leveraging a lookalike version of your company’s name to deliver malware through phishing that plays off your brand. Say the company name is Cofense, with the internet domain name cofense[.]com. What would happen if someone registered a copycat domain name using, for example, Confense, with the domain confense[.]com? Wouldn’t the search engine just route users to the real deal, or wouldn’t it be obvious quickly that the name was misspelled?  

How do they do it? 

 Every day, attackers are busy registering lookalike, or doppelganger, domains that mimic reputable brands to lure users through phishing emails, malware delivery and more. The domains are designed to trick users into believing they’re engaging with a bona fide enterprise. The associated costs are minor for threat actors. Not so your business, which can face astronomical losses, beyond the purely financial, to include critical brand compromise and data theft. 

 Once the domain is registered, it can be used to create a website designed to closely resemble that of the legitimate company. It’s not a pricey or difficult endeavor. Match the copycat website with doppelganger email, and you have a solid starting point for scamming countless unsuspecting consumers.     

One way criminals get around domain-registration norms and standards is to use characters that look like those in the English language. An example often cited is trading English-alphabet characters or letters for those in another alphabet, such as Cyrillic. In this case, the letter “a” looks almost the same in English as Cyrillic.  

Why do they do it? 


Far too often, however, the objective is phishing. Users, believing the site is authentic, will click on a link, enter their credentials on a fake website, and lose control of online accounts to thieves. They may also unleash malware in the form of viruses, keyloggers, worms, trojans, ransomware, botnets, spyware or rootkits.  

Sometimes the sites are designed to pick off a portion of an established brand’s audience and sales. Other times, those registering lookalike domains seek to sell the domain to the copied brand’s owners, an exchange that can prove very profitable for the imitators. The real enterprise’s owners will often pay handsomely to safeguard brand integrity and reputation. 

 What can you do about doppelganger domains? 

Doppelganger domains can be particularly effective for BEC, or business email compromise, campaigns. An unsuspecting recipient who has regular business with, for example, Cofense, may receive an email from confense[.]com, rather than cofense[.]com. The email may contain a link to a “special offer.” When the link is clicked, malware may be launched or a phishing landing page may open that requires authentication – user name and password. Once the information is entered, the threat actor has a far easier path to successfully carry out a wide range of crimes, from account takeover to financial theft. 

If the lookalike domain is being used for criminal activity such as phishing, report the domain to services such as Google Safe Browsing or Netcraft. This may result in the domain’s delisting in search engines, or being pulled offline.²

You can decrease the likelihood of becoming a victim by preemptively registering variations of your domain name. Github can be a useful resource for identifying variations you should register. If you’ve discovered that a lookalike has already been registered, you may have to take legal action against the owner. Your efforts are more likely to succeed if you hold a trademark and can make a case for infringement or damage to your mark’s value. 

We’re the leading provider of phishing detection and response solutions designed for enterprise organizations. The Cofense Phishing Detection and Response (PDR) platform draws upon our global network of more than 27 million people actively reporting suspected phish, combining that with advanced automation to stop phishing attacks faster and stay ahead of breaches. While we can’t wipe out the doppelgangers, we can help you stay safe from phishing exploits. We’re here to help. Contact us at any time to find out what we can do for your business.     

At the end of the day, doppelganger domains – and those who register them – should be taken seriously. They can ruin your reputation, your profitability and your credibility. When you know what’s at stake, you can better protect your brand.  

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
 The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc. 
¹ SecureList by Kaspersky (all names except cofense/confense):
² Source:

This post was first first published on Cofense’s website by Cofense. You can view it by clicking here