Spear phishing attackers use lookalike domains to impersonate brands and bypass security. Learn how to detect, monitor, and prevent these threats with domain tracking, threat intelligence, and email authentication.
What You'll Learn in This Guide
- Lookalike domains in phishing: How attackers register deceptive domains to trick users.
- Parked domains: a hidden threat? Why inactive domains can turn into active scams overnight.
- Email spoofing tactics: Can your brand be used to send fake emails without you knowing?
- Threat intelligence in action: How monitoring domains and SMTP servers can expose fraud.
- Caught a suspicious domain? The key steps to investigate, report, and take it down fast.
In April 2023, Axur identified a domain very similar to our own, registered with its contact details hidden behind a privacy service and initially displaying a blank page. We started monitoring the infrastructure, expecting that it could soon host a fake page or an email service for spear phishing. A few weeks later, the site started replicating our page and activated an SMTP server. Although we removed the content, such cases happen daily, and many organizations are unsure how to act.
The danger increases when the similar domain does not display fake content, which makes a takedown request harder to justify (as we discussed in our article on parked domains). Targeted attacks on employees can be mitigated with filters on the internal network and email server, but attacks aimed at suppliers or customers sit outside that perimeter and unfortunately often succeed.
This article presents practical insights and free tools for acting in these scenarios.
How Spear Phishing Exploits Similar Domain Names
Spear phishing is a highly targeted attack where criminals conduct detailed research to create personalized messages aimed at specific individuals. When attackers register domains that visually resemble your company's domain, they increase the credibility of phishing emails. Here's how it happens:
- Reconnaissance: Attackers gather public information (from websites, social networks, leaked data, etc.) to understand your organization's structure and communication style.
- Impersonation through Domains: By registering domains that are visually similar—through minimal character substitutions, typos (typosquatting), or even homographic attacks—they create the illusion of legitimacy.
- Personalized Messages: With these deceptive domains, criminals send emails that appear to be from trusted sources, increasing the likelihood that recipients will click on malicious links or reveal sensitive information.
Domain names are central to the success of spear phishing attacks for the following reasons:
- Establishing Trust: A domain that closely resembles the legitimate one lends undue credibility to phishing emails.
- Evading Filters: Newly registered domains may not yet have a negative reputation, allowing them to bypass email filters.
- User Confusion: Under pressure, recipients may overlook the subtle differences between a fake domain and the real one, especially if the communication is urgent or supposedly from an authority.
Domain Monitoring with Regular Expressions
Proactive domain monitoring is essential to identify suspicious registrations, whether similar domains, typos, or homographic attacks, as criminals use subtle changes in names to confuse users. These techniques only work because the fraudulent domain must resemble the company's legitimate domain in some way, and that resemblance is exactly what makes monitoring for similar domains effective.
This is done by monitoring lists of newly registered domains, which can be obtained for free from the main TLD operators or acquired via feeds offered by specialized companies. From these lists, updated daily, automated tools can apply regular expressions (regex) to extract and identify records with suspicious characteristics, as in the following examples.
Examples of Regex Patterns
- Basic Pattern for Similar Domain: Assuming your legitimate domain is example.com, a regex to capture simple character substitutions can be:
  ^examp[l1]e\.com$
  This pattern identifies variations where the character "l" is replaced by "1".
- Detecting Typos and Extra Characters: To identify domains with additional numbers or swapped letters (for example, example123.com or exampel.com), try:
  ^examp(?:le|el)[0-9]{0,3}\.com$
  This expression allows for minor changes in the position of letters or the addition of up to three digits.
- Detecting Homographic Attacks: Although regex has limitations in capturing all homographs (due to the variety of Unicode characters), a simplified approach can be:
  ^e[xх]ample\.com$
  In this case, the pattern checks for both the Latin "x" and its Cyrillic homograph ("х") in the central part of the domain.
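To show how such patterns are applied to a daily registration feed, here is an added Python example; it is not code from the article or from Axur. It assumes the legitimate domain is example.com and uses the three patterns above, adding two checks the regexes alone do not give you: the legitimate domain itself is excluded from the results (the first pattern matches it too), and every hit is reported in the punycode (xn--) form a resolver would query and flagged when its letters mix Unicode scripts. The feed below is a constructed sample, not a real list of registrations.

```python
import re
import unicodedata

LEGIT_DOMAIN = "example.com"  # assumed legitimate domain

# The three patterns from the article, keyed by what they detect
PATTERNS = {
    "substitution": re.compile(r"^examp[l1]e\.com$"),
    "typo_or_digits": re.compile(r"^examp(?:le|el)[0-9]{0,3}\.com$"),
    "homograph_x": re.compile(r"^e[x\u0445]ample\.com$"),  # Latin x or Cyrillic х (U+0445)
}

# Constructed sample of a daily "newly registered domains" feed (not real data)
SAMPLE_FEED = [
    "example.com",            # the legitimate domain itself: must not be reported
    "EXAMP1E.COM",            # digit 1 in place of the letter l
    "exampel.com",            # transposed letters
    "example123.com",         # appended digits
    "e\u0445ample.com",       # Cyrillic х in place of Latin x
    "example1234.com",        # four digits: outside the pattern's {0,3} limit
    "totally-unrelated.org",
]


def normalize(domain: str) -> str:
    """Lower-case and NFKC-normalize so case or compatibility forms cannot dodge the regex."""
    return unicodedata.normalize("NFKC", domain.strip()).lower()


def scripts_used(domain: str) -> set:
    """Unicode scripts of the letters in the domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c).split()[0] for c in domain if c.isalpha()}


def punycode(domain: str) -> str:
    """The xn-- form a resolver would actually query for an internationalized name."""
    return domain.encode("idna").decode("ascii")


def classify(domain: str) -> list:
    """Names of the patterns a normalized domain matches; empty for the legitimate domain."""
    if domain == LEGIT_DOMAIN:
        return []
    return [name for name, rx in PATTERNS.items() if rx.match(domain)]


def scan_feed(feed) -> dict:
    """Map each suspicious domain to its matched patterns and IDN details."""
    findings = {}
    for raw in feed:
        domain = normalize(raw)
        hits = classify(domain)
        if hits:
            findings[domain] = {
                "patterns": hits,
                "punycode": punycode(domain),
                "mixed_script": len(scripts_used(domain)) > 1,
            }
    return findings


if __name__ == "__main__":
    for domain, info in scan_feed(SAMPLE_FEED).items():
        print(f"{domain:24} {info['punycode']:28} {info['patterns']} mixed_script={info['mixed_script']}")
```

The mixed-script flag is worth keeping even when the regexes miss a homograph: a registration whose letters come from two scripts is suspicious on its own, whichever character was swapped.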
Email Authentication: Configuring the Environment to Prevent Spoofing
A robust email authentication configuration is critical to prevent attackers from using your brand to send spoofed emails. Spoofing is a widely used technique where the attacker configures their email service to send messages as if they were sent through your domain name. Here are the main protocols and best practices:
- SPF (Sender Policy Framework): SPF allows you to define which IP addresses are authorized to send emails on behalf of your domain.
- DKIM (DomainKeys Identified Mail): Configure DKIM by generating a key pair (public and private). The private key is used to sign outgoing emails, while the public key is published in the DNS, allowing receiving servers to verify the integrity of the message. Detailed guides can be found at dmarcian.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC complements SPF and DKIM, instructing receiving servers on how to handle emails that fail authentication. Tools like DMARC Analyzer help analyze and continuously adjust DMARC policies.
You can use the dig command to query DNS records and check DMARC and DKIM settings. For example, to check DMARC, run:
Bash:
dig txt _dmarc.yourdomain.com
To check DKIM, you need to know the selector in use (for example, "default"). If so, use:
dig txt default._domainkey.yourdomain.com
If the selector is different, replace "default" with the correct value. These commands return the configured TXT records, allowing you to confirm whether they are appropriate.
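The dig commands return the raw TXT strings; judging whether they are appropriate is the next step. The following Python example is added here and is not from the article: it evaluates DMARC and SPF records for the settings that let spoofed mail through (a p=none policy, a missing reporting address, a partial pct, a +all or ~all SPF terminator, or more DNS-lookup terms than the RFC 7208 limit of 10). The weak and strong records below are constructed samples for comparison, not real DNS data.

```python
import re

# Constructed sample TXT records (not taken from any real domain's DNS)
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s; pct=100"
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all"

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10 per check)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable weaknesses in a DMARC record; an empty list means none found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy: {policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing attempts go nowhere")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    return findings


def _mechanism_name(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lower().lstrip("+-~?"), maxsplit=1)[0]


def assess_spf(record: str) -> list:
    """Return weaknesses in an SPF record; an empty list means none found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    terms = terms[1:]
    findings = []
    all_terms = [t for t in terms if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result for unlisted senders, equivalent to no policy")
        elif qualifier == "~":
            findings.append("~all: softfail only; use -all once every legitimate sender is listed")
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the RFC 7208 limit of 10, SPF will permerror")
    return findings


if __name__ == "__main__":
    for label, record, check in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc),
                                 ("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf)):
        print(f"{label}: {check(record) or ['OK']}")
```

Feed the script the TXT string that dig returns (without the surrounding quotes) and it tells you which of these settings still need tightening before spoofed mail is actually rejected.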
Threat Intelligence and Infrastructure Monitoring
In addition to monitoring domain registrations, it is essential to monitor the infrastructure associated with these domains, such as IPs and SMTP servers.
Attackers often register domains just to operate an SMTP server, without developing a website. Monitoring domain records, IP addresses, and SMTP settings can reveal early signs of malicious activity. We recommend mapping the following parameters for each similar domain identified: whether there is a defined IP, whether there are MX (mail exchange) and NS (nameserver) records configured, and which ports are open (80 and 443 for web services or 25, 587, 465 and 2525 for SMTP).
Tools like Axur's Domain Watchdog offer free domain monitoring. These solutions alert you to changes in DNS records or the activation of SMTP services, indicating that a seemingly parked domain is being prepared for spear phishing campaigns.
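One way to track the parameters listed above over time, as an added Python example that is not Axur's code and not how Domain Watchdog works internally: the caller supplies each day's observations of a suspicious domain (its A, MX and NS records and whichever of the listed ports were found open), and the script classifies the domain's stage and raises alerts for what changed between two observations. The two snapshots are constructed to mirror the timeline in the introduction: a blank page first, mail infrastructure weeks later.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Ports the article lists as worth watching on a lookalike domain's host
WEB_PORTS = {80, 443}
SMTP_PORTS = {25, 465, 587, 2525}


@dataclass
class Snapshot:
    """One observation of a suspicious domain; values are supplied by the caller."""
    domain: str
    a: List[str] = field(default_factory=list)       # A records (IPv4)
    mx: List[str] = field(default_factory=list)      # MX hosts
    ns: List[str] = field(default_factory=list)      # NS hosts
    open_ports: Set[int] = field(default_factory=set)


def stage(snap: Snapshot) -> str:
    """Classify how far along the domain's infrastructure is."""
    # Outbound spoofing needs no MX record, so an open SMTP port counts on its own
    if snap.mx or snap.open_ports & SMTP_PORTS:
        return "mail-capable"
    if snap.a and snap.open_ports & WEB_PORTS:
        return "web-active"          # serves content, possibly a cloned page
    if snap.a or snap.ns:
        return "parked"              # resolves but exposes no service yet
    return "unresolved"


def changes(old: Snapshot, new: Snapshot) -> List[str]:
    """Alerts for what changed between two snapshots of the same domain."""
    alerts = []
    for name, before, after in (("A", old.a, new.a), ("MX", old.mx, new.mx), ("NS", old.ns, new.ns)):
        added = sorted(set(after) - set(before))
        removed = sorted(set(before) - set(after))
        if added:
            alerts.append(f"{name} record(s) added: {', '.join(added)}")
        if removed:
            alerts.append(f"{name} record(s) removed: {', '.join(removed)}")
    for port in sorted(new.open_ports - old.open_ports):
        kind = "SMTP" if port in SMTP_PORTS else "web" if port in WEB_PORTS else "other"
        alerts.append(f"port {port} ({kind}) opened")
    if stage(old) != stage(new):
        alerts.append(f"stage changed: {stage(old)} -> {stage(new)}")
    return alerts


# Constructed snapshots of a hypothetical lookalike domain (documentation IP range)
DAY_1 = Snapshot("exampel.com", a=["198.51.100.7"], ns=["ns1.hosting.example"], open_ports={80})
DAY_30 = Snapshot("exampel.com", a=["198.51.100.7"], ns=["ns1.hosting.example"],
                  mx=["mail.exampel.com"], open_ports={80, 443, 25, 587})

if __name__ == "__main__":
    print(stage(DAY_1), "->", stage(DAY_30))
    for alert in changes(DAY_1, DAY_30):
        print("ALERT:", alert)
```

The stage transition is the signal to act on: a domain that moves from web-active to mail-capable is the moment to warn employees, suppliers and customers, rather than waiting for the first phishing email to arrive.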
What to Do When You Identify an Attack
Document the Evidence
It is crucial to gather as much information as possible to prove the suspicious activity. Among the evidence you should capture are:
- Email Headers: Capture the complete headers of suspicious emails, which contain information about the route, source IPs, servers involved, and other essential clues to trace the origin of the message. This documentation is crucial for internal investigations and possible legal action. To learn how to capture email headers, see the Gmail or Outlook guides.
- Timestamps and Dates: Record the times and dates emails were received, as this helps establish the timeline of the incident.
- Links and Attached Files: Save copies of suspicious links and attached files, as they can be analyzed later to identify malicious content or connections to other attacks.
Documenting this evidence not only helps with internal investigation but also serves as proof in legal proceedings or communication with authorities and partners.
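As an added example that is not the article's own code, the Python script below pulls the routing and authentication evidence out of a captured header block: the Received chain read from origin to destination with the connecting IP of each hop, the Authentication-Results verdicts, and the From and Return-Path domains. It flags a From domain within edit distance 2 of your own (the lookalike case) and any message whose DMARC result is not pass. The headers are a constructed sample using documentation IP ranges, not a real message; your_domain is whatever domain you defend.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed headers of a hypothetical spear-phishing message received by example.com
# from the lookalike exampel.com (not a real email; IPs are from documentation ranges)
SAMPLE_HEADERS = """\
Return-Path: <billing@exampel.com>
Received: from mail.exampel.com (mail.exampel.com [198.51.100.7])
    by mx.example.com with ESMTP id abc123
    for <finance@example.com>; Tue, 11 Apr 2023 09:14:02 +0000
Received: from [10.0.0.5] (unknown [203.0.113.44])
    by mail.exampel.com with ESMTPA id def456;
    Tue, 11 Apr 2023 09:13:58 +0000
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=exampel.com;
    dkim=none;
    dmarc=none header.from=exampel.com
From: "Accounts Payable" <billing@exampel.com>
To: finance@example.com
Subject: Updated bank details for invoice 4471
Date: Tue, 11 Apr 2023 09:13:58 +0000
Message-ID: <20230411091358.1@mail.exampel.com>

"""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_received(value: str) -> dict:
    """Pull host, connecting IP, receiving server and timestamp from one Received header."""
    value = re.sub(r"\s+", " ", value).strip()
    clause, _, timestamp = value.rpartition(";")
    from_part = re.search(r"from (.*?) by ", clause)
    by_part = re.search(r" by (\S+)", clause)
    ips = re.findall(r"\[([0-9a-fA-F.:]+)\]", from_part.group(1)) if from_part else []
    return {
        "from": from_part.group(1).split()[0] if from_part else None,
        "ip": ips[-1] if ips else None,  # the last bracketed IP is the one the receiver observed
        "by": by_part.group(1) if by_part else None,
        "time": timestamp.strip(),
    }


def analyze_headers(raw: str, your_domain: str) -> dict:
    """Summarize routing and authentication evidence from raw message headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    # Each hop prepends its Received header, so reverse them to read origin -> destination
    hops = [parse_received(str(h)) for h in reversed(msg.get_all("Received", []))]
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))

    flags = []
    if from_domain != return_path:
        flags.append(f"From domain {from_domain} differs from Return-Path domain {return_path}")
    if from_domain != your_domain and edit_distance(from_domain, your_domain) <= 2:
        flags.append(f"From domain {from_domain} is a lookalike of {your_domain}")
    if auth.get("dmarc") != "pass":
        flags.append(f"DMARC result is {auth.get('dmarc', 'absent')}, not pass")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path,
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "auth": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    summary = analyze_headers(SAMPLE_HEADERS, your_domain="example.com")
    for hop in summary["hops"]:
        print(f"{hop['ip']:15} -> {hop['by']}  ({hop['time']})")
    print(summary["auth"])
    for flag in summary["flags"]:
        print("FLAG:", flag)
```

Note that the sample passes SPF: the attacker controls exampel.com and can publish a valid SPF record for it, so a pass on the lookalike domain proves nothing about your brand. The hop list and the origin IP are what go into the takedown request and the police report.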
Notify Internal Teams
As soon as suspicious activity is identified, immediately inform the IT and cybersecurity teams. It is important that all employees are aware so that they take precautionary measures and avoid actions that could compromise the company's security. Example of an internal message to employees:
Subject: Security Alert: Verification of Suspicious Emails
Dear employees,
We have identified phishing attempts using fake emails that resemble our official communications. These emails may have slight variations in the domain or contain unusual requests, such as changes to bank details.
We request that you be alert to messages that have discrepancies, such as slightly different domains or unexpected requests for sensitive information, access to certain websites, your passwords, or even money transfers.
If you receive or identify anything suspicious, please forward it immediately to our IT team at security@example.com.
We appreciate everyone's cooperation in maintaining the security of our communication.
Sincerely, [Your Name / Security Team]
This type of communication aims to alert without causing panic, reinforcing the importance of attention and collaboration.
Contact the Domain Registrar/Hosting Provider
If you identify a fraudulent domain being used to impersonate your company, it is important to act quickly. In addition to contacting the domain registrar or hosting provider, you can use Axur's takedown service to expedite the removal of the suspicious domain.
- Registrar vs. Provider: It is generally more effective to contact the domain registrar, as they have direct control over the registration. However, in some cases, the hosting provider can also be contacted to suspend services associated with the domain.
- Legal Basis: In some situations, it may be possible to invoke US legislation, such as the Digital Millennium Copyright Act (DMCA), which, although focused on copyright, demonstrates how legislation can be used to argue against the misuse of domains. This legal basis reinforces the importance of acting even when evidence is scarce, but it is advisable to consult a lawyer to assess the specific case.
Alert Your Customers and Partners
When identity theft spreads and affects external parties, it is crucial to communicate with customers and partners clearly and effectively. Maintain a calm, factual, and informative tone, avoiding alarmism. Briefly explain the situation and provide practical guidance on how to identify legitimate communications from your company. Use official emails, updates on the company website, social media, and, if possible, a dedicated help center to answer questions. Example communication:
Dear customer/partner,
We inform you that we have identified phishing attempts that use domains similar to ours to send fraudulent communications. We reinforce that our official communications are sent only from [your-domain.com]. If you receive any suspicious email, please contact us immediately through [insert contact channel].
We are working to resolve the situation and appreciate your attention and cooperation.
Sincerely, [Your Company]
Review and Strengthen Security Protocols
After containing the threat, it is essential to review and strengthen security protocols. For users of Microsoft or Google email services, the following practices can be adopted:
- Microsoft (Office 365): Use the Security & Compliance Center to configure and monitor security policies, including SPF, DKIM, and DMARC. Microsoft offers detailed guides for implementing these measures, which can be accessed here.
- Google (Google Workspace): In the Google Admin Console, configure SPF, DKIM, and DMARC records to ensure that emails sent on behalf of your company are properly authenticated. More information and guidance can be found at this link.
These settings help prevent spoofed emails from being delivered and ensure that legitimate communications are validated by receiving servers.
Involve Law Enforcement Authorities
While involving the authorities may not result in immediate action in some cases, it is important to report the incident to the police—especially if there is concrete evidence that the attack is ongoing.
Filing a formal report creates a history that can be essential for future investigations. Even if police action does not stop the attack instantly, the record contributes to building a solid case and can help deter criminals.
This measure should only be taken if there is clear evidence that malicious activity is taking place. Reporting to the authorities is a complementary step that, together with other actions, strengthens the company's security posture.
Whale Hunters and Their Harpoons
Spear phishing remains a persistent and evolving threat, especially when attackers use similar domains to impersonate trusted entities. By combining proactive domain monitoring, robust implementation of email authentication protocols (SPF, DKIM, DMARC), and continuous monitoring of infrastructure and threat intelligence, organizations can significantly reduce their risks.
The incident we faced at Axur in April 2023 serves as a practical example of how a domain can quickly evolve from a parked state to an active threat. With free tools like Domain Watchdog and a technical and proactive approach, it is possible to anticipate and neutralize these threats before they cause damage to employees, suppliers, or customers.
Frequently Asked Questions (FAQ)
Q: What is spear phishing?
A: Spear phishing targets specific individuals or organizations, using personalized messages to trick them.
Q: How can I recognize a deceptive domain name?
A: Look for subtle misspellings, character substitutions, or homographs (characters that look alike).
Q: What is typosquatting?
A: Typosquatting uses common misspellings of legitimate domain names to trick users.
Q: What are SPF, DKIM, and DMARC?
A: These are email authentication methods that help prevent spoofing and ensure email legitimacy.
Q: What should I do if I receive a suspicious email?
A: Don't click on any links or attachments. Report it to your IT department or security team.
Q: How can businesses protect themselves from spear phishing?
A: Monitor for suspicious domains, implement email authentication, educate employees, and use threat intelligence platforms.
Q: What is the role of threat intelligence in combating spear phishing?
A: Threat intelligence provides insights into attacker tactics and helps organizations proactively defend against emerging threats.
Q: What are some tools for monitoring domain registrations?
A: Tools like Axur's Domain Watchdog can help you monitor for suspicious domain registrations.
Q: How can I learn more about cybersecurity best practices?
A: Consult resources from organizations like NIST (National Institute of Standards and Technology) and SANS Institute.