# Doppelganger Domain Detection

A Doppelganger Domain is used in spear-phishing. (It's also a pretty terrible 1993 movie with Drew Barrymore.) The concept: I register a domain very similar to the one you normally go to. Maybe I replace an 'i' with an 'l'. Maybe it's .co instead of .ca. It's particularly insidious since the TLS certificate can be valid, so you see the green icon etc.

A team member at Agilicus recently mistyped our domain. Never fear, Chrome to the rescue. See the image above? We were warned. Google had this to [say](https://support.google.com/chrome/answer/99020?p=safety_tip&visit_id=637479130235541029-3002811626&rd=1#safety_tip) about unsafe domains. (Note: in this case the doppelganger is probably not unsafe, merely similar.)

The general class of doppelganger detection is complex. You might find that an internationalised domain name (IDN) uses a character that looks similar to you, but not to a machine. Do you render them in the font of your choice and diff the images? Do you do some kind of letter-difference detection?

One of the best ways, and probably what Chrome is doing, is to watch your normal history and compare it against a new domain you've never been to.
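A sketch of that history comparison, combined with the look-alike character problem from the previous paragraph. This is an added example, not Chrome's or Agilicus's code; the function names, the small `CONFUSABLES` table and the `example.ca` history are constructed for illustration.

```python
import unicodedata

# Constructed subset of look-alike characters; a real deployment would load
# the full Unicode confusables table instead.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
    "\u0440": "p", "\u0456": "i", "\u0455": "s", "0": "o", "1": "l",
})

def skeleton(domain):
    """Reduce a domain to a canonical form so look-alikes compare equal."""
    domain = domain.strip().rstrip(".").lower()
    try:  # decode punycode (xn--) labels to the characters a user would see
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as given
    return unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def find_doppelganger(domain, history, max_distance=1):
    """Return the known domain that `domain` imitates, or None."""
    if domain.lower().rstrip(".") in {h.lower() for h in history}:
        return None  # exact match with a site the user already visits
    candidate = skeleton(domain)
    for known in history:
        if edit_distance(candidate, skeleton(known)) <= max_distance:
            return known
    return None

# Constructed browsing history for the demonstration.
HISTORY = ["example.ca", "mail.example.ca"]
```

A distance threshold of 1 produces false positives on short names, so a warning (as Chrome gives) fits better than a block.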

But, the absolute best way: teach users to be suspicious. An email with a link? Don't click.