[Image: doppelganger domain]

Doppelganger Domain Detection


A Doppelganger Domain is used in spear-phishing. (It's also a pretty terrible 1993 movie with Drew Barrymore.) The concept: I register a domain very similar to the one you normally go to. Maybe I replace an ‘i’ with an ‘l’. Maybe it's .co instead of .ca. It's particularly insidious since the TLS certificate can be perfectly valid, so you see the green icon and so on.

A team member at Agilicus recently mistyped our domain. Never fear, Chrome to the rescue. See the image above? We were warned. Google had this to say about unsafe domains. (Note: in this case the doppelganger is probably not unsafe, merely similar.)

The general class of doppelganger detection is complex. You might find that an internationalised domain name (IDN) uses a character that looks similar to you, but not to a machine. Do you render them in the font of your choice and diff the images? Do you do some span-of-difference detection on the letters?

One of the best ways, and probably what Chrome is doing, is to watch your normal browsing history and compare it against a new domain you've never visited.
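The history-comparison idea above, together with the IDN and one-letter-off cases from the previous paragraph, can be sketched as a small checker. This is an added example, not Chrome's logic and not Agilicus code; the list of known domains (standing in for browsing history), the homoglyph table and the distance threshold are constructed assumptions for illustration. It decodes punycode so an IDN is compared as the text the user sees, folds confusable characters into a skeleton, and then measures edit distance against each known domain.

```python
"""Lookalike-domain checker: compare a newly seen domain against the domains
a user normally visits (added example; not Chrome's or Agilicus's code)."""
import unicodedata
from typing import Optional

# Constructed stand-in for the user's browsing history (an assumption).
KNOWN_DOMAINS = ["agilicus.ca", "github.com", "google.com"]

# Constructed subset of visually confusable characters, folded to the ASCII
# letter they imitate. A real deployment would use the full Unicode
# confusables table (UTS #39); multi-character tricks such as "rn" for "m"
# are deliberately out of scope here.
HOMOGLYPHS = {
    "0": "o", "1": "l", "\u0131": "i",            # digits, dotless i
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic er, es, ha
    "\u0443": "y", "\u0455": "s", "\u0456": "i",  # Cyrillic u, dze, i
    "\u0458": "j", "\u0501": "d", "\u0261": "g",  # Cyrillic je, komi de, Latin script g
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels ("xn--...") so an IDN is compared as the text
    the user actually sees; non-ASCII input is returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def skeleton(domain: str) -> str:
    """Fold a domain to a 'skeleton': NFKC-normalise, lowercase, drop accents
    and map confusable characters, so lookalike spellings collapse together."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    return "".join(HOMOGLYPHS.get(ch, ch)
                   for ch in text if not unicodedata.combining(ch))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits (an 'l' for
    an 'i', '.co' for '.ca') separating two skeletons."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_domain(candidate: str, known=KNOWN_DOMAINS,
                 max_distance: int = 2) -> Optional[dict]:
    """Return a finding if `candidate` is a near-miss of a known domain
    (distance 0 means the only differences are confusable characters), or
    None if it is either exactly a known domain or not close to any of them."""
    shown = to_unicode(candidate).lower()
    if shown in {k.lower() for k in known}:
        return None                     # genuinely one of the usual domains
    cand = skeleton(candidate)
    best = None
    for k in known:
        d = edit_distance(cand, skeleton(k))
        if d <= max_distance and (best is None or d < best["distance"]):
            best = {"candidate": candidate, "lookalike_of": k, "distance": d,
                    "reason": "homoglyph" if d == 0 else "near-miss spelling"}
    return best


if __name__ == "__main__":
    # Constructed samples: wrong TLD, digit-for-letter, an IDN built from a
    # Cyrillic 'a' (U+0430) encoded to punycode, and two harmless domains.
    idn = "\u0430gilicus.ca".encode("idna").decode("ascii")
    for sample in ["agilicus.co", "agi1icus.ca", idn, "github.com", "example.org"]:
        print(f"{sample:32} -> {check_domain(sample)}")
```

The fixed threshold of two edits suits domains of the length used here; for very short names it produces false positives (two edits separate many three-letter domains), so a deployment would scale the threshold with label length or compare the registrable part and the TLD separately. The homoglyph table is a small illustrative subset; the rendering-and-diffing approach the post mentions catches confusables this table does not list.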

But the absolute best way: teach users to be suspicious. An email with a link? Don't click.