What are cousin domains and why are they used in phishing?

Cousin domains (or lookalike domains) are slightly altered versions of legitimate brand domains, often used by phishers to trick recipients into believing emails or websites are authentic. Examples include misspellings, character substitutions, or added words (e.g., micros0ft.com instead of microsoft.com ).

How can I proactively identify potential cousin domains targeting my brand?

You can implement proactive domain monitoring to identify newly registered lookalike domains. Consider defensively registering common variations to prevent attackers from acquiring them. Tools and services exist specifically for this type of domain watch.

Do email authentication protocols (DMARC, SPF, DKIM) help against cousin domains?

While email authentication like DMARC, SPF, and DKIM primarily protect your exact domain, a strong DMARC policy (p=quarantine or p=reject) makes it harder for malicious cousin domains to impersonate your primary sending patterns. They also ensure legitimate emails are properly authenticated, training recipients and mail servers to trust only authenticated mail.

Where should I report cousin domains used in phishing attacks?

You should report phishing sites using cousin domains to anti-phishing organizations like APWG.org , Phishtank, and Google Safe Browsing . Also, report the domain to its registrar or hosting provider through their abuse channels. This can lead to quick suspensions.

How important is employee and customer education in preventing these attacks?

Educate your employees and customers on how to identify suspicious emails. Train them to scrutinize sender email addresses, hover over links before clicking, and recognize common phishing tactics like urgent requests or unusual attachments. Promote an internal culture of reporting suspicious emails immediately.

What steps can be taken to combat phishing attacks using cousin domains? - Compliance - Email deliverability - Knowledge base

Phishing attacks continue to evolve, with threat actors constantly finding new ways to trick recipients. One particularly insidious method involves the use of cousin domains, also known as lookalike domains. These are domain names that are intentionally misspelled or slightly altered versions of legitimate brand domains, designed to appear authentic at first glance. They leverage human error and inattention to bypass standard security measures and steal sensitive information.

The danger of cousin domain phishing lies in its subtlety. Users might glance at an email from rnicrosoft.com instead of

microsoft.com and assume it is legitimate, leading to compromised credentials or data breaches. Combating these attacks requires a multi-faceted approach, combining robust technical measures with ongoing user education.

Understanding the threat of cousin domains

Cousin domains are often created by replacing or adding characters, using homoglyphs (characters that look similar, like 'l' and '1'), or transposing letters. For example, yourdomain.com might be mimicked by youurdomain.com or y0urdomain.com. These subtle changes can easily go unnoticed by busy individuals, especially when embedded in seemingly legitimate emails.

The primary goal of these attacks is typically to steal credentials, deploy malware, or conduct business email compromise (BEC) scams. A common scenario involves phishing emails that look like they're from a trusted source, such as a company's HR or finance department, asking recipients to click on a link to update information or view an invoice. The link then leads to a malicious website hosted on the cousin domain, which looks identical to the legitimate site.

One of the reasons these attacks are so persistent is the ease with which attackers can register new domains. Once one cousin domain is identified and blocked, another can quickly take its place. This rapid rotation makes it challenging to rely solely on blacklisting (or blocklisting) known malicious domains, as the attackers can always stay one step ahead. The impact on an organization can be severe, ranging from financial losses and data breaches to significant reputational damage.

Proactive defense strategies

A crucial first step in combating cousin domain attacks is proactive domain monitoring. This involves regularly scanning for domain names that are similar to your legitimate ones. Automated tools can help identify newly registered domains that incorporate your brand name or common typos. Once identified, you have several options, including defensively registering these lookalike domains yourself to prevent malicious actors from acquiring them. This preemptive measure can significantly reduce your attack surface.

Implementing and enforcing strong email authentication protocols are also fundamental. DMARC, SPF, and DKIM work together to verify that incoming emails are legitimately from your domain and haven't been tampered with. While these protocols primarily protect your exact domain, a strong DMARC policy with a p=reject or p=quarantine policy can still offer some protection against emails from subdomains or cousin domains that attempt to mimic your sending patterns. Moving to a reject policy should be a priority once you're confident in your email streams.

Proactive steps

Defensive registration: Register common misspellings and variations of your domain before attackers can.
DMARC implementation: Configure DMARC with a strong policy (quarantine/reject) for your primary domains.

Reactive measures

Domain takedowns: Initiate UDRP or similar legal processes to reclaim malicious domains.
Blacklist submission: Submit detected cousin domains to URL blacklists (or blocklists).

In addition to these technical controls, having a clear strategy for preventing your domain from being blacklisted due to such attacks is essential. This includes consistent monitoring of email sending reputation and promptly addressing any signs of misuse. Regular audits of your DNS records and email sending infrastructure can also help identify vulnerabilities that attackers might exploit.

Reactive measures and reporting

When a cousin domain phishing attempt is discovered, immediate action is crucial. While legal action like a UDRP (Uniform Domain-Name Dispute-Resolution Policy) can eventually lead to the takedown of a malicious domain, this process is often slow and expensive, and attackers can simply register new domains. A more practical approach involves rapid reporting to various entities. This includes reporting the phishing site to anti-phishing working group (APWG) and other security organizations like Phishtank or OpenPhish. These organizations often feed data to internet service providers (ISPs) and browser vendors, which can lead to the site being blocked or flagged by browsers.

Another critical step is to report the malicious domain to its registrar or hosting provider. Most reputable registrars and hosting companies have abuse departments that will take action against domains used for phishing, often suspending them quickly once sufficient evidence is provided. Identifying the registrar can usually be done through a WHOIS lookup. Additionally, submitting the phishing URL to Google Safe Browsing can ensure major browsers warn users before accessing the malicious site. While this won't remove the site, it will make it much harder for attackers to succeed.

I often advise clients to create a dedicated page on their official website to warn customers about active phishing campaigns, detailing the lookalike domains being used and providing clear instructions on what to do if they receive a suspicious email. Transparent communication about these threats can significantly reduce the number of potential victims and maintain customer trust. This also empowers your audience to become an extension of your defense, reporting suspicious emails they receive.

Employee education and awareness

While technical solutions are vital, the human element remains the weakest link in the security chain. Comprehensive employee training and ongoing awareness campaigns are paramount to combating phishing attacks that use cousin domains. Education should focus on teaching employees how to identify suspicious emails, particularly by scrutinizing sender email addresses, not just display names.

Training should cover common tactics used by phishers, such as urgent language, requests for sensitive information, and links to unfamiliar websites. Employees should be taught to hover over links to reveal the true URL before clicking and to report any suspicious emails immediately through a dedicated internal channel. Regular simulated phishing exercises can also help reinforce training and identify areas where more education is needed.

It is also beneficial to remind clients and customers to exercise caution. Public communications, such as on your website or social media, can reinforce the message that your organization will never ask for sensitive information via email or send emails from specific domains. This helps them recognize when something looks off, even if the cousin domain is cleverly crafted. This collective vigilance is key to building a resilient defense against these pervasive threats.

Views from the trenches

Best practices

Implement continuous domain monitoring to detect newly registered lookalike domains promptly and take action.

Enforce strict DMARC policies (p=reject) for all your email-sending domains to prevent unauthorized use.

Educate all employees on how to spot phishing attempts, focusing on scrutinizing sender addresses and link authenticity.

Establish a clear and easy reporting mechanism for suspicious emails within your organization.

Common pitfalls

Relying solely on legal takedowns for malicious domains, which are often slow and not scalable.

Ignoring the human element and not providing sufficient, regular phishing awareness training to staff.

Having a DMARC policy of p=none, which offers no protection against spoofing and impersonation.

Failing to communicate active phishing campaigns to employees and customers, leaving them vulnerable.

Expert tips

Proactively register common typo squatting variations of your primary domain to prevent their malicious use.

Leverage URL blacklists (or blocklists) and reporting platforms to get malicious domains flagged quickly by mail providers.

Consider a phased approach to DMARC implementation, starting with p=quarantine before moving to p=reject.

Collaborate with security teams to ensure a unified approach to email security and incident response.

Expert view

Expert from Email Geeks says relying on domain takedowns isn't very effective because attackers can rotate cousin domains much faster than the legal process allows. Instead, focus on notifying relevant parties and possibly getting the domains added to blocklists.

2023-09-14 - Email Geeks

Marketer view

Marketer from Email Geeks says communicating internally and externally about ongoing phishing campaigns is crucial. This helps manage brand perception by highlighting that the organization is famous enough to be impersonated, which subtly frames the issue.

2023-09-14 - Email Geeks

Building a robust defense

Combating phishing attacks that leverage cousin domains is an ongoing battle that demands vigilance and a layered defense strategy. It is not enough to simply implement email authentication protocols for your primary domains. Proactive domain monitoring, quick reporting of malicious domains to relevant authorities and blacklists (or blocklists), and continuous employee education are all indispensable components of an effective defense.

By understanding how these attacks work and implementing a comprehensive strategy, organizations can significantly reduce their risk of falling victim to phishing scams and protect their brand reputation. Remember, stopping these attacks is a shared responsibility, requiring both technological safeguards and human awareness to protect sensitive information and maintain trust in digital communications.