Improvements to Lookalike Domain Identifiers

We've made significant improvements to how we classify brand impersonation and lookalike domains in our threat intelligence platform. Initially, our approach grouped these domains under a broad identifier. However, as we analyzed real-world cases, it became clear that a one-size-fits-all classification wasn't sufficient.

Why the Change?

Lookalike domains serve a variety of purposes—some are clear attempts at phishing, while others are more nuanced, requiring different investigative approaches.

By refining our identifiers, we can provide more precise context and tailored response plans, ensuring threats are addressed appropriately.

New Identifiers for Lookalike Domains

To improve resolution, we've introduced the following CTEM-DOM identifiers:

• CTEM-DOM-1 - Typo-Squatted Domain
  Domains that closely resemble legitimate brand domains due to common misspellings or typos (e.g., brnad.com instead of brand.com).

• CTEM-DOM-2 - Homoglyph Attack Domain
  Domains that exploit visually similar characters to deceive users (e.g., brɑnd.com using an alternate Unicode character for "a").

• CTEM-DOM-3 - Phishing Indicator Domain
  Domains that exhibit characteristics commonly associated with phishing campaigns typically leverage to harvest credentials (e.g. brand-login.com ) .

• CTEM-DOM-4 - Brand Impersonation Domain
  Domains that mimic the naming conventions and structures of well-known brands to deceive users (e.g., brand-support.com).

These updates enhance our ability to detect, prioritize, and respond to threats more effectively, ensuring organizations can swiftly mitigate risks from brand impersonation attacks.