Improvements to Lookalike Domain Identifiers
We've made significant improvements to how we classify brand impersonation and lookalike domains in our threat intelligence platform. Initially, our approach grouped these domains under a broad identifier. However, as we analyzed real-world cases, it became clear that a one-size-fits-all classification wasn't sufficient.
Why the Change?
Lookalike domains serve a variety of purposes—some are clear attempts at phishing, while others are more nuanced, requiring different investigative approaches.
By refining our identifiers, we can provide more precise context and tailored response plans, ensuring threats are addressed appropriately.
New Identifiers for Lookalike Domains
To improve resolution, we've introduced the following CTEM-DOM identifiers:
- CTEM-DOM-1 - Typo-Squatted Domain
  Domains that closely resemble legitimate brand domains due to common misspellings or typos (e.g., brnad.com instead of brand.com).
- CTEM-DOM-2 - Homoglyph Attack Domain
  Domains that exploit visually similar characters to deceive users (e.g., brɑnd.com using an alternate Unicode character for "a").
- CTEM-DOM-3 - Phishing Indicator Domain
  Domains that exhibit characteristics commonly associated with phishing campaigns, typically leveraged to harvest credentials (e.g., brand-login.com).
- CTEM-DOM-4 - Brand Impersonation Domain
  Domains that mimic the naming conventions and structures of well-known brands to deceive users (e.g., brand-support.com).
These updates enhance our ability to detect, prioritize, and respond to threats more effectively, ensuring organizations can swiftly mitigate risks from brand impersonation attacks.
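As an added illustration (not the platform's own code), the sketch below triages a newly observed domain into one of the four identifiers above. The confusables map, the keyword list, the edit-distance threshold of 1 and the rule precedence are all assumptions made for this example.

```python
import re
import unicodedata

# Constructed, minimal confusables map (assumption); production systems
# would use the full Unicode TR39 confusables data.
CONFUSABLES = {"\u0251": "a", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0131": "i"}
# Assumed credential-harvesting keywords; not a list taken from the platform.
PHISH_KEYWORDS = {"login", "signin", "verify", "account", "secure"}

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, brand="brand"):
    """Return a CTEM-DOM identifier for a registrable domain, or None."""
    label = domain.lower().rsplit(".", 1)[0]  # assumes a single-label TLD
    if label == brand:
        return None  # the legitimate domain itself
    folded = unicodedata.normalize("NFKC", label)
    skeleton = "".join(CONFUSABLES.get(c, c) for c in folded)
    tokens = re.split(r"[-_.]", skeleton)
    if skeleton != label and brand in tokens:
        return "CTEM-DOM-2"  # brand only appears after folding lookalike characters
    if brand in tokens:
        extra = set(tokens) - {brand}
        return "CTEM-DOM-3" if extra & PHISH_KEYWORDS else "CTEM-DOM-4"
    if osa_distance(skeleton, brand) == 1:
        return "CTEM-DOM-1"  # one typo away from the brand label
    return None

# Constructed sample input: the example domains used in the list above.
SAMPLES = ["brnad.com", "br\u0251nd.com", "brand-login.com", "brand-support.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, "->", classify(d))
```

The first matching rule wins, so a domain that combines a homoglyph with a login keyword is reported as CTEM-DOM-2 under this ordering.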