The lookalike domains attackers will use against your brand are mostly predictable from a small set of mutation rules like bit flips, vowel swaps, IDN homographs, and missing dots. Free tools can enumerate them for you, and Certificate Transparency logs can flag new ones when they appear in the wild.

Generating Domain Variations Used in Phishing

When orchestrating phishing attacks, scammers sometimes register domain names similar to those of the targeted organizations, in the hopes of exploiting victims’ typos or inattention. Therefore, it’s a good idea to keep an eye on your company’s domain name variations and perhaps preemptively register some of them. Let’s take a look at how domain name variations could be generated by you as well as the attackers.

Experimenting With Domain Name Variations

The command-line tool dnstwist by Marcin Ulikowski provides a convenient way for generating domain name variations using a range of techniques. The easiest way to install it is via pip:

pip install dnstwist[full]

You can also install dnstwist through your operating system’s package manager (apt, dnf, brew) or run it as a Docker container. The [full] extras pull in optional libraries like ssdeep and tlsh, which dnstwist uses to compare the HTML of copycat domains against the real site.

Once installed, run the tool as dnstwist <domain>, optionally adding --format csv if you’d like the output in a comma-separated values format. For instance, here’s how I used dnstwist to see variations of my domain “zeltser.com”:

(Screenshot: dnstwist output for zeltser.com)

When dnstwist notices that one of the generated names is registered, it shows details about it, such as the IP address that corresponds to it and its likely geographic location. If you invoke dnstwist with the --whois parameter, the tool will also perform Whois queries for each active domain and display when its record was created and updated.

Domain Name Variation Techniques

We can look at the algorithms implemented by dnstwist to understand the approaches adversaries could use for generating domain name variations. These include the following:

  • Bitsquatting, which anticipates that a small portion of systems will encounter hardware errors that mutate the resolved domain name by 1 bit (e.g., xeltser.com).
  • Homoglyph, which replaces a letter in the domain name with letters that look similar (e.g., ze1tser.com), including Unicode characters from other alphabets in an IDN homograph attack (e.g., Cyrillic “е” substituted for Latin “e”).
  • Repetition, which repeats one of the letters in the domain name (e.g., zeltsser.com).
  • Transposition, which swaps two letters within the domain name (e.g., zelster.com).
  • Replacement, which replaces one of the letters in the domain name, perhaps with a letter located next to the original letter on the keyboard (e.g., zektser.com).
  • Omission, which removes one of the letters from the domain name (e.g., zelser.com).
  • Insertion, which inserts a letter into the domain name (e.g., zerltser.com).

A good supplement to dnstwist is the command-line tool URLCrazy by Andrew Horton, which implements the following techniques in addition to some of the methods outlined above:

  • Missing dot, which removes a dot from the domain name (e.g., zeltsercom.com).
  • Singularization or Pluralization, which adds or removes “s” at the end of the domain name (e.g., zeltsers.com).
  • Vowel swap, which replaces a vowel within the domain name (e.g., zultsur.com).
  • Wrong TLD, which replaces the top-level domain suffix (e.g., zeltser.ca).
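To show how the rules from both lists combine on a single name, here is an added Python example (not code from dnstwist or URLCrazy). The homoglyph, keyboard-neighbour and TLD tables are constructed stand-ins for the tools' much larger ones, and to_ascii converts any IDN candidate into the punycode form that DNS, Whois and Certificate Transparency searches need.

```python
"""Lookalike-domain candidates from the mutation rules listed above.
Added example (not dnstwist or URLCrazy code); the substitution tables are constructed and tiny."""
import string

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")
HOMOGLYPHS = {"l": ["1", "i"], "o": ["0"], "e": ["\u0435"]}  # U+0435 is Cyrillic е
KEYBOARD = {"z": "x", "e": "w", "l": "k", "t": "r", "s": "a", "r": "e"}  # one neighbour per key
VOWELS = "aeiou"
TLDS = ["ca", "net", "org"]


def variations(domain):
    """Return {technique: set of candidate domains} for a name like example.com."""
    label, tld = domain.lower().rsplit(".", 1)
    n = len(label)

    def splice(i, repl, skip=1):
        # Replace label[i:i + skip] with repl and re-attach the TLD.
        return f"{label[:i]}{repl}{label[i + skip:]}.{tld}"

    out = {
        # One flipped bit per character, kept only if the result is still a legal label character.
        "bitsquatting": {splice(i, chr(ord(c) ^ (1 << b))) for i, c in enumerate(label)
                         for b in range(8) if chr(ord(c) ^ (1 << b)) in LABEL_CHARS},
        "homoglyph": {splice(i, g) for i, c in enumerate(label) for g in HOMOGLYPHS.get(c, [])},
        "repetition": {splice(i, c + c) for i, c in enumerate(label)},
        "transposition": {splice(i, label[i + 1] + label[i], 2) for i in range(n - 1)},
        "replacement": {splice(i, KEYBOARD[c]) for i, c in enumerate(label) if c in KEYBOARD},
        "omission": {splice(i, "") for i in range(n)},
        "insertion": {splice(i, c + KEYBOARD[c]) for i, c in enumerate(label) if c in KEYBOARD},
        "missing_dot": {f"{label}{tld}.{tld}"},
        "plural": {splice(n - 1, "") if label.endswith("s") else f"{label}s.{tld}"},
        "vowel_swap": {splice(i, v) for i, c in enumerate(label) if c in VOWELS
                       for v in VOWELS if v != c},
        "wrong_tld": {f"{label}.{t}" for t in TLDS if t != tld},
    }
    # Drop the genuine name and any label a registry would reject (leading/trailing hyphen).
    return {k: {d for d in v if d != domain and not d.startswith("-") and "-." not in d}
            for k, v in out.items()}


def to_ascii(domain):
    """Punycode form (xn--...) that DNS, Whois and CT-log searches expect for IDN candidates."""
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    for technique, names in variations("zeltser.com").items():
        print(f"{technique:14}{len(names):4}  {' '.join(sorted(map(to_ascii, names))[:4])}")
```

Each set is a watchlist seed: resolve the candidates periodically, or feed the punycode forms into a CT-log search, and alert on any that become active.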

One of the nice features of URLCrazy is its attempt to rank the popularity of the generated active domains according to Google search results. Installing this tool, as outlined on its website, requires having Ruby on your system, which is easy to obtain.


If you don’t want to install software locally to generate names, a hosted version of dnstwist is available at dnstwist.it, which applies the same fuzzing algorithms in your browser.

You can also watch Certificate Transparency logs to spot lookalike domains as attackers register TLS certificates for them. Services such as crt.sh make these logs searchable.

Exploring Name Variations for Pen Tests and Defense

Adversaries (and penetration testers) can employ numerous approaches to generating domain names that, at a quick glance, will appear similar to the targeted organization’s domain. Potential victims in the organization might also reach attackers’ systems residing at these domains by making a typo.

If you’re defending your organization from phishing and related attacks, keep an eye on your domain name’s variations. Either register some of them yourself or make sure you’re notified when a risky name pops into existence, possibly as a precursor to an attack.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.