Looks Can Be Deceptive: Unmasking the Art of Mimicry

In the vast landscape of the internet, where millions of websites beckon users with the promise of information, services, and entertainment, there exists a deceptive art known as mimicry. Cybercriminals have mastered the craft of making websites look like trusted counterparts through various forms of spoofing. This article delves into the intricate world of mimicry, exploring different types of spoofing that can fool even the most discerning users.

Character Swapping

One of the most common forms of spoofing involves subtly altering characters in a web address, a technique known as typosquatting. For instance, consider the legitimate website “example.com.” A malicious actor might register a domain like “examp1e.com,” replacing the letter “l” with the numeral “1.” This subtle change often goes unnoticed, leading users astray.

Example 1: Original – google.com | Spoofed – g00gle.com

Example 2: Original – amazon.com | Spoofed – amaz0n.com

Example 3: Original – paypal.com | Spoofed – paypall.com

Shape of Characters

Cybercriminals exploit the visual similarities between characters to create deceptive URLs. This technique involves using characters that resemble the intended ones at first glance. Consider the letter “o” and the number “0” or the lowercase “l” and the uppercase “I.”

Example 1: Original – microsoft.com | Spoofed – m1crosoft.com

Example 2: Original – twitter.com | Spoofed – tw1tter.com

Example 3: Original – linkedin.com | Spoofed – l1nkedin.com

Subdomains

Spoofers may employ subdomains to mimic legitimate websites convincingly. By placing familiar terms in the subdomain labels, attackers create an illusion of legitimacy. What actually determines who controls a site is the registered domain to the right of those labels, so a recognisable word at the left of the host name proves nothing on its own.

Example 1: Original – bankofamerica.com | Spoofed – secure.bankofamerica.com

Example 2: Original – apple.com | Spoofed – support.apple.com

Example 3: Original – ebay.com | Spoofed – deals.ebay.com

URL Length

Another clever tactic involves manipulating the length of URLs. Cybercriminals might add unnecessary characters to make the fake URL appear more authentic.

Example 1: Original – netflix.com | Spoofed – netflix-offers-free-trial-login.com

Example 2: Original – reddit.com | Spoofed – reddit-best-content-2024.com

Example 3: Original – cnn.com | Spoofed – cnn-breaking-news-updates.com

Cyrillic Characters (Homograph Attack)

This form of mimicry relies on the visual similarities between characters in different scripts. For instance, an attacker can use Cyrillic characters that look identical or very similar to Latin characters, so the address reads correctly to the eye while resolving to a different domain.

Example 1: Original – apple.com | Spoofed – аpple.com (with Cyrillic “a”)

Example 2: Original – facebook.com | Spoofed – fасebook.com (with Cyrillic “c”)

Example 3: Original – twitter.com | Spoofed – twіtter.com (with Cyrillic “i”)

Hyphenated Variations

In this form of mimicry, scammers add or remove hyphens within domain names, creating deceptive URLs that closely resemble legitimate ones.

Example 1: Original – disneyplus.com | Spoofed – disney-plus.com

Example 2: Original – mastercard.com | Spoofed – master-card.com

Example 3: Original – airbnb.com | Spoofed – air-bnb.com

Double Extensions

Cybercriminals may use double file extensions to disguise malicious files as harmless ones. For instance, a file named “document.pdf.exe” may appear as a PDF but is executable.

Example 1: Original – document.pdf | Spoofed – document.pdf.exe

Example 2: Original – image.jpg | Spoofed – image.jpg.exe

Example 3: Original – report.doc | Spoofed – report.doc.exe
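As an added illustration (not code from the article), the following check flags a file name whose last extension is executable but whose previous one looks like a document or image, which is the pattern in the examples above. The two suffix lists are assumed for illustration; the strip() also catches names padded with spaces to push the real extension out of view.

```python
from pathlib import PurePosixPath
from typing import Optional

# Assumed lists for illustration; a real filter would carry a fuller set.
DOCUMENT_LIKE = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".txt"}
EXECUTABLE = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi"}


def double_extension(filename: str) -> Optional[str]:
    """Return the executable suffix hidden behind a document-like one, else None.

    Only the final suffix decides what the operating system runs; a name like
    'document.pdf.exe' is an executable however it is displayed.
    """
    # suffixes() splits on every dot, so 'document.pdf.exe' -> ['.pdf', '.exe'];
    # lower-casing and stripping handles 'IMAGE.JPG.EXE' and 'invoice.pdf    .scr'.
    suffixes = [s.lower().strip() for s in PurePosixPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DOCUMENT_LIKE:
        return suffixes[-1]
    return None
```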

Redirect Spoofing

This tactic involves creating a URL that appears harmless but redirects users to a different, often malicious, website. Users may be initially deceived by the visible URL.

Example 1: Original – newswebsite.com | Spoofed – entertainmentnews.com (redirects to a phishing site)

Example 2: Original – shoppingmall.com | Spoofed – discountshopping.com (redirects to a scam site)

Example 3: Original – techforum.com | Spoofed – techdiscussion.com (redirects to a malware site)

Homophonic Substitution

Mimicking sounds rather than visual appearance, homophonic substitution involves using characters that sound similar to the intended ones.

Example 1: Original – ebay.com | Spoofed – ebae.com

Example 2: Original – google.com | Spoofed – go0gle.com

Example 3: Original – yahoo.com | Spoofed – yahhoo.com

Path Deception

Scammers manipulate the path section of a URL to create a false sense of security. They might mimic legitimate paths or insert fake directory names.

Example 1: Original – website.com/login | Spoofed – website.com/fake-login

Example 2: Original – bankingportal.com/transactions | Spoofed – bankingportal.com/phony-transactions

Example 3: Original – supportcenter.com/help | Spoofed – supportcenter.com/fake-help

Different Top-Level Domain (TLD)

Original – google.com | Spoofed – google.co

Original – amazon.com | Spoofed – amazon.us

Original – microsoft.com | Spoofed – microsoft.co

Original – facebook.com | Spoofed – facebook.us

In this type of spoofing, attackers leverage the familiarity users have with well-known websites and simply replace the common TLDs (like .com) with alternatives such as .co or .us. This subtle change can be easily overlooked by users, leading them to potentially harmful or deceptive websites. Remaining vigilant and checking the full URL is crucial to identifying such spoofing attempts.

Brand Name Variations

Original – cocacola.com | Spoofed – coca-cola.co

Original – nike.com | Spoofed – nike-store.us

Homogeneous Characters

Original – youtube.com | Spoofed – уоutube.co

Original – instagram.com | Spoofed – instаgram.us

Regional Variation

Original – target.com | Spoofed – target-store.co

Original – walmart.com | Spoofed – walmart-shop.us

Non-standard Characters

Original – apple.com | Spoofed – åpple.co

Original – ebay.com | Spoofed – èbay.us

Common Misspellings

Original – linkedin.com | Spoofed – linkdin.co

Original – pinterest.com | Spoofed – pintrist.us

Unicode Characters

Original – amazon.com | Spoofed – amazоn.co

Original – twitter.com | Spoofed – twіtter.us

URL Shorteners

Original – bit.ly/original | Spoofed – bit.ly/suspicious

Fake Protocols

Original – http://example.com | Spoofed – hxxp://example.co

Original – https://secure-site.com | Spoofed – httрs://secure-site.us

IP Address Spoofing

Original – website.com | Spoofed – 192.168.0.1 (using IP instead of domain)
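As an added worked example (not code from the article), the checker below applies the host-name techniques described above in one pass: the digit-for-letter swaps of Character Swapping and Shape of Characters, the Cyrillic and accented homoglyphs, Hyphenated Variations, a brand used as a subdomain label, Different TLD swaps, and a raw IP address in place of a domain. The brand watchlist, the accepted TLD set and the homoglyph map are assumptions for illustration, and the registrable domain is taken to be the last two labels of the host.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

BRANDS = ("example", "google", "apple", "paypal", "bankofamerica", "disneyplus")  # assumed watchlist
TLDS = {"com"}  # assumed: the TLDs these brands legitimately use
DIGITS = str.maketrans("013578", "olestb")  # digits that pass for letters
# Cyrillic letters (U+0430 .. U+0456) that render like Latin a e o p c y x i
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")

def fold(label: str) -> str:  # the Latin letters a user would perceive
    label = unicodedata.normalize("NFKD", label.translate(HOMOGLYPHS))
    return label.encode("ascii", "ignore").decode().translate(DIGITS).replace("-", "")

def edit_distance(a: str, b: str) -> int:  # Levenshtein, catches one-char typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url: str) -> list:
    """Return the mimicry indicators found in url (empty list means none)."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return ["raw-ip-host"]  # a bare IP instead of a domain name
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return ["no-registrable-domain"]
    tld, sld, subs = labels[-1], labels[-2], labels[:-2]
    core = fold(sld)  # the registrable label as the eye reads it
    reasons = []
    if any(ord(ch) > 127 for ch in host):
        reasons.append("non-ascii-homoglyph")
    if core in BRANDS and tld not in TLDS:
        reasons.append(f"tld-swap:{core}.{tld}")
    for brand in BRANDS:
        if core == brand and sld != brand:
            reasons.append(f"lookalike:{brand}")  # homoglyph, digit or hyphen variant
        elif edit_distance(core, brand) == 1:
            reasons.append(f"typo:{brand}")
    if sld not in BRANDS and any(fold(s) in BRANDS for s in subs):
        reasons.append("brand-in-subdomain")  # e.g. brand.com.<attacker domain>
    return reasons
```

Because the brand is compared against the registrable label, a genuine subdomain of a watched brand returns no indicators, while the brand name appearing to the left of someone else's domain is flagged.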
