Watch Out for the Black Sheep of the family: Defending Yourself Against Cousin Domain Attacks

Image: Ant on Adobe Stock Images

Matteo Socci, one of our Junior IP Counsels, explains what are cousin domain attacks and what can you do to prevent falling victim to them? 

In the ever-evolving world of cybersecurity, new threats and attacks are constantly emerging, and cybercriminals are always finding creative ways to exploit vulnerabilities. One such threat that has gained traction in recent years is the so-called cousin domain attack. Cousin domain attacks are a type of domain spoofing or impersonation attack that can deceive unsuspecting users and organizations, leading to potential data breaches, financial losses, and reputational damage. In this article, we will explore what cousin domain attacks are, how they work, and what you need to know to protect yourself and your organisation.

What is a Cousin Domain Attack?

Cousin domain attacks involve the use of domain names that are similar or closely related to legitimate domain names in order to trick users into believing they are interacting with a trusted entity. These cousin domain names are intentionally designed to resemble legitimate domain names, often through slight misspellings, substitutions, or additions of characters. For example, a legitimate domain name like <example.com> could be spoofed using a cousin domain name like <examp1e.com> or <exampl3.com>.

As with most cybersecurity threats, the main aim of cousin domain attacks is to dupe users into handing over sensitive information (e.g., bank details etc.), spreading malware, conducting phishing campaigns, or perpetrating financial fraud. These attacks can target individuals, businesses, or even government organisations, and can be promoted through various communication channels, including email, various connected websites, social media, and other online platforms.

Examples of how cousin domains work

As mentioned above, the aim of these fake websites is to trick users into believing they are visiting a legitimate website and therefore share their sensitive information. Below we have provided some examples of what cousin domains may look like:

• Typosquatting: In a typosquatting cousin domain attack, cybercriminals register domain names that closely resemble legitimate domain names but contain slight misspellings or variations. For example, if a company's legitimate domain name is <example.com>, the cybercriminals may register <exampie.com> or <examplee.com>. Unsuspecting users who receive a message from an email address connected with the cousin domain name (such as from accounts.payable@examplee.com instead of accounts.payable@example.com) might believe that the message is genuine, and fall victim to phishing, malware distribution, or other malicious activities.
• Homoglyph Attack: In a homoglyph attack, cybercriminals register domain names that contain characters that are visually similar to legitimate characters but are encoded differently. For example, they may use the Cyrillic "а" instead of the Latin "a", or the Greek letter "ο" instead of the Latin letter "o". This can make the cousin domain appear virtually identical to the legitimate domain, making it difficult for users to detect the difference.
• Combo Attack: In a combo attack, cybercriminals combine multiple techniques, such as typosquatting, homoglyphs, or adding or removing characters, to create cousin domain names that closely mimic legitimate domain names. For example, they may register a domain name like where they combine a misspelling and a hyphen to create a cousin domain that appears similar to the legitimate domain . This can be used to conduct spear-phishing attacks or other types of social engineering attacks.
• Different top-level domains (TLDs): This involves using a different TLD than the legitimate domain name. For example, if the genuine domain name is <com>, the attacker might register <test.net> or <test.org>. These TLDs are less common than .com and may be missed by users who are not paying close attention.
• Reverse Attack: In a reverse attack, cybercriminals register a legitimate-looking domain name and then create subdomains or subdirectories that mimic the names of legitimate departments or services within a company. For example, they may register <com> and then create a subdomain like <hr.legitimatecompany.com> or a subdirectory like <legitimatecompany.com/payroll>. This can be used to trick employees or customers into divulging sensitive information or downloading malware.

These are just a few examples of the various types of cousin domain attacks that can occur, and cybercriminals are constantly coming up with new techniques and tactics to deceive users. To protect your business against cousin domain attacks, it’s important to closely monitor your business’s online presence. 

What are the dangers of cousin domain attacks

Cousin domain attacks pose significant dangers to individuals, businesses, and organisations. Some of the risks associated with these attacks can include:

Data Breaches: Cousin domain attacks can lead to data breaches, where sensitive information, such as usernames, passwords, credit card numbers, or personal data, is stolen by cybercriminals. This can result in financial losses, reputational damage, and legal liabilities, especially if the breached information belongs to customers or employees.

Financial Losses: Once victims fall for the deception and provide their information or take other desired actions, cybercriminals exploit this information for their nefarious purposes. They may use the stolen information to commit financial fraud, gain unauthorized access to accounts, conduct identity theft, or sell the information on the dark web.

How to protect yourself against cousin domain attacks?

As cousin domain attacks continue to be a prevalent threat, it is crucial for companies to take proactive measures to protect themselves and their customers, rather than reacting when it is too late. Here are some best practices that organisations can implement to defend against cousin domain attacks:

• Domain Monitoring: Keep an eye on new domain registrations that could be used for impersonation purposes. Regularly monitor and audit domain names that are similar or closely related to your legitimate domain names and look out for domain names that include misspellings, substitutions, or additions of characters that could be used in cousin domain attacks.
• Domain Registration: Registering variations of your legitimate domain names and common misspellings to prevent cybercriminals from using them for malicious purposes. This includes registering different TLDs such as .com, .net, .org, and country-specific TLDs, to prevent cousin domain attacks that use similar domain names with different TLDs.
• Employee Education: Educate employees about the risks of cousin domain attacks and provide training on how to identify suspicious emails, websites, or other communications. Remind employees to be cautious when clicking on links or downloading attachments from unfamiliar sources and to double-check the domain names in emails or websites.
• Email Authentication: Implement email authentication protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to verify the authenticity of incoming emails and prevent email spoofing.
• Website Security: Ensure that your organisation's website and web applications are secure by using HTTPS encryption/SSL certificates, regularly updating software and plugins, and implementing strong authentication mechanisms, such as multi-factor authentication (MFA) for user accounts.
• Incident Response Plan: Develop an incident response plan that includes procedures for handling cousin domain attacks. This should include steps for identifying and mitigating cousin domain attacks, as well as communication protocols for notifying employees, customers, and law enforcement if a cousin domain attack occurs.
• Brand Protection: Invest in brand protection services that can help monitor and enforce your brand's online presence, including, but not limited to, identifying and taking down cousin domain names that are being used for impersonation or phishing purposes.
• Legal Actions: If you do identify cousin domain infringing on your rights, employ professional law enforcement firms to investigate and take the appropriate legal action.