Cousin Domain Spoofing

With DMARC blocking direct spoofing, attackers register lookalike domains (bigb4nk.com) with valid authentication to impersonate brands.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2015 ← Attack emerges → 2018 ← Industry responds → 2020 ← Still effective → Present

The Evolution

| Phase | Period | What Happened |
|---|---|---|
| CONTEXT | 2012-2015 | DMARC adoption blocks direct domain spoofing |
| ATTACK | 2015 | Attackers pivot to lookalike domains with valid authentication |
| PEAK | 2017-2018 | Homograph attacks using Unicode characters |
| RESPONSE | 2017 | Chrome 58 joins Firefox in showing punycode for mixed-script and confusable IDN domains |
| | 2018 | Brand monitoring services emerge |
| | 2019 | ICANN adds homograph restrictions on some TLDs |
| CURRENT | Present | Still highly effective; fundamental human problem |

Key Events with Sources

| Date | Event | Significance | Source |
|---|---|---|---|
| 2015 | DMARC forces pivot | Attackers can't spoof bigbank.com, so they register bigb4nk.com | DMARC.org |
| 2017 | IDN homograph attacks | Unicode lookalikes (Cyrillic 'а' vs Latin 'a') go mainstream | Xudong Zheng Research |
| 2017 | Browser punycode display | Chrome (from version 58) and Firefox show the xn-- form for mixed-script and confusable IDN domains | Chromium Blog |
| 2018 | PhishLabs, RiskIQ monitoring | Brand monitoring services detect lookalike registrations | PhishLabs |
| 2019 | ICANN IDN guidelines | Restrictions on mixed-script domains | ICANN |

Overview

Once DMARC reached widespread adoption, attackers couldn’t directly spoof bigbank.com anymore. Their solution: register bigb4nk.com, set up valid SPF/DKIM/DMARC, and send authenticated phishing emails. The authentication passes perfectly—it’s just not the domain users think it is.

The Attack

Why Cousin Domains Work

DMARC answers the question “Is this email really from bigbank.com?” But it can’t answer “Is bigbank.com the domain the user thinks they’re seeing?”

Legitimate:  bigbank.com
Cousin:      bigb4nk.com     ← Character substitution
             biɡbank.com     ← Unicode lookalike (ɡ vs g)
             bigbank.co      ← Different TLD
             bigbank-secure.com ← Added words

All of these can have valid DMARC with p=reject. The authentication is real—it’s just authenticating the wrong domain.

Lookalike Techniques

Character Substitution:

| Original | Substitution | Example |
|---|---|---|
| a | 4, @ | bigb4nk.com |
| i | 1, l | b1gbank.com |
| o | 0 | bigb0nk.com |
| e | 3 | banks3cure.com |

Homograph Attacks (Unicode):

paypal.com   vs   pаypal.com
              ↑
        Cyrillic 'а' (U+0430) vs Latin 'a' (U+0061)

These look identical in many fonts but are completely different domains.

TLD Variations:

  • company.com → company.co, company.net, company.org
  • company.com → company.com.br, company-login.com

Typosquatting:

  • gooogle.com (extra letter)
  • gogole.com (transposed letters)
  • goggle.com (wrong letter)
  • gogle.com (missing letter)

Attack Flow

1. Attacker identifies target brand: bigbank.com
2. Registers lookalike: bigbank-secure.com
3. Sets up mail server with valid:
   - SPF: v=spf1 ip4:203.0.113.50 -all (the attacker's own server, as in the headers below)
   - DKIM: Signs all outbound mail
   - DMARC: v=DMARC1; p=reject
4. Sends phishing email
5. Email passes all authentication checks
6. User sees "bigbank" and trusts it

Raw Email Headers (Cousin Domain)

Notice how every authentication check passes—because the attacker controls the cousin domain:

Return-Path: <security@bigbank-secure.com>
Received: from mail.bigbank-secure.com (mail.bigbank-secure.com [203.0.113.50])
        by mx.victim.com (Postfix) with ESMTPS id ABC123
        for <employee@victim.com>; Mon, 20 Jan 2025 09:15:22 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bigbank-secure.com; s=mail;
        h=from:to:subject:date:message-id;
        bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
        b=dGVzdCBzaWduYXR1cmUgZm9yIGV4YW1wbGUgcHVycG9zZXM=
Authentication-Results: mx.victim.com;
        dkim=pass header.d=bigbank-secure.com header.s=mail;
        spf=pass (mx.victim.com: domain of security@bigbank-secure.com
            designates 203.0.113.50 as permitted sender)
            smtp.mailfrom=security@bigbank-secure.com;
        dmarc=pass (p=REJECT sp=REJECT) header.from=bigbank-secure.com
From: "BigBank Security Team" <security@bigbank-secure.com>
To: employee@victim.com
Subject: [Action Required] Verify Your Account Information
Date: Mon, 20 Jan 2025 09:15:20 -0500
Message-ID: <unique-id-12345@bigbank-secure.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

Dear Customer,

We have detected unusual activity on your account...

Key observations:

  • dkim=pass — Attacker’s DKIM signature is valid
  • spf=pass — Attacker’s server is authorized for their domain
  • dmarc=pass — Everything aligns for attacker’s domain
  • The domain bigbank-secure.com looks legitimate at a glance

Why It’s Effective

  • Authentication passes — SPF, DKIM, DMARC all valid
  • TLS certificates available — Let's Encrypt and other CAs issue domain-validated certificates for any domain the attacker controls, so the padlock says nothing about the brand
  • Quick setup — Domain + hosting in minutes
  • User behavior — People glance at domains, don’t scrutinize
  • Mobile truncation — Email clients often show only display name

Defenses

Brand Monitoring Services

Companies like PhishLabs, RiskIQ, and Bolster monitor new domain registrations for lookalikes:

  • Fuzzy matching against protected brand names
  • Unicode homograph detection
  • TLD variation tracking
  • Alerts when suspicious domains go live

Limitation: Reactive—domains are often used in attacks before detection.

Takedown Services

Once identified, brand owners can:

  • File UDRP complaints (slow, 45+ days)
  • Request registrar suspension (faster, varies)
  • Add to blocklists (immediate but incomplete)

Email Security Lookalike Detection

Modern SEGs analyze sender domains for:

  • Visual similarity to protected brands
  • Recently registered domains
  • Domains mimicking internal nomenclature
  • Unicode/punycode anomalies

Browser Protections

Browsers show punycode for suspicious internationalized domains, for example when a label mixes scripts:

User types: аpple.com (Cyrillic 'а')
Browser shows: xn--pple-43d.com

The exact rules differ per browser and are not exhaustive: a label written entirely in one confusable script (all Cyrillic) depends on separate confusable checks, and the protection lives in the address bar, not in the mail client that renders the sender.

BIMI (Brand Indicators for Message Identification)

Verified brand logos display only for domains with DMARC at enforcement and, in most mail clients, a Verified Mark Certificate tied to a registered trademark, which a cousin domain cannot obtain for another brand's logo. Treat BIMI as a positive indicator only: most legitimate senders have not deployed it, so a missing logo is weak evidence on its own.

Current State

Status: Active

Cousin domain attacks remain highly effective. The fundamental problem—humans are bad at comparing domain strings—has no technical solution.

| What Works | What Doesn't |
|---|---|
| Brand monitoring (detection) | Preventing registration |
| Takedowns (after the fact) | User awareness alone |
| SEG lookalike detection | Blocking all similar domains |
| BIMI (positive indicator) | Perfect homograph detection |

Detection Guidance

Proactive Monitoring

Register common misspellings of your domain before attackers do:

yourdomain.com
yourdoma1n.com
your-domain.com
yourdomain.co
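Enumerating these variants by hand does not scale. The following is an added example, not code from the original page, that generates the four classes listed under Lookalike Techniques above (character substitution, Cyrillic homographs, typos, TLD and added-word variants) for one brand and renders IDN candidates in the xn-- form that DNS and the browser address bar use. The substitution and confusable tables, the alternative TLDs and the affix words are constructed for illustration; real tooling such as dnstwist ships much larger ones.

```python
"""Generate cousin-domain candidates for one brand (added example, stdlib only)."""

# Constructed tables for the example. "@" from the substitution table is left out:
# it is not a valid hostname character.
SUBSTITUTIONS = {"a": "4", "i": "1l", "o": "0", "e": "3"}
# Latin letter -> visually confusable Cyrillic letter (single-character homographs)
CYRILLIC_CONFUSABLES = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}
ALT_TLDS = ("co", "net", "org", "com.br")
AFFIXES = ("secure", "login", "support")


def character_substitutions(label):
    """bigbank -> bigb4nk, b1gbank, blgbank, ... (one substitution per candidate)."""
    return {label[:i] + sub + label[i + 1:]
            for i, ch in enumerate(label) for sub in SUBSTITUTIONS.get(ch, "")}


def homographs(label):
    """paypal -> pаypal (Cyrillic а), рaypal (Cyrillic р), ..."""
    return {label[:i] + CYRILLIC_CONFUSABLES[ch] + label[i + 1:]
            for i, ch in enumerate(label) if ch in CYRILLIC_CONFUSABLES}


def typos(label):
    """google -> gogle (missing), gooogle (doubled), gogole (transposed)."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # missing letter
        out.add(label[:i + 1] + label[i] + label[i + 1:])       # doubled letter
        if i + 1 < len(label) and label[i] != label[i + 1]:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.discard(label)
    return out


def tld_and_affix_variants(label, tld):
    """bigbank.com -> bigbank.co, bigbank.com.br, bigbank-secure.com, ..."""
    out = {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    out |= {f"{label}-{word}.{tld}" for word in AFFIXES}
    return out


def to_ascii(domain):
    """Render a candidate as DNS (and a punycode-displaying browser) sees it."""
    return domain.encode("idna").decode("ascii")


def generate(domain):
    """Map every candidate, in its DNS form, to the technique that produced it."""
    label, _, tld = domain.lower().partition(".")
    candidates = {}
    for c in character_substitutions(label):
        candidates[f"{c}.{tld}"] = "substitution"
    for c in homographs(label):
        candidates[to_ascii(f"{c}.{tld}")] = "homograph"
    for c in typos(label):
        candidates[f"{c}.{tld}"] = "typo"
    for c in tld_and_affix_variants(label, tld):
        candidates[c] = "tld/affix"
    candidates.pop(domain.lower(), None)  # never list the brand's own domain
    return candidates


if __name__ == "__main__":
    for candidate, technique in sorted(generate("bigbank.com").items()):
        print(f"{candidate:28} {technique}")
```

The punycode form is the string to search for in passive DNS or certificate transparency logs; the Unicode form is what the user would see in a mail client that does not apply browser-style IDN display rules.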

Email Analysis

Flag emails where:

  • Sender domain is visually similar to known brands
  • Domain was registered recently (< 30 days)
  • Domain uses Unicode characters
  • Display name contains brand but domain doesn’t match

User Reports

Train users to report emails that:

  • Claim to be from brands but URL looks slightly off
  • Create urgency around account security
  • Request credentials or sensitive data
  • Come from domains they don’t recognize

SIEM Queries

email.sender.domain.age_days < 30
AND email.sender.domain.similarity_score > 0.8
AND email.sender.domain NOT IN (known_legitimate_domains)
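Putting the Email Analysis rules and the query above into runnable form: this is an added example, not code from the original page. It parses a raw message with the standard library and flags a brand in the display name without a matching domain, a sender label that contains or sits within edit distance of a protected brand, an xn-- label that decodes to mixed scripts, and a registration younger than 30 days. It deliberately ignores the authentication verdict, which passes in every case. The brand allowlist, the registration dates (standing in for a WHOIS/RDAP lookup) and the three sample messages are constructed; the cousin sample mirrors the headers shown earlier.

```python
"""Cousin-domain indicators for one email (added example, stdlib only)."""
import email
import re
import unicodedata
from datetime import date
from email.utils import parseaddr

# Constructed: brand token -> domains allowed to use it
PROTECTED = {"bigbank": {"bigbank.com"}, "paypal": {"paypal.com"}}
# Constructed stand-in for WHOIS/RDAP creation dates (registrable domain -> created)
REGISTRATION_DATES = {
    "bigbank.com": date(2001, 3, 14),
    "bigbank-secure.com": date(2025, 1, 12),
    "xn--pypal-4ve.com": date(2025, 1, 18),
}
TODAY = date(2025, 1, 20)   # fixed so the example is reproducible
NEW_DOMAIN_DAYS = 30
SIMILARITY_THRESHOLD = 0.8


def levenshtein(a, b):
    """Edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, approaching 0.0 for nothing in common."""
    return 1.0 - levenshtein(a, b) / max(len(a), len(b), 1)


def registrable(domain):
    """Last two labels; production code should use the Public Suffix List (co.uk, com.br)."""
    return ".".join(domain.lower().split(".")[-2:])


def scripts_of(label):
    """Unicode scripts present, taken from character names (stdlib heuristic)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze(raw_message, today=TODAY):
    """Return cousin-domain indicators for one message, independent of SPF/DKIM/DMARC."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = registrable(addr.rpartition("@")[2])
    label = domain.split(".")[0]
    # An xn-- label is decoded to the Unicode the user would actually see
    shown = label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    auth = " ".join(msg.get_all("Authentication-Results", []))
    reasons = []

    for brand, allowed in PROTECTED.items():
        if domain in allowed:
            continue
        if brand in re.sub(r"[^a-z0-9]", "", display.lower()):
            reasons.append(f"display name {display!r} claims {brand} but domain is {domain}")
        score = similarity(shown, brand)
        if brand in shown or score >= SIMILARITY_THRESHOLD:
            reasons.append(f"label {shown!r} resembles {brand} (similarity {score:.2f})")

    if not shown.isascii():
        reasons.append(f"IDN label {label} renders as {shown!r}, scripts {sorted(scripts_of(shown))}")

    created = REGISTRATION_DATES.get(domain)
    if created is not None and (today - created).days < NEW_DOMAIN_DAYS:
        reasons.append(f"{domain} registered {(today - created).days} days ago")

    return {"from_domain": domain, "dmarc_pass": "dmarc=pass" in auth,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample messages (headers trimmed to what analyze() reads)
COUSIN = """\
Authentication-Results: mx.victim.com;
        dkim=pass header.d=bigbank-secure.com header.s=mail;
        spf=pass smtp.mailfrom=security@bigbank-secure.com;
        dmarc=pass (p=REJECT sp=REJECT) header.from=bigbank-secure.com
From: "BigBank Security Team" <security@bigbank-secure.com>
To: employee@victim.com
Subject: [Action Required] Verify Your Account Information

Dear Customer, we have detected unusual activity on your account...
"""
HOMOGRAPH = """\
Authentication-Results: mx.victim.com; dmarc=pass header.from=xn--pypal-4ve.com
From: "PayPal" <service@xn--pypal-4ve.com>
To: employee@victim.com
Subject: Your account has been limited

Please confirm your details...
"""
LEGIT = """\
Authentication-Results: mx.victim.com; dmarc=pass header.from=bigbank.com
From: "BigBank" <alerts@bigbank.com>
To: employee@victim.com
Subject: Your statement is available

Log in to view your statement.
"""

if __name__ == "__main__":
    for name, raw in (("cousin", COUSIN), ("homograph", HOMOGRAPH), ("legitimate", LEGIT)):
        result = analyze(raw)
        print(name, result["from_domain"], "dmarc=pass" if result["dmarc_pass"] else "dmarc=fail")
        for reason in result["reasons"]:
            print("   ", reason)
```

All three samples carry dmarc=pass; only the registration age, the display name and the label itself separate the cousin and homograph messages from the legitimate one, which is the point of the query above.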

What Killed It (or Weakened It)

| Defense | Introduced | Impact |
|---|---|---|
| Browser IDN Display Policies | 2017 onward | Browsers show punycode for mixed-script and confusable Unicode domains |
| Brand Monitoring Services | 2018 | Automated detection of newly registered lookalike domains |
| ICANN Homograph Restrictions | 2019 | Some TLDs restrict mixed-script domains |
| Email Security Lookalike Detection | 2021 | SEGs flag domains visually similar to protected brands |