Don’t Let Your Customers Be Fooled By Cousin Domains

Agari December 15, 2015 Opinion, Resources

In the last five years, we’ve all become far too familiar with it – hackers spoofing a company’s domain and therefore tarnishing the brand, bad actors attempting to infect our computers with malware, and criminals sending millions of spam messages.

As if this isn’t enough, there is now a whole group of people working to outsmart companies AND their customers by using cousin domains to fool those customers into believing that the cyber criminals are the companies themselves!

What is a Cousin Domain?

Cousin domain: a registered domain name that is deceptively similar to a target name, which can be a domain name or the name of a known entity. The target name is familiar to many end users, and therefore imparts a degree of trust. The deceptive similarity can trick the user by embedding the essential parts of the target name in a new string (e.g. ‘companysecurity.example’ to attack ‘company.example’), or it can use some variant of the target name, such as replacing ‘i’ with ‘1’. This latter form is sometimes known as a “homograph attack”.

For computer security people, the problems associated with cousin domains – also referred to as ‘look-alike’ domains – are a difficult issue. There are several approaches to countering these attackers and, while none is perfect, several provide tremendous value.

A Closer Look at Cousin Domains

To illustrate one possible approach, let’s look at and its similar domains. (Please note: was selected only as an illustration; they are not an Agari customer.)

An email from any one of these domains might be valid. However, it is likely that both the .org and the .com domains are (or have been) intended to be deceptively similar to the .gov domain, and the .net domain is actively similar for (apparently) satirical reasons. Certainly, to the average user, getting an email from would appear to be valid – and potentially disarming.

Most security professionals can quickly tell the difference between a real and a forged email message from President Obama, but how can it be done programmatically?

How Cybercriminals use Cousin Domains

Let’s say, for the sake of this discussion, that we have a message from the .com domain. The admins of this forged domain have set up proper SPF records and are DKIM signing their message. In fact, they are doing everything they can to look legitimate. And let’s say that you run the brand security team. The bad guy starts by sending an email to your customers, requesting they sign a petition that requires a social security number and a home address (so they can ensure only one signature from each person is recorded). If your customers click, they will be phished.

This is where cousin domain checking comes into play. Real mail from the White House has certain characteristics. Cyber criminals often “borrow” these characteristics – logos, graphics, style sheets, specific colors, known mail sources, etc. – to make the forged mail look valid, without hosting the content themselves. So, in a message from, we can see links that reference Red Flag! Usually, because these false domains get shut down fairly quickly, we’ll find that the bad actors’ .com domains were recently created or changed. Another Red Flag! There are all kinds of similar characteristics of forged mail that can be identified, but there are some other challenges.
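The definition above lists two ways a cousin domain imitates a target name (embedding the name in a longer string, or swapping confusable characters), and this section adds two message-level red flags (links that borrow the real brand’s hosted assets, and a recently registered sender domain). The following is an added example of how those checks can be expressed in code; it is not Agari’s code, and every domain name, the protected brand ‘brand.example’, the confusable-character table and the two sample messages are constructed for illustration. The domain age would come from a WHOIS/RDAP lookup outside the example.

```python
"""Cousin-domain checks for inbound mail.

Added example, not Agari's code.  Every domain name and the two sample
messages are constructed; the protected brand is 'brand.example'.
"""
import email
import re
import unicodedata
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# The brand's legitimate sending/hosting domains (constructed).
PROTECTED_DOMAINS = {"brand.example", "mail.brand.example"}
# Second-level labels of the protected domains, here {"brand"}.
PROTECTED_NAMES = {p.split(".")[-2] for p in PROTECTED_DOMAINS}
# Digit-for-letter substitutions seen in look-alike names; the post's own
# example is '1' for 'i'.  A production table is much larger (Unicode confusables).
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, NFKC-fold and undo the common confusable substitutions."""
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_protected(host: str) -> bool:
    """True for a protected domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in PROTECTED_DOMAINS or any(host.endswith("." + p) for p in PROTECTED_DOMAINS)


def is_cousin(domain: str) -> List[str]:
    """Return the reasons a domain looks like a cousin of the brand (empty if none)."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    if is_protected(d) or len(labels) < 2:
        return []
    raw_name = labels[-2]                  # second-level label exactly as sent
    name = normalize(d).split(".")[-2]     # same label with confusables undone
    if name in PROTECTED_NAMES:
        if raw_name != name:
            return [f"homograph of {name!r} ({raw_name!r})"]
        return [f"brand name {name!r} under a different TLD"]
    for target in PROTECTED_NAMES:
        if target in name:
            return [f"embeds brand name {target!r} in {raw_name!r}"]
        if edit_distance(name, target) == 1:
            return [f"one edit away from brand name {target!r}"]
    return []


@dataclass
class Verdict:
    sender_domain: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_message(raw: bytes, domain_age_days: Optional[int] = None) -> Verdict:
    """Name check plus the two red flags from the post: links into the real
    brand's hosts from a look-alike sender, and a recently registered domain.
    domain_age_days is assumed to come from a WHOIS/RDAP lookup done elsewhere."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    verdict = Verdict(sender, is_cousin(sender))
    if not verdict.suspicious:
        return verdict  # sender name does not resemble the brand; stop here
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    hosts = {urlparse(u).hostname for u in re.findall(r'https?://[^\s"\'<>]+', body)}
    borrowed = sorted(h for h in hosts if h and is_protected(h))
    if borrowed:
        verdict.reasons.append("links reference brand assets: " + ", ".join(borrowed))
    if domain_age_days is not None and domain_age_days < 30:
        verdict.reasons.append(f"sender domain registered {domain_age_days} days ago")
    return verdict


# Constructed look-alike message that borrows the real brand's logo host.
LOOKALIKE = b"""From: "Brand Support" <support@brand-security.example>
To: customer@example.net
Subject: Please confirm your details
Content-Type: text/html; charset=utf-8

<html><body><img src="https://static.brand.example/logo.png">
<p>Please <a href="https://br4nd.example/confirm">confirm here</a>.</p></body></html>
"""
# Constructed genuine message: same body, sent from the brand's own domain.
GENUINE = LOOKALIKE.replace(b"support@brand-security.example", b"support@brand.example")

if __name__ == "__main__":
    for sample in (LOOKALIKE, GENUINE):
        v = assess_message(sample, domain_age_days=12)
        print(v.sender_domain, "SUSPICIOUS" if v.suspicious else "clean", v.reasons)
```

The name check runs first so that the cheaper string work gates the body parsing, and the genuine message returns clean without any link inspection. The registrable-name logic deliberately takes the second-to-last label; a real deployment would use a public suffix list so that names under multi-label suffixes (such as a country-code second-level domain) are compared correctly.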

The Benefit of Full DMARC Automation

Assuming you can parse bad mail that isn’t from you and find those messages that are pretending to come from you, and that you know enough about your good mail to make the comparisons, the trick is to do this quickly enough to provide actionable intelligence that lets you shut down the bad domain before your customers start clicking on the (faux) President’s petition.

As it works out, when we put this in front of our team of data scientists and employed some big-data transformations, we found that imitators, like, stand out against the noise of millions of other types of bad email and the data we glean can be made actionable.

Unless they want to end up in the headlines, companies must take the proper steps to prevent cyber criminals from spoofing consumers with cousin domains. Implementing DMARC standards as well as working with security companies who are well versed in industry trends and commonalities are two of the first steps companies can take.

If you’d like to learn more about how Agari can help protect your company’s customers from being fooled by cousin domains, check out Agari Brand Protection™.
