Permutation strategies
Flare applies over a dozen fuzzy match algorithms to identify potential impersonators. To maintain high fidelity and reduce "noise," we generally focus on single-strategy permutations, with specific high-risk exceptions (such as combining a typo with a TLD swap).

| Strategy | Example | Description |
|---|---|---|
| Addition | example1.com, example2.com, examplez.com | Add a letter to the end of the word. |
| Bitsquatting | exampme.com, exampke.com, exampie.com | What results when a single bit is flipped in the binary representation of a letter, often used for malicious purposes. |
| Hyphenation | e-xample.com, ex-ample.com, exam-ple.com | Insert a hyphen into various positions. |
| Insertion | exampmle.com, exampqle.com, exarmple.com | Insert an extra letter in the word. |
| Omission | exampel.com, exmple.com | Remove a letter. |
| Plural | examples.com | Add an s to the end of the word to make it plural. |
| Repetition | examplee.com, eexample.com, exxample.com | Repeat one letter twice in the word. |
| Replacement | exampke.com, exanple.com, ezample.com | Replace a single letter with another letter in the alphabet. |
| Subdomain | ex.ample.com, exam.ple.com | Split the original domain into a subdomain separated by ".". |
| Transposition | exampl.com, xeample.com | Move a letter one direction to the right inside the word. |
| Vowel swap | eximple.com | Replace vowels with other vowels. |
| Homoglyph | exampie.com, exarnple.com | Replace letters with similar-looking characters from other alphabets. |
| Cyrillic | exampie.com, exampie.com | Replace a letter with a nearly identical-looking character from the Cyrillic alphabet. |
| Dictionary | example-login.com, login-example.com, examplelogin.com, loginexample.com | Insert a word into the domain according to a dictionary (suffix/prefix with or without '-'). |
| TLD swap | example.ca | Swap the original TLD (e.g., .com) with a different TLD (e.g., .ca). |
| Subdomain swap | example.pages.dev, example1.pages.dev, exampme.pages.dev, e-xample.pages.dev, examples.pages.dev, exampel.pages.dev, examplee.pages.dev, exampke.pages.dev, ex.ample.pages.dev, eximple.pages.dev, example-login.pages.dev, loginexample.pages.dev | Use the original domain string (and various permutations) as a subdomain of a different root domain. |

Short domain logic

For domains of 3 characters or less (e.g., abc.com), Flare excludes certain strategies: insertion, omission, replacement, transposition, plural, addition, bitsquatting or vowel swaps. This prevents the system from flagging thousands of legitimate, unrelated three-letter businesses.

High risk dictionary terms

One of the most common tactics in phishing is the use of keywords appended to a brand name to create a sense of legitimacy or urgency. Flare's dictionary strategy specifically monitors for these additions. Instead of looking for random character strings, our engine matches your domain against a curated list of high-risk prefixes and suffixes. This helps identify "social engineering" domains designed to trick employees or customers into performing specific actions.

To maintain the highest detection accuracy, the dictionary list is updated periodically based on emerging threat trends observed across our global telemetry. The following terms are monitored: rh, hr, profile, login, account, portal, payments, admin, pages, corp.

Formatting variations

Our dictionary engine is designed to catch multiple variations of how these words are attached to your identifier:

Suffixes: example-login.com or examplelogin.com

Prefixes: login-example.com or loginexample.com

If you would like a term to be added to the list, please reach out to Flare's support team.

Subdomain swapping & platform impersonation

In addition to traditional domain registrations, attackers frequently leverage legitimate "software as a service" (SaaS) and hosting platforms to host phishing pages. This is known as subdomain swapping. Because these platforms often provide free SSL certificates and carry a high reputation, malicious subdomains can easily bypass basic email filters and look legitimate to the untrained eye.

Currently we only support Cloudflare Pages, pages.dev, which are popular hosting sites for phishing pages. We do this for the following permutation types: dictionary, addition, bitsquatting, insertion, omission, plural, repetition, replacement, transposition, vowel swap.

Certstream only strategies

Some strategies are possible to use with Certstream only, since they would be prohibitively expensive to generate and check against dnstwist. Since we get incoming certificates, we can employ these strategies to compare with the incoming domain and produce additional matches.

| Strategy | Example | Description |
|---|---|---|
| Starts with | example.com, example-something.com | Similar to dictionary, but does not rely on a dictionary for the comparison. This only runs for domains of 4 characters or more. |
| Ends with | example.com, something-example.com | Similar to dictionary, but does not rely on a dictionary for the comparison. This only runs for domains of 4 characters or more. |
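
To make the strategies above concrete, here is an added Python example (not Flare's code) that generates a subset of the single-strategy permutations for a monitored domain, applies the short domain logic, and labels an observed domain with the strategy that explains it, including the pages.dev subdomain swap and the Certstream-only starts with / ends with comparisons. The function names and the choice of which strategies to implement are assumptions made for illustration.

```python
import string

# Added example, not Flare's code. Terms and exclusions are taken from the page.
TERMS = ("rh", "hr", "profile", "login", "account", "portal",
         "payments", "admin", "pages", "corp")
SHORT_EXCLUDED = {"omission", "transposition", "plural", "bitsquatting"}
PLATFORM = "pages.dev"  # the only platform the page says is supported
ALNUM = set(string.ascii_lowercase + string.digits)

def permutations(label):
    """Map each single-strategy permutation of `label` to its strategy."""
    out = {}
    def add(strategy, cand):
        if len(label) <= 3 and strategy in SHORT_EXCLUDED:
            return  # short domain logic: too many legitimate collisions
        if cand != label:
            out.setdefault(cand, strategy)
    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])
        add("repetition", label[:i] + ch + label[i:])
        if i + 1 < len(label):
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
        for bit in range(8):  # flip one bit of the character code
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALNUM:
                add("bitsquatting", label[:i] + flipped + label[i + 1:])
    add("plural", label + "s")
    for term in TERMS:
        for cand in (f"{label}-{term}", label + term,
                     f"{term}-{label}", term + label):
            add("dictionary", cand)
    return out

def classify(incoming, monitored):
    """Name the strategy linking `incoming` to `monitored`, or None."""
    label, _, tld = monitored.lower().partition(".")
    name, perms = incoming.lower().rstrip("."), permutations(label)
    if name.endswith("." + PLATFORM):
        sub = name[: -len(PLATFORM) - 1]
        return "subdomain swap" if sub == label or sub in perms else None
    in_label, _, in_tld = name.partition(".")
    if in_tld != tld:  # combined strategies are out of scope in this sketch
        return "tld swap" if in_label == label else None
    if in_label in perms:
        return perms[in_label]
    if len(label) < 4 or in_label == label:
        return None  # starts with / ends with need 4+ characters
    return ("starts with" if in_label.startswith(label) else
            "ends with" if in_label.endswith(label) else None)
```

For example, `classify("exampme.com", "example.com")` returns `"bitsquatting"`, while `classify("abcs.com", "abc.com")` returns `None` because the plural strategy is skipped for a three-character label.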