What is Domain Doppelgänger? | Excel Office Services

Lauren Ashley

What is Domain Doppelgänger?

Domain Doppelgӓnger is KnowBe4’s web-based tool that performs searches specific to your organization’s domain and collects data on any potentially harmful or “evil twin” domains that the bad guys have registered with malicious intent. Since look-alike domains are a potential attack vector for phishing and other social engineering attacks, you can use this tool to monitor for potentially harmful domains that can spoof your website, email addresses, product, or organization name.

This tool also allows you to assess your users’ ability to recognize safe vs. unsafe domains. Your users are your last line of defense, and therefore it is vital that your users are trained to recognize these potentially harmful domains.

We believe knowledge is power, and by using the Domain Doppelgӓnger tool you can keep a closer eye on the risks of criminals spoofing your brand, product, or organization.

Jump To:
Get started: Request your Domain Doppelgӓnger analysis
First stage: Analyze your results
Second stage: User assessment
How can I inform my users about the domain assessment?
What can I do about this information?
FAQs

Get started: Request your Domain Doppelgӓnger analysis

You can obtain your free Domain Doppelgӓnger analysis by clicking here.
Be sure to fill out the form with your work email address. The domain in this email address will be used for the Domain Doppelgӓnger analysis and the report results will be delivered to this email address.

If your organization owns multiple domains and/or subsidiaries that you want to run the Domain Doppelgӓnger assessment for, you’ll need to submit additional forms using valid and active email addresses at the additional domains.

After submitting the form, you will receive an email containing your Domain Doppelgӓnger analysis results. The email will contain a PDF report with a summary of the data gathered about your look-alike domains. To fully evaluate the look-alike domains, you’ll want to visit the link included in this email. See the next sections for details on evaluating your Domain Doppelgӓnger results and sending the Domain Doppelgӓnger user assessment to your end users.

First stage: Analyze your results

The Domain Doppelgӓnger analysis searches for all available and purchased domains that are visually similar to your organization’s domain, and therefore, fit the criteria of one of our Doppelgӓnger domain Types: Hyphenation, Repetition, Replacement, Omission, Transposition, Bitsquatting, Insertion, Homoglyph, Vowel-swap, Addition, and Subdomain. You can find more information on these result Types in the table below.

Result categories

Both the PDF summary and the detailed Domain Doppelgӓnger analysis results include the number of look-alike domains that fall into one or more of the four categories explained below. From the detailed Domain Doppelgӓnger results, you can click on any of these categories to display the results meeting that category’s criteria.

Registered Domains, Private Domains, Mail Servers Available, and Web Servers Available

Registered Domains: This category represents the number of domain results that have been purchased and registered through a domain name registrar. This number includes both public and privately registered domains.
If these domains were not registered for your organization, there’s a possibility they were purchased with the intent to spoof your organization as a starting point for a phishing attack.

Private Domains: This category represents the number of domain results that have been purchased and registered privately through a domain name registrar.
If these privately registered domains were not purchased by your organization, there’s a possibility they were purchased with malicious intent. In these scenarios, privately registered domains are typically more difficult to have taken down.

Mail Servers Available: The domains included in this category have the ability to send and receive emails. This is determined by the existence of MX records in the Domain Name System (DNS) records (you can find more information on MX Records in the table below).
If these domains are not owned by your organization, you should consider the threat of phishing attacks from these similar-looking domains.

Web Servers Available: Domains included in this category have a web host, meaning a live site may exist at this web address. This is determined by the existence of NS (Name Server) records in the DNS records (you can find more information on NS Records in the table below).
If these domains are not owned by your organization, we recommend reviewing the information hosted on these sites using a protected, sandbox environment to ensure that your clients or employees are not being fooled by an imposter website.

Result details

The detailed Domain Doppelgӓnger results contain data applicable to your domain’s look-alikes. See below for an example of the detailed analysis results and an explanation of each column within the data table.

Domain Doppelgänger: Detailed Results Table

Column Title	Description
	The results that include this icon are privately registered domains. Most domain registrars offer private registration to protect the domain owner’s privacy and to avoid unwanted solicitation.
Type	Each look-alike domain will have one of the following Doppelgӓnger Types associated with it. The original domain will be signified with Original: Hyphenation:* A hyphen (or additional hyphen) is added to the actual domain. A familiar-looking domain with an added hyphen could fool an uneducated user during a phishing attack. Repetition: A single vowel or consonant from the actual domain is repeated consecutively. Hackers often buy such domains for cybersquatting, or more specifically, for typosquatting purposes. An uneducated user could overlook this double letter during a phishing attack, or anyone could accidentally “typo” their way to a malicious website. Replacement: A single vowel, consonant, or number from your domain is replaced with a different letter. Omission: A single vowel or consonant from your domain is omitted or excluded. Transposition: Two letters or numbers from your domain are switched in placement, and all other characters are in the appropriate position. Bitsquatting: These domains use character replacements based on characters that are one “bit” (i.e., 0 or 1) apart when the domain is translated into the binary language used by computers. This attack method consists of buying domains that are likely to be a result of a random memory error, causing a computer to make a binary “typo” during the DNS lookup. For example, KnowBe4 in binary is: 01001011 01101110 01101111 01110111 01000010 01100101 00110100 while CnowBe4 in binary is: 01000011 01101110 01101111 01110111 01000010 01100101 00110100 These examples are only one bit apart in binary language. Therefore, a hacker may buy Cnowbe4.com for the potential of a bitsquatting attack. Insertion: An additional number or letter is added somewhere within your domain. Vowel-swap: A vowel existing in your domain is replaced with a different vowel. Addition: An additional letter is added to the end of your domain name. Subdomain: Your domain is broken by a period, creating an entirely new domain. To the inattentive or untrained eye, this could appear to be a subdomain of your real domain. Homoglyph: Using foreign characters to spell seemingly recognizable domains. Punycode is the system used to convert characters that can’t be written in ASCII (American Standard Code for Information Interchange) into an ASCII encoding. These foreign characters can look very similar to letters in the English alphabet. When hovering over a URL, some browsers do not display these foreign characters as their English equivalent; therefore, further masking these unfamiliar characters.
Domain	A domain name is your address and identity on the Internet. Domain names are associated with and identify one or more IP addresses. They’re used in URLs to identify and access web pages.
IP	The IPv4 address associated with the domain (if applicable). The IPv4 address is determined from the A record (Address record) included in the domain’s DNS (Domain Name System) records. IP addresses are unique numerical identifiers assigned to every device connected to the Internet which are used to communicate with other devices. Web servers and mail servers are examples of devices that have an IP address.
IPv6	The IPv6 address associated with the domain (if applicable). The IPv6 address is determined from the AAAA record (quad-A record) included in the domain’s DNS records. IPv6 is the successor to Internet Protocol Version 4 (IPv4). Some domains will have IPv4 and IPv6 addresses.
NS Record	The name server (NS) for the domain (if applicable). The name server is determined from the NS record included in the domain’s DNS records. Name servers are typically provided by the domain’s web host, and they provide the ability to access web pages by domain name URLs, rather than having to type an IP address. The results including NS records have web servers available.
MX Record	The mail exchanger (MX) server for the domain (if applicable). Mail exchanger records (MX records) tell the Internet which mail servers accept incoming email for the domain, and where that email should be routed. The results including MX records have mail servers available.
WHOIS Link	Use this link to navigate directly to the ICANN (Internet Corporation for Assigned Names and Numbers) WHOIS website to see the full “WHOIS data” for the domain owner. ICANN searches databases of domain registrars worldwide to provide public access to data on registered domain names. If a domain is privately registered, the WHOIS information will show information for a proxy company acting on the domain owner’s behalf.
Rank	Each result that is a registered domain (private or public) will have a ranking assigned to it. The ranking is based on how many details were gathered about the domain. See the details below for the individual “result detail” points attributed to the ranking. Private Registration: +10 points NS Record (Web Server): +10 points MX Record (Mail Server): +10 points IPv4 or IPv6 Address: +10 points Each additional IP Address: +1 point

Result reports

You can use sorting, search terms, and search filters to display the desired data in the Domain Doppelgӓnger results table. See below for more information.

Search filters, search terms, sort columns, expand results

Search Filters: You can apply any of these search filters when you submit a term in the search bar. For example, if you want to see all of the look-alike domains that are categorized as Bitsquatting, type “Bitsquatting” into the search bar and check the Type search filter.
Search Bar: Use the search bar to enter any term you’d like to reflect in the results.
For example, if you know your organization does not use “DNS Made Easy” for any DNS services, you may want to search the term “dnsmadeeasy” and check the NS Record search filter to display the domains having NS Records with this company, in order to further investigate.
If you want to create a new search, clear the search bar to reset your search.
Sort Arrows: Use the arrows in the column headers to re-sort that column as well as the entire data table.
Expand Data Arrow: If a row includes an expand arrow, there is more information available for one or more of the following data columns: IPv4, IPv6, NS Record, or MX Record. You’ll see the additional information once you’ve expanded the data row.

5. Download CSV button 6. Delete Analysis

Download CSV: You’ll find this button at the bottom of the page, below the data table. You can download a CSV report of all results, or any display of data that you’ve generated using the search bar and search filters. The CSV report will always reflect the data currently shown in the results table.
Delete Analysis: If you want to delete your analysis results, you’ll use this button at the bottom of the results page.

Second stage: User assessment

Once you’ve reviewed your Domain Doppelgӓnger results, you’ll want to test your end users’ awareness of the dangers of look-alike domains. Follow the steps below to set up your user assessment.

From the Domain Doppelgӓnger results page, click the Test your users button, located at the top right of the page.

Review the domains highlighted in green, located on the left side of the page. These domains were pre-selected for your user assessment, but can be modified as needed.

By default, the selected results are the highest-ranked Doppelgӓnger domains. For an accurate user assessment, ensure these domains are not owned by your organization.

Click on any row of domain data to select or deselect this domain for use in your user assessment. You must select nine Doppelgӓnger domains to use in the assessment before you can proceed.

Using the search bar and search filters, you can search for any specific domain, Doppelgӓnger Type, or Doppelgӓnger Rank from this list of results.

As you select and deselect the domains, you’ll see the assessment’s answer options automatically change in the Assessment Preview, shown on the right side of the screen.
By default, Show user assessment results after completion will be checked, as shown below. Leave this enabled if you’d like your users to see how they performed on the assessment.
Once you’ve selected the domains you’d like to include, click the Get Assessment Link button at the top right of the page.
Distribute the assessment link to your end users. We’ve provided an example email you can use to distribute the assessment and request that your users complete it. You’ll find this email at the bottom of this article, here.

Analyzing the user assessment

All user assessment results are anonymous. You can review the user assessment results in real time by clicking the View Assessment Results button from the assessment confirmation page.
If you’ve closed this browser page, you’ll be able to access your user assessment results from the link in the “Your Domain Doppelgänger results are ready” email you initially received.

View Assessment Results

Once you’ve given your employees time to complete the assessment, use this page to view the assessment results.

Assessment Overview

1. 1. Here you can see the total number of assessments that have been completed from the link you’ve distributed.
  2. If you need to resend the assessment link or send it to additional users, you’ll find the link here.
  3. The Overall Assessment Results provides an overview of the number and percentage of users who passed or failed the assessment as a whole.
    Users must answer all three questions correctly to pass the assessment. Assessments with one or more incorrect answers will count as a failed assessment.
  4. The Overall Questions Results provides the number and percentage of correct and incorrect responses across all users and all assessment questions.

Assessment Question Overview

Each individual question will also show a bar graph representing the percentage of users who answered the question correctly vs. incorrectly.

Assessment Question Overview

If you’d like to reset or recreate your user assessment, use the Reset Assessment button in the bottom right corner of the Assessment Results page.

How can I inform my users about the domain assessment?

Below you’ll find a customizable email that you can send to your users to distribute the Domain Assessment. The email provides an overview of why it’s important to know the difference between safe and unsafe links and requests that the users complete the quiz.
Be sure to modify the sample by adding your organization’s name and your unique assessment link.

Cybersecurity attacks are on the rise and [[Company Name]] is determined to stay vigilant and defend our organization against hackers and social engineering attempts.

One major attack method that hackers are using lately is to buy similar-looking website domains so they can launch phishing attacks or gather sensitive information. As one of our employees, you must learn the difference between safe and unsafe links to avoid falling for this kind of attack.

Please take the quiz below to ensure that you can help guard our organization against social engineering attacks. Your quiz results are completely anonymous.
Copy and paste this link into your browser to take the quiz: [[your link here]]

Thank you for helping us build a strong “human firewall” in our organization.

What can I do about this information?

Domain Doppelgӓnger empowers you with the necessary understanding of the risks that may be associated with look-alike domains. This information can help you protect your organization from phishing attacks and help you prevent potential damage to your organization’s reputation.

Do your research. Understand the Doppelgӓnger Types and the risks associated with each. Find the domains that have web servers and use a protected, sandbox environment to review what information is hosted on these sites. If you suspect malicious activity or fraudulent intent, reach out to the web hosting company and/or domain name registrar to report the website. You can find this information by looking at the domain’s Whois record, linked to each Domain Doppelgӓnger result.

Business email compromise, a type of phishing scam, is a common threat–especially when your organization has look-alike domains. Firewalls and email filters play their roles in protecting your organization from imposters and spoofed domains, but this is not a catch-all solution. Use the awareness gained from your Domain Doppelgӓnger results and proactively set up the appropriate rules to block mail flow and network traffic to and from these “evil twin” domains.

Train your users. Depending on how your users answered the domain assessment questions, they’ll be provided with explanations of why their answers were correct or incorrect, but this information must be reinforced. You’ll find the “Detecting Domain Doppelgӓngers” PDF on the user assessment overview page, share these helpful tips with your users. You also should immediately enroll your users in security awareness training and phishing campaigns to ensure they have the skills they need to become a strong human firewall for your organization. We can help with this!

You could even craft simulated phishing emails from your look-alike domains to see how vulnerable your users would be if they came in contact with one of these “evil twins”.

Frequently Asked Questions (FAQs)

Q: I haven’t received my Domain Doppelgӓnger analysis results, what should I do?
A: If you’ve submitted your request for the Domain Doppelgӓnger and haven’t received it after approximately 2 hours, please check your spam filter. If you cannot find your analysis results there, contact our Support team here.

Q: What Top-Level Domains (TLDs), such as .com, .org., .net, etc., are included in the Domain Doppelgӓnger analysis?
A: The Doppelgӓnger analysis searches for look-alike domains with the same top-level domain as your own.
If feasible for your organization, it would be ideal to own your organization’s name in all of the “open” TLDs. See this (external) page for more information on the “open” top-level domains.

Q: I received homoglyph domains in my analysis results. How can I identify the domain names that would need to be registered to own my “homoglyph” look-alike domains?
A: You can use online sources such as https://www.punycoder.com/, to decode the homoglyph domains’ Punycode.

Q: I have a .edu (or other limited) domain. Why didn’t I receive any Domain Doppelgӓnger results?
A: Certain top-level domains (TLDs) such as .edu, .int, .gov, and .mil, are limited to specific types of institutions, organizations, or government sectors. Legitimacy must be verified before owning these web addresses–making look-alike domains much less likely to exist.

Q: Can I modify the questions in the Domain Doppelgӓnger user assessment?
A: The user assessment questions and answers are designed for end users with basic to moderate cybersecurity knowledge, for the purpose of enhancing awareness of look-alike domains.
If your users’ assessment performance is not what you expected, we strongly suggest enrolling them into security awareness training and simulated phishing tests to improve the strength of your human firewall. We can help! If you’re not already a customer, contact sales@knowbe4.com if you’d like more information.