Brand Impersonation

Spot the Difference: Domain Twists

Sometimes all it takes is a tiny domain twist, one extra letter, to fool a busy finance rep into sending $50,000 to cybercriminals.

Cybercriminals know that most of us read with a "mental autocorrect" on, so our eyes skip right over small changes in domain names. To show how easy it is to get tricked, here's a little "spot the difference" game. Look at each pair below and see whether you can tell the real domain from the imposter. Some are obvious; others might fool you at first glance!

  1. amɑzon.com vs. amazon.com
    • Fake twist: Replacing the letter "a" with a similar-looking character from another alphabet.
  2. go0gle.com vs. google.com
    • Fake twist: Swapping the letter "o" for the digit "0."
  3. mıcrosoft.com vs. microsoft.com
    • Fake twist: Substituting a Turkish dotless "ı" (U+0131) for a standard "i."
  4. netflx.com vs. netflix.com
    • Fake twist: Simply removing one letter ("i").
  5. faceboook.com vs. facebook.com
    • Fake twist: Adding an extra "o" in the middle.
  6. linkedn.com vs. linkedin.com
    • Fake twist: Dropping the "i" to make it appear the same at first glance.
  7. paypa1.com vs. paypal.com
    • Fake twist: Replacing the letter "l" with the digit "1."
  8. twittter.com vs. twitter.com
    • Fake twist: Adding an extra "t."
  9. appIe.com vs. apple.com
    • Fake twist: Using a capital "I" in place of a lowercase "l." Domain names are case-insensitive, so this registers as appie.com; the trick works only where a sans-serif font renders "I" and "l" alike.
  10. youtubе.com vs. youtube.com
    • Fake twist: Replacing "e" with a Cyrillic "е" (looks almost identical but is a different character).

Phishing: An Old Trick With a 2025 Makeover

Phishing is still the king of domain-based threats, but attackers are continually reinventing it.

A real-world example is the combosquatting domain wellsfargointernet[.]com, which pairs the brand name with an ordinary word and looks close enough to the real thing to fool busy customers. The site copies the official Wells Fargo layout and sends visitors to a counterfeit login page that harvests credentials.

Malware Distribution: Disguised Downloads and Deadly Payloads

Cybercriminals aren’t just interested in tricking you with bogus login screens; they also use lookalike sites to host malware in plain sight. For instance, a domain like microsoft-msteams[.]com can appear legitimate enough to fool anyone looking for the official Teams software.

The twist? Visitors are led through a carefully staged sequence, often kicked off by a malicious ad in search results. After landing on the phony page, complete with a fake Cloudflare check or an "Update Required" prompt, they are urged to click a "Fix It" button. Behind the scenes, that button silently copies a PowerShell one-liner to the clipboard, and the page then tells the user exactly what to do with it: press Windows+R, paste, and hit Enter. Those three actions launch a hidden download that fetches and installs the malware, with the victim, not the browser, doing the executing.

The next phase unfolds under the radar. Once the file executes, it typically calls home to a command and control (C2) server and relays key information about the compromised system, such as the operating system, user privileges, or other installed software. From there, the malware can go on to deploy info-stealers, remote access trojans, or any number of additional payloads aimed at gathering credentials, tracking user activity, or spreading laterally across networks.

This "copy/paste to infect" approach echoes the growing trend of social engineering attacks that focus on persuading people to perform seemingly innocuous actions. In many cases, these campaigns originate from malicious ads targeting common search terms, making it easy for anyone, from casual home users to rushed corporate employees, to land on a well-crafted imposter domain. By the time the infected machine starts pinging the C2 server, the stage is set for data exfiltration, credential theft, or deeper infiltration into an organization’s network.

Reward Scam

Another emerging scheme promises enticing rewards like a free music subscription or concert tickets and funnels unsuspecting visitors through a quiz that appears to gather feedback on songs. An example is spotifypay[.]app, which specifically targets Brazilian users.

The site walks them through simple questions about their listening habits, but regardless of the answers, every participant is declared a winner. At that point they are prompted to provide personal information, including their name, email address, phone number, and Pix key (the identifier used by Brazil's instant payment system). While the page claims it needs these details to deliver the reward, it appears to be a data-harvesting operation whose haul is destined for further fraud against the same users.

False Billing Scam: The Netflix Twist

Taking a page from the re-bill scam playbook, threat actors are now leveraging Netflix’s brand to coerce users into handing over sensitive information. One notable example is the domain mon-espace-netflix[.]com, which appears to target French-speaking audiences (likely in France or Canada) by mimicking the official Netflix login environment.

The hook? An alarming message claiming the user’s account is "temporarily suspended" due to billing issues, creating a sense of urgency to "fix" the problem within two days.

While the first stage steals Netflix credentials, the real goal emerges in the second: harvesting personal and credit card details under the guise of restoring service. Netflix does not require two-factor authentication, so the stolen logins can be reused or sold right away.

By playing on the fear of losing access to a favorite streaming service, these scammers push users to hand over not just their login information but also their financial data, all under the false pretense of an overdue subscription charge.

Malware Distribution: The Hidden Microsoft Teams Trap

A similar combosquatting domain, microsoftteamsi[.]com, has been spotted hosting a malicious file masquerading as the official Teams installer.

While the URL might look convincing at a glance, unwary visitors who download the fake setup are, in reality, retrieving a Trojan designed to hijack user credentials and evade antivirus detection.

After execution, this malware phones home to its command-and-control server with key system details, allowing attackers to deploy spyware, keystroke loggers, or even ransomware behind the scenes.

The end result? Compromised accounts, stolen data, and a high risk of lateral spread within corporate networks—all from a single, deceptively familiar domain.

IOCs

Malware/Phishing Domains

wellsfargointernet[.]com
microsoft-msteams[.]com
spotifypay[.]app
mon-espace-netflix[.]com
microsoftteamsi[.]com

How to Detect Brand Impersonation with Monids

Our platform simplifies the process of catching suspicious domains before they cause harm. Here’s how you can monitor your brand names or key terms on Monids:

  1. Search for New Domains:
    Head over to the “Search Domains” page and enter your brand name or associated keywords. Our search will scan recently registered domains, helping you spot potential lookalikes or typo-twists early.
  2. Create an Alert:
    Navigate to “My Alerts,” then click on “Create Alert.” Enter your main brand keyword (e.g., “paypal”), choose Full or Fuzzy match, and optionally add extra Include or Exclude keywords to fine-tune your results.
  3. Enable Fuzzy Matching:
    If you’re worried about subtle character swaps (like “paypa1.com”), set the alert to Fuzzy. Monids automatically detects near-miss domains that replace or remove letters, so even minor twists don’t slip under the radar.
  4. Receive Real-Time Notifications:
    Once your alert is active, we’ll email or Slack you (depending on your Alert Preferences) the moment a suspicious domain surfaces. You can review the domain details and screenshots on the “Alert Events” page.
  5. Investigate and Takedown:
    If a newly registered lookalike domain is malicious, use our Takedown or Blacklisting features to neutralize it. We’ll coordinate with registrars and industry watchdogs, ensuring fraudulent sites come down quickly.

By setting targeted alerts and monitoring them regularly, you can stay one step ahead of cybercriminals who rely on brand confusion and user oversight.