Introducing Elfin

–The homoglyph domain variant finder–

While we wait for our anti-phishing technology to improve (see Veerless), it seems proactive for companies to try to acquire some of the cheap domains that look similar to theirs.

There are a couple of ways to do ‘lookalikes’:

Case Study - Cloudflare.com

The reverse whois lookup for registrar: “CLOUDFLARE, INC.” returns all of these.

So they went to the length of purchasing “clloudfllare.com”; however, that isn’t nearly as effective an attack as “cIoudflare.com” (notice that the second letter of the domain is actually an uppercase “i”). The horrible thing about the more common web fonts like Arial is that they have little or no tracking, high kerning, and they are often sans-serif, so it’s very tricky to spot these frauds.

Here’s an example of the ones that Elfin found that Cloudflare should look into - https://elfin.josephkirwin.com/search?q=cloudflare.com
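The two lookalike styles in this case study (doubled letters and the uppercase “i” standing in for “l”) can be checked defensively by reducing each name to a canonical “skeleton” and comparing it with the brand’s. This is an added example, not Elfin’s code: the function names, the small confusable table and the observed-domain list are constructed for illustration, and it assumes simple `label.tld` names.

```python
import re

# Constructed subset of character sequences that render alike in common
# sans-serif fonts, each mapped to one canonical form. DNS names are
# case-insensitive, so a registered "i" can be shown to a reader as "I",
# which is why "i" folds into "l" here.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("i", "l"), ("1", "l"), ("0", "o")]


def skeleton(label: str) -> str:
    """Reduce a label to a canonical form so that lookalikes compare equal."""
    s = label.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    # Collapse repeated letters, the "clloudfllare" style of lookalike.
    return re.sub(r"(.)\1+", r"\1", s)


def find_lookalikes(brand: str, observed: list[str]) -> list[str]:
    """Return observed domains whose skeleton matches the brand's.

    Assumes two-part names (label.tld); only same-TLD names are compared.
    """
    brand = brand.lower().rstrip(".")
    brand_label, _, brand_tld = brand.rpartition(".")
    target = skeleton(brand_label)
    hits = []
    for name in observed:
        name = name.lower().rstrip(".")
        label, _, tld = name.rpartition(".")
        if name != brand and tld == brand_tld and skeleton(label) == target:
            hits.append(name)
    return hits


# Constructed watch list, e.g. names pulled from a new-registration feed.
OBSERVED = [
    "cloudflare.com",    # the brand itself, never reported
    "clloudfllare.com",  # doubled letters (from the case study)
    "cIoudflare.com",    # uppercase "i" in place of "l" (from the case study)
    "c1oudflare.com",    # digit one in place of "l"
    "cl0udflare.com",    # zero in place of "o"
    "cloudfare.com",     # dropped letter: outside what this skeleton covers
    "example.com",       # unrelated
]

if __name__ == "__main__":
    for domain in find_lookalikes("cloudflare.com", OBSERVED):
        print("lookalike:", domain)
```

Names with a dropped or swapped letter are not caught by this skeleton and need a separate edit-distance check.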

Conclusion

Services like MarkMonitor can be very expensive and actually not comprehensive in acquiring all the domains that attackers may use to phish your customers. Instead, I implore you to go try Elfin (it’s free ††) and see what homoglyph domain variants it can find for you!

https://elfin.josephkirwin.com

†† - note, you still need to purchase the domains yourself, but they’re usually pretty cheap compared to the cost of phishing :D