Doppelgänger domain names 1,2 are a subcategory in the larger issue of Typosquatting 3 in the Domain Name System (DNS) 4. A doppelgänger domain is typically correctly spelt but with some manipulation of the dots between host and domain name, for example, www.google.com is different from wwwgoogle.com.

The reasons for registering and running services on doppelgänger domains vary widely with either mischievous or malicious intent. It could be for a lark; to make a political statement; to embarrass or harass, or as part of a broader cyber attack strategy. In all cases, the intent is to re-direct traffic (the web, email etc.) away from the legitimate domain and to the doppelgänger domain.

Regardless of the motivations and intentions of any given doppelgänger, it should be accepted that the Domain Name System allows users to register domain names and that a one character difference between two given domain names makes them both unique and valid within the DNS system. They can then be owned and controlled by two different entities. This technical differentiation does not always sit well with the owner of the original domain, if a doppelgänger domain is being used in “bad faith” or with “malicious intent”. So the Internet Corporation for Assigned Names and Numbers (ICANN), created a Uniform Domain-Name Dispute-Resolution Policy (UDRP) 5 process for the resolution of disputes regarding the registration of internet domain names. Having this formal and legally binding process is a good thing. However wouldn’t it be better to avoid getting into a dispute to start with? Wouldn’t it be better to own and control “all” possible look-a-like domains in the first place?

But registering “all” possible doppelgängers and setting up re-directs to the “real” domain is an impractical and costly strategy: there are currently more than 1,000 top-level domains (TLDs) and country code top-level domains (ccTLDs), and, in the case of typosquatting, the more characters in your domain name the greater the number of possible doppelgänger domains. This means that many thousands of domains would need to be registered.

A more realistic and cost-effective strategy would be to only register the most likely and most common doppelgänger domains. Here we investigate the prevalence and control of .com doppelgänger domain names and use the knowledge gained to build a recommended list of .com doppelgänger domains that should be pre-emptively registered.

Methodology

This investigation uses the top 5000 .com domains from the Alexa.com 6 daily index of the top one million sites. All of these domains support some form of on-line presence: store, webmail, search engine, social network or marketing website. Millions of users visit their websites and contact them via email every day.

The definition of a doppelgänger domain was extended beyond just the manipulation of the dot to include some techniques borrowed from typosquatting (prepending www and www-) and TLD/ccTLD squatting (replacing the .com TLD with look-alike ccTLDs), while keeping the primary assumption that the spelling of the domain name itself is identical. This provides a larger, more representative sample of the styles of doppelgänger domain names in use and generates more extensive and varied results.

This strategy produced ten manipulations of the .com TLD using the ccTLDs .cm, .co and .om, each combined with two variations of the optional World Wide Web www host prefix, producing 30 candidate doppelgängers for each legitimate domain.

 #  no prefix                 #  www prefix                  #  www- prefix
 1  [domain] .com (real)
 2  [domain] c.co            12  www [domain] c.co           22  www- [domain] c.co
 3  [domain] c.om            13  www [domain] c.om           23  www- [domain] c.om
 4  [domain] .co             14  www [domain] .co            24  www- [domain] .co
 5  [domain] .co.om          15  www [domain] .co.om         25  www- [domain] .co.om
 6  [domain] .com.co         16  www [domain] .com.co        26  www- [domain] .com.co
 7  [domain] .om             17  www [domain] .om            27  www- [domain] .om
 8  [domain] .om.co          18  www [domain] .om.co         28  www- [domain] .om.co
 9  [domain] .om.com         19  www [domain] .om.com        29  www- [domain] .om.com
10  [domain] .com.om         20  www [domain] .com.om        30  www- [domain] .com.om
11  [domain] .cm             21  www [domain] .cm            31  www- [domain] .cm


.cm  Cameroon 7   A local entity/company in Cameroon is required to register a domain name.
.co  Colombia 8   Marketed as a global domain; anyone can register.
.om  Oman 9       The registrant must have a company or trademark registered in Oman.


For this investigation, we used dig (domain information groper) 10,11 as the primary investigatory tool, and used the value of each domain’s DNS Start of Authority (SOA) 12 record as the determiner, following this process and logic:

  • A “dig @8.8.4.4 [domain].com SOA” query was sent (via Google’s public resolver 8.8.4.4) for the legitimate domain to determine the name server declared in its SOA record.
  • For each candidate doppelgänger, a “dig @8.8.4.4 *[domain]* SOA” query (where the asterisks stand for the prefix and TLD manipulation from the table above) was sent to determine whether or not the candidate domain is “resolvable” and therefore exists.
  • Each resolvable candidate’s SOA record was compared with that of the “legitimate” domain. If they matched, we inferred that the domain owner has control over that doppelgänger; if they did not, we inferred that the domain owner does not control the doppelgänger and that it could therefore be used for nefarious activities.

For example:

$ dig @8.8.4.4 google.com SOA

$ dig @8.8.4.4 googlec.co SOA

In these two examples, the legitimate domain google.com declares ns1.google.com as the name server in its SOA record, whereas the googlec.co domain declares elinore.ns.cloudflare.com. So we determine that the doppelgänger googlec.co exists and that google.com is not in control of it.

Caveat: The assertion of “control” based on the comparison of SOA records does not hold true in all cases! Discerning the “true” owners for each domain would be a long and arduous task and is therefore outside the scope of this investigation. We are making a generalising assumption of control, based on the fact that “most” companies consolidate their DNS services to one set of servers, under one domain and/or one DNS provider. Any that fall outside of this assumption will be outliers and represent a small but extremely hard to define variance in the overall control statistics.
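The candidate generation and SOA-comparison logic described above, as an added example that is not the article’s own tooling: the DNS lookup is injected as a function so the code runs offline, and the sample SOA data for example.com is constructed, not real query results.

```python
# Added example (not the article's code): build the 30 candidate doppelgängers
# from the table above and apply the SOA-comparison test. The lookup function
# is injected so this runs offline; the sample SOA data below is constructed.

CCTLD_FORMS = ("{d}c.co", "{d}c.om", "{d}.co", "{d}.co.om", "{d}.com.co",
               "{d}.om", "{d}.om.co", "{d}.om.com", "{d}.com.om", "{d}.cm")
PREFIXES = ("", "www", "www-")

def candidates(com_domain):
    """Return the 30 candidate doppelgängers for a .com domain such as 'example.com'."""
    if not com_domain.endswith(".com"):
        raise ValueError("expected a .com domain")
    label = com_domain[:-len(".com")]
    return [p + form.format(d=label) for p in PREFIXES for form in CCTLD_FORMS]

def classify(com_domain, lookup_soa):
    """Map each candidate to 'unregistered', 'controlled' or 'uncontrolled'.
    lookup_soa(name) returns the SOA name server (MNAME) as dig shows it,
    or None when the name does not resolve (NXDOMAIN)."""
    legit = lookup_soa(com_domain)
    if legit is None:
        raise ValueError(f"no SOA record for legitimate domain {com_domain}")
    legit = legit.rstrip(".").lower()
    verdicts = {}
    for name in candidates(com_domain):
        mname = lookup_soa(name)
        if mname is None:
            verdicts[name] = "unregistered"          # does not exist in DNS
        elif mname.rstrip(".").lower() == legit:
            verdicts[name] = "controlled"            # same SOA: assumed owner
        else:
            verdicts[name] = "uncontrolled"          # different SOA: third party
    return verdicts

def summarise(verdicts):
    """Count candidates per verdict, as the article tallies per domain."""
    counts = {"unregistered": 0, "controlled": 0, "uncontrolled": 0}
    for v in verdicts.values():
        counts[v] += 1
    return counts

# Constructed sample data standing in for dig output (not real query results).
SAMPLE_SOA = {
    "example.com": "ns1.example.com.",              # the legitimate domain
    "example.co": "ns1.example.com.",               # same SOA -> controlled
    "examplec.co": "dns1.parking-provider.test.",   # different SOA -> uncontrolled
    "wwwexample.co": "dns1.parking-provider.test.",
}
```

For live use, replace SAMPLE_SOA.get with a function that queries a resolver (for instance via dnspython) and returns None on NXDOMAIN.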

Findings

The prevalence of .com doppelgängers:

dig SOA queries were made for each of the 5000 legitimate .com domains and for each of their 30 candidate doppelgänger domains. This returned a total of 9938 SOA records: 5000 for the legitimate domains and 4938 for potential doppelgänger domains.

[Figure: potential doppelgängers]

Potential doppelgängers within the .co ccTLD are by far the most prevalent, with a combined total of 4707 (95.32%) of the 4938 found, whereas .om at 164 (3.32%) and .cm at 66 (1.34%) combined pale in comparison. The disparity between them is likely due to the registries’ registration requirements: a registered company is required for .cm and .om domains, versus no requirements at all for a .co domain.

[Figure: .co versus .cm & .om]

No doppelgängers were found for 1631 of the 5000 domains tested, while 3369 have one or more doppelgängers. The distribution of the number of doppelgängers per domain tails off sharply once one doppelgänger exists.

[Figure: doppelgänger counts per domain]


The control of .com doppelgängers:

Comparison of the legitimate vs. doppelgänger SOA records reveals that only a very small percentage of doppelgänger domains share the same SOA as their legitimate domain, which implies that the vast majority of doppelgängers are not controlled by the legitimate domain owners.

[Figure: control counts]

Nine of the top ten SOA domains that publish and control the DNS entries for the doppelgänger domains belong to domain parking 13 and domains-for-sale businesses. This implies that the doppelgängers have been registered but are not necessarily in active use.

[Figure: SOA domains]

MarkMonitor, the remaining one of the ten, is a company that provides digital brand protection services, including DNS services, which implies that those legitimate domain owners have engaged MarkMonitor to register and redirect the doppelgänger domains on their behalf.

Conclusion

Based on a list of the top 5000 .com domains, we found that 3369 (67.38%) of them have one or more doppelgänger domain(s) associated with them. We also found that doppelgängers are most prevalent within the .co ccTLD, which accounted for 4707 (95.32%) of all doppelgängers found.

If you are a .com domain owner, or plan to be, a rational and cost-effective strategy for registering and redirecting your doppelgänger domains would be to own at least the top five doppelgänger variants within the .co ccTLD, which would cover 90% of the most likely potential doppelgängers:

  1. [your domain] .co
  2. [your domain] .com.co
  3. www [your domain] .co
  4. [your domain] c.co
  5. www [your domain] .com.co


Notes

  1. A doppelgänger or doppelga(e)nger is a look-alike or double of a living person … “Doppelgänger.” Wikimedia Foundation, Inc., 30 May 2017. Web. 6 Jun 2017.
  2. A doppelgänger domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes … “Doppelganger domain.” Wikimedia Foundation, Inc., 6 March 2017. Web. 6 Jun 2017.
  3. Typosquatting, also called URL hijacking, a sting site, or a fake URL … “Typosquatting.” Wikimedia Foundation, Inc., 23 May 2017. Web. 6 Jun 2017.
  4. The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network … “Domain Name System.” Wikimedia Foundation, Inc., 5 June 2017. Web. 6 Jun 2017.
  5. Disputes alleged to arise from abusive registrations of domain names (for example, cybersquatting) may be addressed by expedited administrative proceedings that the holder of trademark rights initiates by filing a complaint with an approved dispute-resolution service provider … “Uniform Domain-Name Dispute-Resolution Policy.” Internet Corporation for Assigned Names and Numbers, 2017. Web. 6 Jun 2017.
  6. Alexa is a global pioneer in the world of analytical insight … Alexa Internet, Inc., 2017. Web. 6 Jun 2017.
  7. Delegation Record for .CM. “Cameroon.” Internet Corporation for Assigned Names and Numbers, 12 July 2012. Web. 6 Jun 2017.
  8. Delegation Record for .CO. “Colombia.” Internet Corporation for Assigned Names and Numbers, 09 March 2017. Web. 6 Jun 2017.
  9. Delegation Record for .OM. “Oman.” Internet Corporation for Assigned Names and Numbers, 29 December 2015. Web. 6 Jun 2017.
  10. dig (domain information groper) is a network administration command-line tool for querying Domain Name System (DNS) servers … “dig (command).” Wikimedia Foundation, Inc., 7 April 2017. Web. 6 Jun 2017.
  11. Heinlein, Paul. “DiG HOWTO - How to use dig to query DNS name servers.” madboa.com, 11 May 2006. Web. 6 Jun 2017.
  12. A start of authority (SOA) record is information stored in a domain name system (DNS) zone about that zone and about other DNS records … Rouse, Margaret. “Start of Authority record.” SearchNetworking, April 2007. Web. 6 Jun 2017.
  13. Domain parking refers to the registration of an internet domain name without that domain being associated with any services such as e-mail or a website … “Domain parking.” Wikimedia Foundation, Inc., 23 May 2017. Web. 6 Jun 2017.