If you have a department in your organization that monitors your company web traffic, you may not believe what you see next. We all know that Russian traffic to your website or server is usually a bad thing. If you use Google Analytics or any another type of analytics tools for your website, check them now. We are going to describe the latest variant of domain spoofing. And It doesn’t just require you to have a website.

Russian spammers have been using referrer spamming techniques on browser add-ons and websites for quite some time. Referrer spam is a specific variation of web traffic known as “ghost traffic.” The spammer essentially sends phantom visitors to your website’s Google Analytics account in order to make it appear as if someone visited your website from that referrer URL. Although referrer spam can ruin your analytical data it will not harm your website or affect your website’s SEO or rank on Google search results. This is simply spam that wants to get your attention and I probably have done that so far. Read on.

This new spammer technique will utilize various tactics in order to make it look like your website received referrer traffic from lifehacker.com even though it really came from lifehacĸer.com. Didn’t see the difference there? Look again.

Lifehacker.com

Lifehacĸer.com

Now do you see it? How about this?

Google.com

ɢoogle.com

Notice the letter K and letter G? They are known as “small capitals.” These variations of letters and other Unicode characters can be used as valid characters in the registration process of domain names on the Internet. This type of registration has been available for the past six years, so it’s surprising that not until recently people thought to use alternative Unicode-based spelling to register domain names for malicious purposes.

There are several reasons why spammers and hackers use this technique. It is becoming more and more common to manipulate visitors into thinking they are on a legit website or just display ads to those users. Here are some additional reasons this technique is used and so successful.

– Referrer spammers want to promote a malicious website and get you to visit the webpage or discover it online through other shared malicious websites.

– Referrer spammers want to boost their ranking on Google results by creating more backlinks. They do this by logging requests into your website’s access log, which is then crawled by Google’s indexing bots and seen as a backlink to the spam site.

– Get you to click links and install malware. These domains look and feel just like the real thing to the average user. It would be easy to mistaken these domain’s as a real one compared to a mismatched or misspelled domain that is much easier to identify.

Think about it, this could be the beginning of a very new and scary type of domain spoofing. What other types of URLs can be spoofed into looking like the real thing? When providing your users with security awareness training on browser security, make sure you are identifying this new risk. Once again, we are seeing hackers adapt and becoming more and more thrifty with their attacks. If these malicious sites are linked to ransomware or other malicious links, it could leave you dealing with a very costly problem soon. Stay ahead of the curve and educate your employees about this new risk and how to protect against these fake URLs.