What is Domain Doppelgänger?
Domain Doppelgӓnger is KnowBe4’s web-based tool that performs searches specific to your organization’s domain and collects data on any potentially harmful domains that the bad guys have registered with malicious intent. Since look-alike domains are a potential attack vector for phishing and other social engineering attacks, you can use this tool to monitor for potentially harmful domains that can spoof your website, email addresses, product, or organization name.
You can sign up for the Domain Doppelgänger analysis here.
Be sure to fill out the form with your work email address. The domain in this email address will be used for the Domain Doppelgӓnger analysis and the report results will be delivered to this email address.
If your organization owns multiple domains and/or subsidiaries that you want to run the Domain Doppelgӓnger assessment for, you'll need to submit additional forms using valid and active email addresses at the additional domains.
After submitting the form, you will receive an email containing your Domain Doppelgӓnger analysis results. The email will contain a PDF report with a summary of the data gathered about your look-alike domains. To fully evaluate the look-alike domains, you'll want to visit the link included in this email.
Analyze Your Results
The Domain Doppelgӓnger analysis searches for all available and purchased domains that are visually similar to your organization's domain, and therefore, fit the criteria of one of our Doppelgӓnger domain Types:
Both the PDF summary and the detailed Domain Doppelgӓnger analysis results include the number of look-alike domains that fall into one or more of the four categories explained below. From the detailed Domain Doppelgӓnger results, you can click on any of these categories to display the results meeting that category's criteria.
Registered Domains: This category represents the number of domain results that have been purchased and registered through a domain name registrar. This number includes both public and privately registered domains.
If these domains were not registered for your organization, there's a possibility they were purchased with the intent to spoof your organization as a starting point for a phishing attack.
Private Domains: This category represents the number of domain results that have been purchased and registered privately through a domain name registrar.
If these privately registered domains were not purchased by your organization, there's a possibility they were purchased with malicious intent. In these scenarios, privately registered domains are typically more difficult to have taken down.
Mail Servers Available: The domains included in this category have the ability to send and receive emails. This is determined by the existence of MX records in the Domain Name System (DNS) records (you can find more information on MX Records in the table below).
If these domains are not owned by your organization, you should consider the threat of phishing attacks from these similar-looking domains.
Web Servers Available: Domains included in this category have a web host, meaning a live site may exist at this web address. This is determined by the existence of NS (Name Server) records in the DNS records (you can find more information on NS Records in the table below).
If these domains are not owned by your organization, we recommend reviewing the information hosted on these sites using a protected, sandbox environment to ensure that your clients or employees are not being fooled by an imposter website.
The detailed Domain Doppelgӓnger results contain data applicable to your domain's look-alikes. See below for an example of the detailed analysis results and an explanation of each column within the data table.
|The results that include this icon are privately registered domains.
Most domain registrars offer private registration to protect the domain owner's privacy and to avoid unwanted solicitation.
Each look-alike domain will have one of the following Doppelgӓnger Types associated with it. The original domain will be signified with Original*:
|A domain name is your address and identity on the Internet. Domain names are associated with and identify one or more IP addresses. They're used in URLs to identify and access web pages.
|The IPv4 address associated with the domain (if applicable).
The IPv4 address is determined from the A record (Address record) included in the domain's DNS (Domain Name System) records.
IP addresses are unique numerical identifiers assigned to every device connected to the Internet which are used to communicate with other devices. Web servers and mail servers are examples of devices that have an IP address.
|The IPv6 address associated with the domain (if applicable).
The IPv6 address is determined from the AAAA record (quad-A record) included in the domain's DNS records.
IPv6 is the successor to Internet Protocol Version 4 (IPv4). Some domains will have IPv4 and IPv6 addresses.
|The name server (NS) for the domain (if applicable).
The name server is determined from the NS record included in the domain's DNS records.
Name servers are typically provided by the domain's web host, and they provide the ability to access web pages by domain name URLs, rather than having to type an IP address.
The results including NS records have web servers available.
|The mail exchanger (MX) server for the domain (if applicable).
Mail exchanger records (MX records) tell the Internet which mail servers accept incoming email for the domain, and where that email should be routed.
The results including MX records have mail servers available.
|Use this link to navigate directly to the ICANN (Internet Corporation for Assigned Names and Numbers) WHOIS website to see the full "WHOIS data" for the domain owner. ICANN searches databases of domain registrars worldwide to provide public access to data on registered domain names.
If a domain is privately registered, the WHOIS information will show information for a proxy company acting on the domain owner's behalf.
|Each result that is a registered domain (private or public) will have a ranking assigned to it. The ranking is based on how many details were gathered about the domain. See the details below for the individual "result detail" points attributed to the ranking.
You can use sorting, search terms, and search filters to display the desired data in the Domain Doppelgӓnger results table. See below for more information.
- Search Filters: You can apply any of these search filters when you submit a term in the search bar. For example, if you want to see all of the look-alike domains that are categorized as Bitsquatting, type "Bitsquatting" into the search bar and check the Type search filter.
- Search Bar: Use the search bar to enter any term you'd like to reflect in the results.
For example, if you know your organization does not use "DNS Made Easy" for any DNS services, you may want to search the term "dnsmadeeasy" and check the NS Record search filter to display the domains having NS Records with this company, in order to further investigate.
If you want to create a new search, clear the search bar to reset your search.
- Sort Arrows: Use the arrows in the column headers to re-sort that column as well as the entire data table.
- Expand Data Arrow: If a row includes an expand arrow, there is more information available for one or more of the following data columns: IPv4, IPv6, NS Record, or MX Record. You'll see the additional information once you've expanded the data row.
- Download CSV: You'll find this button at the bottom of the page, below the data table. You can download a CSV report of all results, or any display of data that you've generated using the search bar and search filters. The CSV report will always reflect the data currently shown in the results table.
- Delete Analysis: If you want to delete your analysis results, you'll use this button at the bottom of the results page.
Once you've reviewed your Domain Doppelgӓnger results, you'll want to test your end users' awareness of the dangers of look-alike domains. Follow the steps below to set up your user assessment.
- From the Domain Doppelgӓnger results page, click the Test your users button, located at the top right of the page.
- Review the domains highlighted in green, located on the left side of the page. These domains were pre-selected for your user assessment, but can be modified as needed.
By default, the selected results are the highest-ranked Doppelgӓnger domains. For an accurate user assessment, ensure these domains are not owned by your organization.
Click on any row of domain data to select or deselect this domain for use in your user assessment. You must select nine Doppelgӓnger domains to use in the assessment before you can proceed.
Using the search bar and search filters, you can search for any specific domain, Doppelgӓnger Type, or Doppelgӓnger Rank from this list of results.
- As you select and deselect the domains, you'll see the assessment's answer options automatically change in the Assessment Preview, shown on the right side of the screen.
By default, Show user assessment results after completion will be checked, as shown below. Leave this enabled if you'd like your users to see how they performed on the assessment.
- Once you've selected the domains you'd like to include, click the Get Assessment Link button at the top right of the page.
- Distribute the assessment link to your end users. We've provided an example email you can use to distribute the assessment and request that your users complete it. You'll find this email at the bottom of this article, here.
Analyzing the User Assessment
All user assessment results are anonymous. You can review the user assessment results in real time by clicking the View Assessment Results button from the assessment confirmation page.
If you've closed this browser page, you'll be able to access your user assessment results from the link in the "Your Domain Doppelgänger results are ready" email you initially received.
Once you've given your employees time to complete the assessment, use this page to view the assessment results.
- Here you can see the total number of assessments that have been completed from the link you've distributed.
- If you need to resend the assessment link or send it to additional users, you'll find the link here.
- The Overall Assessment Results provides an overview of the number and percentage of users who passed or failed the assessment as a whole.
Users must answer all three questions correctly to pass the assessment. Assessments with one or more incorrect answers will count as a failed assessment.
- The Overall Questions Results provides the number and percentage of correct and incorrect responses across all users and all assessment questions.
Each individual question will also show a bar graph representing the percentage of users who answered the question correctly vs. incorrectly.
If you'd like to reset or recreate your user assessment, use the Reset Assessment button in the bottom right corner of the Assessment Results page.
How can I inform my users about the domain assessment?
Below you'll find a customizable email that you can send to your users to distribute the Domain Assessment. The email provides an overview of why it's important to know the difference between safe and unsafe links and requests that the users complete the quiz.
Be sure to modify the sample by adding your organization's name and your unique assessment link.
Cybersecurity attacks are on the rise and [[Company Name]] is determined to stay vigilant and defend our organization against hackers and social engineering attempts.
One major attack method that hackers are using lately is to buy similar-looking website domains so they can launch phishing attacks or gather sensitive information. As one of our employees, you must learn the difference between safe and unsafe links to avoid falling for this kind of attack.
Please take the quiz below to ensure that you can help guard our organization against social engineering attacks. Your quiz results are completely anonymous.
Copy and paste this link into your browser to take the quiz: [[your link here]]
Thank you for helping us build a strong "human firewall" in our organization.
What can I do with this information?
Domain Doppelgӓnger empowers you with the necessary understanding of the risks that may be associated with look-alike domains. This information can help you protect your organization from phishing attacks and help you prevent potential damage to your organization's reputation.
Do your research. Understand the Doppelgӓnger Types and the risks associated with each. Find the domains that have web servers and use a protected, sandbox environment to review what information is hosted on these sites. If you suspect malicious activity or fraudulent intent, reach out to the web hosting company and/or domain name registrar to report the website. You can find this information by looking at the domain's Whois record, linked to each Domain Doppelgӓnger result.
Train your users. Depending on how your users answered the domain assessment questions, they'll be provided with explanations of why their answers were correct or incorrect, but this information must be reinforced. You'll find the "Detecting Domain Doppelgӓngers" PDF on the user assessment overview page, share these helpful tips with your users. You also should immediately enroll your users in security awareness training and phishing campaigns to ensure they have the skills they need to become a strong human firewall for your organization.
Frequently Asked Questions (FAQs)
Q: I haven't received my Domain Doppelgӓnger analysis results, what should I do?
A: If you've submitted your request for the Domain Doppelgӓnger and haven't received it after approximately 2 hours, please check your spam filter. If you cannot find your analysis results there, contact our Support team here.
Q: What Top-Level Domains (TLDs), such as .com, .org., .net, etc., are included in the Domain Doppelgӓnger analysis?
A: The Doppelgӓnger analysis searches for look-alike domains with the same top-level domain as your own.
If feasible for your organization, it would be ideal to own your organization's name in all of the "open" TLDs. See this (external) page for more information on the "open" top-level domains.
Q: I received homoglyph domains in my analysis results. How can I identify the domain names that would need to be registered to own my "homoglyph" look-alike domains?
A: You can use online sources such as https://www.punycoder.com/, to decode the homoglyph domains' Punycode.
Q: I have a .edu (or other limited) domain. Why didn't I receive any Domain Doppelgӓnger results?
A: Certain top-level domains (TLDs) such as .edu, .int, .gov, and .mil, are limited to specific types of institutions, organizations, or government sectors. Legitimacy must be verified before owning these web addresses–making look-alike domains much less likely to exist.
Q: Can I modify the questions in the Domain Doppelgӓnger user assessment?
A: The user assessment questions and answers are designed for end users with basic to moderate cybersecurity knowledge, for the purpose of enhancing awareness of look-alike domains.
If your users' assessment performance is not what you expected, we strongly suggest enrolling them into security awareness training and simulated phishing tests to improve the strength of your human firewall. We can help! If you're not already a customer, contact email@example.com if you'd like more information.