How-to: Spot Domain Spoofing

Image: Information Security by Renjith Krishnan, FreeDigitalPhotos.net

Domain spoofing is a cunning way to lure the unwary to fake web-sites set up by cyber-criminals to impersonate real sites. These are usually the shop-front to elaborate phishing scams set up to steal your account information, financial data, even your entire identity.

Say you receive an email from your bank asking you to go to a page on its site and update your details. For one thing, reputable financial institutions never do this, but let’s look into this further.

The link in the message leads us to a fake site impersonating your bank, where you are invited to enter your data. This relies on the fake site not only looking like the real thing, but having a spoof web address, or URL, close enough to the real thing to catch the unobservant.

All socially well-adjusted and well-educated people want to respond responsibly to communications from officialdom and organisations with which we have real-life relationships. It is no different on the Internet. We want to believe what our eyes are telling us is genuine, the more so the busier we get. We want to deal with these chores quickly and efficiently. We don’t proof-read what we’re seeing. This is the psychology the cyber-criminals rely on.

What is Domain Spoofing?
Let’s take my website as a quick example to explain domain spoofing. is the domain on which it is hosted. is a domain plus a folder. Folders are suffixed to the right of the domain address.
It’s a simple hierarchy like the one on your computer hard-drive. C:\ is the root (domain), Program Files the folder, giving the structure C:\Program Files.

Where it gets interesting is the sub-domain. In the Domain Name System used on the Internet, is the parent. Sub-domains are added as a prefix to the left of the domain. Hence:

  • is a sub-domain of So far, so safe
  • is a sub-domain plus a web-page. Still safe.

Back to the spoofing scam. Let’s say my bank’s official site is; That’s its proper domain name with the right top-level domain (the .com portion).

In the phishing email you see a link that is This is the phishing website, where the is a sub-domain of which has NOTHING to do with the official mybanksite.

Therefore: is a phishing page. It belongs to the sub-domain under, which is not mybanksite at all!

The spoof domain attempts to look innocuous using the, your eye is drawn to the thing you expect to see, the part containing

Not only does the phishing URL look very similar to the real one, but smart criminals may even be including actual page content and actual links to unsecured pages on the official site they spoof (typically advice or general information pages in front of any security layer).

So what do we look for? The last dot or period in the address before any slashes. Hence in:
the last thing before the / is the .kz; that’s the top-level domain. The alarm bells should ring right away – my bank is a .com!

Then also as the domain name is nothing like your bank! Counting back the periods from right to left, is nothing but a sub-domain on someone else’s site. Take the mouse away from that link and move away now! AJS

Note: Internet Explorer 8 onward helps in identifying the main domain by graying out the sub-domain and the directory structure.
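The right-to-left reading described above, written out as an added example (not part of the original post). It assumes the bank's official domain is mybanksite.com; the sample links, the `.kz` host name and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "mybanksite.com"  # assumed official domain for the article's bank

def host_of(url):
    """Host of a link: the part before the first slash, without any port."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url              # let urlsplit parse scheme-less links
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def tld_of(url):
    """Text after the last dot in the host: the top-level domain."""
    return host_of(url).rsplit(".", 1)[-1]

def classify(url, official=OFFICIAL):
    """Compare the host with the official domain, reading from the right.

    'official'  - host is the official domain or a sub-domain of it
    'spoof'     - the official name appears only as left-hand sub-domain
                  labels of some other domain
    'unrelated' - the official name is not in the host at all
    """
    host = host_of(url)
    # Match on a label boundary (the dot), so 'notmybanksite.com' fails.
    if host == official or host.endswith("." + official):
        return "official"
    labels, want = host.split("."), official.split(".")
    # Any occurrence that is not right-most is just a sub-domain prefix.
    for i in range(len(labels) - len(want)):
        if labels[i:i + len(want)] == want:
            return "spoof"
    return "unrelated"

# Constructed sample links, not taken from any real message.
SAMPLES = [
    "https://mybanksite.com/accounts/update",
    "https://online.mybanksite.com/login",
    "http://mybanksite.com.phish-example.kz/login",
    "https://notmybanksite.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):9}  .{tld_of(url):4} {host_of(url)}")
```

The check compares against a domain you already know to be genuine, so it does not need to work out where the registered domain ends for multi-part suffixes.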
