{"id":7950,"date":"2025-09-02T12:00:00","date_gmt":"2025-09-02T17:00:00","guid":{"rendered":"https:\/\/www.threatstop.com\/blog\/the-simplest-science-behind-domain-similarity"},"modified":"2025-09-02T12:00:00","modified_gmt":"2025-09-02T17:00:00","slug":"the-simplest-science-behind-domain-similarity","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/02\/the-simplest-science-behind-domain-similarity\/","title":{"rendered":"The Simplest Science Behind Domain Similarity"},"content":{"rendered":"<p>When attackers try to fool you, they often start with domains that look nearly identical to the real thing. You\u2019ve probably seen it in phishing attempts: an email that looks like it\u2019s from your bank or a well-known brand, but the sender\u2019s address is just a little off. \u201cpaypai.com\u201d instead of \u201cpaypal.com.\u201d At a glance, most people won\u2019t notice. That\u2019s exactly what attackers are counting on.<\/p>\n<p><!--more--><\/p>\n<p>To spot these tricks, security researchers use a method called <span><strong>Levenshtein distance<\/strong><\/span>. It sounds complex, but it\u2019s simply a way of measuring how similar two domain names are, and it\u2019s one of the tools ThreatSTOP uses to proactively protect you. Read on for a short introduction to this basic computing technique.<\/p>\n<h3><strong>What Is Levenshtein Distance?<\/strong><\/h3>\n<p>Levenshtein distance measures how many edits it would take to turn one word into another. 
Edits can be:<\/p>\n<ul>\n<li>\n<p>Adding a character<\/p>\n<\/li>\n<li>\n<p>Removing a character<\/p>\n<\/li>\n<li>\n<p>Replacing a character<\/p>\n<\/li>\n<\/ul>\n<p>Examples:<\/p>\n<ul readability=\"0\">\n<li readability=\"-1\">\n<p>google.com<span> \u2192 <\/span>gooogle.com<span> (one extra \u201co\u201d)<\/span><\/p>\n<\/li>\n<li readability=\"-1\">\n<p><span>netflix.com<\/span> \u2192 <span>netfli.com<\/span> (one missing \u201cx\u201d)<\/p>\n<\/li>\n<li readability=\"-1\">\n<p><span>paypal.com<\/span> \u2192 <span>paypai.com<\/span> (an \u201cl\u201d swapped for an \u201ci\u201d)<\/p>\n<\/li>\n<\/ul>\n<p>Attackers also rely on <span><strong>Unicode \u201chomograph\u201d domains<\/strong><\/span>\u2014for example, swapping Latin letters with visually identical Cyrillic characters. ThreatSTOP normalizes these to punycode before scoring. That means <span>\u0440\u0430\u0443\u0440\u0430l.com<\/span> (with Cyrillic \u201c\u0440\u201d) still shows a Levenshtein distance of 1, and is proactively blocked.<\/p>\n<p>These one-edit domains are designed to deceive. ThreatSTOP makes sure they don\u2019t get the chance.<\/p>\n<h3><strong>Why It Matters to You<\/strong><\/h3>\n<p>Attackers know people skim quickly. A single swapped letter is enough to trick someone into clicking, entering credentials, or downloading malware. Traditional blocklists may miss these variations, but similarity scoring closes that gap.<\/p>\n<p>ThreatSTOP\u2019s Security, Intelligence, and Research team applies this method to:<\/p>\n<ul readability=\"0\">\n<li readability=\"-1\">\n<p>Catch phishing domains early\u2014before they\u2019re widely reported<\/p>\n<\/li>\n<li readability=\"-1\">\n<p>Stop attackers from impersonating your brand<\/p>\n<\/li>\n<li readability=\"-1\">\n<p>Protect employees from accidentally visiting malicious sites<\/p>\n<\/li>\n<\/ul>\n<h3><strong>Regex vs. Levenshtein: Better Together<\/strong><\/h3>\n<p>You may be familiar with regex (regular expressions). 
Regex is excellent at spotting known threats and exact patterns, but it struggles when attackers invent unpredictable twists.<\/p>\n<table>\n<thead>\n<tr>\n<th>\n<p><strong>Technique<\/strong><\/p>\n<\/th>\n<th>\n<p><strong>Best At\u2026<\/strong><\/p>\n<\/th>\n<th>\n<p><strong>Not Great When\u2026<\/strong><\/p>\n<\/th>\n<\/tr>\n<\/thead>\n<tbody readability=\"5.5\">\n<tr readability=\"9\">\n<td>\n<p>Regex<\/p>\n<\/td>\n<td readability=\"6\">\n<p>Quickly spotting known, exact threats<\/p>\n<\/td>\n<td readability=\"6\">\n<p>Attackers use creative, never-before-seen variations<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7.5\">\n<td>\n<p>Levenshtein<\/p>\n<\/td>\n<td readability=\"6\">\n<p>Detecting subtle, unknown variations fast<\/p>\n<\/td>\n<td readability=\"5\">\n<p>You only want to match exact patterns<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Think of regex as a guard checking IDs against a list, while Levenshtein is the detective who notices suspicious behavior. Used together, they provide the strongest coverage.<\/p>\n<h3>Let&#8217;s make it visual<\/h3>\n<p>Here&#8217;s a simple visualization of how Levenshtein distance works, comparing the legitimate domain &#8220;paypal.com&#8221; and a sneaky impostor &#8220;paypai.com&#8221;:&nbsp;<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png?resize=366%2C378&#038;ssl=1\" data-hsprotectunselectable=\"on\" loading=\"lazy\" width=\"366\" height=\"378\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity-2.png 183w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png 366w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png 549w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png 732w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png 915w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/the-simplest-science-behind-domain-similarity.png 1098w\" sizes=\"auto, (max-width: 366px) 100vw, 366px\"><\/p>\n<p>The number in the bottom right corner (1) means there\u2019s just one edit separating these domains: very suspicious!&nbsp;<\/p>\n<h3><strong>ThreatSTOP\u2019s Approach<\/strong><\/h3>\n<p>We\u2019re rolling out similarity-based detection in a controlled way to deliver clear value.<\/p>\n<ul readability=\"1.5\">\n<li readability=\"0\">\n<p><span><strong>Protective DNS (DNS Defense Cloud and DNS Defense):<\/strong><\/span> Our platforms automatically stop access to malicious look-alike domains before a user ever reaches them.<\/p>\n<\/li>\n<li readability=\"3\">\n<p><span><strong>IP Defense:<\/strong><\/span> When phishing infrastructure is tied to IP addresses, our protections ensure your firewalls, routers, and cloud controls proactively block it.<\/p>\n<\/li>\n<\/ul>\n<p>You can expect:<\/p>\n<ul readability=\"0.5\">\n<li readability=\"-1\">\n<p><span><strong>Simple activation:<\/strong><\/span> No complex setup.<\/p>\n<\/li>\n<li readability=\"-1\">\n<p><span><strong>Clear visibility:<\/strong><\/span> See exactly why a domain was flagged.<\/p>\n<\/li>\n<li readability=\"0\">\n<p><span><strong>Control:<\/strong><\/span> Opt in to evaluate, and opt out if needed.<\/p>\n<\/li>\n<\/ul>\n<p>This feature is experimental today, but it is already proving powerful in real-world testing. Your feedback helps us refine accuracy while keeping false positives low.<\/p>\n<h3><strong>Staying Ahead of Subtle Tricks<\/strong><\/h3>\n<p>The message is simple: attackers thrive on subtle changes, but ThreatSTOP\u2019s protections remove that advantage. 
By using domain similarity scoring alongside proven threat intelligence, we stop phishing campaigns before they succeed, helping you stay protected without adding complexity to your security stack.<\/p>\n<p>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our <a href=\"https:\/\/www.threatstop.com\/threatstop-platform\" rel=\"noopener\" target=\"_blank\">product page<\/a>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! <a href=\"https:\/\/admin.threatstop.com\/register?hsLang=en\" rel=\"noopener\" target=\"_blank\">Get started with a Demo today!<\/a><\/p>\n<p><strong>Connect with Customers, Disconnect from Risks<\/strong><\/p>\n<h3><strong>MITRE ATT&amp;CK Framework Mapping<\/strong><\/h3>\n<table>\n<thead>\n<tr>\n<th>\n<p><strong>Threat Activity<\/strong><\/p>\n<\/th>\n<th>\n<p><strong>ATT&amp;CK Technique ID<\/strong><\/p>\n<\/th>\n<th>\n<p><strong>Category<\/strong><\/p>\n<\/th>\n<\/tr>\n<\/thead>\n<tbody readability=\"10\">\n<tr readability=\"6\">\n<td readability=\"5\">\n<p>Phishing with look-alike domains<\/p>\n<\/td>\n<td>\n<p>T1566.002<\/p>\n<\/td>\n<td readability=\"5\">\n<p>Initial Access: Spearphishing Link<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td readability=\"5\">\n<p>Credential harvesting through fake login pages<\/p>\n<\/td>\n<td>\n<p>T1056.003<\/p>\n<\/td>\n<td readability=\"5\">\n<p>Collection: Web Portal Capture<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td readability=\"5\">\n<p>Command and Control over malicious domains<\/p>\n<\/td>\n<td>\n<p>T1071.004<\/p>\n<\/td>\n<td readability=\"5\">\n<p>Command and Control: Application Layer Protocol (DNS\/HTTP)<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td readability=\"5\">\n<p>Data exfiltration via crafted domains<\/p>\n<\/td>\n<td>\n<p>T1048.003<\/p>\n<\/td>\n<td 
readability=\"5\">\n<p>Exfiltration: Exfiltration Over Unencrypted\/Obfuscated Non-C2 Protocol<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td readability=\"5\">\n<p>Brand impersonation for malicious campaigns<\/p>\n<\/td>\n<td>\n<p>T1585.001<\/p>\n<\/td>\n<td readability=\"5\">\n<p>Resource Development: Domains<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.threatstop.com\/blog\/the-simplest-science-behind-domain-similarity\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When attackers try to fool you, they often start with<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[30,62,590,215,216,61],"tags":[593],"class_list":["post-7950","post","type-post","status-publish","format-standard","hentry","category-dns","category-dns-security","category-machine-learning","category-passive-dns","category-pdns","category-protective-dns","tag-machine-learning"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Threat Stop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/threatstop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns\/\" rel=\"category tag\">DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dns-security\/\" rel=\"category tag\">DNS Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/machine-learning\/\" rel=\"category tag\">Machine Learning<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/passive-dns\/\" rel=\"category tag\">Passive DNS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pdns\/\" rel=\"category tag\">PDNS<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/protective-dns\/\" rel=\"category tag\">Protective DNS<\/a>","tag_info":"Protective DNS","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7950"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7950\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}