<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>When attackers try to fool you, they often start with domains that look nearly identical to the real thing. You’ve probably seen it in phishing attempts: an email that looks like it’s from your bank or a well-known brand, but the sender’s address is just a little off. “paypai.com” instead of “paypal.com.” At a glance, most people won’t notice. That’s exactly what attackers are counting on.</p> <p>To spot these tricks, security researchers use a method called <span><strong>Levenshtein distance</strong></span>. It sounds complex, but it’s simply a way of measuring how similar two domain names are, and it’s one of the tools ThreatSTOP uses to protect you proactively. Read on to see how this basic computing technique works.</p> <h3><strong>What Is Levenshtein Distance?</strong></h3> <p>Levenshtein distance measures the minimum number of single-character edits it would take to turn one word into another. Edits can be:</p> <ul> <li> <p>Adding a character</p> </li> <li> <p>Removing a character</p> </li> <li> <p>Replacing a character</p> </li> </ul> <p>Examples:</p> <ul> <li> <p>google.com<span> → </span>gooogle.com<span> (one extra “o”)</span></p> </li> <li> <p><span>netflix.com</span> → <span>netfli.com</span> (one missing “x”)</p> </li> <li> <p><span>paypal.com</span> → <span>paypai.com</span> (an “l” swapped for an “i”)</p> </li> </ul> <p>Attackers also rely on <span><strong>Unicode “homograph” domains</strong></span>—for example, swapping Latin letters with visually identical Cyrillic characters. ThreatSTOP normalizes these to punycode before scoring. That means <span>раураl.com</span> (with Cyrillic “р”) still shows a Levenshtein distance of 1, and is proactively blocked.</p> <p>These one-edit domains are designed to deceive. 
ThreatSTOP makes sure they don’t get the chance.</p> <h3><strong>Why It Matters to You</strong></h3> <p>Attackers know people skim quickly. A single swapped letter is enough to trick someone into clicking, entering credentials, or downloading malware. Traditional blocklists may miss these variations, but similarity scoring closes that gap.</p> <p>ThreatSTOP’s Security, Intelligence, and Research team applies this method to:</p> <ul> <li> <p>Catch phishing domains early—before they’re widely reported</p> </li> <li> <p>Stop attackers from impersonating your brand</p> </li> <li> <p>Protect employees from accidentally visiting malicious sites</p> </li> </ul> <h3><strong>Regex vs. Levenshtein: Better Together</strong></h3> <p>You may be familiar with regex (regular expressions). Regex is excellent at spotting known threats and exact patterns, but it struggles when attackers invent unpredictable twists.</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>Technique</strong></p> </th> <th> <p><strong>Best At…</strong></p> </th> <th> <p><strong>Not Great When…</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Regex</p> </td> <td> <p>Quickly spotting known, exact threats</p> </td> <td> <p>Attackers use creative, never-before-seen variations</p> </td> </tr> <tr> <td> <p>Levenshtein</p> </td> <td> <p>Detecting subtle, unknown variations fast</p> </td> <td> <p>You only want to match exact patterns</p> </td> </tr> </tbody> </table> <p>Think of regex as a guard checking IDs against a list, while Levenshtein is the detective who notices suspicious behavior. 
Used together, they provide the strongest coverage.</p> <h3><strong>Let's make it visual</strong></h3> <p>Here's a simple visualization of how Levenshtein distance works, comparing the legitimate domain "paypal.com" and a sneaky impostor "paypai.com":</p> <p><img src="https://2548414.fs1.hubspotusercontent-na1.net/hubfs/2548414/undefined-Aug-31-2025-08-46-01-0914-PM.png" data-hsprotectunselectable="on" loading="lazy" width="366" height="378"></p> <p>The number in the bottom-right corner (1) means there’s just one edit separating these domains, which is very suspicious!</p> <h3><strong>ThreatSTOP’s Approach</strong></h3> <p>We’re rolling out similarity-based detection in a controlled way to deliver clear value.</p> <ul> <li> <p><span><strong>Protective DNS (DNS Defense Cloud and DNS Defense):</strong></span> Our platforms automatically stop access to malicious look-alike domains before a user ever reaches them.</p> </li> <li> <p><span><strong>IP Defense:</strong></span> When phishing infrastructure is tied to IP addresses, our protections ensure your firewalls, routers, and cloud controls proactively block it.</p> </li> </ul> <p>You can expect:</p> <ul> <li> <p><span><strong>Simple activation:</strong></span> No complex setup.</p> </li> <li> <p><span><strong>Clear visibility:</strong></span> See exactly why a domain was flagged.</p> </li> <li> <p><span><strong>Control:</strong></span> Opt in to evaluate, and opt out if needed.</p> </li> </ul> <p>This feature is experimental today, but it is already proving powerful in real-world testing. Your feedback helps us refine accuracy while keeping false positives low.</p> <h3><strong>Staying Ahead of Subtle Tricks</strong></h3> <p>The message is simple: attackers thrive on subtle changes, but ThreatSTOP’s protections remove that advantage. By using domain similarity scoring alongside proven threat intelligence, we stop phishing campaigns before they succeed. 
This helps you stay protected without adding complexity to your security stack.</p> <p>For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our <a href="/threatstop-platform" rel="noopener" target="_blank">product page</a>. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for customers of all sizes! <a href="https://admin.threatstop.com/register?hsLang=en" rel="noopener" target="_blank">Get started with a Demo today!</a></p> <p><strong>Connect with Customers, Disconnect from Risks</strong></p> <h3><strong>MITRE ATT&amp;CK Framework Mapping</strong></h3> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2;"> <thead> <tr> <th> <p><strong>Threat Activity</strong></p> </th> <th> <p><strong>ATT&amp;CK Technique ID</strong></p> </th> <th> <p><strong>Category</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Phishing with look-alike domains</p> </td> <td> <p>T1566.002</p> </td> <td> <p>Initial Access: Spearphishing Link</p> </td> </tr> <tr> <td> <p>Credential harvesting through fake login pages</p> </td> <td> <p>T1056.003</p> </td> <td> <p>Collection: Web Portal Capture</p> </td> </tr> <tr> <td> <p>Command and Control over malicious domains</p> </td> <td> <p>T1071.004</p> </td> <td> <p>Command and Control: Application Layer Protocol (DNS/HTTP)</p> </td> </tr> <tr> <td> <p>Data exfiltration via crafted domains</p> </td> <td> <p>T1048.003</p> </td> <td> <p>Exfiltration: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</p> </td> </tr> <tr> <td> <p>Brand impersonation for malicious campaigns</p> </td> <td> <p>T1585.001</p> </td> <td> <p>Resource Development: Domains</p> </td> </tr> </tbody> </table></span>
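<p>As an added example (not ThreatSTOP's code), the Python below builds the edit-distance table that the "Let's make it visual" section shows for paypal.com against paypai.com, then scores candidate domains against a constructed brand watch list the way the "What Is Levenshtein Distance?" section describes. The brand list and the small Cyrillic-to-Latin confusable map are assumptions of this example, not a description of ThreatSTOP's scoring.</p>

```python
"""Added example (not ThreatSTOP's code): build the Levenshtein table the post
visualizes, then score candidates against a constructed brand watch list.
Folding Cyrillic confusables to Latin before IDNA-encoding is this example's own assumption."""

# Constructed sample watch list of legitimate brand domains.
BRANDS = ["paypal.com", "google.com", "netflix.com"]
# Assumed map of a few Cyrillic glyphs to the Latin letters they imitate.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "у": "y", "х": "x", "і": "i"})

def levenshtein_table(a: str, b: str) -> list[list[int]]:
    """Cell [i][j] is the edit distance between a[:i] and b[:j]; the bottom-right
    cell is therefore the distance between a and b."""
    rows = [[i] + [0] * len(b) for i in range(len(a) + 1)]  # column 0: delete a[:i]
    rows[0] = list(range(len(b) + 1))                       # row 0: insert b[:j]
    for i, ca in enumerate(a, 1):
        for j, cb in enumerate(b, 1):
            rows[i][j] = min(rows[i - 1][j] + 1,            # remove ca
                             rows[i][j - 1] + 1,            # add cb
                             rows[i - 1][j - 1] + (ca != cb))  # replace ca with cb
    return rows

def levenshtein(a: str, b: str) -> int:
    return levenshtein_table(a, b)[-1][-1]

def normalize(domain: str) -> str:
    """Lower-case, fold assumed confusables to Latin, then IDNA/punycode-encode
    whatever non-ASCII remains so scoring happens on ASCII labels."""
    folded = domain.strip().lower().rstrip(".").translate(CONFUSABLES)
    return folded.encode("idna").decode("ascii")

def flag_lookalikes(candidates: list[str], brands: list[str] = BRANDS,
                    max_distance: int = 1) -> dict[str, tuple[str, int]]:
    """Map each candidate within max_distance edits of a brand to (closest brand,
    distance); the genuine brand domains themselves are not flagged."""
    hits = {}
    for cand in candidates:
        if cand.strip().lower().rstrip(".") in brands:
            continue
        n = normalize(cand)
        best = min(brands, key=lambda b: levenshtein(n, b))
        if levenshtein(n, best) <= max_distance:
            hits[cand] = (best, levenshtein(n, best))
    return hits

if __name__ == "__main__":
    a, b = "paypal.com", "paypai.com"                       # the post's visualized pair
    for ca, row in zip(" " + a, levenshtein_table(a, b)):
        print(ca, " ".join(f"{c:2d}" for c in row))         # bottom-right cell is 1
    print(flag_lookalikes(["paypai.com", "gooogle.com", "netfli.com", "раураl.com"]))
```

<p>Under this example's folding, the post's Cyrillic <span>раураl.com</span> collapses onto paypal.com itself (distance 0) instead of hiding behind its punycode form, so it is flagged along with the three one-edit examples.</p>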