Home > CAPEC List > CAPEC-631: SoundSquatting (Version 2.11)  

CAPEC-631: SoundSquatting

Definition in a New Window Definition in a New Window
Attack Pattern ID: 631
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering.

+ Attack Steps
  1. Determine target website: The adversary first determines which website to impersonate, generally one that is trusted, receives a consistent amount of traffic, and is a homophone.

    Research popular or high traffic websites which are also homophones.

  1. Impersonate trusted domain: In order to impersonate the trusted domain, the adversary needs to register the SoundSquatted URL.

    Register the SoundSquatted domain.

  1. Deceive user into visiting domain: Finally, the adversary needs to deceive a user into visiting the SoundSquatted domain.

    Execute a phishing attack and send a user an e-mail convincing the user to click on a link leading the user to the SoundSquatted domain.

    Assume that a user will unintentionally use the homophone in the URL, leading the user to the SoundSquatted domain.

+ Alternate Terms

Term: Homophone Attack

+ Attack Prerequisites
  • An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Low

+ Methods of Attack
  • Spoofing
  • Analysis
  • Social Engineering
+ Examples-Instances


An adversary sends an email, impersonating the popular banking website guaranteebanking.com, to a user stating that they have just received a new deposit and to click the given link to confirm the deposit.

However, the link the in email is guarantybanking.com instead of guaranteebanking.com, which the user clicks without fully reading the link.

The user is directed to the adversary's website, which appears as if it is the legitimate guaranteebanking.com login page.

The user thinks they are logging into their account, but have actually just given their guaranteebanking.com credentials to the adversary. The adversary can now use the user's legitimate guaranteebanking.com credentials to log into the user's account and steal any money which may be in the account.

Related Vulnerabilities

SoundSquatting vulnerability allows an adversary to impersonate a trusted domain and leverages a user's confusion between the meaning of two words which are pronounced the same into visiting the malicious website to steal user credentials.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Adversaries must be able to register DNS hostnames/URL’s.

+ Solutions and Mitigations

Authenticate all servers and perform redundant checks when using DNS hostnames.

Purchase potential SoundSquatted domains and forward to legitimate domain.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Depending on the intention of the adversary, a successful SoundSquatting attack can be leveraged to execute more complex attacks such as cross-site scripting or stealing account credentials.
+ Technical Context
Architectural Paradigms
+ References
[R.611.1] Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens and Wouter Joosen. "Soundsquatting: Uncovering the Use of Homophones in Domain Squatting". Trend Micro. <https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-soundsquatting.pdf>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2015-11-09Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017