Fri, Dec 17, 2021
Ransomware and cybercrime have had a major presence in the media this past year, with several prominent attacks in 2021 making headlines and government-issued executive orders emphasizing the need for stronger cybersecurity. Many organizations have responded by bolstering their security programs, which makes it harder for cyber criminals to carry out their attacks successfully. However, as organizations and the security industry grow and adapt, so do our adversaries.
With the growing popularity of ransomware and publicized payouts showing huge financial gain (often in the millions), cyber criminals have never been more motivated. Attackers want access to your files; they want to defraud your customers, your supply chain partners and your employees, with financial motivation fuelling their efforts. We have seen them adopt far more advanced tactics, techniques and procedures to infiltrate victim networks. Now, more than ever, it is important to keep up to date with security trends and safeguards, and to keep security planning and hardening on the corporate agenda. Often we see corporations whose security focus is their own environment, building strong walls around their perimeter. Far less thought, and far fewer controls, go toward the ways cyber criminals can harm your business without ever entering or penetrating your network at all.
The likelihood is that your organization has websites, or at least has registered domain names, the names by which we find places on the Internet. As an Internet user, you know that entering "www.amazon.com" in the address bar of a web browser will take you to the e-commerce giant's home page. But you probably do not know the IP address you would have to enter to get there. The Internet's Domain Name System (DNS) handles the translation from the names we know to the IP addresses the Internet needs to route us to the right place.
Unfortunately, in many cases it has become too easy for a criminal to subvert the process that controls a domain's DNS records, changing the IP address a name resolves to and redirecting not only web traffic but e-mail as well, since the mail servers that accept a domain's e-mail are also published in DNS (its MX records).
As with most problems in security, there is no magic solution. Criminals can register domain names very similar to yours. They can register "samplec0mpany" (with a digit zero) where the legitimate name is "samplecompany"; note that changing letter case alone, as in "samplecOmpany", achieves nothing, because DNS names are case-insensitive and both spellings resolve to the same domain. Or they can register the same name under a different top-level domain, samplecompany.co where the real domain is samplecompany.com. But worse, as noted earlier, they can fool your domain registrar into changing your domain's name servers or DNS records to infrastructure they control, or take over the registrar account itself. If the domain is "locked" at the registrar (the clientTransferProhibited and clientUpdateProhibited statuses visible in its WHOIS record), and ideally also at the registry, such changes become far more difficult. At the very least, every organization should ensure that whoever manages its domains has locked them with the appropriate domain registrar and has protected the registrar account with strong, multi-factor authentication.
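The lookalike registrations described above are something a mail filter or SOC can hunt for directly. The following is an added example, not code from the original article or from Kroll: it generates the common impersonation variants of a protected domain (homoglyph substitution, dropped, doubled or transposed characters, and the same label under another top-level domain), then classifies the domain of each sender. The protected domain samplecompany.com, the substitution tables, the alternate-TLD list and the From: headers are all constructed for illustration. It goes slightly beyond the text by also catching the real domain embedded inside a foreign one (samplecompany.com.account-verify.net) and by treating genuine subdomains as legitimate.

```python
"""Lookalike-domain detection for inbound mail senders.

Added example, not code from the original article or from Kroll. The
protected domain, sender headers and substitution tables are constructed.
"""
from email.utils import parseaddr

# Substitutions attackers commonly use. Everything is lower-case because DNS
# names are case-insensitive: "samplecOmpany.com" IS samplecompany.com.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "m": ["rn"],
    "e": ["3"], "a": ["4"], "s": ["5"],
}
# TLDs an attacker might register the same label under (assumed list).
ALT_TLDS = ["co", "net", "org", "cm", "biz", "info"]


def registrable(domain: str):
    """Return (label, tld) for the last two labels of a lower-cased domain."""
    parts = domain.strip().lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def label_variants(label: str):
    """Single-edit variants: homoglyph, dropped, doubled or transposed char."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
        out.add(label[:i] + label[i + 1:])              # dropped character
        out.add(label[:i] + ch + ch + label[i + 1:])    # doubled character
        if i + 1 < len(label):                           # adjacent transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)
    return out


def lookalike_domains(protected: str):
    """All generated impersonation domains for the protected name."""
    label, tld = registrable(protected)
    names = {f"{v}.{tld}" for v in label_variants(label)}
    names |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}
    names.discard(protected.lower())
    return names


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch multi-edit variants the generator misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, protected: str) -> str:
    d = sender_domain.strip().lower().rstrip(".")
    p = protected.strip().lower()
    if d == p or d.endswith("." + p):
        return "legitimate"        # the real domain or one of its subdomains
    if p in d:
        return "lookalike"         # real name embedded in a foreign domain
    label, tld = registrable(d)
    p_label, _ = registrable(p)
    if f"{label}.{tld}" in lookalike_domains(p):
        return "lookalike"
    if levenshtein(label, p_label) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed From: headers, as a mail filter would see them.
SAMPLE_SENDERS = [
    "Accounts <ap@samplecompany.com>",
    "Accounts <ap@samplec0mpany.com>",
    "IT Helpdesk <help@sarnplecompany.com>",
    "Accounts <ap@samplecompany.co>",
    "Portal <noreply@samplecompany.com.account-verify.net>",
    "Jane <jane@mail.samplecompany.com>",
    "Bob <bob@partnerbank.com>",
]


def scan_senders(headers, protected="samplecompany.com"):
    """Map each sender address to a verdict; only the domain part is examined."""
    results = {}
    for hdr in headers:
        _, addr = parseaddr(hdr)
        results[addr] = classify_sender(addr.rpartition("@")[2], protected)
    return results


if __name__ == "__main__":
    for addr, verdict in scan_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:10s} {addr}")
```

The edit-distance fallback deliberately fires on any label within two edits of the real one, so tune the threshold (or whitelist partner domains) before running this against production mail, otherwise short, legitimately similar names will be flagged.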
There are additional steps you can take to prevent the e-mail addresses associated with your domains from being spoofed and used as the basis for data theft and fraud. These include:
We have responded to many incidents of abuse from similarly named domains. The most common is using the domain to conduct phishing campaigns against the organization's customers. Your clients then suffer the attack, and your organization is in turn exposed to phishing or spam campaigns launched from their compromised mailboxes. A large proportion of the business e-mail compromises we see begin with an employee clicking on an e-mail from a known and trusted source, not realizing that the customer's or client's e-mail account had itself been compromised.
These phishing e-mails are typically very successful at getting through spam filters because they come from an address you normally communicate with and trust; they are also usually sent as a reply within an existing conversation thread to create a false sense of security. The attacks are normally stealthy on the compromised victim's side too: the attacker adds inbox rules so that the owner of the mailbox never realizes it has been compromised. These rules direct e-mail (matched on the subject line) to a folder and mark it as read, so that the owner of the inbox never sees any of the phishing traffic or the replies to it.
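Those hiding rules leave a durable artifact in the compromised mailbox, and reviewing them is one of the quickest checks in a business e-mail compromise investigation. The following is an added example, not code from the original article or from Kroll: it triages a list of inbox rules and flags the pattern described above (subject-matched mail moved to a rarely opened folder and marked read), plus two related indicators investigators routinely look for, silent deletion and forwarding to an external address. The rule records and their field names (name, subject_contains, move_to, mark_read, delete, forward_to) are a constructed, assumed schema rather than the export format of any particular mail platform, and the folder and keyword lists are assumptions for the example.

```python
"""Triage of mailbox inbox rules for signs of business e-mail compromise.

Added example, not code from the original article or from Kroll. The rule
records are constructed and their field names are an assumed schema.
"""

# Folders an attacker typically hides mail in, and subject words that point
# at payment fraud or credential theft (both lists are assumptions).
HIDING_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "archive", "junk email", "deleted items",
}
SUSPICIOUS_TERMS = {
    "invoice", "payment", "wire", "bank", "password",
    "hacked", "phish", "suspicious", "account",
}


def rule_findings(rule: dict, internal_domain: str) -> list:
    """Return the indicators a single rule triggers (empty list = benign)."""
    findings = []
    subj = " ".join(rule.get("subject_contains", [])).lower()
    folder = (rule.get("move_to") or "").lower()
    forward = [a.lower() for a in rule.get("forward_to", [])]

    # The pattern from the text: move on subject match and mark as read so the
    # mailbox owner never sees the phishing traffic or the replies to it.
    if rule.get("mark_read", False) and folder and folder != "inbox":
        findings.append(f"moves mail to '{folder}' and marks it read")
    if folder in HIDING_FOLDERS:
        findings.append(f"targets a folder users rarely open ('{folder}')")
    if rule.get("delete", False):
        findings.append("deletes matching mail")
    if any(term in subj for term in SUSPICIOUS_TERMS):
        findings.append(f"matches finance/security wording in subject ({subj!r})")
    external = [a for a in forward if not a.endswith("@" + internal_domain.lower())]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    return findings


def triage_rules(rules, internal_domain: str) -> dict:
    """Map rule name -> findings for every rule with at least one indicator,
    ordered so the rules with the most indicators come first."""
    flagged = {}
    for rule in rules:
        found = rule_findings(rule, internal_domain)
        if found:
            flagged[rule["name"]] = found
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


# Constructed rules, resembling what an export from a compromised mailbox
# might contain. The ".." rule is the hiding rule described in the text.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@"],
     "move_to": "Newsletters", "mark_read": False},
    {"name": "..", "subject_contains": ["invoice", "payment", "wire"],
     "move_to": "RSS Feeds", "mark_read": True},
    {"name": "Cleanup", "subject_contains": ["hacked", "phishing", "suspicious"],
     "delete": True},
    {"name": "Backup", "from_contains": ["@"],
     "forward_to": ["archive.mail77@example.net"]},
    {"name": "Out of office", "subject_contains": ["OOO"],
     "move_to": "Inbox", "mark_read": True},
]


if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES, "samplecompany.com").items():
        print(f"[{len(findings)}] rule {name!r}")
        for f in findings:
            print("     -", f)
```

In Exchange Online the equivalent inventory comes from the Get-InboxRule cmdlet (per mailbox, or across all mailboxes in a loop); map its output onto the schema above, and treat any rule created around the time of a suspicious sign-in as a priority for the timeline.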
Having your domain spoofed can also make phishing campaigns against your own staff more successful, exposing you to an internal compromise. Attackers use social engineering and open source intelligence to learn who your C-suite is, then create spoofed addresses in those executives' names to trick employees into clicking on the phish.
The final consideration is the reputational harm that can stem from this type of incident. It can severely tarnish an organization's brand.
Based on the study done and our experience, we want to stress the importance of examining these risks and, at the very least, locking your domains so that they cannot be changed or transferred easily. Taking the additional steps in this article can help you prevent your e-mail from being spoofed.
Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.