Ransomware and cybercrime have had a major presence in the media this past year with some very prominent attacks happening in 2021 making headlines as well as government-issued executive orders emphasizing the need for stronger cybersecurity. This has resulted in many organizations taking action to bolster their security efforts which can make it difficult for cyber criminals to successfully conduct their attacks. However, as organizations and the security industry grow and adapt so do our adversaries.
With the growing popularity of ransomware and publicized payouts showing huge financial gain (often in the millions), cyber criminals have never been more motivated. Attackers want to gain access to your files; they want to defraud your customers, your supply chain partners and your employees with financial motivation fuelling their efforts. We have seen them adopting much more advanced tactics, techniques and procedures to infiltrate victim networks. Now, more than ever it is important to keep up to date with security trends, safeguards and keep security planning and hardening as a topic of corporate conversation. Often, we see corporations that have a security focus pertaining to their own environment building strong walls around their perimeter. However, there is less concern, thought or controls in place about ways cyber criminals can impact your business without having to even enter or penetrate your network at all.
The likelihood is that your organization has websites or at least has registered web URLs — the names by which we find places on the Internet. I'd venture to guess that as an Internet user, you know that entering "www.amazon.com" in the address bar of a web browser will take you to the e-commerce giant's website home page. But I'd also guess that you don't know Amazon's IP address that you would have to enter to get there. The Internet's Domain Naming System (DNS) handles the translation from the URLs that we know to the IP addresses that the Internet needs to route us to the right place.
Unfortunately, in many cases it has become too easy for a criminal to falsify a process that changes the IP address associated to a URL and redirect not only web traffic but e-mails as well.
As with most problems in security, there is no magic solution. Criminals can register domain names very similar to yours — they can register "samplecOmpany" where the legitimate name is "samplecompany." Or they can register in a different top-level domain — samplecompany.web where the real URL is samplecompany.com. But worse, they can, as noted earlier, fool your domain registrar into changing the IP address of your domain to something they control. Of course, if the domain is "locked" making the change becomes far more difficult. At the very least, every organization should assure that whoever manages their URLs has locked their domains with the appropriate domain registrar.
There are additional steps you can take to prevent the e-mail addresses associated with your URLs from being spoofed and used as the basis for data theft and fraud. These include:
- Monitor similar domain registrations. You can see if similar domain names to yours have been registered. Unfortunately, given the virtual shutdown of the "whois" Internet service that for the prior 20 years enabled anyone to find out who registered a domain name, finding out who registered similar sounding or spelled domains may be very difficult and time consuming. Given the number of top-level domains (TLDs) now in place — more than 1,500 — proactively grabbing all of the domains that could cause problems for you is probably unrealistic.
- To help deal with e-mail sent out with forged addresses to make them appear to have been sent by your organization, consider implementing what is called "Domain Keys Identified Mail" (or DKIM). This involves setting parameters on your actual domain that attach a digital signature to your outgoing e-mail traffic that can be used by the recipient's servers to determine that it came from you. This is done by the server accessing the public key of the encrypted signature and using it to show that the signature is authentic. It is very helpful, but like all other cybersecurity measures it works best in conjunction with other protective tools to form multiple levels of protection. A recent study found that only 11 per cent of the domains examined had implemented DKIM protection.
- The study found that most organizations were using the "Sender Policy Framework" (SPF) service. This service enables your organization to digitally publish a list of the IP addresses of servers that you have authorized to send mail messages from your organization. This is done through the DNS, and you have to provide a specially formatted line of code to implement it, but a knowledgeable e-mail administrator or your person dealing with the URL registrar should know how to do it. Note that this list of authorized servers can also contain third parties who you have authorized to send e-mails on behalf of your URL.
- SPF and DKIM are also important as part of a more comprehensive solution called "DMARK." This is a more comprehensive solution — also implemented through DNS — that encompasses both SPF and DKIM. The details of DMARK are beyond the scope of this article, but it is something that you should consider.
- Many companies have registered URLs that they aren't using. Some may have been registered simply to prevent a competitor or criminal enterprise from registering it. Some may have been registered for potential future use and be based on a service or product name. While they are, from your viewpoint, inactive, they are nonetheless at risk. For inactive sites, you should make sure that the registrar shows them to be domain-locked. You can also put SPF, DKIM and DMARK entries into the record used by the DNS that indicate that the URL is not sending out any authorized e-mail and is, in fact, not in active use.
We have responded to many different situations of abuse from similarly named domains. The most common is using the domain to conduct phishing campaigns against the organization's customers. This can result in your clients suffering an attack and could open your organization up to risks of a phishing e-mail or e-mail spam campaign stemming from your clients. We see that a large amount of business e-mail compromises come from an employee clicking on an e-mail from a known and trusted source, not realizing that their customers/clients e-mail had been compromised.
Typically, these types of phishing e-mails are very successful at getting through spam filters because they are coming from an e-mail you normally communicate with and trust — they also typically send the phish on a chain that a conversation was already occurring in to create a false sense of security. These types of attacks are normally stealthy on the compromised victim side too, usually the attacker would add rules to the inbox to prevent the owner of the mailbox from realizing they have been compromised at all. These rules usually direct the e-mail (based on the subject line) to a folder and mark it is as read so that the primary owner of the inbox never sees any of the phishing traffic.
Having your domain spoofed can also result in more successful phishing campaigns against your internal organization opening yourself up to a potential internal compromise. Attackers can use social engineering and open source intelligence to learn things like who your C-suite is and create spoofed addresses to trick your internal employees into clicking on the phish.
The final consideration is the reputational harm that can stem from this type of incident. It can severely tarnish an organization's brand.
Based on the study done, and our experience, we want to stress the importance of looking at these risks, and at least taking the precaution of locking the domains so that they can't be changed or transferred easily. Taking the additional steps in this article can help you to prevent your e-mail from being spoofed.
Talk to a Kroll Expert
Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll expert today via our 24x7 cyber incident hotlines or our contact page.