“Hey Security, Impersonators Keep Spoofing our Domains and Websites”


A security professional receives disturbing news from their company’s customer experience team. Dozens of customer calls are flooding the call centers, and the complaints are alarming: customers are losing control of the online accounts they have with the company. Some say the website domain looked just as expected from the brand. Others claim the domain looked nothing like what they had previously experienced.

Recently, the company made headlines with a highly anticipated product announcement coupled with a celebrity-driven promotional campaign. While the news generated a huge boost in website traffic, it also piqued the interest of cybercriminals, who began building internet infrastructure – domains and phishing pages – that looks just like the real brand’s.

Stories like this are increasingly common. As organizations shore up the defenses of their owned digital properties, opportunistic threat actors often choose the path of least resistance and spoof those properties – and without the right tools, impersonation scams can be lucrative without ever having to cross a target’s perimeter.

In part one of this three-part blog series, we discussed the value threat intelligence contributes to improve brand protection and decision making. Here in part two, we’ll talk about the role intelligence plays in protecting your brand’s domain.


Uncovering Domain Impersonations with Cyber Intelligence

Let’s say the security pro in our example above purchased domain protection to combat phishing and domain typosquatting. It’s likely they would find many more domains and phishing pages attempting to steal customer and employee credentials. These credential harvesting scams can lead to many bad situations for customers and the company. Criminals sell collections of stolen customer credentials in the Underground Economy (AKA the Deep and Dark Web). Employee credentials will be used to attempt to remotely access company resources. Often the criminals sell those legitimate credentials to other criminals called “initial access brokers.” These brokers then sell the credentials to the threat actor who plans to steal intellectual property from the organization and/or extort victims to unlock data or keep sensitive information private.

Customers expect the brands they support to look out for them. A 2021 global consumer survey revealed nearly half of respondents trust the company less after receiving scam messages. Another study estimates that 1.5 million phishing sites are created every month. All of these lookalike domains and phishing websites threaten the trust your company has built with your customers. 

Domain protection is a start (and a common starting point for many organizations seeking to build a threat intelligence program). Now is the time to get more proactive about detecting and disrupting threat actor infrastructure. This is where maturing your threat intelligence program comes in.

Addressing Phishing and Domain Typosquatting with Threat Intelligence

Security leaders make a lot of decisions to protect the company’s intellectual property and are increasingly relied upon for decisions to ensure customer trust. How does the security pro know which domains and URLs they can ignore and which are likely part of a transnational criminal organization or state threat actor’s infrastructure? Questions like this are where the added context from threat intelligence improves decision making, protects customers, and increases costs to the threat actors.

When we find impersonations of our customers’ domains, we often get questions and requests like these:

  • Can you analyze this phishing kit for us?
  • Can you find if any of our customers or employees entered credentials into this phishing website?
  • Who is the threat actor building these phishing websites?
  • What malware or exploits does this webpage mimicking our website have?

Domain typosquatting isn’t just for unsophisticated malicious hackers anymore. Remember, threat actors choose the lowest cost, lowest risk tactics and tools to achieve their goals. Typosquatting and phishing tactics work often enough and are incredibly cheap. 
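To show what “cheap and effective” looks like from the defender’s side, here is an added example (not ZeroFox’s code; the brand domain `example.com`, the homoglyph table and the feed of observed domains are all constructed) that enumerates the common typo permutations of a brand domain and triages a feed of newly observed domains into exact typosquats, brand-in-label lookalikes, near-misses by edit distance, and unrelated noise. It generalizes slightly beyond the text by combining several permutation classes in one pass.

```python
"""Typosquat candidate generation and lookalike triage for a brand domain.
Added illustration, not ZeroFox code. The brand, homoglyph table, alternate
TLDs and the observed-domain feed are constructed for the example."""
from __future__ import annotations

BRAND = "example.com"  # constructed brand domain
# A small homoglyph/keyboard-confusable table; real tooling uses a much larger one.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
ALT_TLDS = ("net", "org", "co", "info", "xyz")


def _split(domain: str) -> tuple[str, str]:
    """Return (label, tld) for a simple second-level domain."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typo_variants(domain: str) -> set[str]:
    """Enumerate omission, transposition, repetition, homoglyph, hyphenation and TLD-swap variants."""
    label, tld = _split(domain)
    labels: set[str] = set()
    for i in range(len(label)):                       # omission: exmple
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                   # transposition: exmaple
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                       # repetition: examplle
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])
    for i, ch in enumerate(label):                    # homoglyph: examp1e
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, len(label)):                    # hyphenation: exam-ple
        labels.add(label[:i] + "-" + label[i:])
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}  # TLD swap: example.co
    return variants


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used as a fallback for variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(candidate: str, brand: str, variants: set[str]) -> tuple[str, str]:
    """Classify one observed domain relative to the brand. Returns (verdict, reason)."""
    brand_label, _ = _split(brand)
    label, _ = _split(candidate)
    if candidate.lower() == brand.lower():
        return "own", "the brand domain itself"
    if candidate.lower() in variants:
        return "typosquat", "matches a generated permutation"
    if brand_label in label:
        return "brand-in-label", f"label contains '{brand_label}'"
    dist = levenshtein(label, brand_label)
    if dist <= 2:
        return "lookalike", f"edit distance {dist} from '{brand_label}'"
    return "unrelated", f"edit distance {dist}"


def triage(feed: list[str], brand: str) -> list[tuple[str, str, str]]:
    """Return (domain, verdict, reason) for every feed entry that is not 'unrelated' or 'own'."""
    variants = typo_variants(brand)
    hits = []
    for domain in feed:
        verdict, reason = score_domain(domain, brand, variants)
        if verdict not in ("unrelated", "own"):
            hits.append((domain, verdict, reason))
    return hits


# Constructed feed standing in for a newly-registered-domains or passive-DNS stream.
FEED = [
    "exmaple.com", "examp1e.com", "example-login.net", "examplle.com",
    "shopping-deals.com", "exampel.org", "example.co", "paypal-example.com",
]

if __name__ == "__main__":
    for domain, verdict, reason in triage(FEED, BRAND):
        print(f"{domain:22} {verdict:15} {reason}")
```

The verdict is only the first step: “typosquat” entries with no content belong on a watch or backorder list, while “brand-in-label” hosts that actually serve pages are the ones worth an RFI, since that is where credential harvesting normally sits.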

Threats to Critical Infrastructure

For example, in one of several indictments, the U.S. Department of Justice revealed Russian military intelligence officers created domain names mimicking the organizations they were targeting. In Figure 1 below, the state threat actors created these domains to target a strategic supplier of nuclear reactors to US electric generation companies and the international organization that polices the use of performance enhancing drugs and treatments. So while it wouldn’t have been wrong for those organizations to request an immediate takedown of the fraudulent domains, the better decision, based on threat intelligence, would have been to immediately alert law enforcement and limit the company’s users from interacting with the risky domain. Threat intelligence gives defenders the information necessary to make better, risk-informed decisions.

Figure 1: Paragraph from US DOJ indictment

Domain “Investing”

On the other end of the spectrum, many domain typosquats require no action on the part of the security leader at the moment of discovery. For example, if when shopping for a new power tool, you inadvertently mistyped, you might end up on this parking page (Figure 2). There are countless scammers that make a living registering domains that look like a brand but never host any content. These “domain investors” typically attempt to extort a “finder’s fee” from the company that is anywhere from 100 to 1000 times the cost to register a new domain. Threat intelligence helps identify these scammers’ patterns of life. With this intelligence, a company can safely ignore these extortion attempts and add the domains to their registrar’s secondary buy list. Such a list will buy the domain in question for the normal price after the scammer inevitably fails to re-register the domain for another year. Taking control of the typosquatted domain prevents threat actors from exploiting it.

Figure 2: a typical parking page for a domain with no content and the real page

The same intelligence-driven strategy should be used for assessing the threat of a phishing page. Separating widespread phishing for financial gain from narrowly targeted, state-nexus phishing is challenging but worth the effort to best protect customers and your company and raise costs for the threat actors. By submitting an intelligence request for information (RFI), an intelligence firm can analyze a phish kit to assess the probable intent of that particular threat actor. Further Underground Economy research will often reveal the sellers of the phish kit. Identifying the phish kit’s origin can aid threat attribution efforts and support monitoring for changes to the phish kit code to ensure detection rules are updated.

Compromised Credentials are Commonplace

Your employees and customers will inevitably have compromised credentials, whether they were phished or not. Threat actors routinely seek out credentials at breached organizations to enable further intrusions, remote access, and data theft. These credential databases are divided and sold in the Underground Economy. Monitoring for compromised account credentials helps identify employee and customer accounts most at risk for takeover. Preventing customer account takeover is a great way for companies to maintain customer trust.
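As an added example of the monitoring step described above (not ZeroFox’s code; the directory entries, salts and the leaked credential list are all constructed), the block below matches a leaked email/password list against an internal directory and decides, per account, whether to force a reset (the leaked password still works), merely notify (the account appears in the leak but the password differs), or do nothing. It hashes with stdlib PBKDF2 at a deliberately low iteration count so the example runs quickly; a production directory would use a slow hash such as bcrypt or Argon2 at proper cost.

```python
"""Compromised-credential triage: leaked list vs. internal directory.
Added illustration, not ZeroFox code. Accounts, salts and the leaked list
are constructed; the iteration count is kept low only for the example."""
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 10_000  # low for the example; real systems use far more or a memory-hard hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the directory actually stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(email: str, password: str) -> dict:
    """Build a constructed directory record with a fresh random salt."""
    salt = os.urandom(16)
    return {"email": email.strip().lower(), "salt": salt, "hash": hash_password(password, salt)}


# Constructed internal directory (emails normalized to lowercase).
DIRECTORY = [
    make_account("alice@example.com", "Winter2024!"),
    make_account("bob@example.com", "correct horse battery"),
    make_account("carol@example.com", "unique-pass-9"),
]

# Constructed leaked (email, plaintext) pairs, as they appear in a criminal combo list.
LEAKED = [
    ("Alice@Example.com", "Winter2024!"),   # same password still in use -> force reset
    ("bob@example.com", "hunter2"),         # account in the leak, different password -> notify
    ("dave@other.com", "whatever"),         # not one of ours
]


def triage_exposure(directory: list[dict], leaked: list[tuple[str, str]]) -> dict[str, str]:
    """Return {email: 'force_reset' | 'notify' | 'ok'} for every directory account."""
    by_email: dict[str, set[str]] = {}
    for email, pw in leaked:
        by_email.setdefault(email.strip().lower(), set()).add(pw)

    verdicts: dict[str, str] = {}
    for acct in directory:
        leaked_pws = by_email.get(acct["email"])
        if not leaked_pws:
            verdicts[acct["email"]] = "ok"
            continue
        # Re-hash each leaked candidate under the account's salt; constant-time compare.
        reused = any(
            hmac.compare_digest(hash_password(pw, acct["salt"]), acct["hash"])
            for pw in leaked_pws
        )
        verdicts[acct["email"]] = "force_reset" if reused else "notify"
    return verdicts


if __name__ == "__main__":
    for email, verdict in triage_exposure(DIRECTORY, LEAKED).items():
        print(f"{email:20} {verdict}")
```

The “notify” tier matters for the ROI argument later in the post: an account that appears in a leak with a stale password is still a phishing and password-reuse risk elsewhere, and counting those alongside forced resets gives a measurable number of takeovers averted.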

How to Sell TI Value to Your C-Suite

Let’s be real: Gaining more budget for threat intelligence (or virtually anything perceived as a cost center) is challenging. The challenge to increase intelligence investment is compounded by the fact that it’s inherently difficult to measure ROI. However, we can calculate fraud from customer account takeovers and breach costs from employee account takeovers. By monitoring for compromised account credentials and forcing password resets to exposed accounts, we can see a decline in customer fraud and employee account takeovers, thereby saving the company more than it spends on maturing its threat intelligence program. Additionally, through the visibility gained via threat intelligence, we may discover an intrusion in process and can begin containing and eradicating the threat prior to a data breach.

When threat intelligence identifies domain impersonations or phishing scams related to a state threat actor (rather than a financially motivated criminal actor), the impact will be even greater. Threat intelligence can unravel an adversary’s campaign to degrade critical infrastructure or meddle in elections. Regardless of the company size, security leaders can help defend their customers, employees, and broader communities from both criminal and state threat actors by integrating threat intelligence in their security and trust strategies.

How Threat Intelligence Enhances Your Customers’ Experience

CISOs are increasingly responsible for protecting their organization’s ‘trustworthiness’ in the marketplace. Customers and employees are increasingly frustrated by the relentless barrage of fraudulent emails and text messages impersonating brands. You may not see the impersonators in your logs, but that doesn’t mean consumers aren’t interacting and communicating with the fraudulent infrastructure. Put simply, threat intelligence provides deeper visibility into how threats abuse your brand outside your corporate perimeter, helping to ensure customer and employee trust.

So when your customer experience team alerts you to another phishing campaign targeting your customers, consider an intelligence-driven strategy that protects them and your brand’s reputation. Cybersecurity can help preserve loyalty to your brand. After all, it costs more to gain new customers than it does to retain existing ones.

In the final post in this series, I will expand the discussion around threat intelligence and corporate security requirements necessary to protect an organization’s people – particularly their executives and VIPs.
