3 Impersonation Attack Examples to Watch Out For


Brand abuse is more than a marketing problem — it’s a security challenge that threatens the entire organization and all its stakeholders. The volume, location, and sophistication of impersonations make it difficult for security teams to tackle alone. In recent years, ZeroFox has observed a trend towards more sophisticated campaigns that rely on a combination of look-alike domains, fake accounts on social media, fraudulent mobile apps and fake customer support services. As impersonation tactics become increasingly complex, this has opened the door for specialization and created new opportunities for criminal services. With interwoven impersonations across the digital threat landscape, it can be difficult for security teams to know where to focus their efforts. ZeroFox recently published a whitepaper on impersonations and brand abuse. In this post, we’ll review a few impersonation attack examples security teams should be aware of and how to address them.

Impersonation Attack Example #1: The Spoofed Domain

The online presence maintained by organizations often serves as the first point of contact with consumers. Malicious, spoofed domains offer hackers endless possibilities, including phishing, vishing, ad fraud and malware. An actor can use a malicious domain to establish pre-attack infrastructure or to gain initial access to an organization. In every case, one thing remains constant: the actor is using your legitimate name to drive traffic to malicious activity. 

This impersonation attack example begins by identifying a target, typically an organization with name recognition, like a well-known financial institution, and registering a domain name similar to the target’s. This could be a slight variation of the brand name with a common misspelling, an abbreviation of the name or a homoglyph that may go undetected. Once the domain is registered, the adversary will likely host it with known bulletproof hosting providers in order to avoid detection and takedown.

Japanese phishing page impersonating Apple

Once hosted, the actor typically takes one of two paths: leaving the domain benign, to at least temporarily reduce the possibility of detection, or building a campaign around it. Actors rely on domains for web-based, email-based and multichannel campaigns. If the actor’s goal is primarily email phishing, they may choose to leave the domain as a parked page to reduce the likelihood of detection and avoid any appearance of weaponization. If the criminal also wants to direct people to the web page, to steal credentials or distribute malware for instance, they’ll copy content from the organization’s legitimate domain to look credible. This includes the logo, brand colors, layout of the site and even the site’s code to ensure a close match.

How to Stop Domain Impersonations

Actors rely on both benign, parked domains and actively weaponized domains to conduct impersonations. It is impossible to know if, or when, a hacker may switch a domain from benign to weaponized, and once they do, it may be too late to take action before the site can reach your customers. The sheer number of such domains makes them difficult to tackle manually. Without automation, it can be difficult to find domains impersonating your brand, particularly if they aren’t using a direct name match. Relying on an external provider for both the identification and takedown of the malicious domain can help navigate complex processes.
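The automated check the paragraph above calls for, as an added example that is not ZeroFox’s code: it folds each label of a candidate domain to the letters a reader would perceive (case, hyphens, accents, digit and Cyrillic confusables, the “rn”/“m” pair, punycode), then scores it against the brand so misspellings, embedded brand names and homoglyph registrations are all caught without a direct name match. The brand “acmebank”, the confusables subset and the candidate domain list are constructed for this example.

```python
import unicodedata
from difflib import SequenceMatcher

# Confusables folded to the ASCII letter they imitate: a constructed subset for this example, not
# the full Unicode confusables table a production monitor would use.
SINGLE_GLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s",                      # digits as letters
                 "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x"}   # Cyrillic look-alikes
MULTI_GLYPHS = {"rn": "m", "vv": "w"}                                          # letter pairs

def fold(label: str) -> str:
    """Reduce one DNS label to the ASCII letters a reader would perceive (case, hyphens, accents, confusables)."""
    label = label.lower().replace("-", "")
    label = "".join(c for c in unicodedata.normalize("NFKD", label) if not unicodedata.combining(c))
    label = "".join(SINGLE_GLYPHS.get(c, c) for c in label)
    for glyph, letter in MULTI_GLYPHS.items():
        label = label.replace(glyph, letter)
    return label

def normalized_labels(domain: str) -> list:
    """Decode punycode (xn--) labels, drop the TLD and a leading www, fold the rest."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: fold it as given
    labels = domain.lower().rstrip(".").split(".")[:-1]  # assumes a one-label public suffix
    return [fold(l) for l in labels if l != "www"]

def lookalike_score(brand: str, domain: str) -> float:
    """1.0 = a label equals the brand after folding, 0.95 = brand embedded in a label, else edit similarity."""
    brand = fold(brand)
    best = 0.0
    for label in normalized_labels(domain):
        if label == brand:
            return 1.0
        best = max(best, 0.95 if brand in label else 0.0, SequenceMatcher(None, brand, label).ratio())
    return best

def flag_lookalikes(brand: str, candidates, allowlist, threshold: float = 0.8) -> list:
    """(domain, score) for each candidate not on the allow-list scoring >= threshold, best first."""
    hits = [(d, round(lookalike_score(brand, d), 2)) for d in candidates if d.lower() not in allowlist]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: (-h[1], h[0]))

# Constructed sample of newly observed registrations, as a feed would show them (IDNs in punycode).
CANDIDATES = [
    "acmebank.com",                                  # the real domain, on the allow-list
    "acrnebank.com",                                 # "rn" imitating "m"
    "acmebnk.com",                                   # dropped letter
    "acme-bank-login.com",                           # hyphens plus an extra word
    "acmebank.secure-update.net",                    # brand used as a subdomain elsewhere
    "acmеbank.com".encode("idna").decode("ascii"),   # Cyrillic "е" (U+0435) replacing Latin "e"
    "example.org",                                   # unrelated
]
```

Abbreviations of the brand (for instance a four-letter short form) score low under pure edit similarity, so they need their own entries in the brand list rather than relying on the threshold.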

Impersonation Attack Example #2: The Fake Account 

Perhaps the most widely known impersonation attack example is the fake social media profile. While security teams may not traditionally think of social media accounts as “assets”, they provide real value in engaging with customers and building awareness, and therefore require protection like all other digital assets. Affecting everyday people and businesses alike, fake accounts on social media provide lucrative opportunities for hackers because they are quick and free to set up and immediately provide an audience – the legitimate network of the real account. Alongside corporate social media impersonations, hackers create fraudulent social media accounts tied to high-profile individuals within a financial institution in order to target employees and consumers alike. Once created, these profiles can be used to phish, steal information and gain access to internal systems.

Impersonation profile on Facebook of the well-known CEO, Elon Musk

Hackers also impersonate other influential members of an organization, such as HR professionals, in order to target employees. In doing so, they are able to influence employees to share PII and other sensitive information, and even to gain access to internal systems.

How to Manage Fake Accounts on Social Media

For impersonation attack examples like social media accounts outside your direct control, timely awareness and response are key to mitigating damage. Early warning of impersonations, attempted account takeovers or physical threats to executives, together with awareness of attack planning in dark web chatter and of breached data or stolen credentials being advertised, gives organizations real-time situational awareness and the indicators they need to remediate quickly. Ultimately, it’s important to think beyond your security perimeter and focus on the capabilities that give you visibility and remediation options on digital platforms such as social media. This will allow you to understand the scope of the threats at play and prevent harm rather than just reacting to it.

Impersonation Attack Example #3: The Fraudulent App 

As mobile banking technology has improved, hackers have found a window of opportunity in banking malware on mobile devices. Hackers create apps with similar names, imagery and descriptions to legitimate mobile banking apps in order to trick unsuspecting users. These apps are typically offered on less regulated stores such as Google Play and third-party stores. The targets of this impersonation attack example tend to be users who either cannot access the official app store or don’t speak the primary language of the targeted financial institution’s customer base.

Sample malicious APK and Android mobile app

How to Address Fraudulent Mobile Apps

Addressing fraudulent mobile apps requires that you first make sure your own legitimate apps are clearly distinguishable and easy for customers to find. Placing app download links on websites, on social media, in email signatures and other places where consumers may engage with the financial institution helps ensure they access the correct app. Monitoring third-party app stores is critical to quickly identifying fakes. 

Learn about other impersonation attack examples

Want a more in-depth look at impersonation attack examples and techniques? Download ZeroFox’s latest whitepaper on impersonations and brand abuse targeting financial services. To learn more about ZeroFox’s impersonation detection and remediation capabilities, check out our webpage here.