Fake lies matter: Brand impersonation attacks
While many news articles, white papers, and security products focus on 0-days and software vulnerabilities, the core vulnerability of all of our information technology is people. Our entire tech stack makes it easy for users to make mistakes, because the fundamental problem is that there is no good way to authenticate anyone or anything online. In 1993, a New Yorker cartoon famously observed, "On the Internet, nobody knows you're a dog", and not much has changed in 28 years.
One of the key ways attackers get an initial foothold into organizations is by tricking users into compromising themselves, often through brand impersonation. A recent study counted 88 instances of malicious mobile apps attempting to impersonate TikTok. The reason: people share TikTok videos, it is immensely popular, and it carries a trusted brand name, so people feel safe.
“Give a man a 0-day, he’ll pwn for a day. Teach a man to phish, he’ll pwn for a lifetime.” -- @theGrugq
At the enterprise level, these forms of brand impersonation matter. An attacker does not need to impersonate a business partner; they just need something one employee will access or download, and go from there. That said, many of the brand impersonation attacks directed at enterprises do impersonate the specific partners that enterprise uses.
Probably the most famous case is the impersonation of the IT provider of the Democratic National Committee, which led to a series of breaches of political organizations during the 2016 election. The Russian attackers, in part, registered a look-alike of the MIS Department name (transposing the r and t) to trick their victims, which ultimately became a large and public breach of organizations involved in the 2016 election. Typosquatting is an effective technique for fooling users, especially when combined with spear-phishing that elicits some action on the part of the victim.
Any communication that asks you to take a sensitive action (installing software, anything regarding financial transactions or PII, information regarding employment and/or benefits, or anything that leads to a logon page) should be examined closely for typo-squatted domains. Other popular tricks include inserting dashes, replacing "/" characters with "." so that a trusted hostname becomes a subdomain of the attacker's domain (sso.company.com/login turns into sso.company.com.attacker-domain.net), registering the brand under a different top-level domain, and using internationalized (IDN) characters that render like Latin letters.
Most organizations use some form of single sign-on or centralized authentication service. Each employee should memorize its URL (at least the hostname portion) so that, whenever they are asked to enter credentials, they can confirm those credentials are going to the trusted authentication service and not to cyber-criminals. The check is an exact match on the hostname: a page whose address merely contains the familiar name somewhere is not the same thing.
Specific roles in any organization should also be aware of the particular risks they face. Anyone in accounts receivable has likely seen fake purchase orders or invoices sent their way, and who doesn't like receiving money? Many organizations operate so as to minimize any and all friction when it comes to receiving money. Attackers know this, so they use our motivations, current events, and emotions to encourage us to skip the warning signs and go all the way through the chain of compromise.
Anyone working in network/system administration or security is also a prime target. These users often have privileged access, and compromising them makes it more straightforward to take over an entire organization. The brands useful for attacking people in finance/accounting, however, differ from the ones you would use against IT support staff. Though specific roles face unique threats, anyone with a login in an enterprise environment can be targeted to gain a foothold.
Organizations can take proactive measures to counter these socially engineered attacks by following these practices:
- Block known phishing or bullet-proof hosting networks at the perimeter.
- Create a reliable feed of brand impersonation hostnames that can be blocked in your DNS server.
- Actively manage your endpoint and security data to detect or quickly respond to the impacts from brand impersonation attacks.
- Proactively monitor security and network logs for indicators of brand impersonation so the attack can be disrupted before the adversary takes full control and the options become more limited.
- Conduct continuous security awareness training for employees so they stay alert to suspicious messages and phishing attempts.
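The following is an added example, not code from the original article, that turns the look-alike tricks described earlier (transposed letters, inserted dashes, a trusted hostname stuffed into an attacker's subdomain, a different TLD, IDN homoglyphs) and the exact-hostname SSO check into a small classifier, then runs it over DNS query logs to produce the kind of blocklist feed and log-monitoring indicators the list above calls for. The trusted hostnames (sso.example.com and misdepartment.com, assumed here to be the provider's legitimate domain), the log format, and the log lines are all constructed for illustration; the two-label "registrable domain" heuristic stands in for a public-suffix list.

```python
"""Lookalike-domain checks: transposition, dashes, "/"-to-"." host stuffing,
alternate TLD and IDN homoglyphs, plus an exact-host SSO check and a DNS-log
scan.  Trusted hosts and log lines are constructed for illustration."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumed: the organisation's SSO host and a trusted IT provider's domain.
TRUSTED_HOSTS = {"sso.example.com", "misdepartment.com"}

# Characters that render like Latin letters: digits, letter pairs, Cyrillic.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def registrable(host):
    """Last two labels.  Assumption: no public-suffix list, so multi-label
    suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(label):
    """Fold a label to a comparable form: decode punycode, strip accents,
    drop dashes and map homoglyphs to the Latin letters they imitate."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: one edit or one adjacent swap costs
    1, so 'depatrment' is at distance 1 from 'department'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host, trusted=TRUSTED_HOSTS):
    """Return why host looks like an impersonation of a trusted host, or None
    if it is a trusted host (or a subdomain of one) or simply unrelated."""
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return None
    label = registrable(host).split(".")[0]
    for t in trusted:
        brand = registrable(t).split(".")[0]
        if host.startswith(t + "."):  # sso.example.com/login -> sso.example.com.evil.net
            return f"trusted name {t} stuffed into a subdomain of {registrable(host)}"
        if label == brand and registrable(host) != registrable(t):
            return f"{brand} registered under another TLD ({registrable(host)})"
        sk = skeleton(label)
        if sk == skeleton(brand) and label != brand:
            idn = label.startswith("xn--") or not label.isascii()
            return f"{'IDN/homoglyph' if idn else 'dash/homoglyph'} lookalike of {brand}"
        if osa_distance(sk, skeleton(brand)) == 1:
            return f"one-edit lookalike of {brand} (typo or transposition)"
    return None


def is_trusted_login(url, sso_host="sso.example.com"):
    """The check to make before typing SSO credentials: the URL's hostname
    must equal the memorised SSO host exactly; 'contains' is not enough."""
    host = (urlparse(url).hostname or "").rstrip(".")
    return host == sso_host.lower()


LOG_RE = re.compile(r"query=(?P<qname>\S+)")
IDN_LABEL = "ex\u0430mple".encode("idna").decode("ascii")  # Cyrillic а, as a resolver logs it

# Constructed resolver log lines (not from any real deployment).
SAMPLE_DNS_LOG = [
    "2021-03-01T09:00:01Z client=10.1.2.3 query=sso.example.com. type=A",
    "2021-03-01T09:00:07Z client=10.1.2.9 query=misdepatrment.com. type=A",
    "2021-03-01T09:01:12Z client=10.1.2.9 query=mis-department.com. type=A",
    "2021-03-01T09:02:40Z client=10.1.2.4 query=sso.example.com.login-portal.net. type=A",
    f"2021-03-01T09:03:05Z client=10.1.2.5 query=sso.{IDN_LABEL}.com. type=A",
    "2021-03-01T09:03:30Z client=10.1.2.7 query=misdepartment.net. type=A",
    "2021-03-01T09:04:00Z client=10.1.2.6 query=www.wikipedia.org. type=A",
]


def scan_dns_log(lines, trusted=TRUSTED_HOSTS):
    """Return (qname, reason) for every flagged query: raw material for a
    DNS blocklist feed and for alerting on the client that asked."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            reason = classify(qname, trusted)
            if reason:
                hits.append((qname, reason))
    return hits


if __name__ == "__main__":
    for qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{qname:45} {reason}")
    print(is_trusted_login("https://sso.example.com.login-portal.net/auth"))  # False
```

Two caveats for real use: the one-edit rule will flag legitimate names that happen to be one character from a short brand, so restrict it to brands of a reasonable length or to newly registered domains, and the homoglyph table here covers only a handful of Cyrillic letters; a production feed should use the full Unicode confusables data and a public-suffix list.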
John Bambenek is Principal Threat Hunter at Netenrich. He is a respected global cybersecurity expert and threat researcher. For over twenty years, John has advised Fortune 500 companies and government agencies on threat intelligence, incident response, and SOC operations. He has investigated major cyber threats and criminal organizations while coordinating with US and foreign law enforcement entities. John is currently an incident handler at the SANS Internet Storm Center and President of Bambenek Consulting. Previously, he led security research and threat intelligence at ThreatSTOP, Fidelis Cybersecurity, and SANS Institute. He is an admired industry speaker, known for presenting at RSA, BlackHat, Defcon, Shmoocon, and various SANS conferences.