BLOG

Don’t Lose Customers Because of Your Website

Since the dawn of phishing way back in the 90s, one of the tactics phishers have used to deceive their victims is a domain name that is, at a glance, the same as the domain of the target site. For example, attackers who are building a phishing campaign to target customers of www.alluresecurity.dream.press may go out and register a very similar domain, such as www.aliuresecurity.com orwww.ailuresecurity.com or www.alluresecurlty.com. They all look convincing enough to pass for the real domain name. Capital “i” looks a lot like lower case “L”. Because these domains are so convincing, monitoring new DNS registrations for look-alikes (or “typosquatting domains,” as they’re often called) has become a tactic that nearly every corporate security team employs. Free and effective tools like dnstwister are easy to use and accessible to all. Any organization can and should identify these potential attack domains and take action, right at registration time.

Unfortunately (or fortunately for the hacker), it doesn’t require a convincing-looking domain to make a successful phishing campaign. Late last year, McAfee published the results of a survey on phishing. Their key finding: 37% of American respondents admit that they don’t check an email sender or retailer’s website for authenticity. This means that attackers can put up their phishing sites anywhere they want. And they are doing exactly that; taking advantage of the fact that many people don’t do their diligence before clicking on links and conducting business online.

The researchers at Allure Security see the evidence of attackers bypassing domain monitoring every day. A spoof bank login hosted on a coffee shop’s website; a fake online dating login hosted on a ballet studio’s website, a malicious webmail login page hiding behind a beauty salon’s site. The list goes on – and these are just the ones where an attacker compromised someone else’s legitimate web domain to host their attack. We also see many instances where attack sites are hosted on short-lived domains with random looking names that appear to have no other purpose beyond hosting spoof brand pages.

Protecting your brand from today’s phishing attacks that target your customers requires a detection strategy that extends beyond domain monitoring. It’s critical to be able to find phishing and other brand spoof sites that don’t just imitate your domain name. Here are some tips on how to do that:

1. Know your content. For someone to spoof your site, they’ll need your content. Logos, taglines, text, background images, headers, footers, custom fonts – all those things go into building a realistic-looking phishing site. Use tools that can monitor the internet for your content being scraped and used in unauthorized spots.
2. Know your usage patterns. Often times, the tools attackers use to scrape your content behave very differently from a normal browser when they access your site. Examine your logs for evidence of unusual access, especially where your key visual content is accessed outside of a normal page load pattern. That’s a sign someone is pulling together what they need to spoof your site. Unusual referrers can also be a source of valuable intelligence.
3. Examine new domains. It’s easy to get a list of new domains from tools like https://www.whoisxmlapi.com/. Regularly examine the list and make sure there aren’t sites popping up that are duplicating your content.
4. Automate the process. Use techniques to hide some identifiers in your content that you can easily build an automated scanning process to detect. Consider using the metadata tags in your images to store values you can easily find with a simple script (which will make examining the volume of new domains much more manageable). There are several free tools that can help, here’s a useful list: https://0xrick.github.io/lists/stego/
5. Get proactive. The research team at Allure Security have developed a new technique that identifies when your site is spoofed and run on a server without your authorization. Our system tracks access to attack sites by both attackers and victims – so you know who hit the site and when. That opens the door for you to be proactive about protecting the victims – and gives us great threat intelligence on the phishers. 

Phishing has become firmly established as the most prevalent attack vector on the internet. Until now, attackers have had an edge. We’ve been willing to blame the victims for clicking the wrong links. Mostly because there wasn’t another option. But thanks to innovative thinkers, like Artificial Intelligence Professors Sal Stolfo and Shlomo Hershkop, enterprises now can take back control. 

It’s time for businesses to be more proactive about protecting their customers from these attacks. Victimized customers have been asking for years, “How did brand x let this happen to me?” Phishers rely on the trust your customers have in your brand. When that trust is violated, customers will be looking for someplace else to take their business. Going beyond domain monitoring to detect and shut down spoof sites gives you an opportunity to turn that frustration into long-term loyalty. Having the ability to shut down phishing attempts when your customers are targeted will instead have them saying, “Thank goodness brand x has my back.”

Contact us to learn more about how you can go beyond domain monitoring to protect customers and keep your brand’s reputation intact.