Threat actors can employ a number of cyber social engineering tactics as part of their corporate phishing, counterfeiting, or hoaxing campaigns. One of the most popular assets utilized in these threat campaigns is a spoofed website, i.e., a website designed by a threat actor to appear to be the legitimate website of a targeted organization.
A website can act as the digital face of a company, and employees and customers alike have become extremely comfortable with transmitting and acquiring information via corporate websites. This level of comfort and trust endures as users may not realize that the Domain Name System (DNS) can easily be manipulated by threat actors seeking to imitate authentic corporate websites.
The Domain Name System provides for countless variations of domain names that could successfully be presented as the legitimate domains of targeted organizations. Such variations of cybelangel.com could include cybel-angel.com, cybelangelc.om, or cybelangell.com. In some industries, the number of look-alike domains has outpaced the number of authentic ones by 400%. Unfortunately, threat actors often go unnoticed when they purchase scores of domains that they believe can masquerade as the real websites of their current or future targeted brands.
Although some threat actors’ domain name registrations are noticed by the targeted organizations, they frequently end up being disregarded. Savvy threat actors help effect this by waiting to initiate a threat campaign until a considerable amount of time has passed since the registration of a domain, lulling the intended target into a false sense of security based on the domain having been inactive.
Consider a classic cyber hoaxing campaign.
Three months in advance of the planned hoax, a threat actor registers a domain name for their forthcoming spoofed website, e.g., bigbrrand.com (intended to imitate BigBrand’s actual corporate website, bigbrand.com). BigBrand’s information security team is made aware of this registration, but the domain is left parked without any content or activity, and so the information security team eventually disregards the incident altogether, prioritizing the more severe cybersecurity incidents they are inevitably inundated with.
After three months of inactivity, a nearly exact copy of BigBrand’s website is suddenly hosted on bigbrrand.com, the only difference being the addition of a fabricated press release describing both an uncovered accounting scandal and the dismissal of one of BigBrand’s executives. The threat actor behind this campaign then impersonates a member of BigBrand’s communications team and distributes the press release to a slew of business journalists. BigBrand doesn’t realize what’s happened until they’re trending on several social media platforms and they’ve experienced a double-digit drop in their share price.
Some organizations endeavor to mitigate DNS impersonation risks by simply buying up all the domain name variations they can think of that could potentially be utilized in a threat campaign. This essentially amounts to a fool’s errand, as both the range of potential variations and the extent of threat actors’ creativity are limitless.
The more effective solution is the consistent identification and ongoing monitoring of domains that might be used to imitate your brand. Ignoring inactive domains that could be used in a threat campaign puts your organization at considerable risk. Although continuous monitoring presents a daunting task for any information security function, enterprises’ complacency is exactly what threat actors depend on for the success of their hoaxing and counterfeiting campaigns.
On behalf of our customers, CybelAngel scans over 200 million domains daily, identifying suspicious registrations and monitoring domain activity. This allows our customers to rest assured that their brands and reputations are being protected, without additional strain on their own resources or bandwidth. To learn more about CybelAngel’s domain threat detection capabilities, contact us today.