Cybercriminals Expand Use of Lookalike Domains in Email Attacks


Cybercriminals have ramped up their use of lookalike domains to facilitate a variety of targeted email-based social engineering and financial fraud scams, according to a new report by BlueVoyant.

These attacks are particularly challenging to detect and enable attackers to extend the types of organizations and individuals who are targeted in such scams.

The researchers found that threat actors target a range of critical sectors via such domains, including finance, legal services, insurance and construction.

Lookalike domains are designed to closely resemble authentic domains, using subtle alterations to appear legitimate to victims.

Common approaches include the use of visually similar characters, such as replacing an “o” with a “0” or an “I” with a “1”, and incorporating terms closely related to the client’s brand.

Additionally, the use of different top-level domains (TLDs) allows a domain name to be an almost exact copy of the original, differing only in its TLD.

Attacks that leverage lookalike domain scams typically begin with the registration of a domain that closely resembles a well-known brand. After securing the domain, the attackers set up email servers to facilitate the distribution of deceptive communications.

They will then compile a list of potential victims, often using information gathered from public sources, previous data breaches or social media. This information allows them to tailor their communications to specific organizations and individuals.

Finally, social engineering emails will be sent to the targets from the lookalike domain, using a range of tactics to deceive recipients into providing sensitive information, authorizing payments or clicking on malicious links.

Threat Actors Conducting Variety of Lookalike Campaigns

The report highlighted several recent campaigns leveraging lookalike domains. In one case, threat actors set up a domain that impersonated a financial institution.

The email campaign used a subject line that referenced a substantial financial transaction and was addressed to multiple recipients, mimicking typical business communication. The sender’s name and contact details were fabricated to match those of an actual employee to appear more legitimate.

The email contained an attachment, which was intended to provide “updated account details” and prompt the recipient to process a payment.

The tactic was designed to bypass the usual checks around financial transactions by persuading recipients to engage with the email content.

Other commonly observed tactics utilizing lookalike domains include:

  • Invoice scams. The impersonation of legitimate vendors or service providers to send fake invoices that are designed to divert payments to the scammer’s account
  • Executive impersonation. These emails impersonate trusted figures within an organization, such as executives, making urgent requests for sensitive information and unauthorized fund transfers
  • Account takeover. Impersonating a company and requesting clients or partners verify sensitive information and make account changes, with the aim of taking over user accounts or stealing credentials
  • Recruitment scams. The impersonation of companies or recruitment agencies to advertise fake job openings, requesting personal information such as social security numbers or bank details
  • Phishing. These scams involve directing targets to a fraudulent website that closely mimics a legitimate one, with the purpose of capturing a range of sensitive information such as login credentials and credit card numbers

The researchers said the use of lookalike domains enables attackers to extend the risk of these scams beyond the usual circles of victims. This includes the targeting of third-party companies working with a client or individuals seeking employment.

“The variety of scams, which often involve other tactics in the same scheme, such as phishing, further complicates the landscape and requires comprehensive solutions to combat these multifaceted threats,” they wrote.

How to Tackle Lookalike Domain Attacks

The report noted that detecting lookalike domains is a significant challenge, particularly when client names are generic or consist of initials.

The researchers urged organizations to understand the evolving use of lookalike domains, deploy rigorous monitoring to identify them and work with registrars and hosting providers to expedite takedown requests when illegitimate activity is detected.
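The three lookalike techniques the report describes (visually similar characters, brand-related terms in the name, and TLD swaps) map directly onto the monitoring the researchers recommend. The following is an added example, not BlueVoyant's code or tooling: a small Python screener that classifies sender domains pulled from From: headers against a protected brand domain. The brand `acmebank.com`, its owned domain list, the sample headers, the confusable-character table (the report only names "o" to "0" and "I" to "1"; the rest are common additions) and the abbreviated public-suffix set are all constructed for the example. It also handles the caveat the report raises about generic or very short names by not applying the fuzzy near-miss check to short brand labels.

```python
"""Screen inbound sender domains for lookalikes of a protected brand domain.

Added example (not BlueVoyant's code). Checks for the techniques the report
describes: confusable characters, brand terms inside the name, and TLD swaps,
plus a fuzzy near-miss check for typo-style registrations.
"""
import re
from difflib import SequenceMatcher
from typing import Iterable, List, Optional, Set, Tuple

# Multi-character confusables are collapsed first, then single characters.
# "o"->"0" and "I"->"1" come from the report; the others are common additions.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})
# Constructed, abbreviated set of two-label public suffixes. A real deployment
# would load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Captures the domain part of an address in a From: header.
FROM_ADDR = re.compile(r"@([A-Za-z0-9.-]+)")


def skeleton(label: str) -> str:
    """Collapse confusable characters so that 'acmeb4nk' and 'acrnebank' both
    become 'acmebank'."""
    s = label.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s.translate(CHAR_CONFUSABLES)


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable_label, tld): 'mail.acmebank.co.uk' -> ('acmebank', 'co.uk')."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def classify(candidate: str, brand_domain: str, owned: Set[str]) -> Optional[str]:
    """Explain why `candidate` resembles `brand_domain`, or None if it does not.

    `owned` lists registrable domains the brand legitimately controls, so its
    own TLD variants and subdomains are not flagged.
    """
    label, tld = split_domain(candidate)
    brand_label, brand_tld = split_domain(brand_domain)
    if (label, tld) == (brand_label, brand_tld) or f"{label}.{tld}" in owned:
        return None
    if label == brand_label and tld != brand_tld:
        return "tld-swap"                       # acmebank.co
    if skeleton(label) == skeleton(brand_label):
        return "homoglyph" if tld == brand_tld else "homoglyph+tld-swap"
    if brand_label in label or skeleton(brand_label) in skeleton(label):
        return "brand-term"                     # acmebank-payments.com
    # Fuzzy near-miss check for transpositions and typos. Skipped for short
    # brand labels: the report notes generic names and initials are hard to
    # screen, and a 3-letter label would match far too many unrelated domains.
    if len(brand_label) >= 5 and SequenceMatcher(None, label, brand_label).ratio() >= 0.8:
        return "near-miss"                      # acmebnak.com
    return None


def screen_senders(header_lines: Iterable[str], brand_domain: str,
                   owned: Set[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each From: header line to (sender_domain, reason); reason is None when clean."""
    results = []
    for line in header_lines:
        m = FROM_ADDR.search(line)
        if not m:
            continue
        domain = m.group(1).lower().rstrip(".")
        results.append((domain, classify(domain, brand_domain, owned)))
    return results


# Constructed sample headers for a hypothetical brand; not real traffic.
BRAND = "acmebank.com"
OWNED = {"acmebank.com", "acmebank.co.uk"}
SAMPLE_HEADERS = [
    'From: "Accounts Payable" <ap@acmebank.com>',          # the brand itself
    'From: "Accounts Payable" <ap@mail.acmebank.com>',     # legitimate subdomain
    'From: "Treasury" <treasury@acmebank.co>',             # TLD swap
    'From: "Treasury" <treasury@acmebank.co.uk>',          # owned TLD variant
    'From: "J. Doe" <j.doe@acmeb4nk.com>',                 # 4 for a
    'From: "J. Doe" <j.doe@acrnebank.com>',                # rn for m
    'From: "Payments" <noreply@acmebank-payments.com>',    # brand term added
    'From: "CFO" <cfo@acmebnak.com>',                      # transposition
    'From: "Recruiter" <jobs@gmail.com>',                  # unrelated
]

if __name__ == "__main__":
    for domain, reason in screen_senders(SAMPLE_HEADERS, BRAND, OWNED):
        print(f"{domain:28} {reason or 'ok'}")
```

Run as a script it prints one line per header; in a mail gateway the `classify` verdict would feed a quarantine or review queue rather than a hard block, since the brand-term and near-miss checks are heuristics that will occasionally flag a legitimate partner domain.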

Client education is another important component of tackling these threats, such as providing comprehensive resources and reports.

Organizations should also maintain effective communication channels to allow clients to promptly report any suspicious activity.
