Going phishing: countering fraudulent campaigns

Where there is online activity there is phishing. The nature of phishing attacks has changed vastly since the original ‘Nigerian Prince’ scams, where mass emails were sent to individuals’ personal email addresses, supposedly from a rich foreign royal figure offering high sums of money. All that was needed was the recipient’s bank account details.

These phishing attempts were relatively unsophisticated, used untargeted ‘spray and pray’ approaches and had common telltale signs of a scam email – random email addresses, poor spelling and grammar, and a high sense of urgency.

These days, phishing has developed into a much more sophisticated attack vector, with fraudsters seeking a bigger catch by impersonating genuine businesses and organisations, especially financial institutions (the target of approximately one-third of all attacks) and, owing to the covid-19 pandemic, medical and healthcare organisations. The bigger the catch, the higher the stakes – both for the phisher and the target.

The bad actors initiating the attacks go to great lengths to impersonate the target organisation. They use convincing replicas of emails using the brand’s logo, corporate colour schemes, fonts, etc; purchase lookalike domains that include the brand name; set up bogus websites; and even impersonate high-profile individuals from the company.

Phishing can occur across multiple online channels, including by email, text message, social media and paid search. Regardless of the channel, most phishing scams require the target to click a link to a bogus website, either to harvest personal credentials or to plant malicious content, such as malware or ransomware. The end goal is the same – to extort money from the recipient or brand.

The current phishing landscape

Phishing is on the rise and has arguably been accelerated by the covid-19 pandemic. Covid-19 lockdown measures have left us more reliant on the Internet than ever before.

The rise in working from home has had an enormous effect on online security owing to the surge in remote access to corporate systems, the growth in communication software use (eg, Zoom and Microsoft Teams) and the increase in e-commerce activity. As with most major world events, the pandemic has generated an environment in which bad actors can take advantage of a range of covid-19-related hooks to commit cybercrime and fraud – preying on people’s vulnerabilities to make a quick buck.

Statistics from APWG show that phishing reached an all-time high in July 2021, with over a quarter of a million attacks in a single month, and with the number of attacks in 2021 double that of early 2020. Between Q1 and Q3 in 2021, the number of brands experiencing a phishing attack increased by 75%.

CSC’s research found nearly half a million covid-19-related domain registrations throughout 2020 and 2021. Many were set up with mail exchanger records – a prerequisite for launching an email-based phishing attack.

In monetary terms, news outlets reported that covid-19-related scams cost US victims nearly $500 million as of July 2021. Online fraud in the United Kingdom rose by a third during the pandemic, resulting in an estimated loss of over £750 million by UK banking customers because of scams in the first half of 2021.

Phishing has also been identified as the primary vehicle for delivering malware payloads, with the aim of infiltrating host systems to harvest data. Phishing scams designed for malware distribution usually start with a URL link sent via email or social media that contains a combination of domain names registered using key terms. Victims clicking the links are taken to a fake website, and a malware payload is simultaneously launched. The bad actors can then get access to sensitive personal or organisational information, which they can then use to extort money.

Social engineering tactics are very popular when it comes to online fraud. One of the fastest growing phishing methods that uses social engineering techniques is business email compromise (BEC). This is where, most commonly, phishers impersonate a senior figure within an organisation, sending an urgent email to more junior members of staff urging them to transfer funds, purchase gift cards or set up a new (bogus) supplier.

Arguably one of the reasons for BEC’s increased popularity as an attack vector is its high yields for the perpetrator. By mid-2021, the average amount requested in wire transfer BEC attacks was $106,000 – a year-on-year increase of 120%.

Gift cards are also a popular request in BEC scams: around two-thirds of BEC phishing attacks request gift cards. This is arguably for two reasons:

• the lower monetary amount is less conspicuous to the victim, with requests tending to be from $1,000 to $1,500; and
• certain gift cards can be used by the scammers to purchase cryptocurrency, which has a more attractive pay-off because of its flexibility.

Risks to brands

One of the most prevalent risks to brands is revenue loss. Reputational damage may also be incurred. A 2021 survey showed that 61% of consumers would lose trust in their favourite brands if they fell victim to a phishing attack impersonating that brand.

In the same survey, a third of people said that not taking responsibility for cyberattacks leveraging their brand was one of the biggest factors in losing trust in the brand. It is the responsibility of brands to keep their customers safe from such attacks to maintain their reputation and, therefore, continue to attract consumers.

Phishing is often a gateway action that is used to infiltrate systems to launch bigger, more serious attacks, including malware and ransomware attacks, domain name system (DNS) hijacking and so forth. These present even bigger risks to organisations as they can completely take down entire internal systems and processes run by application programming interfaces, as well as outward-facing channels such as websites and mobile apps.

A study by the Ponemon Institute found that organisations spend $3.86 million per cybersecurity incident. This is a hefty enough sum for larger institutions, but for start-ups and small and medium-sized enterprises, this sum could cripple their businesses entirely.

Combatting phishing

While email spam filters and staff online security training are useful to lessen the likelihood of a phishing email either coming through or being opened, these are the final attempts to thwart phishing attacks, and they are not preventative: the attack has already been launched, and there is a risk that it will not be caught by a filter or that someone will mistake it for a genuine email and comply with the bad actor’s instructions. It’s important to combat the attack much earlier in the process by looking at where phishing attacks start.

Research shows that phishing and related malware attacks most commonly occur from a compromised or hijacked legitimate domain name, a maliciously registered and confusingly similar domain name or via email spoofing. Bad actors buy a domain that is usually only one letter different to a genuine domain, use domain names that include a brand name plus a related keyword or, in some cases, pick up domains that have been accidentally lapsed. They then use these as the basis for setting up their attack.

Domain spoofing tactics can vary, and bad actors use a variety of methods to impersonate a brand’s domains, including:

• fuzzy matches – substituting one Latin character for another, for example an ‘i’ for an ‘l’, an ‘s’ for a ‘5’, etc. Using CSC’s main URL to illustrate, a fuzzy-match spoofed domain might be cscgl0bal.com;
• homoglyphs (IDNs) – substituting a Latin character for a character from another alphabet, such as the Cyrillic alphabet (eg, csçglobal.com);
• cousin domains – registering domains under other extensions, such as country-code top-level domains (eg, cscglobal.jp);
• keyword matches – using a related or popular keyword alongside the brand name (eg, cscglobalcovid.com); and
• homophones – using soundalike misspellings of the brand name (eg, siesiglobal.com).

There are instances where phishing attacks use domains that do not reference a brand name at all. CSC can identify these via a plethora of detection tactics, including spam traps, honeypots, abuse-box feeds and information from web server logs.

Technology-based detection tools, such as CSC’s Correlation Engine, are useful as they can use machine learning and artificial intelligence to identify patterns and trends and compare findings to previously identified malicious domains.

This said, the overall point remains that to effectively nip a phishing attack in the bud, it is best to start at the source – the domain name.

Fraud protection best practices

CSC recommends a multilayered approach to secure domains. By doing so, threat vectors can be eliminated at multiple levels.

No single measure will be 100% effective in combatting every attack, so having multiple levels of advanced domain security will enable a higher percentage of threats to be mitigated with each tactic.

Domains can be secured at multiple levels using the following advanced security tactics:

• Domain name system security extensions (DNSSEC) – a compromised DNS can result in web traffic being redirected to a fake site, even if the user navigates to the correct web address. DNSSEC validates each step of the domain look-up process, preventing DNS spoofing, side-channel attacked DNS attacks and cache poisoning.
• Registry lock – prevents the making of any unauthorised changes to domains at the registry level. This is especially important in phishing, where a bad actor may try to hijack a genuine domain.
• Digital certificates and certificate authority authorisation (CAA) records – while digital certificates ensure a secure environment for customers to visit or purchase things from a brand’s official website, around 80% of phishing sites also have secure sockets layer encryption enabled. This means that a HTTPS is no longer a guaranteed sign of a genuine site. Having CAA records ensures that bad actors cannot issue certificates for a hijacked domain with an unapproved certificate authority, making them less likely to be able to complete their planned attack.
• Domain-based message authentication, reporting and conformance (DMARC), sender policy framework and DomainKeys identified mail – these are email authentication protocols to ensure that any emails received are coming from where or whom they say they are, preventing phishing attacks such as BEC, spear phishing and whaling.

It is also a good idea to have a proactive monitoring and enforcement programme in place. Proactive monitoring means that an organisation can spot and take down maliciously registered domains before they can be used by bad actors to launch a phishing attack. Additionally, holistically combining domain monitoring, brand protection and fraud protection tactics means companies can get a 360-degree view of their digital asset landscape.

By way of example, CSC’s DomainSec^SM platform provides companies with advanced domain security intelligence and combines machine learning, artificial intelligence and clustering technology to identify leading indicators of compromise. Using DomainSec, CSC can build links between seemingly unrelated infringements, allowing CSC to prioritise targets for takedown and carry out bulk takedowns of sites owned by the same fraudulent registrant.

Final word

The above suggestions are only achievable by working with a single enterprise-class provider. Consumer-grade providers simply do not have the full gamut of advanced security protocols or domain security intelligence needed to provide the best protection for an enterprise from serious threat vectors such as phishing.

On top of this, it is a harsh truth that some consumer-grade domain registrars proliferate typosquatting, domain name auctioning services – often infringing upon other brand names – and name spinning (the sale of variations of branded domain names).

All these activities propagate phishing attacks. Enterprise class providers have the technology, accreditations and operational processes to ensure the highest level of security and protect brands from phishing and other cyberattacks.