By Simon Eyre, Drawbridge CISO
Today’s hackers constantly look for additional ways to capitalize on cyber security shortfalls and compromise sensitive data and information. Our clients report that social engineering attacks involving typo-squatting techniques are on the increase. Many businesses fail to realize how easily they can fall victim to this type of attack – but as real-world instances rise, now is the time for businesses to evaluate their security posture to protect against what could be a significant threat.
Typo-squatting is a technique used in social engineering attacks that exploits gaps in human perception when reading website domains. Threat actors can spoof an email domain such as ‘@company.com’ with a similar domain such as ‘@cornpany.com’ (the letters ‘rn’ read as ‘m’ at a glance) to deceive unsuspecting victims and request access to critical company data or even wire transfers by impersonating a trusted company party. Typo-squatting is frequently used in conjunction with targeted phishing attacks: attackers illicitly monitor compromised email accounts and then use fraudulent typo-squatting domains to impersonate trusted contacts.
How can you protect your employees from falling victim to a typo-squatting scheme? Here are five steps your business can take today to protect your critical data:
- Determine whether the identified domains are being used for malicious purposes. It’s critical to identify these domains and report them as soon as possible. If you discover these types of domains, follow the steps outlined below.
- Consider notifying internal employees that the identified domains exist. The identified domain may be used to launch phishing attacks against your employees, so quickly notifying internal teams can help prevent multiple employees from accessing the same domain.
- Evaluate if you should notify external contacts that the identified domain exists. If you think the identified domain could be used to impersonate the firm, you should notify critical external contacts, so they too do not become targets of similar campaigns.
- Blacklist these domains within the firm’s spam filter. Protecting your employees is a top priority, so quickly request your IT department blacklist these domains.
- If applicable, implement an external sender tag for inbound email. Work with your IT team to ensure employees can quickly identify inbound email impersonating the firm.
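The ‘rn’-for-‘m’ substitution described above and the blacklist/external-sender-tag steps in this list can be combined into a simple inbound-mail check. The script below is an added example written for this article, not Drawbridge tooling: it normalizes visually confusable sequences, compares each sender’s domain to the firm’s own domain, and decides whether to deliver, tag, quarantine or reject the message. The firm domain ‘company.com’, the blocklist entry and the sample From headers are all constructed for illustration.

```python
"""Flag inbound mail whose sender domain is a lookalike of the firm's domain.

Added example for this article; it is not Drawbridge tooling. The firm
domain, the blocklist and the sample headers are constructed for illustration.
"""
import re

# Character sequences that read alike in common fonts (illustrative, not exhaustive).
CONFUSABLES = {
    "m": ("rn",),
    "w": ("vv",),
    "d": ("cl",),
    "o": ("0",),
    "l": ("1",),
}


def canonical(domain):
    """Collapse confusable sequences so 'cornpany.com' and 'company.com' compare equal."""
    s = domain.lower()
    for target, variants in CONFUSABLES.items():
        for v in variants:
            s = s.replace(v, target)
    return s


def edit_distance(a, b):
    """Levenshtein distance; one edit apart catches single-character typos such as .co vs .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from the address part of a From header (display name ignored)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header, firm_domain, blocklist):
    """Return 'internal', 'blocked', 'lookalike' or 'external' for a From header."""
    domain = sender_domain(from_header)
    firm = firm_domain.lower()
    if domain == firm or domain.endswith("." + firm):
        return "internal"
    if domain in blocklist:
        return "blocked"
    if canonical(domain) == canonical(firm) or edit_distance(domain, firm) <= 1:
        return "lookalike"
    return "external"


# Mail-flow action and subject prefix per verdict.
ACTIONS = {
    "internal": ("deliver", ""),
    "external": ("tag", "[EXTERNAL] "),
    "lookalike": ("quarantine", "[EXTERNAL - SUSPECTED LOOKALIKE] "),
    "blocked": ("reject", ""),
}


def process_message(message, firm_domain, blocklist):
    """Return (action, subject) the way a spam-filter rule plus an external-sender tag would."""
    verdict = classify_sender(message["from"], firm_domain, blocklist)
    action, prefix = ACTIONS[verdict]
    return action, prefix + message["subject"]


# Constructed sample data; 'company.com' stands in for the firm's real domain.
FIRM_DOMAIN = "company.com"
BLOCKLIST = {"c0mpany.com"}  # a domain IT has already blacklisted in the spam filter
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@company.com>", "subject": "Q3 figures"},
    {"from": "CFO <cfo@cornpany.com>", "subject": "Urgent wire transfer"},
    {"from": "Helpdesk <it@company.co>", "subject": "Password reset"},
    {"from": "Vendor <billing@vendor-example.net>", "subject": "Invoice 1042"},
    {"from": "Payroll <hr@c0mpany.com>", "subject": "Updated bank details"},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, subject = process_message(msg, FIRM_DOMAIN, BLOCKLIST)
        print(f"{action:10} {sender_domain(msg['from']):22} {subject}")
```

Run as-is, the script delivers the genuine internal message, tags the unrelated vendor as external, quarantines the ‘cornpany.com’ and ‘company.co’ lookalikes with a warning prefix, and rejects the domain already on the blocklist. Two caveats a practitioner should keep in mind: the check only looks at the address domain, so a deceptive display name on an otherwise unrelated domain is caught by the generic external tag rather than the lookalike rule, and the confusable table is deliberately short; a domain name monitoring service would enumerate far more permutations and watch for them at registration time, before any mail arrives.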
Formalize Your Response
Once you have confirmed that a domain is being used for malicious purposes, you can take immediate steps to respond and prevent future use. Note that this is general guidance; depending on your situation, you may need to involve your legal team as well.
- Take screenshots of the infringing site to gather evidence
- Locate the website’s host (using a site such as https://lookup.icann.org/)
- Draft the Takedown Notice. This should include:
  - Your name and contact details or that of your authorized agent (mailing address, phone number, and email where you can be reached)
  - URLs where the infringing content can be found so that the service provider can locate it
  - URLs where your original content can be found
  - Brief description or explanation of your original content
  - A statement made in good faith confirming that the use of your content is not authorized by yourself, your agent or the law and that you request that the content be removed
  - A sentence requesting that the online services provider inform the infringer (website owner) and ask them not to use or publish your content again
  - A statement regarding the accuracy and truthfulness of the information that you are submitting in this notice as well as confirming under penalty of perjury that you are authorized to act on behalf of the owner of an exclusive right that is allegedly being infringed
  - Physical or electronic signature by yourself, as the copyright owner, or your authorized agent
Many companies have a general understanding of typo-squatting and likely cover it during annual cybersecurity training – but that’s not enough to eliminate the threat. Not all businesses conduct this type of training, and for those that do, an annual reminder as part of a multi-topic training course is likely not enough to keep it top of mind.
Technical controls that were traditionally considered adequate aren’t enough to protect your business against these rapidly changing attack vectors. Firms need proactive employee training, active, continuous risk monitoring (such as domain name monitoring) and cyber programs that are constantly tested using real-world scenarios to ensure they can mitigate breaches and stay one step ahead of threat actors.
Contact Drawbridge if you have any questions regarding the guidance above or would like to learn how our solutions can help protect your business from social engineering and other cyber-attacks.