Doppelgänger domains

by Mark Rowe

Lookalike domains – technically known as homograph attacks – are sinister. Haven’t heard of them before? asks Steve Malone, director of security product management at the email security product company Mimecast.

This threat is a type of impersonation attack where an email address or website URL looks genuine but it’s not. It’s designed to trick people into clicking on malicious links or to fool them into transferring money or sharing sensitive information. Worryingly, these attacks are growing more common. Recent research by Vanson Bourne and Mimecast found that more than 85pc of respondents had seen impersonation fraud in the past 12 months, and 40pc had seen an increase in this type of attack in the same period. In the UK, 36pc of respondents had seen an increase in impersonation fraud asking to make wire transactions, and 36pc had seen an increase in impersonation fraud asking for confidential data.

Despite this growth, many organisations do not have a cyber resilience strategy in place to help them detect, prevent and recover from these types of attacks.

Homograph attacks are difficult to detect – by both the user and regular email security systems. To create these lookalike domains, attackers use non-Western character sets or special characters found in Greek, Cyrillic and Chinese to display letters which, to the naked eye, look identical to the Western alphabet. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. According to one domain name checker, there are 117 possible Mimecast domains that can be misrepresented with just one character from a non-English alphabet.
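The paragraph above describes the mechanism (a Cyrillic string that renders like "mimecast") but not how a defender would catch it. The following is an added example, not code from the article or from Mimecast, showing the standard approach: map each character to its script from its Unicode name, reduce the domain to a Latin "skeleton" with a confusables table, and compare that skeleton against a list of protected brand domains. The confusables table here is a small hand-picked subset of the Unicode UTS #39 data (an assumption; a real deployment would load the full list), the protected-domain set is constructed for the example, and the punycode form is produced with Python's built-in idna codec.

```python
import unicodedata

# Constructed subset of Unicode confusables (UTS #39): non-Latin letters that
# render like Latin ones. Assumption: enough to illustrate; not the full table.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u043c": "m", "\u0442": "t",                      # Cyrillic, incl. the page's example
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",  # Greek
}
COMMON_CHARS = set("-.0123456789")


def script_of(ch):
    """Script name taken from the first word of the Unicode character name."""
    if ch in COMMON_CHARS:
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unnamed code point
        return "UNKNOWN"


def skeleton(text):
    """Replace every confusable character with the Latin letter it resembles."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in text)


def analyse_domain(domain, protected):
    """Return the punycode form, per-label scripts, skeleton and any findings.

    `protected` is a set of brand domains (lower-case ASCII) to defend.
    """
    domain = unicodedata.normalize("NFC", domain.strip().lower())
    try:
        ascii_form = domain.encode("idna").decode("ascii")   # xn-- form seen on the wire
    except UnicodeError:
        ascii_form = None
    findings = []
    label_scripts = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        label_scripts.append(sorted(scripts))
        if len(scripts) > 1:
            findings.append("mixed-script")          # e.g. Latin word with one Cyrillic letter
        elif scripts and "LATIN" not in scripts:
            findings.append("non-latin-label")       # whole label in another script
    skel = skeleton(domain)
    if skel != domain and skel in protected:
        findings.append("homograph-of:" + skel)      # renders like a protected brand
    return {
        "input": domain,
        "ascii_form": ascii_form,
        "scripts": label_scripts,
        "skeleton": skel,
        "findings": findings,
    }


def is_lookalike(domain, protected):
    """True when the domain should be blocked or flagged for review."""
    return any(f.startswith("homograph-of:") for f in analyse_domain(domain, protected)["findings"])


if __name__ == "__main__":
    brands = {"mimecast.com"}
    for candidate in ("mimecast.com", "\u043c\u0456\u043c\u0435\u0441\u0430\u0455\u0442.com", "mim\u0435cast.com"):
        print(analyse_domain(candidate, brands))
```

The check works on the Unicode form a mail client displays; mail gateways usually see the `xn--` punycode instead, so decode that first (the same idna codec does it with `.decode("idna")`) before running the skeleton comparison. Whole-script confusables (every letter Cyrillic, as in the article's example) are the ones that pass browser mixed-script checks, which is why the skeleton match, not the script count, is the decisive signal.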

These subtle changes are likely to go unnoticed by users. In the UK, only 23pc of respondents are completely confident that employees could spot and defend against impersonation attacks, which easily and often slip through an organisation’s security systems. Only 16pc of UK respondents are confident that their organisation’s security defences could defend against impersonation fraud asking for confidential information, falling to 13pc for fraud asking to make wire transactions. This is because the emails themselves don’t contain malware and the URLs often have legitimate (read: stolen) security certificates.

Website URLs aren’t the only avenues for impersonation attacks; email address impersonation is also on the rise. These types of attacks are designed to trick users such as finance managers, executive assistants and HR representatives into transferring money or disclosing information that can be monetised by cybercriminals. The email appears to come from someone they trust – a C-suite executive or a third-party supplier that they regularly do business with – and therefore wouldn’t think twice about responding to.

Brits reported that, in the past 12 months, cybercriminals have attempted to impersonate finance teams (38pc), third-party vendors (22pc), a member of the C-suite (29pc), as well as HR, sales, operations, legal and marketing team members (between 13pc and 5pc). Again, these emails do not contain malware, which means they can go undetected by most email security systems. Social engineering attacks such as these rely on our inability to spot anomalies in URLs and email addresses – and the fact that we believe we’re communicating with someone we know.

Know what to do

Cybercriminals have figured out that they can bypass security systems by switching from malware-laden attacks to malware-less impersonation attacks. Now, social engineering meets technical means to put us in the middle of the next evolution of cyber-attacks. Here are some measures organisations can implement to guard against these types of attacks.

• Education. When users know how social engineering and spoofing attacks work and then understand they shouldn’t click on links in emails, breach incidents can be drastically reduced. Users should be encouraged to physically type an address into a browser rather than click on a link in an email, even if it was supposedly sent by someone they know and trust. Education and awareness will always be the most important defence mechanisms.

• Protection. Email security systems are getting better at stopping malware that enters the network through dodgy files and attachments, but few are effective against impersonation attacks. Organisations need a solution that can deep-scan all inbound emails and inspect for header anomalies, domain similarity, sender spoofing and the existence of keywords and suspicious impersonation emails. These can then be blocked, quarantined, or delivered as flagged to alert the receiver of potential risk.

• Resilience. Having the right threat protection in place is just one part of a robust cyber resilience strategy. Organisations also need to be able to adapt their strategies to stay ahead of attacks, while having the durability to continue with business as usual in the event of an attack, and the recoverability to ensure data and emails are always accessible.

• Oversight. Often, lax security on a third-party supplier’s side provides an entry point into an organisation’s network. Enterprises should continuously evaluate and manage the security and privacy policies of their suppliers and include security in their service level agreements. They should also perform on-site security assessments with new suppliers before sharing sensitive information.

• Visibility. Organisations need to know who their vendors are and who has access to company information, and for what reasons. This is even more important now that the EU’s General Data Protection Regulation has come into force and will affect all UK organisations when the Protection of Personal Information Act is finalised.
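The "Protection" measure above lists what an inbound scanner should look at: header anomalies, domain similarity, sender spoofing and payment or data-request keywords. As an added example (not Mimecast's product logic or code from the article), the block below parses two constructed messages with Python's standard `email` library and scores them on exactly those signals: a display name that matches a known executive but carries an outside address, a Reply-To that diverts replies away from the From domain, a From domain within one edit of the company's own (typosquatting, a different test from the Unicode skeleton check), and wire-transfer or confidential-data wording. The internal domain `example.com`, the executive list, the keyword list and both sample messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for the example (assumptions, not real data).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane smith": "jane.smith@example.com"}
PAYMENT_KEYWORDS = ("wire transfer", "urgent payment", "bank details", "confidential", "payroll")

# Constructed sample messages; headers are hypothetical.
SAMPLE_IMPERSONATION = """From: "Jane Smith, CEO" <jane.smith@examp1e.com>
Reply-To: ceo-desk@mail.example.net
To: accounts@example.com
Subject: Urgent wire transfer today

Please process this payment quietly, I am in meetings all day. Send the bank details to my other address.
"""

SAMPLE_LEGIT = """From: "Jane Smith" <jane.smith@example.com>
To: accounts@example.com
Subject: Q3 figures

Attached are the numbers for the board pack.
"""


def edit_distance(a, b):
    """Plain Levenshtein distance; used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def body_text(msg):
    """Collect text/plain content from a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return msg.get_payload()


def assess(raw_message):
    """Return a findings list and a score for one inbound message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # 1. Sender spoofing: executive's name on an address we do not know for them.
    name = re.sub(r"[^a-z ]", " ", display.lower())
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name and address.lower() != exec_addr:
            findings.append("display-name-impersonation")

    # 2. Header anomaly: replies silently routed to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Domain similarity: one edit away from our own domain is a typosquat.
    if 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 1:
        findings.append("lookalike-domain")

    # 4. Keywords typical of wire-transfer and data-request fraud.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(k in text for k in PAYMENT_KEYWORDS):
        findings.append("payment-keywords")

    score = {"display-name-impersonation": 3, "reply-to-mismatch": 2,
             "lookalike-domain": 3, "payment-keywords": 1}
    return {"findings": findings, "score": sum(score[f] for f in findings)}


def disposition(raw_message, quarantine_at=4, flag_at=2):
    """Map the score onto the three outcomes the text describes."""
    s = assess(raw_message)["score"]
    if s >= quarantine_at:
        return "quarantine"
    return "deliver-flagged" if s >= flag_at else "deliver"


if __name__ == "__main__":
    for sample in (SAMPLE_IMPERSONATION, SAMPLE_LEGIT):
        print(assess(sample), disposition(sample))
```

None of these signals depends on an attachment or a link, which is the point the text makes: a malware-less message is only visible to checks that read the headers and the wording. Thresholds and weights are arbitrary here; in practice they are tuned against a sample of the organisation's own mail so that legitimate executive traffic is not flagged.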

Almost a fifth (15pc) of UK organisations have suffered data loss because of email-based impersonation attacks in the past 12 months. These organisations also reported reputational damage (15pc), direct financial loss (11pc), lost market position (10pc) and loss of customers (7pc).

Email continues to be the number one threat to organisations globally and accounts for 96pc of all incidents that organisations face. Clearly, there is an urgent need to work towards a higher standard of email security. Cybercriminals have evolved their attack methods. It’s time the security strategies organisations use to protect their users and their businesses evolve as well.

© 2024 Professional Security Magazine. All rights reserved.