Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast, having joined in 2015 with the opening of the Sydney office and led the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
If you are involved in running a modern business, chances are you lean on a variety of third-party services to support your day-to-day operations.
Third-party services can be great for helping you with marketing, invoicing, or customer services, but they also come with their own risks. The more third parties you rely on, the more vulnerabilities your brand - and your customers - are exposed to.
Threats like spoofed email domains or malicious emails can be especially damaging, as they rely on using your brand’s reputation to scam their victims. Domain and website spoofing attacks are on the rise and have resulted in $1.3 billion in losses around the world in just a single year, according to the 2019 Thales Access Management Index.
How domain spoofing attacks work
Domain spoofing is a common type of phishing scam in which an attacker uses a company’s domain to impersonate the business or its employees. It’s important to understand the distinction between domain spoofing attacks and scams that use cousin domains. ‘Spoofing’ means the message carries the genuine domain: the attacker forges the sender address (the From header) so it reads exactly like the company’s real address, while the message actually originates from a mail server the attacker controls. On the surface, the email looks legitimate because the displayed address is correct.
Cousin domains are a bit more obvious: they use misspelled, swapped or look-alike characters in an email address or website address to trick the user into thinking it’s legitimate. This isn’t spoofing in the technical sense; it’s a social engineering attack that relies on the victim not noticing that the domain is different. Domain spoofing attacks come in two main flavours: email spoofing and website spoofing.
Email spoofing uses forged email headers to hide the true source of the message. To the recipient, the email looks like a legitimate message from a company or organisation they trust, but behind the scenes it was sent by the attacker. The purpose of email spoofing is to get recipients to open or reply to the message, usually so that they share confidential information or download a malware-carrying attachment.
Website spoofing is the act of creating a fake copy of a legitimate website with the goal of misleading users and gaining their trust. The spoof site will usually look almost exactly like the target site, complete with genuine-looking login pages, branding, logos and graphics, and it is typically hosted on a cousin domain: a URL that mimics the real one with a few misspelled, swapped or substituted characters (also called a look-alike domain).
The goal is the same: to trick users into giving up confidential information like logins, passwords or credit card details. More advanced methods cloak the URL. Redirects through a trusted domain, links that place the brand’s name in the user-info part of the URL before an ‘@’ (the browser connects to whatever follows it), or confusable Unicode characters that render like ordinary letters can all make a link look genuine while it leads to the fake site.
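The following is an added example, not code from the original article or from Mimecast: a small Python checker that applies the heuristics described above (confusable characters, edit distance from a protected brand domain, the brand name buried inside a longer hostname, and the user-info cloaking trick) to candidate URLs. The protected domain examplebank.com, the sample URLs and the confusables table are constructed for illustration; a production tool would use the Public Suffix List for the registrable domain and the full Unicode confusables table rather than the short tables here.

```python
"""Heuristic cousin-domain and cloaked-URL checker (added example, not the
article's code). Inputs are constructed; lookup tables are deliberately short."""
import unicodedata
from urllib.parse import urlsplit

# Hypothetical brand domain we want to protect.
PROTECTED_DOMAINS = ["examplebank.com"]

# A few digit/letter and Cyrillic confusables. A real tool would load the
# full Unicode confusables table instead of this hand-picked subset.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com, wrong for .co.uk.
    Use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalise(label):
    """Decode punycode, strip accents and fold confusables so that
    'examp1ebank' and 'ex\u0430mplebank' both become 'examplebank'."""
    try:
        label = label.encode("ascii").decode("idna")   # xn--... -> unicode
    except UnicodeError:
        pass                                           # already unicode
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label.lower()

def levenshtein(a, b):
    """Edit distance: how many single-character edits separate two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_url(url):
    """Return {'host', 'verdict', 'reasons'} for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.username is not None:
        # https://examplebank.com@evil.example/ shows the brand before the
        # '@', but the browser connects to the host after it.
        reasons.append(f"user-info cloaking: '{parts.username}' is not the host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised domain name (possible homoglyphs)")
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        verdict = "genuine" if not reasons else "suspicious"
        return {"host": host, "verdict": verdict, "reasons": reasons}
    norm = ".".join(normalise(l) for l in reg.split("."))
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        if norm == brand:
            reasons.append(f"confusable-character look-alike of {brand}")
        elif levenshtein(norm.split(".")[0], brand_name) <= 2:
            reasons.append(f"within edit distance 2 of {brand}")
        elif brand_name in host.lower():
            reasons.append(f"brand name '{brand_name}' inside an unrelated domain")
    verdict = "suspicious" if reasons else "unrelated"
    return {"host": host, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample links, the genuine one first.
    for url in ["https://examplebank.com/login",
                "https://examp1ebank.com/login",
                "https://ex\u0430mplebank.com/login",
                "https://examplebanc.com/login",
                "https://examplebank.com.secure-login.net/",
                "https://examplebank.com@evil.example/login",
                "https://unrelated.org/"]:
        r = analyse_url(url)
        print(f"{r['verdict']:10} {r['host']}  {'; '.join(r['reasons'])}")
```

The verdict is only a triage signal: a domain that scores "suspicious" still needs threat intelligence or a manual check before it is blocked, and "unrelated" means nothing more than that none of these heuristics fired.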
How to prevent domain spoofing attacks
When it comes to email, domain spoofing on inbound mail flow can be stopped very effectively by modern safeguards, because the receiving gateway can check whether a message really came from the domain it claims (SPF, DKIM and DMARC). Cousin domains in email can also be detected early, though less accurately: nobody publishes a record declaring a look-alike domain fake, so detection relies on similarity heuristics and threat intelligence. Dealing with cousin domains is also trickier because of the human factor. It’s easy to miss a misspelled URL or be fooled by a dodgy email or a fake website. Most people see the padlock icon and HTTPS in their browser and assume the site is secure, but those only mean the connection is encrypted to whoever controls that domain; they say nothing about whether the domain belongs to the brand it imitates.
Advanced email protection and web security services can block user access to known malicious websites or websites considered inappropriate for business use. Web security gateways can inspect an address to make sure it’s genuine by first checking it against advanced threat intelligence and the company’s own policies.
For defending against email spoofing, a well-rounded threat protection service should authenticate inbound mail using the DNS-published standards SPF, DKIM and DMARC: SPF lists the servers allowed to send for a domain, DKIM cryptographically signs messages, and DMARC ties the two to the visible From domain and tells receivers what to do (none, quarantine or reject) when neither check passes. Publish records for your own domains too, including a DMARC policy of p=reject once legitimate senders such as third-party mailers are signing correctly, because that is what stops others from spoofing you. The service should also be able to leverage threat intelligence and detection engines to block users from clicking on malicious links within an email message. For even more advanced security, a service that scans all inbound emails in real time for forged headers, domain similarity, sender spoofing and suspicious content is highly recommended.
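To make the SPF/DKIM/DMARC decision concrete, here is an added example (my own illustration, not Mimecast’s code) of how a receiving gateway evaluates a message: it resolves the envelope sender’s SPF record, checks whether a passing SPF or DKIM identifier aligns with the visible From domain, and applies the domain owner’s DMARC policy when neither aligns. The DNS records, the domains examplebank.com and mailer.example, and the messages are all constructed and embedded inline so it runs offline, and the DKIM signature result is taken as an input rather than verified cryptographically. The last two sample messages show why a third-party mailer must DKIM-sign with your domain, and why DMARC alone says nothing about a cousin domain.

```python
"""SPF, DKIM alignment and DMARC evaluation as a receiving gateway performs it
(added example, not the article's or Mimecast's code). DNS data and messages
are constructed inline; DKIM results are inputs, not cryptographically verified."""
import ipaddress

# Constructed DNS TXT records for the hypothetical domain examplebank.com and a
# hypothetical third-party mailer (mailer.example) it sends through.
DNS_TXT = {
    "examplebank.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "_dmarc.examplebank.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                               "rua=mailto:dmarc-reports@examplebank.com"),
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Supports ip4/ip6/include/all, which covers most real records."""
    record = DNS_TXT.get(domain.lower())
    if depth > 10 or record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        else:
            matched = False            # a/mx/exists mechanisms not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def parse_dmarc(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Crude organisational domain (last two labels); use the Public Suffix List in production."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') is an exact match, relaxed ('r') same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(msg):
    """msg: {'from_domain': RFC5322.From domain, 'envelope_from': RFC5321.MailFrom
    domain, 'client_ip': connecting IP, 'dkim': [(d= domain, verifier result), ...]}"""
    from_domain = msg["from_domain"].lower()
    spf_result = spf_check(msg["envelope_from"], msg["client_ip"])
    # Policy discovery: exact From domain first, then its organisational domain.
    record_domain = from_domain
    record = DNS_TXT.get("_dmarc." + record_domain)
    if record is None and org_domain(from_domain) != from_domain:
        record_domain = org_domain(from_domain)
        record = DNS_TXT.get("_dmarc." + record_domain)
    result = {"from": from_domain, "spf": spf_result}
    if record is None or not record.startswith("v=DMARC1"):
        # No policy published: DMARC has nothing to say. This is exactly the
        # situation for a cousin domain the attacker registered themselves.
        return {**result, "dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(
        msg["envelope_from"], from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for d, res in msg.get("dkim", []))
    if spf_aligned or dkim_aligned:
        return {**result, "dmarc": "pass", "disposition": "none"}
    # Failure: apply p=, or sp= when the From domain is a subdomain of the
    # domain that published the record.
    if record_domain != from_domain:
        policy = tags.get("sp", tags.get("p", "none"))
    else:
        policy = tags.get("p", "none")
    return {**result, "dmarc": "fail", "disposition": policy}

# Constructed messages, reduced to the fields the DMARC decision needs.
MESSAGES = {
    "genuine":         {"from_domain": "examplebank.com", "envelope_from": "examplebank.com",
                        "client_ip": "203.0.113.25", "dkim": [("examplebank.com", "pass")]},
    "spoofed":         {"from_domain": "examplebank.com", "envelope_from": "evil.example",
                        "client_ip": "192.0.2.77", "dkim": []},
    "vendor_signed":   {"from_domain": "examplebank.com", "envelope_from": "bounce.mailer.example",
                        "client_ip": "198.51.100.10", "dkim": [("examplebank.com", "pass")]},
    "subdomain_spoof": {"from_domain": "news.examplebank.com", "envelope_from": "evil.example",
                        "client_ip": "192.0.2.5", "dkim": [("mailer.example", "pass")]},
    "cousin_domain":   {"from_domain": "examplebanc.com", "envelope_from": "examplebanc.com",
                        "client_ip": "192.0.2.9", "dkim": []},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name:16} {dmarc_evaluate(msg)}")
```

The "vendor_signed" case passes only because the mailer signs with a DKIM key under examplebank.com and the policy uses strict alignment; had the vendor signed with its own domain, the message would fail DMARC and be rejected, which is the usual cause of lost legitimate mail when an organisation moves to p=reject. The "cousin_domain" case returns none rather than fail, which is why look-alike domains need the similarity and threat-intelligence checks described earlier rather than authentication alone.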
Don’t forget your human firewall
While domain registration monitoring and security services are powerful tools, training employees to spot spoofing early (ideally before any data is stolen) is still one of your best defences against any sort of spoofing attack. Most scammers rely on human error to get what they want. Don’t give them that chance. Basic cyber hygiene practices, combined with regular employee training, go a long way in protecting you and your organisation from all sorts of phishing scams and spoofing attacks. Keeping both your people and your cybersecurity practices up to date is the key to staying unspoofed and untroubled by scammers. Good luck!