How Attackers Use Typosquatting Domains for BEC and Ransomware Attacks

People tend to associate typosquatting domains only with phishing-related activity, but in reality, these domains are used in a wide variety of attacks. Attackers use these domains in attacks such as brand impersonation, BEC scams, and ransomware campaigns.

Areas of typosquatting in BEC scams

  • Business email compromise scams primarily target company employees or those responsible for transferring funds.
  • For these scams, attackers use spoofed emails, emails with typosquatting domains, or compromised email accounts of executives, employees, and business partners to make fraudulent payment requests.
Figure: BEC attack process
  • BEC scams are carried out by financially motivated attackers. In 2020 alone, the FBI Internet Crime Complaint Center (IC3) received 19,369 complaints of BEC scams, resulting in over $1.86 billion in losses for businesses and individuals. Total losses from these scams are increasing every year.

Attackers use email addresses on typosquatted/lookalike domains to take advantage of busy employees: an employee who glances at or hovers over the sender address will often not notice any difference when only one or two characters have been changed.

Because the majority of BEC scam emails contain no malicious links or attachments, they easily pass spam and malware filter protections.

Attack scenario

The attackers acquire a domain name similar to that of the target company name and use the email addresses of the acquired domain to send BEC fraudulent emails.

For example, if a company employee’s legitimate email address is [email protected], the attacker can acquire examplec0mpany.com and use the email address [email protected] in fraudulent campaigns.

Figure: A typosquatted domain email address used for the BEC scam

The email address looks very similar to the company employee’s email address, but when you look closely, the letter “o” in the company domain name has been changed to the digit zero “0”.
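The "o" to "0" swap described above is exactly the kind of change a mail gateway or SIEM rule can catch mechanically. The following script is an added example, not code from the original post or from Bolster: it parses a From: header, normalizes common lookalike characters (0 to o, 1 to l, rn to m, and so on), and flags sender domains that match or sit within a small edit distance of one of the organization's own domains. The domain examplecompany.com and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Lookalike substitutions seen in typosquatted domains (constructed list for this example).
# Multi-character forms come first so that "rn" is collapsed to "m" before single characters.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def normalize(domain: str) -> str:
    """Lower-case, drop hyphens and map lookalike characters to their plain form."""
    d = domain.lower().strip(".").replace("-", "")
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, legit_domains, max_distance: int = 2) -> dict:
    """Classify the sender domain of a From: header value.

    verdict 'legit'     - exact match with one of legit_domains
    verdict 'lookalike' - normalizes to, or is within max_distance edits of, a legit domain
    verdict 'external'  - anything else (not necessarily safe, just not a lookalike)
    verdict 'invalid'   - no usable address in the header
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "verdict": "invalid", "matched": None, "distance": None}
    domain = addr.rsplit("@", 1)[1].lower()

    best = None  # (legit domain, raw edit distance, normalized-match flag)
    for legit in legit_domains:
        legit = legit.lower()
        if domain == legit:
            return {"address": addr, "verdict": "legit", "matched": legit, "distance": 0}
        raw = levenshtein(domain, legit)
        norm_match = normalize(domain) == normalize(legit)
        if best is None or raw < best[1]:
            best = (legit, raw, norm_match)

    if best is not None and (best[2] or best[1] <= max_distance):
        return {"address": addr, "verdict": "lookalike", "matched": best[0], "distance": best[1]}
    return {"address": addr, "verdict": "external", "matched": None, "distance": None}


if __name__ == "__main__":
    # Constructed sample headers; examplecompany.com stands in for the organization's real domain.
    trusted = ["examplecompany.com"]
    samples = [
        "Finance <finance@examplecompany.com>",
        "Finance <finance@examplec0mpany.com>",   # o -> 0
        "CEO <ceo@exarnplecompany.com>",          # m -> rn
        "Finance <finance@examplecompany.co>",    # TLD truncation
        "Newsletter <news@vendor-partner.net>",
    ]
    for s in samples:
        print(classify_sender(s, trusted))
```

The `max_distance` threshold should be tuned to domain length: two edits is reasonable for a 14-character name but will over-flag on a very short one, and an "external" verdict only means the domain is not a lookalike of yours, not that it is trustworthy.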

TIP: Protect your employees and customers with a proactive monitoring and withdrawal service.

FREE DOMAIN RISK REPORT: Click here for a free report assessing your company’s typosquatting threat landscape.

Domains of typosquatting in ransomware attacks

  • Ransomware is a type of malware that encrypts data on a victim’s computer and demands payment in exchange for the decryption key. Some ransomware variants also exfiltrate sensitive data from systems before encrypting all important documents and files and threaten to make the data public if the ransom is not paid.
  • Global ransomware costs are expected to exceed $265 billion by 2031. The average ransom paid by infected companies in 2021 was $570,000. Meanwhile, the actual loss is higher because the ransom payment does not include downtime, lost data, mitigation costs, and reputation loss due to ransomware.

One of the most common ransomware distribution tactics is sending emails that contain malicious attachments or malicious URLs in the body of the email. In highly targeted campaigns, attackers use email addresses on company typosquatting/lookalike domains to appear more legitimate and trustworthy to unsuspecting employees.

Figure: Ransomware attack process using email as the delivery method

Attack scenario

An attacker uses the email address of a similar/typosquatted domain to send the email with a malicious attachment to employees of the target company.

The attacker can send malicious executables disguised as documents, legitimate office documents containing malicious macros, or malware stored in an archive in the hope that someone will open them.


Instead of attachments, the attacker can also try to send emails containing a link to the malicious executables hosted on the company’s typosquatting/look-alike domain.

If the spam or rules-based filter fails to detect these incoming emails as suspicious, the employee may end up opening the email and running the attachment.

Upon successful execution, the employee’s machine is infected and all important files and documents are encrypted. Alternatively, the attacker can use the infected machine to gain a foothold in the corporate network and attempt to infect important servers and other machines on the network.

If the attackers are successful, it can cause the entire company’s operations to be halted until the decryption key is acquired by paying the ransom or until the backups are restored.


Steps to protect against such attacks

For users

  1. Be skeptical, vigilant and only open emails from trusted senders.
  2. Do not download or open untrusted email attachments.
  3. Carefully review the email address for typos in the email domain name and URLs in the email content.

For companies

  1. Employees should receive periodic security awareness training to identify and deal with different types of scams, attacks and their consequences.
  2. Report malicious typosquats to global blocklists and then to your SIEM/SOAR platforms; acquire high-risk typosquatting domains.
  3. Notify your partners and vendors of high-risk typosquatting domains and active MX records.
  4. Continuously monitor new and active typosquatting MX servers. Bolster’s typosquatting monitoring solution can help. Click here for a demo.
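Steps 2 through 4 above all depend on knowing which lookalike domains exist and which of them are set up to send or receive mail. The script below is an added example, not Bolster's product code or code from the original post: it generates the usual typo classes for a company domain (omission, transposition, homoglyph, doubled character, hyphenation, TLD swap) and then reports which candidates have MX records, using a resolver function that the caller supplies. The domain examplecompany.com and the MX table used when the script is run directly are constructed so the example runs offline.

```python
# One-character lookalike swaps to watch for (constructed list for this example).
LOOKALIKE = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5", "m": "rn", "w": "vv", "d": "cl"}
# Alternate TLDs commonly registered as lookalikes (constructed list for this example).
ALT_TLDS = ["co", "net", "org", "cm", "om"]


def generate_candidates(domain: str) -> set:
    """Return a set of plausible typosquats of `domain` (second-level name + TLD)."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    # 1. character omission: examplecompany -> examplcompany
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])
    # 2. adjacent transposition: examplecompany -> exmaplecompany
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # 3. homoglyph substitution, one position at a time: examplecompany -> examplec0mpany
    for i, ch in enumerate(name):
        if ch in LOOKALIKE:
            variants.add(name[:i] + LOOKALIKE[ch] + name[i + 1:])
    # 4. doubled character: examplecompany -> exampleccompany
    for i in range(len(name)):
        variants.add(name[:i + 1] + name[i] + name[i + 1:])
    # 5. hyphenation: examplecompany -> example-company
    for i in range(1, len(name)):
        variants.add(name[:i] + "-" + name[i:])
    candidates = {v + "." + tld for v in variants if v and v != name}
    # 6. TLD swap on the unmodified name: examplecompany.com -> examplecompany.co
    candidates.update(name + "." + t for t in ALT_TLDS if t != tld)
    return candidates


def find_active_mx(candidates, lookup_mx) -> dict:
    """Return {domain: [mx hosts]} for every candidate that has at least one MX record.

    lookup_mx(domain) must return a list of MX hostnames, or [] when there are none.
    Keeping the resolver injectable lets this run offline in tests and against real DNS
    in production (e.g. a wrapper around dnspython's dns.resolver.resolve(domain, "MX")).
    """
    active = {}
    for domain in sorted(candidates):
        mx_hosts = lookup_mx(domain)
        if mx_hosts:
            active[domain] = list(mx_hosts)
    return active


# Constructed MX table standing in for real DNS answers; only two candidates "accept mail".
FAKE_MX = {
    "examplec0mpany.com": ["mail.examplec0mpany.com"],
    "examplecompany.co": ["mx1.examplecompany.co", "mx2.examplecompany.co"],
    "unrelated.example": ["mail.unrelated.example"],  # never queried: not a candidate
}


def fake_lookup_mx(domain: str) -> list:
    """Offline stand-in for a DNS MX lookup."""
    return FAKE_MX.get(domain, [])


if __name__ == "__main__":
    cands = generate_candidates("examplecompany.com")
    print(f"{len(cands)} candidate lookalikes generated")
    for d, mx in find_active_mx(cands, fake_lookup_mx).items():
        print(f"ACTIVE MX  {d:28} -> {', '.join(mx)}")
```

Domains that come back with MX records are the ones worth feeding into the blocklist, SIEM and partner-notification steps above, since a registered lookalike with no mail setup is a lower-priority signal than one that is ready to send or receive.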

About Us

This blog is published by Bolster Research Labs. We are also creators of https://checkphish.ai – a free URL scanner to detect phishing and scam sites in real time.

If you are interested in advanced research and discovering new scams or working with cutting edge AI, come work with us at Bolster Research Labs. View open positions here

*** This is a syndicated blog from the Security Bloggers Network of Reinforcement Blog written by Nikhil Panwar. Read the original post at: https://bolster.ai/blog/typosquatting-domains-bec-ransomware-attacks/


Source link