Domain Impersonation

What is domain impersonation?

Domain impersonation is often used by hackers in impersonation or conversation-hijacking attacks. The attacker imitates the domain of a legitimate business through techniques such as typosquatting: replacing one or more letters in the legitimate email domain with a similar-looking letter, or adding a hard-to-notice letter to it. In preparation for the attack, the cybercriminals register or buy the impersonating domain.


How does Domain Impersonation work?

Domain impersonation is a very high-impact attack. It relies on the fact that people don't pay close attention to every letter in an email domain, so the subtle differences between the legitimate domain and the impersonated one are easy to miss. For example, an attacker trying to impersonate barracuda.com might use one of these very similar domains:

  • barracada.com
  • barrácuda.com
  • barrracuda.com

An attacker can also change the top-level domain (TLD), for example using .net or .co rather than .com:

  • barracuda.net
  • barracuda.co

Hackers invest time and money to register impersonating domains. Attacks that originate from such domains are usually carefully crafted to avoid detection and maximize returns for the attacker.

Domain impersonation attacks are often used in conjunction with account takeover and conversation hijacking. Once an account takeover has taken place, the attacker has access to internal and external conversations between employees, partners, and customers. Using information from compromised accounts, attackers can craft convincing messages from cleverly impersonated domains to trick their victims for monetary gain. For example, they might impersonate a vendor and send a request to change the vendor's bank account details to your accounts payable department.

Why is Domain Impersonation important?

Domain impersonation has been around for a while. The volume has always been low, but impact and costs are high. The attack is complicated and requires a lot of resources to be implemented. The attacker has to buy the domain that impersonates the legitimate domain. These domains can be expensive, but when executed carefully, domain impersonation attacks can produce high returns on investment for the attacker.

The biggest challenge with domain impersonation is accurately detecting typosquatted domains and differentiating an impersonation attempt from a real website.

How to protect against Domain Impersonation

First make sure that domain impersonation is part of your security awareness training. Ensuring your employees can recognize these attacks will do a lot to help protect your organization against them.

Second, as scammers adapt their tactics to bypass gateways and filters, it's important to deploy API-based inbox defense technology that uses artificial intelligence to detect highly targeted attacks like domain impersonation. Such a system uses historical communication data to associate specific conversations, requests, and individuals with specific email domains. So, when a vendor sends an unusual request from the wrong domain, inbox defense detects and blocks it.

Third, monitor new domain registrations for typosquatted domains to make sure your organization is not being used as a launch pad for such attacks. Many organizations also choose to purchase domains that are closely related to their own to avoid potential fraud.

And finally, help employees to avoid costly mistakes by creating guidelines and enforcing procedures to confirm all email requests and wire transfers.
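The look-alike patterns listed above (a substituted, doubled or accented letter, or a swapped TLD) can be caught mechanically by comparing a sender's domain against a short list of domains you want to protect. The detector below is an added example, not Barracuda code; the PROTECTED_DOMAINS list and the technique labels it returns are constructed for illustration.

```python
import unicodedata

# Constructed sample: domains the organisation wants to protect from look-alikes.
PROTECTED_DOMAINS = ["barracuda.com"]


def fold_homoglyphs(label: str) -> str:
    """Map accented characters onto their ASCII base ('á' -> 'a') so that an IDN
    homoglyph label compares equal to the label it imitates."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one typo (substituted, dropped or doubled letter) costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'barracuda.com' -> ('barracuda', 'com'); punycode (xn--) labels are decoded first."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters, nothing to decode
    label, _, tld = domain.strip().lower().rpartition(".")
    return label, tld


def classify_sender_domain(sender: str, protected=PROTECTED_DOMAINS, max_edits: int = 1):
    """Return None for a legitimate or unrelated domain, otherwise the name of the
    impersonation technique the sender domain most resembles."""
    s_label, s_tld = split_domain(sender)
    for legit in protected:
        l_label, l_tld = split_domain(legit)
        if (s_label, s_tld) == (l_label, l_tld):
            return None  # exact match with a protected domain
        folded = fold_homoglyphs(s_label)
        if folded == l_label and s_tld == l_tld:
            return "homoglyph"   # e.g. barrácuda.com
        if folded == l_label and s_tld != l_tld:
            return "tld-swap"    # e.g. barracuda.net, barracuda.co
        if s_tld == l_tld and levenshtein(folded, l_label) <= max_edits:
            return "typosquat"   # e.g. barracada.com, barrracuda.com
    return None  # not close to any protected domain
```

The same check can be run over a feed of newly registered domains to spot typosquats of your own brand, or over the sender domain of inbound mail before a payment-change request reaches accounts payable.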


How Barracuda can help

Impersonation Protection is a cloud-hosted service that uses artificial intelligence for real-time spear-phishing and cyber fraud defense. It connects directly to Office 365, so it works alongside any email security solution with no impact on network performance or user experience.

Security Awareness Training is the industry's most powerful Security Awareness Computer-Based Training and Simulation Solution. Using state-of-the-art training and simulation, Security Awareness Training can teach your employees to recognize and eliminate highly specialized spear phishing attempts.
