Phishing Beyond the Perimeter: How Cybercriminals Weaponize Domain Squatting
May 16th, 2019
Phishing is the oldest trick in the cybercriminal playbook, dating back to the early days of the internet. But it remains effective, even in today’s more digitally savvy world, and despite heavy organizational investment in security tooling.
A Pew Research Center survey found that just over half of all respondents could correctly identify a phishing attack, even when prompted to do so. An AT&T survey found that nearly a third of security professionals surveyed consider phishing to be the threat that worries them the most. Despite advancements in phishing defense systems, attacks continue to be successful: IntSights observed a 297 percent increase in retail phishing websites last October.
So, how do hackers continue to successfully pull off this well-documented form of cyberattack?
Identifying Phishing Attacks at the Source
The problem with phishing attacks is that they both originate and manifest well beyond the targeted organization’s perimeter, in infrastructure the security team does not control. Hackers often use methods like domain squatting to dupe unwitting customers and employees into divulging personally identifiable information (PII) or credentials under false pretenses, or to trick them into downloading a malicious file from an ostensibly legitimate site. This practice is common in phishing emails, some of which are so carefully constructed that they contain numerous legitimate links alongside a single malicious one.
Phishing takes place across other channels, as well – like social media – adding to the complexity of protecting against phishing. Brand and executive impersonation are common methods cybercriminals use to carry out phishing attacks, oftentimes targeting customers who may lack the awareness and/or security protections that employees have.
A newer offering for sale across dark web black markets is the phishing kit: a software package that templatizes the entire process of building a phishing site. With these kits, hackers do not need technical skills to run intricate phishing campaigns, so the barrier to entry has been substantially lowered, and the process of weaponizing a phishing campaign is streamlined even for novice hackers.
Monitoring Domain Permutations and Malicious IP Addresses
Monitoring any and all permutations of your domains is a crucial step to thwarting a successful attack, but this can be time consuming. Phishing campaigns are set up in stages, so tracking their changes over time is critical. Phishers will register a domain and can squat on it for weeks or months before they run a phishing attack. That’s why organizations must go beyond simply monitoring for domain permutations to identify key signs of weaponization. This might include:
- The organization’s digital assets (logos, page templates) being uploaded to the domain
- MX or A record changes
- Changes in associated IPs
- Presence of forms
- And more...
Attackers often upload organizations' digital assets to their cloned domains and activate MX records so the domain can send mail, turning it into a launching point for targeted email attacks. In most cases, an MX record going live on a phishing domain indicates an attack is imminent, and cybersecurity teams must move quickly to thwart it (we’ll share more about this in a future blog post).
Another way to identify a potentially malicious domain is by checking the IP address it resolves to. If it is hosted on a known malicious IP, the domain’s similarity to the legitimate domain is no mere coincidence and is a strong indicator of a threat actor preparing an attack. One caveat: shared hosting and large cloud providers put many unrelated sites behind the same address, so treat a hosting-IP match as one signal to be weighed alongside the others above rather than as proof on its own.
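The monitoring workflow described above (enumerate lookalike domains, re-check each one over time, and flag the weaponization signals: asset uploads, MX or A record changes, hosting-IP changes, forms appearing, known-bad hosting IPs) can be sketched in a few dozen lines. The following is an added example written for this page, not IntSights tooling; the permutation rules, the `Snapshot` fields, the `KNOWN_BAD_IPS` blocklist (using RFC 5737 documentation addresses) and the staging thresholds in `triage` are all assumptions chosen for illustration.

```python
"""Added example (not IntSights code): enumerate lookalike domains for a brand
and triage successive DNS/content snapshots for weaponization signals.
All domains, IPs and snapshots here are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Characters that look alike in common fonts (small illustrative subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
SUFFIX_WORDS = ("login", "secure", "support")   # words phishers append to a brand
ALT_TLDS = ("net", "org", "co", "info")          # assumed alternative TLDs to watch


def permutations(domain: str) -> list[str]:
    """Return typosquat/lookalike candidates for a domain such as 'example.com'."""
    label, _, tld = domain.rpartition(".")
    cands: set[str] = set()
    for i in range(len(label)):
        cands.add(label[:i] + label[i + 1:])             # omission:      exmple
        cands.add(label[:i] + label[i] + label[i:])      # repetition:    exxample
        if label[i] in HOMOGLYPHS:                       # homoglyph:     examp1e
            cands.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                      # transposition: exmaple
        cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                       # hyphenation:   exam-ple
        cands.add(label[:i] + "-" + label[i:])
    for word in SUFFIX_WORDS:                            # addition:      example-login
        cands.add(label + word)
        cands.add(label + "-" + word)
    cands.discard(label)
    cands.discard("")
    out = {c + "." + tld for c in cands}
    out.update(label + "." + t for t in ALT_TLDS if t != tld)   # TLD swap: example.net
    return sorted(out)


@dataclass(frozen=True)
class Snapshot:
    """What one monitoring pass observed for a candidate domain."""
    a_records: frozenset[str]     # IPv4 addresses the name resolves to (empty if none)
    mx_records: frozenset[str]    # mail exchangers, if any
    has_form: bool                # a login/credential form was found on the page
    brand_assets: bool            # the target's logos/templates were found on the page


# Hypothetical blocklist of hosting IPs; 198.51.100.0/24 is RFC 5737 documentation space.
KNOWN_BAD_IPS = frozenset({"198.51.100.23"})


def weaponization_signals(prev: Snapshot, cur: Snapshot) -> list[str]:
    """Diff two snapshots of the same domain and name the signals that fired."""
    signals: list[str] = []
    if cur.a_records != prev.a_records:
        signals.append("A record / hosting IP changed")
    if cur.mx_records and not prev.mx_records:
        signals.append("MX record went live")
    if cur.brand_assets and not prev.brand_assets:
        signals.append("brand assets uploaded")
    if cur.has_form and not prev.has_form:
        signals.append("credential form appeared")
    if cur.a_records & KNOWN_BAD_IPS:
        signals.append("hosted on known-malicious IP")
    return signals


def triage(prev: Snapshot, cur: Snapshot) -> tuple[str, list[str]]:
    """Rank a domain for the analyst queue (thresholds are assumptions):
    'imminent' when mail can now be sent from it or it can already harvest
    credentials, 'staging' when anything else moved, 'dormant' otherwise."""
    signals = weaponization_signals(prev, cur)
    if "MX record went live" in signals or (cur.has_form and cur.brand_assets):
        return "imminent", signals
    if signals:
        return "staging", signals
    return "dormant", signals


if __name__ == "__main__":
    for cand in permutations("example.com")[:8]:
        print(cand)
    parked = Snapshot(frozenset({"203.0.113.10"}), frozenset(), False, False)
    armed = Snapshot(frozenset({"198.51.100.23"}), frozenset({"mail.examp1e.com"}), True, True)
    print(triage(parked, armed))
```

In practice `Snapshot` would be filled from real DNS lookups and a fetch of the candidate page on each monitoring pass; the value of the approach is in the diff between passes, since a squatted domain that has sat parked for weeks and then suddenly gains an MX record and a login form is the pattern the post describes.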
Leveraging External Threat Intelligence to Identify and Block Phishing Attacks
Cybersecurity teams have a lot on their plate. Endpoint security is always top-of-mind, as this serves as the first line of defense against hackers and other cybercriminals. But in today’s increasingly digitized world, the battle needs to be fought beyond an organization’s perimeter. Security teams cannot control when, where, or how cybercriminals launch attacks against their organizations. But they can proactively identify threats and shut them down at their source, reducing the risk of successful phishing attacks. External threat intelligence can help organizations transform their cybersecurity from reactive to proactive.
This is the first entry in a three-part blog series, Phishing Beyond the Perimeter, that will break down how cybercriminals orchestrate their attacks, what sources to monitor for potential threats against your organization, and how to take down a phishing attack at the source. Subscribe to the IntSights blog to get the rest of the series – and much, much more – delivered directly to your inbox.
Want to learn more about how threat intelligence bolsters cybersecurity solutions? Download The Evolution of Cyber Threat Intelligence: 2019 SANS CTI Survey.