By Mark Barrett
Last year was a big year for online fraud. Throughout 2017, a total of $172 billion was stolen from consumers globally via some form of cyber crime[1]. Online fraud itself is nothing new and has posed a risk to brands for a number of years. However, what’s changing are the techniques used to steal customer data, and the methods used to blur the boundaries between what’s genuine and fake.
Increased use of domain names
In the past, phishing sites relied heavily on hijacking third-party websites, but registering brand-specific domain names for phishing is fast becoming the preferred option. This is largely because retail registrars sell names so cheaply that they have become an effective, low-cost way to create an attack. Research conducted by the Anti-Phishing Working Group reported that in 2016 over 195,000 domains were registered and used for the purpose of phishing[2]. Some top-level domains (TLDs) are also more prone to abuse by spammers: in the worst cases, over 48% of all active domain names registered in the TLD are identified as bad, a consequence of less stringent registration policies adopted in favor of greater domain sales volume[3].
Hackers are also exploiting the Internationalized Domain Name system to create cloned sites where the domain name used can appear to mirror its genuine counterpart. This is done by taking advantage of visual similarities in different alphabets—one example is the Latin letter “a” and the Cyrillic character “а.” The issue is more widespread than many realize; recent research discovered that over 125 different brands ranging from luxury goods to financial services have been targeted by these kinds of domain registrations[4].
Availability of SSL certificates
Secure Sockets Layer (SSL) adds a layer of protection to a website: it encrypts the web traffic between the user’s browser and the server. Most web browsers display a green padlock icon in the URL bar to show that the site is protected by SSL; the “s” in HTTPS is another indicator. Any official banking or eCommerce website will almost always have an SSL certificate, but as with domain names, SSL certificates must be renewed to remain valid.
These digital certificates are also more accessible than they once were. It is not hard to find online providers that issue SSL certificates at no cost and with little validation, which makes them an easy way to add a further seal of legitimacy to a fraudulent website. Search engines are also ranking sites without SSL lower, and fraudsters are quick to adapt. The prevalence of SSL certificates on phishing websites is surprising: figures estimate that over 14,000 certificates have been issued to sites targeting the PayPal brand alone. In 2016, less than 3% of phishing sites used SSL certificates, but by Q3 2017 nearly 25% were encrypted with SSL[5].
Many internet users understandably feel safe when they see the familiar green padlock or HTTPS in their URL bar, which is exactly the reassurance SSL was intended to provide. But a certificate only shows that traffic to that domain is encrypted, not that the domain belongs to the brand it resembles, and given the increased use of SSL on fraudulent sites, a padlock no longer indicates that a user is visiting a legitimate website.
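The two points above, a lookalike domain built from mixed scripts and a padlock that says nothing about who owns the domain, can be checked together. The following Python is an added example written for this article; it is not CSC’s tooling or code from any vendor named here. It assumes a hypothetical brand whose genuine domains are examplebank.com and examplebank.co.uk, and it ships a small constructed subset of the Unicode confusables table; a production monitor would load the full UTS #39 confusables list and the Public Suffix List instead of the simplified suffix matching used here.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of the brand's genuine domains (hypothetical brand,
# not a real registrant). Subdomains of these are treated as genuine too.
GENUINE_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

# Small constructed subset of Unicode confusables: Cyrillic letters that render
# like Latin ones. Production code would load the full UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}


def decode_host(host: str) -> str:
    """Lower-case a hostname and decode any punycode (xn--) labels to Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label for review
        labels.append(label)
    return ".".join(labels)


def mixed_script(label: str) -> bool:
    """True if the letters of one label come from more than one script.

    Python's unicodedata has no Script property, so the script is approximated
    by the first word of the character name ("LATIN", "CYRILLIC", ...).
    """
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def skeleton(host: str) -> str:
    """Fold confusable characters to the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def is_genuine(host: str, genuine) -> bool:
    """Exact match or subdomain of an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in genuine)


def assess_url(url: str, genuine=GENUINE_DOMAINS) -> dict:
    """Classify a URL as genuine, lookalike or unrelated, ignoring the scheme.

    The https flag is reported separately so the caller can see that a padlock
    says nothing about whether the host belongs to the brand.
    """
    parts = urlsplit(url)
    host = decode_host(parts.hostname or "")
    result = {"host": host, "https": parts.scheme == "https", "findings": []}
    if is_genuine(host, genuine):
        result["verdict"] = "genuine"
        return result
    for label in host.split("."):
        if mixed_script(label):
            result["findings"].append(f"mixed scripts in label {label!r}")
    folded = skeleton(host)
    brand_tokens = {d.split(".")[0] for d in genuine}
    if folded != host and is_genuine(folded, genuine):
        result["findings"].append(f"homograph of {folded}")
    elif any(token in host for token in brand_tokens):
        result["findings"].append("brand name inside a non-genuine host")
    result["verdict"] = "lookalike" if result["findings"] else "unrelated"
    return result


if __name__ == "__main__":
    # Constructed sample: Cyrillic U+0430 replaces the Latin "a" in "bank".
    lookalike = "https://exampleb\u0430nk.com/login"
    for url in ("https://www.examplebank.com/login", lookalike,
                "http://examplebank-secure-login.com/", "https://unrelated.org/"):
        print(assess_url(url))
```

The verdict is computed purely from the hostname; the scheme is only reported, so a lookalike served over HTTPS is still a lookalike. Feeding the function the punycode form of a host (what a browser or a passive DNS feed actually shows) yields the same result, because labels starting with `xn--` are decoded before any check runs.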
Executives are the new bait
Fraudsters have traditionally tried to imitate brands rather than people. More recently, though, bad actors have begun to impersonate key individuals at organizations, particularly executive teams and board members. Websites like LinkedIn® and various other B2B database sites make it fairly easy to find the names and job titles of individual employees, which, used in tandem with social engineering, can be turned into bogus phishing emails that solicit access to sensitive corporate information or company funds. Imitating executives in this way is a form of spear phishing (the FBI tracks it as business email compromise), and many employees fall for it because the emails are written with proper grammar, mimic the language their CEO would use, feature a close copy of the company logo, and are phrased as urgent requests few employees will question. The financial cost of such attacks can be immense: the FBI estimated that from October 2013 to February 2016, losses from this kind of fraud amounted to over $5.3 billion globally[6]. Executive impersonation can be far more public than email, too. A number of brands are finding that their CEOs and executives are being impersonated on social media sites as well.
Social media and “twishing”
Social networking has exploded over the last 10 years, and sites like Facebook® and Twitter® have given brands of all sizes a huge opportunity to promote and grow their name. Unfortunately, this has also caught the attention of fraudsters. Many people now prefer talking to their bank on social media rather than calling when they have an issue or question. But if they start a conversation with the wrong account, for example with a fraudulent “@customer-support” instead of the official “@customersupport”, they could end up unknowingly passing sensitive information to a cyber criminal.
Phishing on social media, also known as “twishing,” has become a significant risk to brands. Estimates suggest a 100% increase in phishing incidents that make use of social media networks[7]. Creating a fake account on a social media site is even quicker and easier than registering a domain, so it is no surprise that this is becoming a favored attack vector for those looking to steal customer information.
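The “@customer-support” versus “@customersupport” case above is the kind of thing a brand-monitoring feed should flag automatically. The Python below is an added example for this article, not CSC’s service or any platform’s API. It assumes a hypothetical brand with the official handles @customersupport and @examplebank, and a small constructed table of digit-for-letter substitutions; the similarity threshold of 0.85 is a tuning choice, not a platform rule.

```python
import re
from difflib import SequenceMatcher

# Constructed list of a hypothetical brand's official handles (assumption).
OFFICIAL_HANDLES = {"@customersupport", "@examplebank"}

# Constructed table of digit/symbol substitutions seen in lookalike handles.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def normalize(handle: str) -> str:
    """Reduce a handle to lower-case letters and digits.

    Case, the leading "@", punctuation such as "-", "_" and ".", and common
    digit-for-letter swaps are all removed, so "@Customer_Supp0rt" and
    "@customer-support" both normalize to "customersupport".
    """
    stripped = handle.lower().lstrip("@").translate(LEET)
    return re.sub(r"[^a-z0-9]", "", stripped)


def classify_handle(handle: str, official=OFFICIAL_HANDLES, threshold: float = 0.85) -> dict:
    """Classify one handle as official, lookalike, near-miss or unrelated.

    - official:  exact match ignoring case (platforms treat handles case-insensitively)
    - lookalike: identical after normalization (punctuation or digit tricks only)
    - near-miss: similarity ratio to an official handle at or above the threshold
    - unrelated: everything else
    """
    lowered = handle.lower()
    for o in official:
        if o.lower() == lowered:
            return {"handle": handle, "verdict": "official", "match": o, "score": 1.0}
    norm = normalize(handle)
    # Best-scoring official handle; SequenceMatcher.ratio() is 2*matches/total length.
    score, match = max(
        (SequenceMatcher(None, norm, normalize(o)).ratio(), o) for o in official
    )
    if norm == normalize(match):
        verdict = "lookalike"
    elif score >= threshold:
        verdict = "near-miss"
    else:
        verdict, match = "unrelated", None
    return {"handle": handle, "verdict": verdict, "match": match, "score": round(score, 3)}


def triage(handles, official=OFFICIAL_HANDLES):
    """Return only the handles that deserve a review or takedown ticket."""
    results = (classify_handle(h, official) for h in handles)
    return [r for r in results if r["verdict"] in ("lookalike", "near-miss")]


if __name__ == "__main__":
    # Constructed sample of handles as a monitoring feed might return them.
    sample = ["@customersupport", "@customer-support", "@Customer_Supp0rt",
              "@customersuport", "@dailyweather"]
    for r in triage(sample):
        print(r)
```

Normalization catches the cheap tricks (hyphens, underscores, zeros for o’s), while the similarity ratio catches one-letter typos such as “@customersuport”; both are reported with the official handle they imitate so an analyst can open a ticket against the right account.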
Online fraud is clearly a much bigger risk to brand owners than it was 10 years ago. The fall in price and greater availability of domain names and SSL certificates means that phishing websites and emails are harder to discern from what’s genuine.
With new attack vectors such as social media and the highly targeted use of individual employees, it has never been more important to have a comprehensive anti-phishing solution in place that can monitor and enforce against threats targeted at your brand.
We’re ready to talk. Find out how CSC Brand Monitoring services can help you get secure against online fraud.
References:
[1] https://www.technologyreview.com/the-download/610043/hackers-stole-172-billion-from-people-in-2017/
[2] http://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf
[3] https://www.spamhaus.org/statistics/tlds/
[4] https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/
[5] https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/
[6] https://securityledger.com/2017/05/fbi-business-email-compromise-is-a-5-billion-industry/
[7] https://www.informationsecuritybuzz.com/articles/phishing-via-social-media-100-percent-now-preferred-vector/