- 624,000 U.S. securities brokers recently targeted by FINRA spoofing attempts
- 50,000 fake login pages spoofing 200 brands tracked by researchers earlier this year
- 61% of Global 2000 firms do not use protections like DMARC authentication
Spoofing and domain impersonation remain among the biggest problems in cybersecurity, as criminals use lookalike domains, common misspellings and other trickery to fuel their activity. For the better part of two decades, attackers have relied on spoofing to run phishing campaigns and business email compromise scams and to carry out a range of other fraud. Recent news items offer powerful evidence of the continued pressure that clever spoofing techniques put on cyber defenders.
FINRA Spoofed to Sting Financial Orgs
A regulatory alert from the Financial Industry Regulatory Authority (FINRA), the non-profit organization tasked by the U.S. Securities and Exchange Commission (SEC) with regulating exchange markets and securities firms active in the country, indicates that it was stung by an effective spoof in late November.
"FINRA warns member firms of an ongoing phishing campaign that involves fraudulent emails that include the domain '@invest-finra.org,'" the alert warned. "FINRA recommends that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident."
FINRA oversees more than 624,000 brokers responsible for billions of market events every day, making it a juicy target for convincing spoofing attempts. It had been similarly impersonated by attackers who used a copycat site hosted at finnra.org (note the misspelling) to support a spear phishing campaign run earlier this year.
The FBI is a Recent High-Profile Target
The Federal Bureau of Investigation (FBI) issued a warning in late November that cyber actors have put their shoulders into efforts to spoof legitimate FBI websites, registering dozens of sites recently in what looks like the precursor to a spike in operational activity against U.S. citizens and businesses.
"Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can easily be mistaken for legitimate websites or emails," the FBI alert explained. "Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word, or use an alternative top-level domain, such as a "[.]com" version of a legitimate "[.]gov" website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI's mission, services, or news coverage."
Some of the recently registered sites included fbiigovv.com, cyber-crime-fbi.org, fbiusagov.online, and fbiusgov.com.
"The FBI urges all members of the American public to critically evaluate the websites they visit, and the messages sent to their personal and business email accounts, to seek out reliable and verified FBI information."
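The FBI alert describes the two main lookalike patterns (an alternate spelling of the name, or the real name under a different top-level domain), and the FINRA section shows a third: the brand name embedded in a longer name such as invest-finra.org. As an added example that is not part of the original article or of any agency's tooling, the Python script below triages a list of observed domains (for instance from a newly-registered-domain feed) against a short list of protected domains using exactly those three checks. The protected list and the control domain example.com are assumptions; the observed names are the ones quoted in the article.

```python
"""Triage observed domains as possible lookalikes of protected brand domains.

Added example, not from the original article. The PROTECTED list and the
example.com control entry are assumptions; the other OBSERVED names are the
lookalikes quoted in the article's FINRA and FBI sections.
"""
from __future__ import annotations

# Legitimate domains we want to protect (assumed for this example).
PROTECTED = ["fbi.gov", "finra.org"]

# Domains seen in a feed; the last one is a constructed control that should not match.
OBSERVED = [
    "fbiigovv.com",
    "cyber-crime-fbi.org",
    "fbiusagov.online",
    "fbiusgov.com",
    "finnra.org",
    "invest-finra.org",
    "example.com",
]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (everything left of the last dot, top-level domain), lower-cased.

    Multi-label names such as login.fbi.gov.example.com keep their extra labels
    on the left side, which the brand-embedded check still catches.
    """
    label, _, tld = domain.strip().lower().rpartition(".")
    return label, tld


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch near-miss misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed: str, protected: list[str] = PROTECTED) -> list[tuple[str, str]]:
    """Return (protected_domain, reason) pairs for every protected name `observed` resembles.

    Reasons: 'alternate-tld'   same name, different TLD (e.g. a .com copy of a .gov site)
             'misspelling'     name within 2 edits of the real one (finnra vs finra)
             'brand-embedded'  real name appears inside a longer name (invest-finra)
    """
    observed = observed.strip().lower()
    obs_label, obs_tld = split_domain(observed)
    findings = []
    for legit in protected:
        if observed == legit:
            continue  # the genuine domain is never a lookalike of itself
        legit_label, legit_tld = split_domain(legit)
        if obs_label == legit_label and obs_tld != legit_tld:
            findings.append((legit, "alternate-tld"))
        elif obs_label != legit_label and levenshtein(obs_label, legit_label) <= 2:
            findings.append((legit, "misspelling"))
        elif legit_label in obs_label:
            findings.append((legit, "brand-embedded"))
    return findings


def triage(domains: list[str], protected: list[str] = PROTECTED) -> dict[str, list[tuple[str, str]]]:
    """Map each suspicious domain to its findings; domains with no findings are dropped."""
    result = {}
    for d in domains:
        hits = classify(d, protected)
        if hits:
            result[d] = hits
    return result


if __name__ == "__main__":
    for domain, hits in triage(OBSERVED).items():
        print(f"{domain:24s} -> {hits}")
```

The substring check is deliberately loose for a three-letter brand like "fbi" and will produce false positives on a large feed; in practice the edit-distance threshold and the protected list are tuned per brand, and matches are routed to a blocklist or takedown queue rather than acted on automatically.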
IRS Spoofing Targets Taxpayers
The U.S. Internal Revenue Service (IRS) is a perennial favorite target among government agencies for spoofing and impersonation attempts. The latest campaign was detailed by researchers with Abnormal Security a few weeks ago, who found attackers were spoofing IRS domains to target some 50,000 to 70,000 Microsoft Office 365 accounts with phony emails that appeared to come from addresses like firstname.lastname@example.org.
The campaign didn't include malware or malicious links, but instead aimed to socially engineer victims into believing they owed a tax debt and that they were under threat of legal action if they didn't make a payment to accounts owned by the attackers.
Fake Login Pages Down to an Art
Cybercriminals have fake login pages hosted at spoofed domains down to an art. According to an analysis released by researchers at IRONSCALES, in the first half of 2020 they identified more than 50,000 fake login pages that spoofed 200 of the world's biggest brands. Nearly 5% of these login pages were polymorphic, with one brand's spoof using 300 permutations to stay one step ahead of security teams.
"The top 5 brands (spoofed) with the most fake login pages closely mirrors the list of brands that frequently have the most active phishing websites," researchers explained.
These spoofed fake sites work well for two reasons, they said. First, using these sites makes it easier to bypass authentication controls and gateway controls, which are generally focused on picking up malicious payloads or known signatures for malicious links. Second is the psychological phenomenon known as inattentional blindness, which happens when someone fails to notice an unexpected change that occurs in plain sight.
"Even people with phishing awareness training are susceptible to inattentional blindness," they explained.
Adoption of Security Controls Over Domains Remains Sluggish
While many domain security measures don't protect brands from clever domain misspellings and cousin domain scams, protections like domain lock and DMARC email authentication can take a bite out of a lot of spoofing activity and domain name hijacking. Unfortunately, most major brands are still sluggish in utilizing these controls.
A study released earlier this year showed that 83% of Global 2000 organizations have not adopted basic registry lock measures, 61% of them don't have DMARC enabled, and the vast majority (97%) do not use DNSSEC.
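Having DMARC "enabled" is only part of the story: a record published with p=none monitors spoofing but lets the spoofed mail through. As an added example that is not from the article or from any vendor's tool, the Python below parses a DMARC TXT record the way a receiving mail server would and flags the settings that leave the domain spoofable. The records and the example.org reporting address are constructed.

```python
"""Parse a DMARC TXT record and flag settings that leave a domain spoofable.

Added example, not from the original article. The three records below are
constructed and example.org is a placeholder reporting domain.
"""
from __future__ import annotations

# Constructed records: a monitor-only record, a partially enforced one, and a strong one.
WEAK_RECORD = "v=DMARC1; p=none"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.org"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"

# Enforcement strength of each policy value, used to compare p= against sp=.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Human-readable meaning of each issue code returned by assess().
ISSUE_TEXT = {
    "not-dmarc": "record does not carry v=DMARC1, so receivers ignore it",
    "missing-p": "required p= tag is absent, so the record is invalid",
    "p-none": "p=none only monitors; spoofed mail is still delivered",
    "p-quarantine": "p=quarantine sends spoofs to junk rather than rejecting them",
    "sp-weaker": "subdomain policy sp= is weaker than the organizational policy p=",
    "pct-partial": "pct<100 applies the policy to only a sample of failing mail",
    "no-rua": "no rua= address, so no aggregate reports on who is spoofing the domain",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(record: str) -> list[str]:
    """Return issue codes for a DMARC record, in the order they are found; [] means fully enforced."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not-dmarc"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return ["missing-p"]

    issues: list[str] = []
    if policy == "none":
        issues.append("p-none")
    elif policy == "quarantine":
        issues.append("p-quarantine")

    # sp= defaults to the value of p= when absent.
    subdomain_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK[policy]:
        issues.append("sp-weaker")

    # pct= defaults to 100; a non-numeric value is treated as partial enforcement.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append("pct-partial")

    if "rua" not in tags:
        issues.append("no-rua")
    return issues


def explain(record: str) -> list[str]:
    """Expand assess() codes into sentences for a report."""
    return [ISSUE_TEXT[code] for code in assess(record)]


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        print(name, rec)
        for line in explain(rec) or ["fully enforced"]:
            print("  -", line)
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` (for example with dnspython's `dns.resolver.resolve(name, "TXT")`) and pass the joined string to `assess()`; the script above is kept offline so it runs without network access.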