Most of the largest companies in the UK have been targeted by brand-spoofing attacks, according to a new report.
The study, carried out by Anomali Labs, found that 81 companies in the FTSE 100 had potentially malicious domain registrations against them in the past three months. The suspicious domain registrations and potentially compromised accounts could be used as part of an attack, said the report's authors.
The report, titled “The FTSE 100: targeted brand attacks and mass credential exposures”, found a total of 527 registered malicious domain names, an average of five per organisation.
The largest share of suspicious domains was registered using a Chinese address, followed by the US and then Panama. The industry sectors hardest hit by suspicious domain registrations are Financial Services with 376, Retail with 175 and Critical Infrastructure with 75.
“There are a lot of employees that use their work email and password on sites outside of their work. Many of the sites they go to off-hours were likely compromised in a way that allowed the credentials to end up on the dark web,” the report's authors said.
“Often large dumps of credentials are obtained by adversaries performing web application attacks such as SQL injection, command injection or by compromising a website and logging all user logins. In addition, they may be obtained by gaining access to an organisation's internal network and then pivoting around until a large database or file share is discovered and compromised.”
Orlando Scott-Cowley, cybersecurity strategist at email security firm Mimecast, told SCMagazineUK.com that malicious domain registrations are growing alongside the popularity of whaling email attacks, in which fraudsters pretend to be the CEO to trick employees into sending money or personal data.
“Organisations should register variations of their domain that could be used by whalers and also look at domain monitoring services as part of their email security strategy,” he said.
Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that threats such as the ones outlined by the report are very difficult to monitor, “given that only minute changes to URLs are required to make it a success with a well-designed branded feel; for users who may land on them, unless close attention is paid to the URL and layout, it can be nigh on impossible to realise what is happening, until it's too late.”
“The onus for protection sits on both sides of the proverbial technology fence, with a dollop of common sense vigilance in online transactions,” he said, adding: “Organisations need to implement better 'Threat Intelligence' capabilities, working to trawl domain registrations for spoofed or typo-squatted registrations, in addition to maintaining a 'watch-list' of known hives of activity.”
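The two recommendations above, registering your own look-alike domains and trawling new registrations for typo-squats, both start from the same list: the permutations of your brand that a fraudster would find attractive. The following is an added example, not code from the report, Anomali Labs, Mimecast or Alert Logic, showing how a defender can build that list and run a feed of new registrations against it. The brand `examplebank.co.uk`, the affix and keyboard tables, and the `NEW_REGISTRATIONS` feed are all constructed for illustration; in practice the feed would come from a registrar, zone-file or certificate-transparency source.

```python
"""Typo-squat monitor: flag newly registered domains that impersonate a brand."""
from __future__ import annotations

# Hypothetical brand to protect; not a domain taken from the report.
PROTECTED_DOMAIN = "examplebank.co.uk"

# Constructed sample feed of "newly registered" domains for the demonstration.
NEW_REGISTRATIONS = [
    "examplebank.com",          # same label, different TLD
    "exmaplebank.co.uk",        # transposed letters
    "examp1ebank.co.uk",        # homoglyph: l -> 1
    "examplebnk.co.uk",         # omitted letter
    "examplebankk.co.uk",       # repeated letter
    "secure-examplebank.net",   # deceptive prefix
    "examplebank-login.com",    # deceptive suffix
    "examplebank-verify.com",   # brand label embedded in a longer name
    "bankexample.com",          # reordered words: not caught by this logic
    "unrelatedshop.org",        # benign
]

WATCHED_TLDS = ("com", "net", "org", "co.uk")
DECEPTIVE_AFFIXES = ("secure", "login", "online", "my", "account")
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# Small QWERTY adjacency table for fat-finger substitutions (constructed subset)
KEYBOARD_NEIGHBOURS = {
    "a": "qws", "b": "vn", "c": "xv", "d": "sf", "e": "wr", "i": "uo",
    "k": "jl", "l": "k", "m": "n", "n": "bm", "o": "ip", "p": "o", "x": "zc",
}


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'examplebank.co.uk' into ('examplebank', 'co.uk')."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def label_variants(label: str) -> set[str]:
    """Generate the common typo-squat permutations of a single label."""
    out: set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                   # omission
        out.add(label[:i + 1] + ch + label[i + 1:])          # repetition
        if i < len(label) - 1:                               # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in KEYBOARD_NEIGHBOURS.get(ch, ""):          # adjacent key
            out.add(label[:i] + sub + label[i + 1:])
        if ch in HOMOGLYPHS:                                 # look-alike digit
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        if i > 0:                                            # hyphenation
            out.add(label[:i] + "-" + label[i:])
    for affix in DECEPTIVE_AFFIXES:                          # affixed words
        out.update({affix + label, affix + "-" + label,
                    label + affix, label + "-" + affix})
    out.discard(label)
    return out


def domain_variants(domain: str) -> set[str]:
    """Every label variant under every watched TLD, plus the original label
    under the TLDs the brand does not already hold."""
    label, suffix = split_domain(domain)
    variants = {f"{v}.{tld}" for v in label_variants(label) for tld in WATCHED_TLDS}
    variants |= {f"{label}.{tld}" for tld in WATCHED_TLDS if tld != suffix}
    return variants


def levenshtein(a: str, b: str) -> int:
    """Edit distance, a catch-all for near-misses the permutation list omits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str = PROTECTED_DOMAIN) -> str | None:
    """Return the reason `candidate` looks like a spoof of `protected`, or None."""
    candidate = candidate.lower()
    if candidate == protected:
        return None
    if candidate in domain_variants(protected):
        return "known permutation"
    plabel, _ = split_domain(protected)
    clabel, _ = split_domain(candidate)
    if plabel in clabel:
        return "contains brand label"
    if levenshtein(plabel, clabel) <= 2:
        return "within edit distance 2"
    return None


def scan(registrations, protected: str = PROTECTED_DOMAIN) -> dict[str, str]:
    """Map each suspicious registration in the feed to the reason it was flagged."""
    hits: dict[str, str] = {}
    for domain in registrations:
        reason = classify(domain, protected)
        if reason:
            hits[domain] = reason
    return hits


if __name__ == "__main__":
    for name, why in scan(NEW_REGISTRATIONS).items():
        print(f"{name:28s} {why}")
```

The same `domain_variants` output doubles as the shortlist of names worth registering defensively; the edit-distance fallback is deliberately loose (it will produce some noise on short brand names) because a missed spoof costs more than a reviewed false positive, and word-reordered names such as `bankexample.com` show the limit of purely mechanical generation.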