Russian Hacking Ring Spoofs Domain Names In BEC Scams
By: Jim Stickley and Tina Davis
March 11, 2022
As the cost of corporate cyberattacks continues to rise, business email compromise (BEC) has taken a prominent spot among hackers, and for good reason. Thanks to their success, BEC attacks now rival ransomware as one of the most common and successful cybercrimes overall. Last year, the FBI reported that BEC cost U.S. businesses $1.7 billion, a price tag likely to increase this year. Nigerian hackers have long been the main source of BEC attacks, but security experts have found that a Russian hacking group called “Cosmic Lynx” is now a prolific source of these scams as well. The group uses domain name spoofing as a “foot in the door” tactic, primarily against Fortune 500 and Global 2000 companies.
Domain name spoofs, especially those targeting the top businesses in the world, are a foundation for BEC campaigns. A spoofed domain takes a company’s real domain name and makes a subtle change to it that most users don’t notice. The spoofed web page that comes up closely mirrors the real page in its design, including company logos and other graphics. From there, the BEC itself can occur, such as a fraudulent wire transfer. Often this starts with an email impersonating a top-level company executive who appears to ask trusting employees for wire transfers and other payments. Other variants use websites that mimic vendors and suppliers: a phishing email directs unsuspecting victims to the spoofed website, where the details of a transaction or their login information are pilfered.
Any information and payments obtained through this type of attack go directly into the hacker’s hands or account, just one reason BEC and domain name spoofs work so well together. For the enterprise victim, reputation, consumer trust, and company revenue are all at risk. It is therefore all the more important to pay close attention to any email message that asks for a payment or wire transfer, and to verify the request with the requestor by voice, by a new and separate email message, or in person before completing any such transaction.
All, however, is not lost, because there’s a new sheriff in town called domain assurance service that can help detect these phony websites. Domain assurance services are anti-phishing measures. They prevent cybercriminals from using spoofed domain names for BEC attacks, including highly effective spear phishing lures, by purchasing names that look similar to the company’s or that could result from a typo in the domain name (typosquatting).
Keeping spoofed domains out of a cyberattack limits what these scams can achieve, making them far less likely to succeed. Companies using domain assurance receive alerts when fraudulent emails using the company’s domain name are sent. Email intelligence on the attackers is provided, and websites on spoofed domain names can be taken down.
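As an added example (not part of the original article or of any domain assurance product), the following Python script shows one way a defender can flag lookalike sender domains of the kind described above: it folds common visually confusable character sequences, compares the registrable label to the protected domain by edit distance, and triages a set of constructed From: headers. The protected domain examplecorp.com, the confusable table, the edit-distance threshold and the sample headers are all assumptions made for the demo.

```python
import re

# Hypothetical protected domain used for the demo; not taken from the article.
PROTECTED_DOMAIN = "examplecorp.com"
# Visually similar sequences often swapped into lookalike domains, folded to one form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Constructed sample From: headers for the demo run.
SAMPLE_FROM_HEADERS = [
    "From: CFO <cfo@examplecorp.com>",
    "From: CFO <cfo@exarnplecorp.com>",
    "From: Accounts Payable <ap@examplecorp-payments.com>",
    "From: Notifications <noreply@github.com>",
]

def registrable_label(domain):  # label left of the TLD; naive single-label public suffix
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def fold_confusables(label):
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def edit_distance(a, b):  # Levenshtein distance, standard two-row dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, protected=PROTECTED_DOMAIN):
    """Return 'exact', 'lookalike' or 'unrelated' for a sender domain."""
    if domain.lower().strip(".") == protected:
        return "exact"
    target = fold_confusables(registrable_label(protected))
    cand = fold_confusables(registrable_label(domain))
    max_edits = 1 if len(target) <= 6 else 2  # short brand labels need a tighter threshold
    if cand == target or edit_distance(cand, target) <= max_edits or target in cand:
        return "lookalike"
    return "unrelated"

def triage_headers(headers, protected=PROTECTED_DOMAIN):
    """Extract the sender domain from each From: header and classify it."""
    results = []
    for header in headers:
        match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header)
        if match:
            results.append((match.group(1), classify_sender_domain(match.group(1), protected)))
    return results
```

The folding table and threshold are deliberately small; a production check would also handle multi-label public suffixes (co.uk) and Unicode homoglyphs in internationalised domain names.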
As always, educating everyone in the company on identifying phishing attempts is the key to keeping your organization’s information and money where it belongs and not in the hands of hackers.
FBI RECOMMENDATIONS FOR END USERS
- Enable multi-factor authentication for all email accounts.
- Verify all payment changes and transactions in person or via a known telephone number.
- Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
FBI RECOMMENDATIONS FOR IT ADMINISTRATORS
- Prohibit automatic forwarding of email to external addresses.
- Add an email banner to messages coming from outside your organization.
- Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
- Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
- Enable alerts for suspicious activity, such as foreign logins.
- Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
- Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.
- Disable legacy account authentication.