Securing Modern Enterprises From Renewed Impersonation Threats
October 20, 2020
Infoblox provides defenses against lookalike domains
Lookalike domains have been one of the many tools used in cyberattacks for years, but for a long time they were implemented infrequently, because other easy-to-use alternatives remained effective at masking the true destination of a URL from victims. As the effectiveness of those older methods declined, cybercriminals turned to lookalike domains to support renewed efforts to impersonate a user, organization or brand in an attack.
Wide-ranging lookalike techniques
Generating convincing lookalike domains using sophisticated homograph or homoglyph techniques has been refined through years of attacks impersonating popular brands and large government agencies. The methods for applying these techniques, however, range from the obvious to the obscure.
A lookalike domain could be as simple as using “myorganization.net” to impersonate “myorganization.com” as part of an attack on customers. And, in a world where legitimate domain names are often long and elaborate, attackers are often successful using domain names like “billing-support-login-myorganization.com.” Simply expanding, rearranging, or slightly modifying a domain name can provide attackers with many alternatives.
Character substitution, using homograph or homoglyph techniques, is another common practice in building believable lookalike domains. Most people today are familiar with single-character substitution, such as replacing the letter “O” with the number “0.” But there are a dozen other Unicode characters that would serve as credible replacements for an “O”: the Cyrillic “о” (U+043E) and the Greek “ο” (U+03BF), for example, render identically to the Latin letter in most fonts.
Unicode is the computing industry standard for the consistent encoding, representation and handling of text in most of the world’s writing systems, including scripts such as Cyrillic, Coptic and Mongolian and 136 others. In total, there are over 136,000 Unicode characters available today. Not all of them are permitted in a registered domain name (the IDNA rules and individual registry policies restrict the allowed set), but the space of credible substitutions remains enormous. To put that into perspective, there are more than 829 million substitution combination possibilities of Unicode characters for “Infoblox.”
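The Python script below is an added illustration of how a defender enumerates the candidate lookalikes described in the two preceding paragraphs (TLD swaps and keyword expansions of the plain name, and homoglyph substitutions); it is not Infoblox code and is not the method the Cyber Intelligence Unit uses. The confusables table, the keyword list and the alternative TLDs are small, constructed assumptions for this example; a real monitoring list would draw on the Unicode Consortium’s confusables.txt and a far larger keyword set.

```python
"""Enumerate lookalike candidates for a brand label (constructed example)."""
import itertools
from typing import Dict, List, Set

# Deliberately small confusables table, an assumption for this example.
# The Unicode Consortium's confusables.txt is the authoritative, much larger source.
CONFUSABLES: Dict[str, List[str]] = {
    "a": ["\u0430", "\u00e0"],        # Cyrillic а, Latin à
    "e": ["\u0435"],                  # Cyrillic е
    "i": ["\u0456", "\u00ed", "1"],   # Cyrillic і, Latin í, digit one
    "l": ["1"],                       # digit one
    "o": ["0", "\u043e"],             # digit zero, Cyrillic о
    "y": ["\u0443"],                  # Cyrillic у
}

KEYWORDS = ("login", "support", "billing")   # assumed affixes, as in the text
ALT_TLDS = ("net", "org", "co")                # assumed alternative TLDs


def count_homoglyph_variants(label: str) -> int:
    """Number of distinct strings reachable by substituting any subset of positions,
    excluding the unmodified label itself."""
    total = 1
    for ch in label:
        total *= 1 + len(CONFUSABLES.get(ch, []))
    return total - 1


def homoglyph_variants(label: str, max_subs: int = 1) -> List[str]:
    """All variants with between 1 and max_subs substituted positions."""
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    out: Set[str] = set()
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            choice_lists = [CONFUSABLES[label[p]] for p in combo]
            for choices in itertools.product(*choice_lists):
                chars = list(label)
                for p, c in zip(combo, choices):
                    chars[p] = c
                out.add("".join(chars))
    return sorted(out)


def affix_variants(label: str, tld: str) -> List[str]:
    """Plain-ASCII lookalikes: TLD swaps and keyword expansions of the real name."""
    out = [f"{label}.{t}" for t in ALT_TLDS if t != tld]
    out += [f"{kw}-{label}.{tld}" for kw in KEYWORDS]
    out += [f"{label}-{kw}.{tld}" for kw in KEYWORDS]
    return out


def candidate_domains(label: str, tld: str = "com", max_subs: int = 1) -> List[str]:
    """Full candidate list a monitoring service could check for registrations."""
    homoglyphs = [f"{v}.{tld}" for v in homoglyph_variants(label, max_subs)]
    return sorted(set(homoglyphs + affix_variants(label, tld)))


if __name__ == "__main__":
    brand = "infoblox"
    print(f"{brand}: {count_homoglyph_variants(brand)} homoglyph variants with this small table")
    for d in candidate_domains(brand):
        # Also show the ASCII-compatible (IDNA) form, which is what a resolver actually queries.
        print(f"{d:28s} -> {d.encode('idna').decode('ascii')}")
```

Even this toy table yields 71 homoglyph variants of a single eight-letter label; the article’s 829 million figure follows from applying a full confusables list at every position.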
Punycode: Seeing past a lookalike deception
Visually, these Unicode substitutions usually look legitimate in e-mail messages, web pages, PDFs and most other text displays; even hovering the mouse over a link typically shows the deceptive Unicode character. One way to reveal the true nature of a domain name is to copy the link and paste it into the address bar of your browser. Google Chrome, Apple Safari and recent versions of Microsoft Edge and Internet Explorer will then show the label as “Punycode” (RFC 3492), the encoding IDNA uses to represent a Unicode label with only the limited ASCII character set permitted in hostnames, recognizable by its “xn--” prefix. Note that browsers apply an IDN display policy rather than always falling back to Punycode: a label that mixes scripts, or contains characters the browser considers confusable, is shown as Punycode, while a label made entirely of characters from one permitted script may still render in Unicode. The address bar is therefore a useful check, not a definitive one.
Figure 1
Figure 1 provides several examples that illustrate a deceptive attempt and the revealing Punycode representation. The first two URLs appear identical, although only #1 is the correct “myorganization” domain; the second uses a Unicode look-alike for the letter “y” to appear legitimate. The third URL is what you would see after pasting URL #2 into a browser address bar: the Punycode representation that exposes the maliciously substituted “y.”
It should be noted that there are legitimate reasons for using Unicode character sets in domain names. An internationalized domain name (IDN) is a name that contains at least one character in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Devanagari, Hebrew, or Latin-alphabet characters with diacritics or ligatures, as in German. For example, München (the German name for Munich) encodes in Punycode as “Mnchen-3ya”; in a browser address bar the label appears in its full IDNA form, “xn--mnchen-3ya”, because IDNA lowercases the label and adds the “xn--” prefix. If a German user were to type “München” into their browser address bar, they could easily see the same Punycode to help validate the legitimacy of a link.
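As an added example (not part of the original article and not an Infoblox tool), the Python below performs the same reveal programmatically: it takes a URL, splits the host into labels, shows each label’s IDNA/Punycode form, and flags labels that mix scripts, which separates a legitimate single-script IDN such as münchen.de from a homograph that swaps one Latin letter for a Cyrillic one. The script classification by the first word of the Unicode character name is a coarse assumption for illustration, and the sample URLs are constructed.

```python
"""Reveal the Punycode form of each host label in a URL and flag mixed-script labels.

Constructed example: the sample URLs below are made up for illustration.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class LabelReport:
    unicode_form: str            # label as the user sees it
    ascii_form: str              # IDNA form: "xn--..." Punycode for non-ASCII labels
    is_idn: bool                 # True when the ASCII form carries the "xn--" prefix
    scripts: List[str]           # scripts of the letters in the label, e.g. ["CYRILLIC", "LATIN"]
    non_ascii: List[str] = field(default_factory=list)   # code point details of non-ASCII chars


def script_of(ch: str) -> str:
    """Coarse script classification (an assumption for this example): ASCII letters count
    as LATIN, anything else takes the first word of its Unicode character name."""
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def inspect_label(label: str) -> LabelReport:
    # Accept either representation: decode an "xn--" label back to Unicode first.
    if label.lower().startswith("xn--"):
        unicode_form = label.encode("ascii").decode("idna")
    else:
        unicode_form = label
    # Python's idna codec applies nameprep (lowercasing etc.) and adds the "xn--" prefix.
    ascii_form = unicode_form.encode("idna").decode("ascii")
    scripts = sorted({script_of(c) for c in unicode_form if c.isalpha()})
    non_ascii = [f"{c} U+{ord(c):04X} {unicodedata.name(c, '?')}"
                 for c in unicode_form if not c.isascii()]
    return LabelReport(unicode_form, ascii_form, ascii_form.startswith("xn--"), scripts, non_ascii)


def inspect_url(url: str) -> List[LabelReport]:
    """One report per DNS label of the URL's host, left to right."""
    host = urlsplit(url).hostname or ""
    return [inspect_label(part) for part in host.split(".") if part]


def is_mixed_script(report: LabelReport) -> bool:
    """Latin letters mixed with another script inside one label is the classic homograph
    signature; a legitimate IDN such as 'münchen' stays single-script."""
    return len(report.scripts) > 1


if __name__ == "__main__":
    SAMPLES = [
        "https://myorganization.com/login",        # genuine ASCII domain
        "https://m\u0443organization.com/login",   # Cyrillic 'у' (U+0443) in place of 'y'
        "https://xn--mnchen-3ya.de/",              # legitimate IDN, already in Punycode
    ]
    for url in SAMPLES:
        for rep in inspect_url(url):
            verdict = "MIXED-SCRIPT" if is_mixed_script(rep) else ("idn" if rep.is_idn else "ascii")
            print(f"{rep.unicode_form:22s} {rep.ascii_form:28s} {verdict:13s} {'; '.join(rep.non_ascii)}")
```

The mixed-script test is the same heuristic that browser IDN display policies rely on, so it is useful for triaging URLs in mail logs or proxy logs; like the address bar, it does not catch single-script whole-label substitutions, which is where registration monitoring of lookalike candidates comes in.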
Targeting employees with third-party lookalikes
Employees are accustomed to using internal portals, systems, tools, and access methods when conducting confidential business for an organization. Their familiarity with these systems makes it difficult for attackers to create credible social engineering scenarios using a lookalike of your own public domain to compromise an employee.
The greater risk to employees would be lookalike domains used in attacks impersonating a business partner or any organization that your business frequently interacts with or controls. As an example, consider the chances of success if your users received an e-mail that appears to come from a nearby restaurant, popular among employees, with a “special discount offer” if they sign up for a membership, download an app, etc.
Lookalike domains support a broad range of human-targeted, socially engineered threats, with goals ranging from simply infecting endpoints, to gaining network access, to spear-phishing or business e-mail compromise attacks focused on key employees who hold the desired information or access. These attacks typically combine the lookalike domain with other indicators of legitimacy, such as a lookalike website and copied e-mail templates.
Protect employees, customers, and brand reputation with Infoblox
Many modern security tools have some defense capabilities to address the risk of lookalike domains in attacks impersonating popular brands. But they lack viable options for defending against an attack impersonating an organization outside the Fortune 1000 or large governments. Also, users, despite gains in security education and the availability of checks such as the Punycode display in browsers, are an inconsistent and unreliable line of defense.
Infoblox provides lookalike domain defenses for a broad range of threat scenarios. Specifically designed for this latest evolution in the threat landscape, a Custom Lookalike Domain Monitoring service is available for BloxOne Threat Defense Advanced customers, allowing them to submit their organization’s own domain, or domains frequently visited by or controlled by the organization for lookalike protection. The Infoblox Cyber Intelligence Unit (CIU) turns the supplied domains into lists of high-risk lookalike domains for initial assessment and monitoring. Suspicious activity related to these lookalike domains is reported to provide customers with activity visibility and as an advanced warning to help the organization avert a potential network breach or customer threat.
Lookalike techniques provide for more convincing social engineering capabilities in support of increasingly advanced threats. With innovative lookalike defense features and unmatched threat intelligence sharing capabilities, Infoblox can help partners provide solutions that bring the entire enterprise security stack to the next level.
Bob Hansmann, senior product marketing manager for security at Infoblox, has over three decades of experience helping global enterprises and government agencies uplift their cyberthreat prevention, detection, investigation, and response capabilities. Having worked in a number of areas, from threat research and engineering to product management and marketing, Hansmann has helped pioneer many of today’s security industry standards and has a unique perspective on the organizational challenge of balancing security needs with productivity success requirements.
