This is a guest blog, authored by Matthew Gardiner, Director of Enterprise Security Campaigns at Mimecast
Domain fraud is a widespread problem for organizations of all sizes. The practice begins when a cybercriminal purchases a domain that closely resembles the genuine web and email domain of an organization they wish to impersonate, and then uses it to conduct multiple forms of fraud. They could, for example, send fake invoices from a sender email address that appears genuine. Alternatively, these fraudulent domains can help to trick customers into exposing their login credentials or personal details to attackers.
Unfortunately, coming up with and registering a fraudulent domain is extremely easy. Anyone can buy a domain and have it up and running very quickly. And with the internationalization of domain names and the use of Punycode, there is no shortage of ways to simulate the legitimate domain that is being spoofed. And unfortunately, it’s highly unlikely the cybercriminal will be asked many questions by the domain registrar when they go to register it. The registrar isn’t the police force of the internet! Additionally, tracking these registrations has gotten more difficult since the enactment of GDPR; the regulations caused the removal of public details of the person or entity registering the domains, making it nearly impossible to tell which person or organization owns a specific domain.
Mimecast and Digital Shadows Partnership
With this attack backdrop in mind, the new integration jointly developed by Mimecast and Digital Shadows was designed to stop just such tactics. Here’s how: the Digital Shadows service continually identifies when new potentially impersonating domains emerge and provides a risk score based on contextual information such as whether the domain is hosting content, as well as providing full screenshots, source code, and details of DNS and MX records, including a full history of the WHOIS registration.
With this integration, these insights go immediately into the Mimecast service, where customers are able to block emails coming from spoofed domains as well as block outbound web traffic by using Mimecast Web Security. This integrated capability is particularly useful to help combat business email compromise attacks – where a cybercriminal may pretend to be an employee or business partner to try to receive a wire transfer or rip off login credentials. Spotting a fake domain early also means that takedown actions can be taken with registrars to get a fake site or email sender removed from the Internet.
How to Combat Domain-Based Web and Email Fraud
Early detection tied with automated prevention means everything when trying to defend against domain-based fraud, which can move and change incredibly quickly. This new joint capability gives organizations a strong new weapon against attackers by identifying and blocking malicious domains faster than ever before.