April 18, 2024
Recently, we’ve released a few articles on typosquatting, Getting Started with Domain Monitoring Part I and Part II, and a solutions guide for Domain Monitoring to give everyone a sense of the threats that come with domains, as there are many. Frequent readers of our blogs may have been asking themselves, “OK, Digital Shadows (now ReliaQuest), what’s with all of the domain talk lately?” Glad you asked!
We followed one of the principles of good threat intelligence by diving into our own data, which you can read all about in our new research report. Over the approximately four months we analyzed, there were more than 175,000 alerts. That works out to about 90 alerts per client per month on average, which translates into nearly 1,100 domains per year.
The guiding thought behind our impersonating domains research was to see whether we could find trends supporting media or community reporting, or uncover some interesting threads of our own. In this blog, we’ll dive into the few surprises that came out of the analysis, alongside some of the usual suspects you see or hear about elsewhere in the security community.
The concept of spoofing domains and impersonating brands is not new. At least, it shouldn’t be. Many sharp researchers and security companies in this space have written papers, articles, and blogs on it over the years, probably ad nauseam at this point.
We need to talk about it because it still matters. After all, it’s still something every adversary does. It’s why phishing is still the most effective low-tech attack vector and why, every year, domains are still getting spoofed. They do it because IT (clap emoji) WORKS (clap emoji).
On the internet, domains and brands go together like peanut butter and jelly, so a domain is one of those assets that needs to be protected, or at least watched. It’s often the first place customers, employees, and partners learn more about a company, especially one with a high profile or a great product. Knowing this, adversaries will go to great lengths to exploit that public trust through trickery and fraud.
As we found, threat actors use all kinds of techniques to spoof domain names, register lookalike subdomains, and copy website content and even logos to complete their fraud. The goals of these campaigns range from harvesting credentials to delivering malware to unsuspecting victims.
The actual pages associated with some of these impersonating domains ran the entire spectrum:
In a few cases, they’d even ended up on a threat feed, which is how the intelligence and security communities often share indicators of compromise and other adversary data with the rest of the world.
The good news is that there are takedown services that can help move these bad actors off these domains. Still, as Michael wrote in his domain monitoring blog, it’s much harder to do this with parked pages that simply sit there without performing any malicious function. It’s also hard to do with bulletproof hosting, which typically turns a blind eye to malicious or criminal activity and does not comply with law enforcement or takedown requests.
So what do these threats look like for our customers? In short, it means getting alerted to the presence of these potentially spoofed domains.
1,100 impersonating domains and subdomains detected on average per year per Digital Shadows (now ReliaQuest) client.
Clients in particular industry verticals, such as financial services, food and beverage, technology, and healthcare, saw some of the highest alert volumes and risk factors compared to clients in other industries.
It’s a complicated question, one that depends on a lot of factors.
TLD Variations
For one, there’s the sheer number of top-level domains (TLDs) beyond the usual .com, .net, and .org that are familiar to most of us. Try to register a domain and you will be presented with probably dozens of options across various available spellings and TLDs (we know, we’ve checked).
As we’ve written about before, it becomes cost-prohibitive to pay for all of these domains just to block illegitimate use or to redirect typos to the genuine site. Based on the data for our clients alone, it’s likely an average of at least half a million domain alerts for the year. Now, to get a sense of that scale globally, multiply that by the number of possible permutations of word and letter changes, the number of TLDs in use, and the number of companies and products that exist worldwide and… Well, let’s just say it’s a lot, and you can see how it gets complicated.
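To make the scale above concrete, here is an added example (not code from the original post or from the Digital Shadows/ReliaQuest product) that enumerates single-edit lookalikes of a brand label across a small TLD list and flags which observed registrations fall inside that set. The brand "acme", the TLD list, the homoglyph table and the observed domains are all constructed.

```python
from typing import Dict, Iterable, List, Set

# Constructed: a short TLD list; well over a thousand TLDs actually exist.
TLDS = ["com", "net", "org", "co", "io", "info", "biz", "xyz"]
# Constructed: a small subset of visually confusable ASCII substitutions.
HOMOGLYPHS: Dict[str, List[str]] = {"o": ["0"], "l": ["1"], "i": ["1"], "e": ["3"], "a": ["4"], "s": ["5"]}

def label_variants(label: str) -> Set[str]:
    """Return single-edit lookalikes of a registrable label (the second-level part)."""
    v: Set[str] = set()
    for i in range(len(label)):
        v.add(label[:i] + label[i + 1:])                 # omission:      acme -> cme
        v.add(label[:i] + label[i] + label[i:])          # repetition:    acme -> aacme
        for sub in HOMOGLYPHS.get(label[i], []):
            v.add(label[:i] + sub + label[i + 1:])       # homoglyph:     acme -> 4cme
    for i in range(len(label) - 1):
        v.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: acme -> came
        v.add(label[:i + 1] + "-" + label[i + 1:])       # hyphenation:   acme -> a-cme
    v.discard(label)  # swapping two identical neighbours reproduces the original
    return v

def lookalike_domains(label: str, tlds: Iterable[str] = TLDS) -> Set[str]:
    """Cross every label variant with every TLD: the set a domain monitor has to watch."""
    tlds = list(tlds)
    return {f"{v}.{tld}" for v in label_variants(label) for tld in tlds}

def flag_lookalikes(observed: Iterable[str], brand: str, tlds: Iterable[str] = TLDS) -> List[str]:
    """Return the observed registrations that are single-edit lookalikes of the brand."""
    candidates = lookalike_domains(brand, tlds)
    return sorted(d.lower() for d in observed if d.lower() in candidates)

if __name__ == "__main__":
    brand = "acme"  # constructed brand label
    print(f"{len(label_variants(brand))} label variants x {len(TLDS)} TLDs = "
          f"{len(lookalike_domains(brand))} domains to watch for one four-letter brand")
    # Constructed registrations a monitor might see; "acme.com" is the genuine site.
    seen = ["acme.com", "amce.com", "acm3.net", "unrelated.org"]
    print("lookalikes:", flag_lookalikes(seen, brand))  # ['acm3.net', 'amce.com']
```

Only single edits and eight TLDs are covered here; combining edits, adding the full TLD list and multiplying by every brand and product a company owns is what drives the alert volumes the post describes.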
Lowered Technical Barriers to Cybercrime
As usual, the criminal underground has responded to demand and offers just about everything needed to get hosting, register domains, and set up phishing services or professionally spoofed pages at scale, plus plenty of niche tools and specialties in between that support these enterprises. There are also lots of tutorials and other advice out there for would-be fraudsters. We even found that some of these services don’t require many resources, technical or financial.
This has probably been echoed in other, similar research projects, but there were some common threads regarding the motivations behind domain impersonation, which answer the question of “Why?” In some cases it might be world domination, if we’re talking about a nation-state actor (who also plays the domain game), but on the criminal side it is more than likely just about money and notoriety.
The top reason to set up an impersonating domain is to harvest credentials.
This is done by nation-state actors and criminals alike and serves various purposes. More than likely it’s to perform some measure of account takeover, whether of your social media account, bank login, or employer’s webmail portal. It may even just be for your favorite streaming service.
Phishing is probably the delivery mechanism: messages warning you that your account is expiring, or fake payment invoices that you need to check by logging in right now! It may even be a request from a potential customer to look at a file, or a colleague trying to send you a share link, that takes you to what appears to be a Microsoft Online portal login, as seen below:
Once credentials are harvested, they may be monetized further and sold in bulk on various marketplaces for various uses, including sale to initial access brokers (IABs), who often traffic in administrator and remote access credentials. A nation-state actor harvesting credentials might instead use them to gain access to critical or sensitive information that supports an ongoing espionage operation, for example.
The next motivation shouldn’t come as any surprise: personal information, medical data, and financial or payment data are still lucrative, especially in bulk and especially when the data is fresh. A spoofed shop page might harvest credit card details, while another page pretending to be your bank might take a Social Security number or other personal information. While individual records often sell for pennies to a few dollars on the dark web, in bulk they can bring in real money for criminals.
The final motivations are also shared by criminals and spies alike: dropping malware and using information against us. A spoofed page might look like a software update for a common application but actually host a remote access Trojan, for example. Or it might take the form of an embedded link in a document or, worse, an email attachment with a misleading file name intended to get the user to download and open it. In terms of using information against victims, spoofed domains could redirect users to fake news sites or support similar attempts at misinformation en masse. In other cases, they may direct traffic to so-called clickbait sites attempting to make money from ad clicks.
As we’ll show in the release of our domain research this week, the threats are many while the barrier to entry keeps getting lower. As a matter of course, Digital Shadows (now ReliaQuest) can monitor that attack surface for you and help keep your brand protected by monitoring lookalike domains. We can reduce the noise of looking at every single domain out there and help you prioritize based on risk factors such as whether a domain is newly registered, appears in threat feeds, is parked, or is hosting content, which might even include your logos and designs. We can help you take down those domains where possible and keep an eye on those that appear risky.
As we’ve discussed before, it can be cost- and time-prohibitive to do all of this yourself, and as you’ll see in the research, not every risky domain ends up on a threat feed. If you’d like to see how domain monitoring works, take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a 7-day test drive, or request a demo to help you better understand where your online risk lies.
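The risk factors listed above (newly registered, on a threat feed, parked, hosting content, reusing your logos) are what an analyst actually triages on. As an added example, not code from the original post or from the product it describes, here is a small scoring routine that sorts lookalike-domain alerts into takedown, watch and low buckets; the weights, the 30-day "newly registered" window, the takedown threshold and the sample alerts are all constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DomainAlert:
    domain: str
    registered: date        # creation date from WHOIS/RDAP
    on_threat_feed: bool    # already shared as an indicator by the community
    parked: bool            # placeholder page with no active content
    hosts_content: bool     # serving a live site
    uses_brand_logo: bool   # the page reuses the brand's logos or designs

# Constructed weights: a confirmed indicator and brand-imitating content count most;
# a bare parked page is the weakest signal but still worth keeping an eye on.
WEIGHTS = {"on_threat_feed": 4, "uses_brand_logo": 3, "hosts_content": 2,
           "newly_registered": 2, "parked": 1}
NEW_DAYS = 30        # constructed: "newly registered" means created within this window
TAKEDOWN_SCORE = 6   # constructed: at or above this, hand the domain to a takedown service

def risk_factors(alert: DomainAlert, today: date) -> list:
    """Return which of the risk factors an alert exhibits."""
    hits = [f for f in ("on_threat_feed", "uses_brand_logo", "hosts_content", "parked")
            if getattr(alert, f)]
    if (today - alert.registered).days <= NEW_DAYS:
        hits.append("newly_registered")
    return hits

def risk_score(alert: DomainAlert, today: date) -> int:
    return sum(WEIGHTS[f] for f in risk_factors(alert, today))

def triage(alerts: list, today: date) -> dict:
    """Bucket alerts: 'takedown' for strong impersonation evidence, 'watch' for risky
    but not yet actionable domains (e.g. parked pages), 'low' for no risk factor at all."""
    buckets = {"takedown": [], "watch": [], "low": []}
    scored = sorted(((risk_score(a, today), a.domain) for a in alerts), reverse=True)
    for score, domain in scored:
        buckets["takedown" if score >= TAKEDOWN_SCORE else "watch" if score else "low"].append(domain)
    return buckets

# Constructed sample alerts, as a monitor might emit them for a brand "acme".
TODAY = date(2024, 4, 18)
SAMPLE_ALERTS = [
    DomainAlert("acme-login.com", date(2024, 4, 8), False, False, True, True),
    DomainAlert("acme.xyz", date(2023, 3, 14), False, True, False, False),
    DomainAlert("acme-support.net", date(2024, 4, 13), True, False, True, False),
    DomainAlert("acmecorp.info", date(2021, 1, 1), False, False, False, False),
]
if __name__ == "__main__":
    for tier, domains in triage(SAMPLE_ALERTS, TODAY).items():
        print(f"{tier:9s}{domains}")
```

The parked-only domain lands in "watch" rather than "takedown" on purpose: as noted earlier, takedown services have little to act on until such a page starts serving content.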