Brand impersonation attacks targeting SMB organizations
Building and maintaining a brand is an important part of a successful business. A recognized brand confers credibility and, if managed well, builds trust between customers and company. Brand trust and loyalty go hand-in-hand. Research has shown that 80% of US customers look at the trustworthiness of a brand when making a purchase decision.
So when trust in a company's brand is damaged by a cyberattack, the business can suffer adverse effects that cost money and time to rectify.
There has been a recent shift in cyberattack strategy to focus on smaller businesses. SMBs are now in the sights of phishing campaigns, and brand impersonation of the SMB looks set to become the new low-hanging fruit for cybercriminals.
Why use brand spoofing and brand impersonation attacks?
Relationships, both in the real and digital world, work best when they are based on trust. If you know a person who shows repeatable good behavior, you are more likely to interact positively with them. This is psychology 101 and we use it in our daily lives.
We use the same strategies online too. Trust is the basis of internet exchanges: protocols such as TLS and digital certificates form the architecture that defines and delivers trust between a browser and a server. Other technologies, such as identity verification of an individual, build further layers of trust so that assured transactions can happen.
One thing that companies can do to build additional trust is to create a trustworthy brand. This involves demonstrating that you deliver quality goods on time, as well as various other aspects of good business practice. It takes time and money to create digital trust. A trustworthy brand is an intrinsically valuable commodity, and this fact is not lost on cybercriminals.
Cybercriminals can exploit trust. In fact, using trust as part of a cyberattack chain raises the chance of success. This is keenly demonstrated by the use of privileged access to resources: if the hacker can gain trusted access rights, they have the keys to the castle. Trusted brands are similar in that they confer an instant relationship that cybercriminals can exploit.
Brand spoofing or brand impersonation has been part of the cybercriminal toolkit for a very long time. A hacker will typically use a brand as part of a wider cyberattack campaign such as phishing, with the phishing email carrying all of the visual elements (logos, wording, layout) of a well-known and trusted brand. Domain spoofing is also a key part of brand impersonation: hackers register a domain that looks like the brand's and host a near-perfect replica of its website there, which tricks unsuspecting visitors into transacting or entering their credentials.
SMBs and brand impersonation
VadeSecure keeps regular tabs on the most spoofed brands. In Q2 of 2020, Microsoft was by far the most impersonated brand in cyberattacks. Second and third place went to Facebook and PayPal. This is not surprising: big brands are recognizable to more people, so the bigger the brand, the more likely it is to be impersonated in a phishing campaign.
However, change is afoot. Mimecast recently identified a brand impersonation that did not target one of the large multinational names. Instead, the domain that was spoofed was that of security vendor Check Point Software Technologies. Mimecast found the spoofed domain as part of a brand exploitation protection scan, and the fake site was taken down. This shows that cybercriminals are widening their focus from the big-name brands to those less well known. But why would this be so?
Why SMBs are now targets for brand impersonation attacks
Phishing campaigns are the usual reason for a fraudster to spoof a brand. Broad phishing campaigns play a numbers game, a "spray and pray" approach, so a widely distributed phishing email is more likely to succeed if the brand is well known. The issue with this tactic is that, by the same token, a well-known brand is usually well-funded and has specialist security teams making sure the brand is protected. Those teams are well aware of brand impersonation attacks and actively respond to them, so spoofed domains and fake sites are reported and taken down quickly.
Like most things, cybersecurity attacks are based on reward vs. risk. If you choose a lesser-known brand instead of a more prominent one, chances are that brand will have less funding, perhaps without any brand-impersonation monitoring at all. This means the spoofed domain is less likely to be removed quickly. In turn, this allows a phishing campaign to last longer, with targeted users being drawn in over a longer time period.
A lesser-known brand offers fewer potential victims, but a longer-lived, more focused campaign can still yield a better return for the attacker.
It is perhaps this perceived lack of IT protection amongst SMBs that is attractive to cybercriminals. Instead of continually having to replace spoof sites of large brands that have been removed, they get a potentially larger window when impersonating smaller brands.
The end result, however, is the same. The small brand, just like its better-known equivalent, loses the trust of its customer base and exposes key data to theft and loss.
Techniques to help prevent successful brand impersonation
Brand impersonation can result in lost trust, rectification costs and even regulatory fines for any personal data exposed. There are several mechanisms an SMB can use to limit the impact of brand spoofing and the phishing that accompanies it:
- Implement multi-factor authentication wherever possible: Requiring more than one factor when signing into a web portal or app means a password phished through a spoofed site is not enough on its own to take over the account. Phishing-resistant methods such as FIDO2/WebAuthn security keys go further, because the credential is bound to the genuine site's origin and will not work on a look-alike domain
- Set up brand protection monitoring: Look for registration of new domains that are similar to those of your brand, including typo variants, homoglyph and internationalized (punycode) look-alikes, your brand name under other top-level domains, and your brand name embedded in longer domains (for example with "login" or "secure" added)
- Use security awareness training for all employees: So they know how to spot the tell-tale signs of a phishing message or a spoofed domain, such as a sender address or link that almost, but not quite, matches the real one
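The brand protection monitoring step above is the one that can be automated cheaply. As an added example (not code from the original article, and not any vendor's product), the following Python script screens a batch of newly seen domains against a small brand watch list and reports which ones look like impersonation attempts and why: the brand name reused under another top-level domain or as a subdomain, a homoglyph or punycode look-alike, the brand embedded in a longer label, or a typo within a small edit-distance budget. The brand domains example-shop.com and acmewidgets.co.uk, the homoglyph table and the list of "newly registered" domains are all constructed for the example.

```python
"""Lookalike-domain screening for a small brand watch list (added example)."""
import unicodedata

# Protected brand domains. Hypothetical SMB names, not real registrations.
WATCH_LIST = ["example-shop.com", "acmewidgets.co.uk"]

# Character swaps attackers rely on because they look alike in many fonts.
# Digraphs are listed first so "rn" collapses to "m" before single chars run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def canonical(label: str) -> str:
    """Collapse a DNS label to a canonical form so that 'exarnple', 'examp1e'
    and the punycode form of 'exämple' all compare equal to 'example'."""
    label = label.lower()
    if label.startswith("xn--"):          # IDN label: decode punycode first
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass                           # malformed punycode: keep as-is
    # Strip accents: 'ä' -> 'a' + combining diaeresis -> 'a'.
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    for lookalike, plain in HOMOGLYPHS:
        label = label.replace(lookalike, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion, substitution
    and adjacent transposition ('exmaple') each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str) -> list[tuple[str, str]]:
    """Return (brand, reason) pairs for each watched brand the domain resembles.
    Reasons: 'reused' (exact brand label under another TLD or as a subdomain),
    'homoglyph' (equal only after canonicalisation), 'embedded' (brand label
    inside a longer label), 'typo' (within the edit-distance budget).
    Empty list: the brand itself, one of its own subdomains, or unrelated."""
    domain = domain.lower().rstrip(".")
    hits = []
    for brand in WATCH_LIST:
        if domain == brand or domain.endswith("." + brand):
            continue
        brand_label = brand.split(".")[0]
        brand_canon = canonical(brand_label)
        budget = 2 if len(brand_canon) >= 8 else 1   # longer names tolerate two edits
        for label in domain.split("."):
            canon = canonical(label)
            if label == brand_label:
                reason = "reused"
            elif canon == brand_canon:
                reason = "homoglyph"
            elif brand_canon in canon:
                reason = "embedded"
            elif edit_distance(canon, brand_canon) <= budget:
                reason = "typo"
            else:
                continue
            hits.append((brand, reason))
            break
    return hits


def screen(domains: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Screen a batch of newly seen domains; returns only the flagged ones."""
    flagged = {}
    for domain in domains:
        hits = classify(domain)
        if hits:
            flagged[domain] = hits
    return flagged


# Constructed sample of "newly registered" domains, as a registration feed
# might deliver them (the IDN entry is built here so the punycode is exact).
NEW_REGISTRATIONS = [
    "example-shop.com",                        # the brand itself
    "shop.example-shop.com",                   # the brand's own subdomain
    "examp1e-shop.com",                        # digit 1 for letter l
    "exarnple-shop.net",                       # rn for m
    "exmaple-shop.com",                        # transposed letters
    "example-shop-login.com",                  # brand embedded in a longer label
    "example-shop.com.verify-account.net",     # brand as subdomain of attacker domain
    "exämple-shop.com".encode("idna").decode("ascii"),   # IDN homoglyph (xn--...)
    "acmewidgets.co",                          # brand under a different TLD
    "acme-widgets.co.uk",                      # one inserted character
    "unrelated-store.com",                     # should not be flagged
]

if __name__ == "__main__":
    for domain, reasons in screen(NEW_REGISTRATIONS).items():
        print(f"{domain:45s} {reasons}")
```

Run it against a daily feed of newly registered domains and treat every hit as a lead for an analyst, not a verdict: a two-edit budget on a 12-character name will also catch legitimate near-neighbours, and the homoglyph table is deliberately small. The brand's own domain and its subdomains are excluded up front so the watch list does not alert on itself, while the brand name reused as a subdomain of someone else's domain (example-shop.com.verify-account.net) is still caught because each label is checked separately.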
Brands at risk: The weakest link?
If the floodgates for brand impersonation open to allow fraudsters to look at attacking smaller brands, who is likely to come into the fraudster’s firing line?
My own prediction is that, as with Business Email Compromise (BEC), fraudsters will gather intelligence to work out who to target. In other words, it could literally be any organization. Fraudsters often use domain spoofing and brand impersonation to steal credentials. These credentials may belong to customers or to internal employees. In the latter case, they may in turn be used to escalate privileges and gain access to increasingly sensitive data.
One type of SMB that may find itself more at risk than others is one that is part of a supply chain. Supply chain attacks are increasing: a Deloitte 2019 study into third-party governance and risk management found that 83% of organizations had been the victim of a third-party-related incident in the previous three years. Brand impersonation of a supply chain company will look for the weakest link, and that could well be an SMB.
Third Party Risk Management Survey 2020, Deloitte