Why do attackers continue to deploy phishing campaigns? Because even after all these years, they still work. They’re also quite cost-effective and easy to deploy. For a fairly small investment, an adversary can acquire all the tools they need on the dark web to set up highly convincing website spoofing schemes as part of a larger phishing campaign. Website spoofing works on all of the major internet browsers and is not prevented by “secure” connections. The adversary can observe and modify all website pages and form submissions, even when the browser’s “secure connection” indicator is lit. The user sees no easily discernible indication that anything is wrong. Even sites protected by 2-factor authentication cannot escape the assault.
It is time for defenders to rethink the way they have dealt with web spoofing. Why is it still possible for a company to have no idea that their site has been successfully spoofed? Let’s look at how we got here.
To date, options for detecting when a website has been spoofed have largely relied on monitoring domain registrations and manual web searches. However, this approach is susceptible to human error and can only identify spoofed websites after the fraud has occurred. A common approach to detecting website spoofing has been to search for brand images and content copied from the original site. But this approach leaves the attacked company with no insight into how many of its clients, and which ones, were potentially victimized, and it does nothing to deter the next attack.
Another familiar approach has been to train workers and consumers to be able to spot fakes. This is a good idea in theory because it educates and empowers individuals. It’s true that in some cases, web spoofs can be detected because something “looks off” compared to the original website. However, the sheer volume of spoofs being created (Google estimates 1.6 million a week) and the increased level of sophistication behind these attacks makes it quite difficult for the user to spot them with certainty. It also places an unfair burden on the victim of the attack, making them responsible for detection instead of the owner of the original website that’s been targeted.
Domain registration monitoring and employee training both fail to help organizations detect spoofing early in the lifecycle of an attack, before data is stolen. Neither approach tells a business how long the spoof site has been active or how many customers or employees may have been victimized. The two biggest challenges of all – identifying who initiated the attack and deterring the adversary from trying it again – are left out of the mitigation process entirely.
At Allure, our focus is on early detection and a smarter mitigation strategy that is painful to the attacker and provides actionable data for organizations.
Deception technology is a maturing field of cybersecurity that provides a better way to respond to website spoofing attacks. The idea is to flood the adversary with highly believable decoy credentials and personal information. This creates a great deal of doubt about what may have been stolen, making it hard for the fraudster to discern what is real and what is fake. The only way to find out is to test every credential at the real site, which raises the adversary's overhead and, whenever a decoy login occurs, gives the defender an opportunity to gather information about the attacker, such as the endpoint IP addresses under his or her control.
Using deception techniques would finally shift the advantage in favor of the legitimate businesses victimized by website spoofing. At Columbia, our Computer Science and IDS Lab has been conducting experiments to determine how certain deception techniques can bait adversaries with highly convincing but false credentials embedded with tracking mechanisms that are triggered when the attacker attempts to open or exfiltrate them. We called this the “BotSwindler,” and it aims to detect crimeware such as spoofing by deceptively inducing attackers into an observable action during the exploitation of monitored information injected into the guest OS. To entice attackers with information of value, the system supports a variety of different types of bait credentials, including decoy Gmail and PayPal authentication credentials, as well as those from large financial institutions.
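To make the tripwire mechanism described in the two paragraphs above concrete, here is an added example (not Allure's product code and not the Columbia BotSwindler implementation) of a login service that stores seeded decoy credentials alongside real accounts. Any login attempt that presents a decoy username with its seeded password can only come from someone who harvested it, so the service records the source address and seeding batch, then fails exactly as it would for a wrong password. The account names, passwords, batch label, IP addresses and timestamps are all constructed for the demo, and the fixed salt is a simplification for reproducibility.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo salt; a real deployment uses a random per-user salt.
_DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    """PBKDF2-SHA256 digest so neither real nor decoy passwords are stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DEMO_SALT, 10_000)


@dataclass
class DecoyHit:
    """One attempt to log in with a seeded decoy credential."""
    username: str
    batch: str        # which seeding batch the decoy came from
    source_ip: str    # endpoint that tested the harvested credential
    seen_at: str      # ISO-8601 timestamp supplied by the caller


@dataclass
class LoginService:
    real_users: dict = field(default_factory=dict)   # username -> digest
    decoys: dict = field(default_factory=dict)       # username -> (digest, batch)
    hits: list = field(default_factory=list)         # recorded DecoyHit objects

    def add_user(self, username: str, password: str) -> None:
        self.real_users[username] = hash_password(password)

    def add_decoy(self, username: str, password: str, batch: str) -> None:
        # A decoy must never collide with a real account, otherwise a genuine
        # user could trip the wire and pollute the attacker data.
        if username in self.real_users:
            raise ValueError(f"decoy {username!r} collides with a real account")
        self.decoys[username] = (hash_password(password), batch)

    def authenticate(self, username: str, password: str, source_ip: str, seen_at: str) -> bool:
        digest = hash_password(password)
        decoy = self.decoys.get(username)
        if decoy is not None and hmac.compare_digest(decoy[0], digest):
            # Nobody legitimate knows this credential: record the hit and fail
            # exactly like a wrong password so the attacker cannot tell decoys apart.
            self.hits.append(DecoyHit(username, decoy[1], source_ip, seen_at))
            return False
        real = self.real_users.get(username)
        return real is not None and hmac.compare_digest(real, digest)

    def attacker_sources(self) -> dict:
        """batch -> sorted list of source IPs that tested decoys from that batch."""
        out = {}
        for h in self.hits:
            out.setdefault(h.batch, set()).add(h.source_ip)
        return {b: sorted(ips) for b, ips in out.items()}

    def first_seen(self, batch: str):
        """Earliest decoy use in a batch: a lower bound on how long the spoof has been harvesting."""
        times = [h.seen_at for h in self.hits if h.batch == batch]
        return min(times) if times else None


def demo() -> LoginService:
    """Seed one real user and two decoys, then replay constructed login attempts."""
    svc = LoginService()
    svc.add_user("alice", "correct horse battery staple")
    # Constructed decoy credentials, imagined as seeded through the suspected spoof site.
    svc.add_decoy("j.mercer", "Spr1ng-Tulip!", batch="spoof-batch-A")
    svc.add_decoy("t.okafor", "Blue!Harbor22", batch="spoof-batch-A")
    # Constructed attempts as they would arrive at the real login endpoint.
    attempts = [
        ("alice", "correct horse battery staple", "198.51.100.7", "2024-03-01T09:00:00Z"),
        ("j.mercer", "Spr1ng-Tulip!", "203.0.113.5", "2024-03-01T09:14:00Z"),
        ("t.okafor", "Blue!Harbor22", "203.0.113.5", "2024-03-01T09:15:30Z"),
        ("alice", "wrong password", "198.51.100.7", "2024-03-01T09:20:00Z"),
    ]
    for user, pw, ip, ts in attempts:
        svc.authenticate(user, pw, ip, ts)
    return svc


if __name__ == "__main__":
    s = demo()
    print(s.attacker_sources())          # {'spoof-batch-A': ['203.0.113.5']}
    print(s.first_seen("spoof-batch-A"))  # 2024-03-01T09:14:00Z
```

The decoy check runs before the real-account lookup and returns the same generic failure, so the attacker gains nothing from the response; the defender, meanwhile, gets the list of source addresses per seeding batch and the earliest decoy use, which answers the "who" and "how long" questions the earlier approaches leave open.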
Whether the motivation is to spread fake news in pursuit of influence, steal customer login credentials or credit card numbers for financial gain, or break into cloud shares and networks to exfiltrate intellectual property, website spoofing has devastating impacts on company reputation, consumer trust and corporate revenues. It’s time to take a more modern approach to solving this pervasive security problem. Simply detecting IP anomalies isn’t enough. Deception technology is evolving rapidly and is well-positioned to detect website spoofing schemes sooner, giving organizations the ability to turn the tables on adversaries.
To find out more about how Allure’s web spoofing detection and response solution works, get in touch today.
Posted by Salvatore Stolfo