This interview with Allure Security CTO Salvatore J. Stolfo was first published by Cybernews.
Nowadays, threat actors can not only harm companies by infiltrating malicious programs but also by abusing their identities. Fraudsters aim to impersonate well-known brands to gain users’ trust and lure out personal information. Unfortunately, such tactics work in a simple but still highly effective manner.
Cybercriminals create fake websites that look exactly like the real business sites that they’re impersonating. Since the contents and visuals are nearly identical, many users fail to spot a scam and enter their credentials. This way, threat actors easily collect sensitive user data and exploit it for financial benefits. What’s even worse is that the growing number of fraudulent websites that take advantage of brand names makes it extremely difficult to eliminate them from the internet.
So we had a chat with the CTO at Allure Security and a Professor of Computer Science at Columbia University, Salvatore J. Stolfo, who explains how an innovative combination of artificial intelligence and machine learning can help put a stop to brand impersonation.
Tell us a little bit about your history. How did Allure Security originate?
Allure Security was spun out of my research lab, the Intrusion Detection Systems (IDS) lab, at Columbia University, to work on government R&D programs. The company performed under several contracts to develop advanced Artificial Intelligence (AI) and Machine Learning (ML) systems applied to some of the hardest problems in cybersecurity. At some point, we received funding to transition the technologies we developed into commercial products. That’s when Allure Security morphed into the commercial cybersecurity product company it is today.
Can you introduce us to what you do? What are the main challenges you help navigate?
We fight fraud and scams by quickly finding and neutralizing impersonations on the web. Popular brands are often impersonated by fraudsters and scammers to lure unsuspecting users into visiting their malicious sites.
These tactics are used to trick users into giving up their personal information, especially credentials to sites where they have accounts. The scammers can then take over the users’ accounts, or create new accounts using stolen identities.
Allure Security detects these scam impersonations and quickly takes them down. Finding these fake websites is not easy because of the vastness of the web and the efforts by the fraudsters to hide their malicious sites.
What set of tools do you use to detect and, eventually, remove threats?
Allure Security has harnessed AI and ML techniques and very clever defensive measures for our customers to find these sites quickly. We protect brands from impersonation by looking for sites that look and feel like the real site. This requires artificial intelligence to identify an impersonation even when fraudsters make remarkably simple but effective changes to the real site’s images and content. Allure Security automates the process of taking down sites that are detected by reporting to the major search engines and filing takedown requests with the hosting site. Other mitigation strategies are also used to disable the malicious site until the take-down process has been completed.
Have you noticed any new threats emerge in your field during the pandemic?
Fraudsters always leverage deception to lure unsuspecting victims. Any major news item is quickly leveraged to trick fearful users, especially since people are spending more time online during the COVID pandemic. We have noticed an increase in malicious sites that aim to gather personally identifiable information (PII) to effectively take over a user’s identity. Fraud is increasing with the growth in malicious sites that are far more effective in deceiving users.
Brand protection is receiving more recognition nowadays. However, some still might not be familiar with this topic. What brand assets can be taken advantage of for malicious purposes?
Let’s take an example if your favorite shoe brand markets a new sneaker that every kid must have, or your bank offers low-cost small business loans to cover your monthly payroll. Fraudsters would copy the websites prepared by the shoe company or the banks and misdirect interested customers to their site. The look and feel of the site resemble the real brand but it’s entirely fake.
So, customers provide their credit card or PayPal information to buy sneakers they will never receive. Similarly, a small business owner might provide the bank checking account information for a loan they didn’t apply for at the real bank website.
The scammers succeed in stealing this private information simply by tricking users to believe they visited a real site. The real brand loses sales and experiences angry customers who were tricked. It’s important to understand that brand protection is sales and reputation security.
What actions can put an organization’s customer data at risk?
Much attention is focused on internal security controls and cybersecurity hygiene to prevent customer data leaks from within the corporate network. But brand impersonation occurs outside the company’s network and is leveraged by attackers to steal customer data directly from the customer. Stopping brand impersonation is as important as protecting internal assets for modern companies.
In your opinion, which industries should put more attention towards protecting their brand?
The more valuable a brand, the more one should expect successful impersonations. This maxim cuts across all industry verticals. Recently, we have seen an increase in scams and impersonations leveraging the marketing of cryptocurrencies. Financial institution brands are always under threat since that’s where the money is. Retailers, especially smaller boutique stores, must also be highly diligent to protect their brand and their brand reputations.
What new threats do you think the public should be ready to tackle in 2022? What security tools should be in place as soon as possible?
All major brands whose business is dependent upon the internet to reach their customers are likely aware that the brand impersonation problem is growing, biting deeper into their revenues and harming their reputation and their customers.
The public is perhaps better informed since they are often reminded when they do interact online. For example, frequent text messaging and emails from major providers remind users to be cautious about clicking on suspicious links. Telecom providers mark incoming messages as potential spam on the user’s phone. These tactics are important to teach users that the internet is fraught with potential scams in just about everything we do. However, “public cyber hygiene” isn’t enough.
Brands that want to protect their customers from successful scams ought to protect their online brand presence from being misused for malicious purposes. Fraudsters and scammers will up their game and find new ways to lull and trick users. This implies attempts at going after the distribution channel, or the scam “invite vector” is a fool’s errand and won’t solve the problem at the root cause — finding and taking down malicious websites when they first appear. End users will need new security technology on their smartphones and desktop devices to stop scams in their tracks when these malicious sites first appear.
Share with us, what’s next for Allure Security?
Brand impersonation on the internet is a growing problem and Allure Security offers a solution to reduce potential losses. We will now move into protecting customers from social media impersonations, fraudulent mobile apps, and deceptive text messaging. Plans are in place to move Allure Security’s protection closer to the end-user to stop scams from succeeding from the user’s desktop or mobile device at the moment it appears. Allure Security is also developing advanced mitigation technology to not only stop fraudsters but also disrupt their financial ecosystem.
