Shoring Up Brand Protections in the Age of Domain Spoofing
Cybercriminals leverage the trust and digital reputations that online brands have fostered to further their malicious email spoofing and domain spoofing activities.
Which are the most impersonated brands on the internet? While the answer varies a bit from month to month, it probably wouldn’t surprise you that PayPal, Facebook, Microsoft, Apple, and Amazon are regularly among the top 10. These companies are widely known and trusted, and cybercriminals know that impersonating them increases the likelihood of success of a phishing email. But, brand exploitation can happen to anyone.
When cybercriminals send out mass phishing attacks, it only makes sense to leverage probability and use brands that have massive customer bases. The internal monologue for many users often goes something like this:
“Why yes, I do have a PayPal [Facebook, Microsoft, Apple, Amazon…] account. I’d better login and ‘reactivate’ my account like this official looking email says. And given the linked login page looks just like the one I have logged into many times on PayPal.com [Facebook.com, Microsoft.com, Apple.com, Amazon.com], it must be correct”.
But there are thousands of other companies cybercriminals can impersonate. If your organization isn’t one of these top internet brands, are you safe from these types of attacks? Unfortunately not. While attacks against the best-known internet brands continue unabated, the more sophisticated cybercriminals – with the assistance of cybercrime toolkits and a multitude of hacked websites and DNS entries – have shifted to impersonating the online brands of lesser-known firms.
Targeted email spoofing and domain spoofing attack techniques are being used to leverage the brand trust of thousands of organizations every day, none of which would be considered extremely well-known internet brands. If you have a website – particularly one with a login – you are a target.
And this includes Mimecast’s own brand.
To demonstrate how any organization with an online presence is a brand impersonation target, this article provides examples of phishing emails and websites that cybercriminals have used to leverage the Mimecast brand. And if it isn’t clear exactly how we catch these attacks, that is not by accident. We certainly don’t want to provide the black hats with any insights!
Attempts to Exploit the Mimecast Brand
In Figure 1, the attacker registered a .com domain and sent a personalized email that was made to look like a Mimecast email digest message, but with no mention of “Mimecast” either in the email body or via a logo. All the included links pointed at the same web page (keep reading for details on the web side of the attack later in this article).
Figure 1. Phishing email appearing to be a Mimecast digest email, without any mention of Mimecast.
In the example shown in Figure 2, the attacker used the Mimecast brand and versions of the logo in an email appearing to be the Mimecast email message digest. In this sample the attacker used the relatively uncommon and inexpensive top-level domain (TLD) of “.live”. The email was also personalized for the receiver and used the “postmaster” display name to add credibility. All the links in this email pointed at the same web site as well.
Figure 2. Phishing email that looks like a Mimecast digest email, uses the Mimecast brand and logo multiple times.
In Figure 3, the attacker took a different approach altogether. From a visual perspective, the email does not mimic any standard Mimecast email, and it uses an old Mimecast logo. From a content perspective, the attacker personalized the email copy, but language like “temporal suspension” would likely come from a non-English speaker. The domain spoofing aspect is more advanced: it used a display name of firstname.lastname@example.org to simulate a legitimate email address. The email was sent from a domain registered in Vietnam, via a legitimate support account on that domain (unrelated to Mimecast) that was likely hacked. The link also resolves to the same website found in Figures 1 and 2.
Figure 3. Phishing email that doesn’t look like a common Mimecast email, is personalized, uses poor English, and likely comes from a hacked, legitimate email address.
Figure 4 is another advanced domain spoofing attempt. It appears to come from the Mimecast.com domain, but this sender will not pass a DMARC check, as we certainly aren’t going to provide them with our DKIM private key or add them to the approved senders in the SPF record of our DNS entry! The primary link in the email body looks like it goes to the receiving organization’s webmail service but actually resolves to the same website as in the first three examples. The email body is personalized to the intended receiver.
Figure 4. Phishing email that pretends to come from the Mimecast.com domain and does not mimic any legitimate Mimecast standard email. Both links resolve to the same web page.
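The DMARC reasoning above (a spoofed From: domain fails because neither SPF nor DKIM can produce an aligned pass without the brand owner’s DNS and DKIM key) is easy to see in code. The following is an added example, not Mimecast’s code or any Mimecast product logic: it reads the visible From: header and a receiving server’s Authentication-Results header from two constructed messages and applies DMARC identifier alignment under relaxed and strict modes. The `hosting.example` and `mx.receiver.example` names are placeholders, the messages are constructed for this example, and the organizational-domain helper is a deliberate simplification (real DMARC uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the page). SPOOFED mirrors the
# Figure 4 situation: the visible From: claims mimecast.com, but the message
# was authenticated for an unrelated domain the attacker controls.
SPOOFED = """From: Mimecast Postmaster <postmaster@mimecast.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=hosting.example; dkim=pass header.d=hosting.example
Subject: Action required

body
"""

# A legitimately authenticated message: SPF on a bounce subdomain and DKIM on
# a mail subdomain, both within the mimecast.com organizational domain.
LEGITIMATE = """From: Mimecast Postmaster <postmaster@mimecast.com>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bounces.mimecast.com; dkim=pass header.d=mail.mimecast.com
Subject: Digest

body
"""

# Pulls "spf=pass smtp.mailfrom=..." and "dkim=pass header.d=..." out of an
# Authentication-Results header; the identifier group is optional.
AUTH_RE = re.compile(
    r"(spf|dkim)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?"
)


def organizational_domain(name: str) -> str:
    """Simplified organizational domain: the last two labels. Real DMARC
    consults the Public Suffix List, so names like foo.co.uk differ here."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any name sharing the From: organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Map 'spf'/'dkim' to (result, authenticated domain)."""
    results = {}
    for mech, result, ident in AUTH_RE.findall(header):
        domain = ident.split("@")[-1] if ident else ""
        results[mech] = (result.lower(), domain)
    return results


def evaluate_dmarc(raw_message: str, adkim: str = "r", aspf: str = "r") -> dict:
    """Return the DMARC verdict for a message given its Authentication-Results.
    DMARC passes if at least one of SPF or DKIM passed *and* is aligned with
    the RFC5322.From domain; a pass for an unrelated domain does not count."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    print("spoofed  :", evaluate_dmarc(SPOOFED))
    print("legit (r):", evaluate_dmarc(LEGITIMATE))
    print("legit (s):", evaluate_dmarc(LEGITIMATE, adkim="s", aspf="s"))
```

The point the spoofed case makes is that SPF and DKIM results on their own are not enough: the attacker’s own domain can pass both, and only the alignment step ties the result back to the domain the recipient actually sees. The strict-mode run of the legitimate message shows the flip side, where a brand’s own subdomain senders fail unless the published policy uses relaxed alignment or signs with the exact From: domain.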
These four phishing email examples highlight the subtle variety of techniques a cybercriminal group can and will undertake when running their phishing campaigns.
The Need for Brand Protection: Stolen Credentials
What about the target webpage that was linked to in every email? In all cases shown above, the attacker’s goal was to bring the intended victim to the same webpage, shown in Figure 5, demonstrating that the attacker group’s ultimate goal is to steal Mimecast login credentials for use in further attacks internally or outbound from the target organization. This is further underscored by the way the attackers personalize the login page: the receiver’s actual email address replaces email@example.com, passed to the page through a customized URL in the email.
Figure 5. Fake Mimecast login page
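A link that carries the recipient’s own address so the fake login page can pre-fill it, as described above, is a useful detection signal on the receiving side. The following is an added example, not Mimecast’s detection logic: it extracts URLs from a constructed email body and flags any whose path, query string or fragment embeds the recipient address, whether plain, percent-encoded or base64-encoded. The `victim-org.example` hostnames and the body text are constructed for this example.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample (not from the page): the recipient and a body with three
# links, two of which carry the recipient's address for page personalization.
RECIPIENT = "jane.doe@victim-org.example"
B64_RECIPIENT = base64.b64encode(RECIPIENT.encode()).decode()
BODY = f"""You have held messages waiting for review.
Review: https://secure-login.victim-org.example/digest?u=jane.doe%40victim-org.example&id=7
Help: https://www.victim-org.example/help
Alternate: https://cdn.victim-org.example/p/{B64_RECIPIENT}
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _b64_candidates(segment: str):
    """Yield plausible base64 decodings (standard and URL-safe) of a segment;
    segments that are not valid base64 are skipped."""
    padded = segment + "=" * (-len(segment) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def embeds_recipient(url: str, recipient: str) -> bool:
    """True if any path segment, query value or fragment of the URL contains
    the recipient address directly, percent-encoded, or base64-encoded."""
    parts = urlsplit(url)
    segments = [p for p in parts.path.split("/") if p]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        segments.extend(values)
    if parts.fragment:
        segments.append(parts.fragment)
    target = recipient.lower()
    for seg in segments:
        if target in unquote(seg).lower():
            return True
        if any(target in cand.lower() for cand in _b64_candidates(seg)):
            return True
    return False


def flag_personalized_links(body: str, recipient: str) -> list:
    """Return the URLs in the body that embed the recipient's address."""
    return [u for u in URL_RE.findall(body) if embeds_recipient(u, recipient)]


if __name__ == "__main__":
    for url in flag_personalized_links(BODY, RECIPIENT):
        print("recipient address embedded in link:", url)
```

On its own this heuristic also fires on legitimate unsubscribe or account links, so in practice it is one score among several (sender authentication, link domain age, mismatch between link text and target) rather than a block rule.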
Note they also were very careful in selecting the URLs where the pages were hosted. In this case, the attacker compromised a legitimate organization’s DNS entry and registered a subdomain – a technique known as domain shadowing – that resolves to a cybercriminal-owned IP address.
Figure 6. Example of a subdomain of a legitimate domain whose DNS entry has been hacked so the cybercriminal can enter a URL resolution that points to their web host.
Note also that this attacker group regularly moves the website hosting URL, both by hacking many DNS entries and by compromising the websites of legitimate organizations and placing the Mimecast-looking login pages there.
Figure 7. A small sample of the URLs that have hosted the fake Mimecast login page in the recent past.
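From the hacked organization’s side, domain shadowing leaves a concrete trace: a record appears in its zone, or an existing one is re-pointed, to an address the organization does not own. The following is an added example, not Mimecast’s tooling: it diffs two constructed zone snapshots (as a DNS provider might export them) against the organization’s known address space, reports new or changed records that resolve elsewhere, and then pivots on the foreign IP, which is where the Figure 7 pattern of many hijacked names serving one login page shows up. The `victim-org.example` zone, the documentation-range IPs and both snapshots are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the page). KNOWN_RANGES is the address
# space the organization actually uses; the two dicts mimic A-record exports
# taken before and after a suspected DNS compromise.
KNOWN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

BASELINE_ZONE = {
    "www.victim-org.example": "203.0.113.10",
    "mail.victim-org.example": "203.0.113.25",
}

CURRENT_ZONE = {
    "www.victim-org.example": "203.0.113.10",
    "mail.victim-org.example": "198.51.100.77",         # existing name re-pointed
    "cdn.victim-org.example": "203.0.113.40",           # new, but inside known space
    "secure-login.victim-org.example": "198.51.100.77", # new, foreign address
}


def in_known_ranges(ip_text: str, ranges=KNOWN_RANGES) -> bool:
    """True if the address belongs to one of the organization's networks.
    An unparsable target is treated as not known (and worth a look itself)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Membership across IP versions simply returns False, so v4/v6 mix safely.
    return any(ip in net for net in ranges)


def find_shadowed_records(baseline: dict, current: dict, ranges=KNOWN_RANGES) -> list:
    """Return records that are new or changed since the baseline *and* resolve
    outside the organization's known address space, in name order."""
    findings = []
    for name, ip in sorted(current.items()):
        if name not in baseline:
            change = "new"
        elif baseline[name] != ip:
            change = "changed"
        else:
            continue  # unchanged record: nothing to report
        if not in_known_ranges(ip, ranges):
            findings.append({"name": name, "ip": ip, "change": change})
    return findings


def group_by_target(findings: list) -> dict:
    """Pivot findings on the foreign IP: one attacker host usually serves many
    shadowed names, so blocking the host covers more than blocking one URL."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["ip"]].append(f["name"])
    return dict(groups)


if __name__ == "__main__":
    found = find_shadowed_records(BASELINE_ZONE, CURRENT_ZONE)
    for f in found:
        print(f"{f['change']:8} {f['name']} -> {f['ip']}")
    for ip, names in group_by_target(found).items():
        print(f"{ip} serves {len(names)} suspicious name(s): {', '.join(names)}")
```

Run routinely against zone exports (or passive DNS data for a domain you own), this catches both halves of the technique seen here: the newly minted subdomain, and the quieter case where an existing name is re-pointed. Records that are new but stay inside known space, like the `cdn` entry, are deliberately not reported, since ordinary infrastructure changes would otherwise drown the signal.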
And of course, depending on the attacker’s goal, they can also use a trusted brand – such as Mimecast – in a phishing email to bring the target to a login page that simulates yet another organization’s online brand, with the similar goal of getting log-in credentials for its employees.
Figure 8. Webpage simulating another organization’s log-in page
The Bottom Line
You should not leave this article with the belief that Mimecast is a heavily impersonated brand. It isn’t, although we certainly get our share. Instead, there are specific technologies and teams in place to find, capture, follow, and block attacks that use email- and web-based brand exploitations against Mimecast.
There’s a high level of sophistication and focus that cybercriminals undertake to maliciously leverage online brands. Are you sure your online brand is not being exploited in the same way right now? What brand protections do you have in place?