In response to some important shifts in the threat landscape at the beginning of the year, Infoblox unveiled some innovative new capabilities at this year’s RSA conference in San Francisco. Centered around the Custom Lookalike Domain Monitoring feature, available within BloxOne Threat Defense, these new capabilities provide a significant counter to the use of lookalike domains by threat actors, including more recent tactics such as imitating multi-factor authentication (MFA) systems to steal credentials.
What follows is a summary of key trends and research from the Infoblox Threat Intelligence Group (TIG) on how lookalike domains, a consistent though evolving technique used in phishing emails, are being used in more advanced attacks today, such as those imitating MFA systems. If you are interested in an even deeper dive into lookalike threats, a comprehensive research report was recently released on the topic by the Infoblox TIG.
CURRENT LOOKALIKE THREAT: HOW DID THIS BECOME AN MFA PROBLEM?
Over the last year, as security industry analysts, writers, speakers, and others have consistently highlighted the value of MFA for a strong security posture, MFA adoption has unsurprisingly skyrocketed. As a result, MFA is being adopted by everyone from gamers, concerned with protecting their accounts and in-game purchases, to digital currency marketplaces, wallets, and exchanges who have seen major breaches involving convincing lookalikes in attacks like one against Coinbase in early 2023.
Using adversary-in-the-middle (AitM) techniques, threat actors attempt to trick employees into thinking they are interacting with the company’s real network during authentication. A study by the Infoblox Threat Intelligence Group (TIG) found over 1,600 domains used since the beginning of 2022 alone that contained a combination of corporate and MFA lookalike features, with worldwide targets ranging from large corporations to major banks, software companies, internet service providers, and government entities.
LOOKALIKES USED IN MORE THAN JUST EMAIL PHISHING
Lookalike domains are a popular tool for cybercriminals targeting individuals and businesses. Social media platforms, major brands, and even small businesses are at risk. Attackers are using various methods, such as SMS messages, phone calls, direct messages on social media, emails, and QR codes to deploy these lookalikes.
Smishing (SMS phishing) is being used to distribute phishing messages, allowing attackers to bypass some security measures used to protect against email phishing attacks. Actors such as those we’ve named OpenTangle and Scamélie target consumers and government employees with lookalike domains – over 1,500 domains for OpenTangle alone – and use tactics like spearphishing against their targets.
Lookalike domains are also being used as mail servers and malware command and control (C2) servers, making it more challenging for humans to detect phishing emails and for endpoints to detect malware. Lookalikes can be deployed in various DNS capacities, such as nameservers, mail servers, canonical name (CNAME) records, and pointer (PTR) records, and can be employed as redirects, making them well suited for malware C2.
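The two points above, lookalikes that combine a corporate name with MFA-themed tokens and lookalikes that turn up in NS, MX, CNAME or PTR records rather than only in email links, can both be checked with the same defensive logic: normalize each observed name, look for a brand match (exact, substring, or within one edit after folding common confusables), and only raise a finding when an MFA-style token is also present. The script below is an added illustration of that check and is not Infoblox code or a description of BloxOne Threat Defense; the protected brands, the owned-domain allowlist, the MFA token list, the confusable map, the edit-distance threshold and the sample DNS records are all constructed assumptions, and the `.test` names are placeholders.

```python
"""Flag observed DNS names that combine a brand lookalike with MFA-themed tokens.

Added example, not Infoblox code. Every list and threshold below is a
constructed assumption; tune them to your own brands and telemetry.
"""
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

# Constructed: brands we want to protect (assumption).
PROTECTED_BRANDS = ["examplebank", "acmecorp"]
# Constructed: registrable domains we actually own; legitimate subdomains
# such as sso.acmecorp.test must not be reported as lookalikes (assumption).
OWNED_DOMAINS = {"acmecorp.test", "examplebank.test"}
# Constructed: tokens that imitate MFA / SSO login flows (assumption).
MFA_TOKENS = ["mfa", "2fa", "sso", "okta", "duo", "auth", "login", "verify", "secure"]
# Constructed subset of digit/letter and multi-character confusables (assumption).
# Multi-character entries are applied first so "rn" becomes "m" before any single
# character substitution runs.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"}

# Constructed passive-DNS style records (record type, owner name). Assumption:
# IDN names have already been decoded from punycode with str.decode("idna").
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("A", "examp1ebank-mfa.test"),          # digit-for-letter swap plus "mfa"
    ("MX", "acrnecorp-okta-verify.test"),   # "rn" for "m", used as a mail server
    ("CNAME", "login.acmecorp-secure.test"),
    ("NS", "sso.acmecorp.test"),            # real subdomain of an owned domain
    ("PTR", "examplebnk.test"),             # typo of the brand but no MFA token
    ("A", "okta-mfa-portal.test"),          # MFA tokens but no protected brand
    ("A", "acmécorp-auth.test"),            # accented confusable plus "auth"
]


def normalize_label(text: str) -> str:
    """Fold accents and common confusables down to plain ASCII letters."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    for src, dst in HOMOGLYPHS.items():
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short labels so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_brand(tokens: List[str], brands: List[str]) -> Optional[Tuple[str, str, int]]:
    """Return (brand, matching token, edit distance) for the first brand lookalike."""
    for brand in brands:
        for tok in tokens:
            if brand in tok:
                return brand, tok, 0
            # One edit is tolerated only for brands long enough that a single
            # edit is unlikely to collide with an unrelated word (assumption).
            if len(brand) >= 6 and levenshtein(brand, tok) <= 1:
                return brand, tok, levenshtein(brand, tok)
    return None


def score_domain(domain: str, brands=PROTECTED_BRANDS, mfa_tokens=MFA_TOKENS) -> Optional[Dict]:
    """Return a finding when a name carries both a brand lookalike and an MFA token."""
    parts = domain.lower().strip(".").split(".")
    # Naive registrable domain = last two labels; real code should use a
    # public-suffix list so that e.g. co.uk is handled correctly (assumption).
    if ".".join(parts[-2:]) in OWNED_DOMAINS:
        return None
    joined = "-".join(parts[:-1])           # drop the TLD, keep every other label
    normalized = normalize_label(joined)
    tokens = [t for t in re.split(r"[-.]", normalized) if t]
    brand_hit = find_brand(tokens, brands)
    if brand_hit is None:
        return None
    mfa_hits = sorted({m for m in mfa_tokens if any(m in t for t in tokens)})
    if not mfa_hits:
        return None
    brand, matched, dist = brand_hit
    return {
        "domain": domain,
        "brand": brand,
        "matched_label": matched,
        "edit_distance": dist,
        "mfa_tokens": mfa_hits,
        "confusables_folded": normalized != joined.lower(),
    }


def scan(records: List[Tuple[str, str]]) -> List[Dict]:
    """Score every record regardless of type, keeping the type in the finding."""
    findings = []
    for rtype, name in records:
        finding = score_domain(name)
        if finding:
            finding["record_type"] = rtype
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['record_type']:5} {f['domain']:32} brand={f['brand']} mfa={f['mfa_tokens']}")
```

Requiring both signals keeps the noise down: a plain typo of the brand with no MFA token, or an MFA-themed name with no brand, is left for a lower-priority queue, while the allowlist stops the organization's own `sso.` and `login.` hosts from being reported. Feeding the scanner with NS, MX, CNAME and PTR answers as well as A records is what lets it catch the mail-server and C2 uses described above, not just names that appear in phishing links.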
Mobile devices may be more vulnerable to lookalike attacks due to smaller screen sizes and a lack of link previewing. Even security-aware individuals can fall victim to a well-crafted lookalike, especially when combined with other social engineering tactics like SMS messages or urgent phone calls.
Organizations can defend themselves against lookalike domains by implementing DNS-level solutions, such as those offered by Infoblox. While bad actors currently have the upper hand, the fight against lookalikes is not lost. It is important to remain vigilant and to automate security measures wherever possible to reduce the risk of human error, since people can easily miss what is right in front of them.