Phishing remains the evergreen cyberattack. Why? Because it works — as phishing attacks have become more targeted, they have become a simple, cost-effective way for cybercriminals to break into a network. Here is what you need to know:
The number of new domains is rising – and will continue to grow
Domain names are the crown jewel for a brand. A single brand alone may have thousands of domains. In our recent research report, “The Modality of Mortality of Domain Names”, we stated that Farsight observes two to three new Second-Level Domain Names, per second, on the Internet and over 150 Fully Qualified Domain Names (FQDNs) i.e. www.farsightsecurity.com, per second. While many are created for legitimate purposes, new domains are cheap and short-lived assets – the perfect tool to commit phishing and other cybercrime attacks.
The use of Internationalized Domain Names (IDN) for phishing attacks
Cybercriminals often create “lookalike” domains of well-known brands. While these lookalike domain names may simply be a misspelling of the original brand name i.e. using the number 1 for the letter “I”, some phishing tactics are not so obvious or easily detected. For example, Farsight has discovered evidence of phishing attacks against commercial airliners using Internationalized Domain Names (IDNs). IDNs represent a DNS standard representing non-English domain names, which are nearly undetectable by either human eyes or human judgement.
Different phishing domains may share a single malicious infrastructure
At a glance, two new domains used for different phishing attacks against a single organization may appear to come from different attackers. However, bad guys will often share a single set of name servers for multiple related domains. Over time, bad domain names also will often hop from one bad IP address to another. By using Farsight’s historical passive DNS database, DNSDB®, organizations can discover this shared infrastructure, and gain more valuable insight into the attackers, their motives and Tactics, Techniques and Procedures (TTPs).
Reputation systems alone can’t protect against new domain phishing attacks
In a recent research report conducted by Farsight Security, we learned that the majority of new domains die due to blacklisting. Yet not all – and remember, it only takes one domain in a phishing attack to lead to a catastrophic data breach. New domains are often so quickly created, used and discarded by cybercriminals for phishing attacks before blacklists and other reputation systems can block them. Organizations need other methods to protect against risks posed by new domains. Assessing risk based on the “age” of a domain and then blocking these domains for a specific amount of time is a simple but successful strategy. Farsight’s Newly Observed Domains (NOD) tool can provide that necessary protection you need.
Expect Phishing Attacks Using New Domains to Rise
Phishing is one of the most successful and lucrative types of cyberattacks today. A single news event, from a massive data breach or inaugural presidential campaign launch, can lead to the creation of thousands of newly created domains to lure users to fake Go-Fund-Me or campaign donation sites. Phishing attacks using new domain names are a cheap form of cyberattack – and will be for the foreseeable future. Right now, it is the victim’s organization that carries the high cost of protecting their employees and their assets. Yet there are steps you can take to reduce that risk.
DNS Asset Management is Key to Reducing Risk
As I mentioned earlier in the article, a single brand may have thousands of domains and sub-domains. Often, many of these domains created for now discontinued products or old marketing campaigns are forgotten by the IT or security team – and, as a result, become ripe for potential abuse. While monitoring for suspicious new domain names related to your brand is critical to your security program, you first need to put in place comprehensive policies and procedures to regularly identify and manage all your DNS assets, from domain names to name servers and IP addresses. You can’t protect what you don’t know you have.
At Farsight, we help Fortune 500 organizations fight phishing and other cyberattacks every day. Learn more how we can help your organization. Contact us at [email protected].
Karen Burke is the Director of Corporate Communications with Farsight Security, Inc.
