A number of clever, yet common techniques have been the basis for several social engineering attacks we’ve seen lately. Hackers register domain names that look like an organization’s authentic domain so that the e-mail recipient believes the sender, and the sender’s request, is legitimate.
These techniques can consist of one or more of the following:
- Homoglyphs – A homoglyph is a character (or group of characters) whose shape is identical or very similar to another: a capital O and the number 0, the number 1 and a lower-case l, a lower-case g and q, you get the idea. Believe it or not, it’s quite common for someone to miss the substitution when one of these characters replaces another in a domain name. (e.g., ahrconsu1ting.com (yes, that’s a number one in place of the letter l))
- Transposition – Simply put, swapping two letters that sit next to one another. Most people won’t notice this in a domain name when quickly glancing at a sender’s e-mail address. (e.g., ahrconsutling.com)
- Repetition – Repeating one of the letters in the domain name (e.g., ahrconsultting.com)
- Replacement – Replacing one of the letters in the domain name, usually with a letter that sits next to the original on the keyboard so the result still looks plausible (e.g., ahrconsilting.com, where i is the key next to u)
- Omission – Removal of one of the letters from the domain name (e.g., ahrcnsulting.com)
- Insertion – Inserting an extra letter into the domain name (e.g., ahrconsiulting.com)
So how is this used by phishers (read: hackers)?
- A hacker will research a company on any number of corporate information sites (Manta, Spokeo, etc.) to gather data about its structure, owners, website, email addresses, revenue, and any other publicly available information
- They will then register a domain similar to the target’s domain using the above techniques, with WHOIS privacy enabled so the registration cannot be traced back to them
- They will immediately send an e-mail purporting to be from the CEO or President (or similar) to a mid- or high-level employee, preferably in finance, with an official-looking request
- The e-mail will typically request a money wire transfer or some other type of urgent monetary request be sent to a particular account or recipient
- The request may also have what appears to be an official-looking e-mail signature compiled from the information gathered above
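The two halves of this post, the six spelling tricks and the way a phisher puts one of them in a From: address, can be turned into a check that mail gateways and analysts can actually run. The following is an added example, not code from the original post: it generates every single-edit lookalike of a legitimate domain using the techniques listed above, then screens a few constructed e-mail headers and flags any message whose sender domain is one of those lookalikes, with an extra flag when the display name matches an executive. The domain ahrconsulting.com is used as the one being impersonated; the executive list, the homoglyph and keyboard-neighbour tables and the sample messages are all assumptions made up for this illustration.

```python
"""Lookalike-domain generator and inbound-mail screen (added example)."""
import re

LEGIT_DOMAIN = "ahrconsulting.com"  # constructed: the domain being impersonated

# Executives whose names attackers put in the display name (constructed).
EXECUTIVES = {"jane doe": "jane.doe@ahrconsulting.com"}

# Character pairs that look alike in common fonts; both directions are tried.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "g": "q", "rn": "m", "vv": "w"}

# Neighbouring keys on a US QWERTY keyboard, for the "replacement" technique.
KEYBOARD_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qws", "s": "awed", "d": "serf", "f": "drtg", "g": "ftyh",
    "h": "gyuj", "j": "huik", "k": "jiol", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def variants(domain):
    """Return {lookalike_domain: technique} for every single-edit lookalike.
    Techniques run in the order the post lists them and the first to produce
    a string wins, so a doubled letter counts as repetition, not insertion."""
    label, _, tld = domain.lower().rpartition(".")
    found = {}

    def add(candidate, technique):
        if candidate != label:
            found.setdefault(f"{candidate}.{tld}", technique)

    for real, fake in HOMOGLYPHS.items():
        for a, b in ((real, fake), (fake, real)):
            pos = label.find(a)
            while pos != -1:
                add(label[:pos] + b + label[pos + len(a):], "homoglyph")
                pos = label.find(a, pos + 1)
    for i in range(len(label) - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i, ch in enumerate(label):
        add(label[:i] + ch + label[i:], "repetition")
        for near in KEYBOARD_NEIGHBOURS.get(ch, ""):
            add(label[:i] + near + label[i + 1:], "replacement")
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) + 1):
        for ch in "abcdefghijklmnopqrstuvwxyz":
            add(label[:i] + ch + label[i:], "insertion")
    return found


def parse_from(raw_headers):
    """Pull (display name, address) out of a From: header; ('', addr) if bare."""
    m = re.search(r'^From:\s*"?([^"<]*?)"?\s*<([^>]+)>', raw_headers, re.I | re.M)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    m = re.search(r"^From:\s*(\S+@\S+)", raw_headers, re.I | re.M)
    return ("", m.group(1).strip().lower()) if m else (None, None)


def screen_message(raw_headers, legit_domain=LEGIT_DOMAIN):
    """Return a finding when the sender domain is a lookalike of legit_domain,
    or None when it is the real domain or an unrelated one."""
    display, address = parse_from(raw_headers)
    if address is None:
        return None
    sender_domain = address.rpartition("@")[2]
    if sender_domain == legit_domain.lower():
        return None
    technique = variants(legit_domain).get(sender_domain)
    if technique is None:
        return None
    return {
        "address": address,
        "technique": technique,
        # A lookalike domain plus an executive's name is the CEO-fraud pattern.
        "impersonates_executive": any(n in display.lower() for n in EXECUTIVES),
    }


# Constructed sample headers: one genuine, one CEO-fraud attempt, one
# vendor-style lure sent from a transposed domain.
SAMPLE_MESSAGES = [
    'From: "Jane Doe, CEO" <jane.doe@ahrconsulting.com>\nSubject: Q3 numbers',
    'From: "Jane Doe, CEO" <jane.doe@ahrconsu1ting.com>\nSubject: Urgent wire transfer',
    'From: "Accounts Payable" <ap@ahrconsutling.com>\nSubject: Updated bank details',
]


def screen_all(messages=SAMPLE_MESSAGES):
    """Screen every message and return only the findings, in input order."""
    return [f for f in (screen_message(m) for m in messages) if f]


if __name__ == "__main__":
    print(f"{len(variants(LEGIT_DOMAIN))} lookalikes of {LEGIT_DOMAIN}")
    for finding in screen_all():
        kind = "EXEC IMPERSONATION" if finding["impersonates_executive"] else "lookalike"
        print(f"{kind}: {finding['address']} ({finding['technique']})")
```

Two practical notes. First, the generated set is also the list you would feed to a registrar or certificate-transparency watch to find out whether someone has already registered one of your lookalikes; doing that before the phish arrives is cheaper than screening mail afterward. Second, the screen only catches single-edit variants of one domain; a real deployment would run it against every domain the company and its key vendors use, since the same trick works just as well on a supplier’s billing address.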
Don’t fall victim to this fairly common attack: double-check the spelling of both the sender’s name and the domain name before acting on any request.
When in doubt, obtain verbal approval over a phone number you already know (not one supplied in the e-mail) before doing ANYTHING involving company capital.
To read more about Malicious Social Engineering, see our other blog post: Can you expand a bit more on the threat posed by malicious social engineering?