Justin Fier, Director of Cyber Intelligence & Analytics, discusses why the frenzy of passwords, money and credit card information changing hands over the winter months coalesces into the perfect storm for cyber-attacks, particularly doppelgängers.
Year after year, the festive season witnesses an unprecedented exchange of cash in cyberspace, with UK consumers alone projected to spend a record £80.3 billion in the lead up to Christmas. And amid the desperation to take advantage of digital doorbusters, shoppers can find themselves racing between dozens of retail sites — all in pursuit of the dream deal.
This frenzy of passwords, money and credit card information changing hands over the winter months coalesces into the perfect storm for cyber-attacks. In November and December of last year, Darktrace observed a 128% rise in Trojan attacks across its customer base relative to the previous two months.
Such Trojans, which leverage social engineering to mask their true nature, are often facilitated by “doppelgänger” domains — slight variations of legitimate domain names that are used for malicious purposes. Indeed, doppelgänger attacks in particular increased by 70% during the 2018 festive period, according to Darktrace research.
For employees bombarded with time-sensitive discounts on their work devices and corporate email accounts, it is all too easy to miss the subtle signs of a doppelgänger, while just a single click can cause an enterprise-wide breach. As a result, neither these employees nor traditional email security tools — which cannot be programmed in advance to spot an infinite number of possible fake domains — are sufficient as a last line of defence.
Rather, the only reliable way to sniff out convincing doppelgängers is with artificial intelligence (AI). By learning the online behaviour of each unique user and device that it protects, without preprogrammed rules or fixed IP blacklists, AI can distinguish between “naughty” and “nice” domains in real time.
Exposing a festive doppelgänger
A doppelgänger attack recently took place in which the duplicitous site masqueraded as an Amazon-associated page.
Of course, the webpage had no connection to the genuine retail entity. Yet the targeted device’s firewall did not block it because it had no way of anticipating future doppelgänger domains and thus no ability to recognise them when they arise. And while the webpage also had misspellings and fake product images, a user — perhaps rushing to take advantage of a deal — did not notice.
Most major businesses today utilise the standard security protocol “https://,” especially when payment information is involved, to encrypt the sensitive data being transferred.
But this measure alone does not guarantee a safe connection if the website itself was created or compromised by malicious actors — notwithstanding the digital padlock that appears beside HTTPS URLs. The doppelgänger site in question, though, used the unencrypted HTTP protocol ‘http://amazoner.info/checkout/’, which appeared alongside an unsecure, or open, padlock.
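The two warning signs described above, a brand name embedded in a slightly altered domain and a plaintext HTTP checkout page, can both be checked mechanically. The following is an added illustration written for this article, not Darktrace’s code or product logic; the trusted-domain list, the two-edit distance threshold and the sensitive path keywords are assumptions chosen for the demo.

```python
"""Flag doppelganger URLs against a short list of trusted retailer domains."""
from urllib.parse import urlparse

# Constructed allowlist for the demo; a real deployment would use the
# organisation's own list of approved retailer domains.
TRUSTED = {"amazon.com", "amazon.co.uk"}
# Paths where credentials or payment data are typically entered (assumption).
SENSITIVE_PATHS = ("checkout", "login", "pay")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registered_label(host: str) -> str:
    """Label a site registers under, e.g. 'amazoner' for 'www.amazoner.info'.
    Simplified public-suffix handling: steps back one extra label for
    two-part suffixes such as 'co.uk'."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "net"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


BRAND_LABELS = {registered_label(d) for d in TRUSTED}


def assess_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a doppelganger; empty means clean."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return []  # the genuine site or one of its subdomains
    label = registered_label(host)
    reasons = []
    for brand in sorted(BRAND_LABELS):
        if label == brand:
            reasons.append(f"brand name '{brand}' under a different TLD: {host}")
        elif brand in label or edit_distance(label, brand) <= 2:
            reasons.append(f"label '{label}' imitates '{brand}'")
    if p.scheme == "http" and any(k in p.path.lower() for k in SENSITIVE_PATHS):
        reasons.append("plaintext HTTP on a page that collects credentials or payment data")
    return reasons
```

Run against the article’s ‘http://amazoner.info/checkout/’ the function returns two findings, one for the look-alike label and one for the unencrypted checkout page; the genuine retailer returns none.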
’Tis the season to be secure
When it comes to what methods cyber-criminals will turn to next, the festive season is full of unpredictability. No one knows exactly what the next doppelgänger will look like, meaning that perimeter tools struggle to identify novel attacks before it’s too late.
It is imperative that individuals are wary of emails and ads that seem at all suspicious, even if it isn’t clear why. And when in doubt, it is always better to navigate directly to retail sites like Amazon from your browser, rather than clicking on an email link.
The default disposition when shopping online — especially during the festive period — should be overcautiousness. Keep an eye out for broken language, typos and design flaws that would all be rare on trustworthy retail sites, ensure URLs are legitimate before entering any information and, in general, trust your instincts when you sense something is amiss.
From an organisational standpoint, on the other hand, assume that employees won’t do any of the above. Human error is responsible for the vast majority of breaches, so expecting employees and conventional security tools to never allow attackers into the network is a recipe for compromise.
Instead, to prepare for the inevitability of attack, AI-supported tools are needed to detect in-progress threats — not by predefining ‘bad’, but by understanding ‘self’. Some organisations are already utilising cyber AI and, as a result, are readying themselves for the heightened seasonal activity, for sophisticated doppelgängers, and for the unpredictable.