Impersonation attacks are a significant contributing factor to the growing phishing challenge, with APWG reporting over 1 million phishing attacks in Q1 2022 – the highest number of attacks recorded for a quarter.
Threat actors are targeting well-known brands to carry out sophisticated social engineering attacks and are leveraging legitimate third parties to conduct them. Threat actors are also using open source intelligence to impersonate and target specific individuals within companies.
Once trust has been established, the threat actor can further compromise the information system – this includes compromising vendors within the target’s supply chain – by delivering a malicious payload.
The challenge in detecting impersonation attacks is expected to become more protracted in the short term. This is due to the majority of organizations still relying on legacy rule-based email security solutions that are unable to detect sophisticated impersonation attacks.
The FTC has reported a sharp increase in impersonation fraud, with losses totaling $2 billion in the period October 2020 to September 2021. Some of the leading corporations are the most impersonated. In the technology space, Microsoft, Google, Amazon and Apple are among the most impersonated brands.
Email impersonation attacks come in different guises including:
Typosquatting – in this instance the threat actor sets up an email domain that appears to be legitimate, but with one or several characters replaced with lookalike characters, for example using a zero instead of “o.”
Email domain spoofing – the threat actor manipulates the email headers so that a false sender address is displayed to the recipient; for example, the sender’s real email address is “fraudster@cybercrime.com,” but the recipient sees “billgates@microsoft.com” in their inbox. Email domain spoofing will often include some degree of brand impersonation, such as the use of brand logos and email footers, to enhance the apparent legitimacy of the malicious email.
Account Takeover – ATO attacks are possibly the most insidious form of impersonation attacks due to the threat actor leveraging a compromised and “trusted” email account to perpetrate an attack.
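The two header-level tricks above, typosquatting with lookalike characters and a displayed From address that does not match where the mail really came from, can be surfaced from raw headers. The following is an added detection example, not Tessian's code; the trusted-brand list, the homoglyph map and the sample messages are assumptions constructed for the example.

```python
# Added example, not Tessian's code: flag typosquatted and spoofed sender
# domains in raw headers, using the lookalike-character trick (zero for "o")
# and the From/Return-Path mismatch that domain spoofing leaves behind.
from email import message_from_string
from email.utils import parseaddr

# Trusted brand list and homoglyph map are assumptions for this example.
TRUSTED = {"microsoft.com", "google.com", "amazon.com", "apple.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Fold common lookalike characters back to the letters they imitate."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character swaps normalize misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header: str) -> str:
    """Domain part of the address inside a From/Return-Path header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def assess(raw: str) -> list[str]:
    """Return indicator strings for one raw message (empty list if clean)."""
    msg = message_from_string(raw)
    from_dom = sender_domain(msg.get("From", ""))
    path_dom = sender_domain(msg.get("Return-Path", ""))
    findings = []
    if from_dom not in TRUSTED:
        for brand in sorted(TRUSTED):
            if normalize(from_dom) == brand or edit_distance(from_dom, brand) <= 1:
                findings.append(f"typosquat: {from_dom} resembles {brand}")
    if path_dom and path_dom != from_dom:
        # Legitimate third-party mailers also cause this: a signal, not proof.
        findings.append(f"spoof: From {from_dom} but Return-Path {path_dom}")
    return findings

# Constructed sample messages, not real mail.
SAMPLES = {
    "typosquat": "From: Billing <billing@micros0ft.com>\n"
                 "Return-Path: <billing@micros0ft.com>\n\nPay the attached invoice.\n",
    "spoof": "From: Bill Gates <billgates@microsoft.com>\n"
             "Return-Path: <fraudster@cybercrime.com>\n\nUrgent: wire today.\n",
    "clean": "From: Microsoft <noreply@microsoft.com>\n"
             "Return-Path: <noreply@microsoft.com>\n\nYour monthly statement.\n",
}
```

Run `assess()` over each entry of `SAMPLES` to see the indicators; a Return-Path mismatch alone should feed a risk score rather than block mail, since the legitimate mass-mailing services discussed later in this post produce the same mismatch.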
Threat actors often combine a sense of urgency with some prior intelligence to get the target to carry out their request, for example requesting urgent payment of a known supplier invoice to a bank account controlled by the threat actor.
Malicious payloads in the form of attachments or links are also commonly used. The malicious nature of the payload is obfuscated to bypass rule-based security controls.
In the case of a malicious attachment, common obfuscation methods include renaming the file so that it appears to be a “.doc” or “.pdf”; in the case of a malicious link, using third-party mailing services to deliver the link. This can include link redirects: the victim is sent a “safe” link to a benign website, which then redirects to a malicious website.
One noteworthy impersonation attack campaign included the NOBELIUM campaign detected by Microsoft Threat Intelligence. In this campaign, threat actors leveraged a legitimate mass-mailing service Constant Contact to impersonate the US International Development Aid agency (USAID) to distribute malicious URLs to a “wide variety of organizations and industry verticals.”
More recent impersonation campaigns are leveraging a combination of a phishing email and a call-back number, impersonating a well-known and trusted security vendor, in an attempt to compromise the target via remote administration tools (RATs).
The need to upgrade email security is increasingly moving up the priority list.
Legacy rule-based solutions are unable to detect multi-tiered impersonation attacks that remain undocumented in most threat intel engines on which legacy solutions rely.
Adaptive, machine-learning-powered behavioral detection is essential to detect unknown and rapidly evolving threats, including supplier-based ATO attacks.
Leveraging security solutions that incorporate security awareness training as part of the active defense measures remains a key element of ensuring that end-users are in a better position to detect impersonation attacks.
To see how Tessian prevents ransomware attacks and protects against data loss, watch a product overview video or book a demo. For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn.