Domain Typo Squatting, yes that is really a thing!
It is a very simple and clever method that hackers use to deceive users into thinking a legitimate entity has emailed them, often one they know or have communicated with in the past. Domain Typo Squatting is a technique used by attackers to form a real domain, that looks similar to the legitimate domain.
What occurs is hacker purchases similar looking domain names, tactfully misspells the domain name or substitutes letters or numbers for similar looking characters; so substituting an O (Oscar) for a ‘0’ (zero) or an ‘I’ (India) with a ‘l’ (Lima) so the spelling still looks similar to a known legitimate domain when really, it’s a different spelling and its not that entity at all!
For example, let's take a (pretend) legitimate domain and (pretend) company called: www.solicitors.net.uk and we substitute the first ‘l’ (Lima) with a capital ‘I’ (India) and let’s look at this in the email message using Outlook.
The top email is with the correct spelling, and the bottom with the misspelt capital I (India) instead of the ‘L’ (Lima), they look exactly the same!
And for those who are as cynical as me and don’t believe me try it yourself and follow the link and see what your default browser displays, or simply hover over the two links and you will see the bottom one is spelt with 'email@example.com' but even on the web page looks the same on face value.
Legit (correct spelling) - firstname.lastname@example.org
Fake (incorrect spelling) user@soIicitors.net.uk
The other method a hacker could use to obtain a fake but convincing domain, is to spell the first part of your name correctly but purchase a different domain, for example the (pretend) legitimate solicitors.net.uk, the hacker may purchase solicitors.net.com or .org etc so it still looks legitimate and plausible to the recipient.
How Does This Get Exploited?
Typically, in the cases 3B Data Security investigates, this technique has been employed in two ways, either shortly after a compromise has already occurred of a single user mailbox or to initially compromise a mailbox.
If a hacker has compromised a mailbox, they copy the legitimate email thread, sender and recipients details and initiates their own email thread to the one of the parties, (usually the client) utilising the same style and details already shared and also the historical and legitimate email thread, which makes it all the more plausible to receive an email from the hacker.
However, the email from the hacker is sent from their own fake domain (that has one letter spelt wrong for example) and in our example the legitimate solicitors would have no idea this is occurring, as the emails are not being sent via their email systems; the client has no reason to question the validity of the hackers email, as it has the same senders user name, it has the genuine historical email thread and the domain name ‘appears’ to look exactly the same.
Below is a fabricated example that mimics the type of fake emails 3B Data Security sees on these types of cases.
If you were expecting a message from the legitimate company or already knew them would you go to the trouble of checking the characters in the email domain, especially if it had previous correspondence in it?
The hackers often monitor compromised email boxes for the opportune time, and we have seen many cases where they manage to send an email to a client and update the bank details to their own details and the client pays the hacker and not the solicitor.
It is near-on impossible to obtain the money back once this has occurred, then the accusation of blame kicks in as to who is at fault, the sender of the money or the company that the hacker was impersonating.
The other method 3B Data Security has seen where this technique has been successful is the initial compromise of a mailbox account.
A hacker has already purchased a fake domain of a legitimate looking business (after changing a letter or two). They will then use some other means, like social engineering, looking up the client base on a company’s website, or staff list from trawling LinkedIn, opportunistically emails en-masse or targets specific users pretending to be from the legitimate company, asking them for help, tricking them or scaring them into following a phishing link like the ones detailed above.
Perhaps pretending to impersonate someone from the IT Department etc utilising the legitimate person’s name, which they have sourced from doing their LinkedIn trawls; saying please follow the link and reset your Microsoft 365 password.
The recipient obliges (everything looks legit!) and once this occurs, the hacker has access to the first mailbox and can start the next stage of the attack, including executing the first example of monitoring and crafting a more targeted attack on the next victim using real data from the initial compromised mailbox.
What Can Be Done To Prevent This?
There is no simple answer to stop someone buying misspelled domains, other than purchasing variants of the domain name for your organisation in advance in preparation, but it is not a fool proof prevention method and may just be a cat and mouse game in which the cost could mount up depending on your domain name; and all the variants you need to buy like .com, .co.uk, .net, .org.uk and so on (I should have got myself affiliated to a domain name registrar; I could have got some commission!).
You may have a decent mail or spam filtering system in use within your organisation, that checks reputation of domains or similar, but this is not going to help your clients, who the hacker may be targeting if they are impersonating you with a fake domain.
Probably the main preventative method is security awareness training for your staff and where possible and depending on your profession, your clients as well.
Other processes like not sharing bank details in emails or using secure email systems or specific file sharing systems rather than putting the sensitive data in a body of an email could be used to prevent or at least possibly detect the phishing or email impersonation attack.
The more you can do to educate your users (or your clients) the better they will be at spotting the anomalies and raising the fact that if they do get a request to share bank details in email, they know that is not the correct practise and should raise a concern.
There is no harm in employing 'old skool' communication methods, (especially now the world is working remotely) and picking up the phone and double checking with the (potential) sender of the email, 'did you really want me to transfer all of this month's salaries to this new bank account?'.
About The Author.
Benn has spent many years in digital forensics, investigating breaches of sensitive data. As Office/Microsoft 365 gained popularity it started to become another common focus for attacks and data loss, Benn has focussed on investigating and proactively securing/locking down the Microsoft 365 environment. If you need any additional help or advice on M365 reach out on IR@3BDataSecurity.com or 01223 298333.
There are many other M365 configurations that can be locked down and secured on the similar topics, and Benn will cover these in future 3B Data Security Insight blogs in the future.