According to Kaspersky, they have found that the service and e-commerce industry has become most targeted by phishing attacks with the domain that looks legitimate.
In 2020, Q3 the sector estimated 35% of all attacks that use domain technique. The reason may be due to the users who rely on online services and shopping during the pandemic. It is hard to detect these types of attacks since 50 percent of fake domains are used only once and 73 percent are active for only one day. The automated multi-layered analysis helps in detecting such attacks without compiling domain lists manually.
The recipients will not notice the mistake that fraudsters will change for example in place of @netflix.com change to @netffix.com or @kaspersky.com to @kapersky.com. Since they are lookalike domains they can pass authentication without any problems, have a cryptographic signature, and do not arouse the suspicion of anti-spam systems.
The conventional method of detecting lookalikes domains is the manual insertion of all possible variants of fake domains into an anti-phishing solution but it is time-consuming and will not be always effective because some options may be missed from the list. It is similar to the police who created an identikit of a criminal but not sure about some of the facial features, so they had to make a hundred identikits with a broad variety of options for the eyes or nose.
When a letter from an unfamiliar sender is received in an email inbox, it goes through anti-spam filters and if nothing malicious is reported, the domain analysis starts. In the first stage, the system compares the domain with all known lookalikes domains, and if no matches are found it moves to the second stage where the system reviews data about the domain, such as registration details or certificates. If something looks different, the investigation process continues and in the 3rd stage the domain is compared with the list of known legitimate web addresses, and this list is also composed automatically. If the system finds any similarity between the suspicious domain and a legitimate one, then the conclusion will consider it as a lookalike.
This approach does not require manual action as compiling a list of legitimate or possible lookalikes domain from the customer and it helps in blocking attacks which use lookalike domains in real-time when they first appear.
This is available at Kaspersky’s solutions with mail server protection and Kaspersky Security for Microsoft Office365.
