Fake domains that are only slightly different from the domain of a legitimate company are often leveraged in attacks, and researchers at Anomali recently discovered that cybercriminals abused this technique to target companies in the Financial Times Stock Exchange 100 (FTSE 100).
Brand spoofing is not a novelty in the cybercriminal world, and it does not come as a surprise that FTSE 100 companies are targeted in such attacks. By creating dummy websites, cybercriminals trick users into supplying private data, and Anomali says that 81 companies in the FTSE 100 had potentially malicious domain registrations against them in the past three months.
According to the security company’s report, “The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures,” 527 malicious domain names were registered over the last three months, an average of 5 per company. The Financial Services industry was hit the most, at 376 domains, followed by Retail at 175 and Critical Infrastructure at 75.
The report also reveals that the largest number of these suspicious domains were registered using a Chinese address, with the US in second place and Panama third, the researchers say.
These fake domains can be used in social-engineering attacks in which users are tricked either into entering their personal information or into clicking URLs that result in malware being installed on their computers, the researchers explain.
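The lookalike registrations described above (a brand name with a character swapped, a letter transposed, a plausible word appended, or the same name under another suffix) can be screened for mechanically. The following Python script is an added example, not code from the article or from Anomali; the brand domain, the candidate list and the confusable-character tables are constructed for illustration. It flags each candidate with the reason it resembles the legitimate domain, which is the starting point for a takedown request or a mail-gateway block.

```python
from typing import Dict, List, Optional

# Constructed sample data (not from the Anomali report): one legitimate brand
# domain and a batch of newly registered domains to screen against it.
LEGIT_DOMAINS = ["examplebank.co.uk"]
CANDIDATE_DOMAINS = [
    "examplebank.co.uk",        # the genuine domain, must not be flagged
    "exarnplebank.co.uk",       # "rn" stands in for "m"
    "examp1ebank.co.uk",        # digit 1 stands in for letter l
    "examplebank-login.co.uk",  # brand name with a plausible suffix
    "examplebnak.co.uk",        # transposed letters
    "examplebank.com",          # same label, different suffix
    "weather-report.org",       # unrelated registration
]

# Confusable characters and pairs commonly used in lookalike domains (constructed, non-exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "5": "s", "3": "e"}
MULTICHAR = {"rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Map confusables to the letter they imitate so homoglyph variants collapse."""
    label = label.lower()
    for pair, letter in MULTICHAR.items():
        label = label.replace(pair, letter)
    return "".join(HOMOGLYPHS.get(c, c) for c in label)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_label(domain: str) -> str:
    """The leftmost label, which is where the brand name lives in these samples."""
    return domain.lower().split(".")[0]


def classify(candidate: str, legit: str) -> Optional[str]:
    """Return why `candidate` resembles `legit`, or None if it does not."""
    candidate, legit = candidate.lower(), legit.lower()
    if candidate == legit:
        return None
    c_label, l_label = first_label(candidate), first_label(legit)
    if c_label == l_label:
        return "tld-swap"            # same name under another suffix
    if l_label in c_label:
        return "brand-embedded"      # brand plus extra words (login, secure, ...)
    if normalize(c_label) == normalize(l_label):
        return "homoglyph"           # differs only by confusable characters
    if levenshtein(c_label, l_label) <= 2:
        return "typo"                # one or two edits away
    return None


def find_lookalikes(candidates: List[str], legit_domains: List[str]) -> Dict[str, str]:
    """Map each suspicious candidate to the reason it was flagged."""
    flagged = {}
    for cand in candidates:
        for legit in legit_domains:
            reason = classify(cand, legit)
            if reason:
                flagged[cand] = reason
                break
    return flagged


if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATE_DOMAINS, LEGIT_DOMAINS).items():
        print(f"{domain:28s} {reason}")
```

The checks are ordered from most to least specific so that a brand-with-suffix registration is not mislabelled as a typo, and the edit-distance threshold of 2 is a tuning choice: short brand names produce more false positives at that distance and warrant a threshold of 1. In practice the candidate list would come from a daily feed of new registrations rather than a hard-coded list.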
More alarming, however, is the fact that security researchers also found 5,275 employee email and clear-text password combinations from FTSE 100 companies available on the Dark Web, on paste sites, on hacking forums, or posted through accidental exposure. Moreover, the report reveals that the list includes not only companies headquartered in the UK, but also their global subsidiaries.
The Oil and Gas industry was hit the most by credential leaks, accounting for 20 percent, or 1,090, of the exposed accounts. Pharma, Consumer Goods, Telecoms, and Banking segments were also impacted.
According to the report, an average of 50 employees per FTSE 100 company have had their credentials exposed. This was possible because employees visited non-work-related sites that were subsequently hacked by cyber attackers, Anomali says. Apparently, 40 corporate credentials across 23 companies were exposed in April, when a major UK-based football website had its database dumped on the Dark Web.
“Employees need to be reminded of the dangers of surfing to these types of websites and logging in using corporate email addresses and passwords. Companies should monitor for compromised employee credentials so they can force reset accounts and gather metrics about how often employees are using their work email addresses for access to non-work-related websites,” Anomali notes.
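The monitoring Anomali recommends amounts to matching the mail domains in a leaked dump against the company’s own domains, including those of its subsidiaries, and turning the hits into a reset list and a per-company metric. The following Python script is an added example and not code from the article or from Anomali; the paste contents, the mail domains and the company names are constructed. It parses the common email:password line shape, ignores noise, matches on domain and discards the passwords immediately, since the only action needed is a forced reset.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# Constructed sample (not from the report): lines in the "email:password" shape
# typically seen on paste sites, with case variation and noise lines mixed in.
PASTE_DUMP = """\
alice@examplebank.co.uk:Summer2017!
BOB@ExampleBank.co.uk:football123
carol@examplebank-gmbh.de:qwerty
dave@personal-mail.example:hunter2
--- dumped from a football fan site (constructed header line) ---
erin@examplebank.co.uk:Summer2017!
alice@examplebank.co.uk:Winter2018?
frank@examplepharma.com:letmein
"""

# Monitored mail domains, HQ and global subsidiaries alike, mapped to the parent company (constructed).
MONITORED = {
    "examplebank.co.uk": "Example Bank",
    "examplebank-gmbh.de": "Example Bank",
    "examplepharma.com": "Example Pharma",
}

# email:password, where neither side contains whitespace or a stray colon in the local/domain part.
LINE_RE = re.compile(r"^([^\s:@]+@[^\s:@]+):(.+)$")


def parse_dump(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (email, password) from lines in email:password form; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)  # lowercase: dumps mix address case


def triage(text: str, monitored: Dict[str, str]) -> Dict[str, dict]:
    """Per company: distinct exposed mailboxes (the force-reset list) and raw exposure count."""
    accounts = defaultdict(set)
    exposures = defaultdict(int)
    for email, _password in parse_dump(text):  # password is never stored
        domain = email.rsplit("@", 1)[1]
        company = monitored.get(domain)
        if company is None:
            continue  # not one of ours; nothing to act on
        accounts[company].add(email)
        exposures[company] += 1
    return {
        company: {"accounts": sorted(accounts[company]), "exposures": exposures[company]}
        for company in accounts
    }


if __name__ == "__main__":
    for company, result in triage(PASTE_DUMP, MONITORED).items():
        print(f"{company}: {len(result['accounts'])} accounts to reset, "
              f"{result['exposures']} exposures")
        for email in result["accounts"]:
            print("   ", email)
```

The distinction between accounts and exposures is deliberate: one mailbox appearing in several dumps is one reset but several data points for the metric Anomali describes (how often work addresses are reused on outside sites). Matching on the domain alone will miss aliases and personal addresses that forward to corporate mail, so the monitored-domain map should be kept complete as subsidiaries are acquired or renamed.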