Beware the evil twin (domain name)

We’re seeing a sharp rise in the number of attackers using an evil twin type of attack to steal money or intellectual property, or to gain a foothold in a target company that can later be used to gain further access into that company or into other companies, including its customers, vendors and other trade partners. In this type of attack, the bad actor purchases a domain similar to the target’s domain and then inserts themselves into a conversation with a customer, vendor or other trade partner, posing as the target. For example, if the target domain is mycompany-llc.com, the threat actor may buy mycompany-l1c.com, and an attack may look something like the following:

The bad actor uses open-source intelligence (OSINT) to learn about My Company LLC’s business, including details about their products and services, billing practices and some of their vendors, customers, etc. One of My Company LLC’s clients is Your Company, and the threat actor decides that Your Company is going to be the victim. They then use OSINT again to find out who at yourcompany.com is in charge of paying invoices and what kind of products and services Your Company purchases from My Company, LLC. Lastly, they learn how My Company, LLC structures their emails (email address format, fonts, signature blocks, etc.), perhaps by sending a request to sponsor a youth sports team and then copying the format of the response. At this point, our bad actor has all that he or she needs to launch an attack. They send a spoofed email from mycompany-llc.com to accountspayable@yourcompany.com that looks and feels like an actual email from mycompany-llc.com, but the reply-to address is actually at mycompany-l1c.com. When the accounts payable person replies (to what looks like an entirely legitimate email), the reply goes to mycompany-l1c.com, the rest of the thread is with the attacker, and accountspayable@yourcompany.com is none the wiser. The bad actor can take things one step further: after gaining access to a legitimate user’s mailbox at mycompany-llc.com, they set up email rules that forward messages with specific words (invoice, remittance, etc.) in the subject to the mycompany-l1c.com domain and then delete them from the legitimate mycompany-llc.com email account.

Best Practices

  • Be vigilant and monitor for evil twin domains. One easy way to do this is with DNS Twister.
  • Document processes for change requests (account numbers, routing numbers, etc.) that include a secondary form of contact like a phone call to a pre-established telephone number.
  • Educate your users on the threat. Make certain that they’re aware that these types of attacks exist and encourage them to question anything that seems off if it’s being requested via email. Also, consider investing in either online or in-person Security Awareness Training.
  • Ensure that your users have a clear path to report suspected email-based attacks, typically either an internal contact or a trusted third-party IT Support Provider.
  • Test your users. Use available tools to test your users by sending phishing emails to them to see how they respond in the real world. In many cases, these phishing tools can be automated to enroll users into online Security Awareness Training if they fall victim to one of the tests.
  • Use existing protections like SPF, DKIM and DMARC to protect your domain name.
  • Use email security services to “tag” or “label” suspect emails, such as those from sending domains that have a poor reputation or have only recently been registered.
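As an added illustration of the attack described above and of the monitoring recommended in the first bullet (example code written for this post, not a tool from the original article or from Cyber Tech Cafe), the script below flags an inbound message whose Reply-To domain differs from its From domain and checks whether either domain is a one-character or look-alike variant of a domain you trust. The sample message is constructed to match the mycompany-llc.com / mycompany-l1c.com scenario; the trusted-domain list and the homoglyph table are assumptions you would tailor to your own vendors.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the scenario in the post:
# the visible From is the real vendor domain, the Reply-To is the look-alike.
SAMPLE_EMAIL = """From: Billing <billing@mycompany-llc.com>
Reply-To: Billing <billing@mycompany-l1c.com>
To: accountspayable@yourcompany.com
Subject: Updated remittance details for invoice 1042

Please update our banking information before paying the attached invoice.
"""

# Characters that look alike in common fonts (assumed, non-exhaustive table);
# an evil twin often differs from the real domain by only such a swap.
HOMOGLYPHS = {"l": "1", "1": "l", "i": "l", "o": "0", "0": "o", "rn": "m", "m": "rn"}

def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; a value of 1 means 'one typo away'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like(domain, trusted):
    """True if domain is a near-miss of trusted (one edit or a homoglyph swap)."""
    if domain == trusted:
        return False
    if edit_distance(domain, trusted) <= 1:
        return True
    return any(domain.replace(src, dst) == trusted or trusted.replace(src, dst) == domain
               for src, dst in HOMOGLYPHS.items())

def check_message(raw, trusted_domains):
    """Return a list of findings for a raw RFC 5322 message (empty means clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    for dom in {from_dom, reply_dom} - {""}:
        findings += [f"{dom} is a look-alike of trusted domain {t}"
                     for t in trusted_domains if looks_like(dom, t)]
    return findings
```

Running `check_message(SAMPLE_EMAIL, ["mycompany-llc.com"])` produces two findings: the Reply-To/From mismatch and the look-alike match against the trusted vendor domain, which is exactly the signal an accounts payable mailbox filter should raise before anyone replies.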

Need IT Support for your Home or Business? We’d love to help!

Are you a small to medium-sized business looking to leverage technology and enable your business and workforce to work smarter and more efficiently? Do you already have computers, servers, firewalls, VPNs or other technology that you’re not taking full advantage of? Are you looking for an IT Service Provider who understands small to medium-sized businesses’ needs and the challenges that we face, and who can work with you to grow your business rather than just sell you time?

Cyber Tech Cafe is an IT service company with a focus on helping small to medium-sized businesses get the most out of their technology investment. As a small business ourselves, we understand the challenges you face and have designed our service offerings to help you get the most out of your technology dollar. We offer on-call, as-needed support if you just need a quick fix or an extra set of hands right now. We also offer maintenance plans that we call “MyIT” that are designed to address the most common concerns (patch management, disaster recovery / backup, log review, etc.), are priced on the number of workstations and servers that you have, and have no term contract. We believe that, if you find value in what we’re doing, you’ll find a way to keep us around without a contract saying that you have to.

If you have questions about the MyIT plans or have an IT need that you need addressed right now, let us know. We look forward to the opportunity to earn your business.