Disrupting Smishing Attacks Midstream, Take Down Fraudulent and Malicious Domains When Registered
By Chua Zong Fu, Vice President, Consulting at Ensign InfoSecurity
Phishing is most prevalent in cyber attack campaigns. Due to its simplicity, ease of obtaining tools for attacks, and believability when exploiting human weaknesses, phishing remains one of the most effective methods to trick unsuspecting victims into providing sensitive information, such as usernames, passwords, or bank accounts.
Today, threat actors have further evolved their tactics in smishing, or SMS phishing. This is a phishing attempt via SMS text message, WhatsApp, or any messaging platform. They are now employing smishing with a high level of realism in their cyber attack campaigns. These smishing attacks often include fake claims for parcel delivery, alerts of disruptions to services or subscriptions, or tempting promotions—urging the unsuspecting victims to click on malicious links. The Singapore Police Force highlighted that in September 2021 alone, at least 150 victims were believed to have fallen for such scams1.
Additionally, smishing attempts also come with links to malicious websites that are made to look like legitimate websites, tricking users to enter their username and password details. In 2021, the Hong Kong Monetary Authority published more than 180 alerts on fraudulent, suspicious, and unauthorised websites and mobile apps2.
It is common for threat actors to register websites with domain names similar to legitimate company websites to deceive end-users. Advanced phishing attacks use Homoglyph and Typosquatting techniques to trick users into clicking on malicious links:
- Homoglyph – Threat actors use deceptive characters to create visually indistinguishable hyperlinks. it leverages the Unicode system that incorporates multiple writing systems with similar-looking characters.
- Typosquatting – Threat actors register misspelt URLs of genuine organisations to trick end-users into divulging sensitive information, believing that they are on legitimate sites.
If unaddressed, such smishing attacks not only will lead to financial losses, but also cause significant damage to the reputation of affected organisations.
One approach to stop such domain masquerading attacks is to disrupt them midstream when threat actors are still preparing for an attack. By leveraging deep-learning technologies and cyber threat intelligence, organisations can put in measures to detect attacks before, during and after attacks. These include:
- Pre-emptively generating a list of domain names that look similar to legitimate company domains
- Monitoring this domain name list for registration changes (An early warning indicator of attacker activities)
- Leveraging on threat intelligence to identify ongoing campaigns and their related domain
- Investigating the domains for logos and visual similarities to legitimate domains as evidence for takedown
This approach allows organisations to proactively disrupt potential smishing attacks before they are launched, putting them ahead of their attackers.
Furthermore, we have developed a novel approach that has enhanced our detection of phishing attempts. It leverages on image recognition and transformer neural networks. By integrating this approach into our technology stack, coupled with up-to-date cyber threat intelligence, we can automatically detect and correlate elusive phishing attacks, as well as uncover lookalike domains hidden to the naked eye with greater accuracy and confidence.