Recent SMS Phishing Attacks Reveal the Dangers of MFA Lookalike Domains

By Krupa Srivatsan, Director of Product Marketing at Infoblox

In cybersecurity, the weakest link is often the human element. This proved to be true in a series of recent SMS phishing attacks.

In February, the Coinbase cryptocurrency exchange platform revealed that it was the target of a cyberattack that lured one of its employees, via SMS, to log into a company account to read an important message. The employee was taken to a phishing site where he entered his credentials. Once the attacker had the stolen credentials, he tried to log in to Coinbase’s internal systems but was not successful due to multi-factor authentication (MFA). After failing to authenticate, the attacker called the employee, claiming to be Coinbase’s IT department. The employee believed the caller to be legitimate and started following the attacker’s instructions. Soon after, Coinbase’s CSIRT (Computer Security Incident Response Team) saw alerts of suspicious activity from the employee and immediately contacted him, at which point he stopped all communications with the attacker. Since then, several other companies have confirmed that they were subject to the same attack, including Reddit, Zendesk, Twilio, DoorDash, and Namecheap.

Attackers love phishing because it is cheap and all they need is one person to make a mistake and click on the link. SMS phishing attacks, commonly called smishing, have increased in frequency recently, and the Coinbase incident above is one of them. Infoblox is actively tracking actors who operate massive, resilient smishing operations.

Phishing involves tricking the victim into clicking on a malicious link and providing personal information, such as passwords, credit card numbers, or social security numbers. Phishing attacks can start with an email, an SMS, a phone call or social media messages that appear to be from a legitimate source, such as a bank, social media platform, or an online store. The message typically includes a link or attached file for the recipient to click on or open.

Connecting Phishing Attacks to Lookalike Domains

Lookalike domains are used in phishing and spear phishing attacks such as the one that targeted Coinbase. Lookalike domains can imitate any organization, including well-known consumer businesses such as Paypal, Bank of America or Facebook, businesses large and small without a consumer focus, and an organization’s suppliers or partners.

Read on to learn more about lookalike domains related to multi-factor authentication and how you can stay protected.

Infoblox Identifies Attacks Related to MFA Lookalike Domains

Infoblox Threat Intelligence Group dug into historical data following the disclosures. They found that these MFA-related attacks began in January 2022, or earlier, and that there was a steep rise in registrations for lookalike domains related to MFA starting in August 2022.

A summary of the team’s findings is as follows:

In total, since January 2022, over 1600 domains were registered as lookalikes to MFA domains.

Large companies began registering domains in Summer 2022, likely as a proactive measure, but many others are suspicious and possibly related to phishing attacks.

These attacks are likely the work of multiple independent actors, and targeted large financial institutions, software companies, service providers, insurance companies, and government-related organizations globally.

The team detected MFA lookalikes for major services such as Dropbox, Paypal, Microsoft, Okta, Netflix, Amazon, Tripadvisor, and YouTube, in addition to those reported in the media.

Using Infoblox Suspicious and Emergent Domain Feeds to Stay Protected

We all know the age-old adage, “The bad guys only have to be right once, while we have to be right every time.” Being right every time is easier said than done in cybersecurity.

To help organizations stay a step ahead of the attackers, especially when it comes to lookalike domains, Infoblox provides suspicious emergent domains data as a feed for BloxOne Threat Defense customers. These are domains that share common indicators with other known malicious sites, but have not been classified as malicious yet.

Since the launch of our suspicious emergent domains data in early November 2022, Infoblox has detected 75% of the MFA lookalike domains registered with these characteristics as suspicious. This means customers who had the suspicious feeds and set the policy to “block” were protected against those MFA lookalike domains.

In addition to using these feeds, customers of BloxOne Threat Defense can use the built-in lookalike domain detection service, where they can submit their organization’s own domain, or domains frequently visited by or controlled by the organization, for lookalike protection. The Threat Intelligence Group will determine high-risk lookalike domains for initial assessment and monitoring. Customers are notified of suspicious activity related to these lookalike domains for visibility and as an advance warning to help the organization avert a potential network breach or customer threats.
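As an added illustration of the kind of lookalike scoring a defender can run over a batch of newly registered domains (example code written for this page, not Infoblox's service or feed logic), the snippet below normalizes digit-for-letter substitutions, then checks each domain for an exact brand match, a homoglyph match, a brand name embedded with MFA/login tokens, or a near-miss spelling. The brand list reflects services the page names, and the sample domains are constructed.

```python
import re
from difflib import SequenceMatcher

# Services the page names as having MFA lookalikes; add your own domains here.
BRANDS = ("okta", "dropbox", "paypal", "microsoft", "netflix", "amazon")
# Tokens that lookalikes append to a brand to look like an MFA/login flow.
MFA_TOKENS = ("mfa", "2fa", "otp", "verify", "auth", "login", "sso")
# Digit substitutions that read like letters (normalized before comparing).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def second_level(domain: str) -> str:
    """Return the registrable label, e.g. 'okta-verify' for 'okta-verify.example'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize(label: str) -> str:
    """Collapse homoglyphs and separators so '0kta-mfa' becomes 'oktamfa'."""
    label = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", label)

def classify(domain: str, brands=BRANDS):
    """Return (verdict, brand, score); verdict is one of
    'legitimate', 'homoglyph', 'embedded', 'typosquat', 'clean'."""
    raw = second_level(domain)
    norm = normalize(raw)
    for brand in brands:
        if raw == brand:            # the brand's own apex label, leave alone
            return ("legitimate", brand, 0.0)
        if norm == brand:           # e.g. '0kta' normalizes to 'okta'
            return ("homoglyph", brand, 1.0)
        if brand in norm:           # brand plus MFA/login tokens, e.g. 'okta-mfa-verify'
            tokens = [t for t in MFA_TOKENS if t in norm]
            return ("embedded", brand, 0.9 if tokens else 0.6)
        ratio = SequenceMatcher(None, norm, brand).ratio()
        if ratio >= 0.8:            # a character or two off, e.g. 'dropbx'
            return ("typosquat", brand, round(ratio, 2))
    return ("clean", None, 0.0)

def flag_registrations(domains, threshold=0.6):
    """Filter a batch of newly seen domains down to those worth analyst review."""
    hits = []
    for d in domains:
        verdict, brand, score = classify(d)
        if verdict != "legitimate" and score >= threshold:
            hits.append((d, verdict, brand, score))
    return hits

# Constructed sample batch (not indicators from the page).
SAMPLE = ["okta.example", "0kta.example", "okta-mfa-verify.example",
          "dropbx.example", "paypa1-login.example", "weather.example"]

if __name__ == "__main__":
    for hit in flag_registrations(SAMPLE):
        print(hit)
```

The thresholds and token list are starting points; a production feed would also weigh registration age, registrar and hosting overlap with known malicious sites, which is what the page describes the suspicious-domain feed doing.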

Phishing attacks are a serious threat to individuals, businesses, and organizations. By being aware of the signs of a phishing attack and taking steps to protect yourself, you can reduce the risk of falling victim to one.

You don’t have to be a cybersecurity expert to be secure, but you do have to be aware and proactive.
