“Typosquatting” is the name given to registering a domain name that looks almost identical to a legitimate one: a swapped letter, a digit in place of a letter, or the real brand used as a label inside an unrelated domain. The current campaigns combine such domains with spoofed display names that carry the target’s own usernames and domains, and display names that mimic legitimate services, to slip through email filters. The attackers are also starting to host some of their phishing pages on Microsoft and Google cloud services, so even the link destinations look authentic.
These are highly compelling when they mimic organisations you typically expect to receive email from and would normally trust. We’ve seen examples where the supposed shared document is something you might normally open: OneDrive, SharePoint, Teams or Google Drive links to files with names like “Staff Reports”, “Performance Bonus” or “Price List”.
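As an added example (not code from the original post, nor from KARE for Security), here is a small Python check that applies the two warning signs above to a From: header: a sender domain that is one typo, one look-alike character, or one extra label away from a domain you trust, and a display name that names a trusted service or carries a different address from the one the mail actually comes from. The trusted-domain list, the confusables table and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Domains this organisation treats as trusted senders (an assumption for this example).
TRUSTED_DOMAINS = {"example.com", "sharepoint.com", "onedrive.com", "microsoft.com", "google.com"}

# ASCII look-alike substitutions seen in typosquatted names; real campaigns also use
# Unicode homoglyphs, which a production check would fold with a confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Fold common look-alike characters back to the letters they imitate."""
    s = label.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'goggle.com' is one edit away from 'google.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a domain; a production check would use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    reg = registrable(d)
    if d in TRUSTED_DOMAINS or reg in TRUSTED_DOMAINS:
        return None  # the real domain, or a legitimate subdomain of it
    for trusted in sorted(TRUSTED_DOMAINS):
        # Brand buried inside a longer name: sharepoint.com.secure-docs.net
        if trusted in d:
            return trusted
        # One typo or one look-alike character away from the real name
        if normalise(reg) == trusted or levenshtein(reg, trusted) <= 1:
            return trusted
    return None


def assess_from_header(from_header: str) -> list:
    """Return human-readable findings for one From: header value; empty means nothing suspicious."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["address could not be parsed"]
    actual_domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    imitated = lookalike_of(actual_domain)
    if imitated:
        findings.append(f"sender domain {actual_domain} looks like {imitated}")

    # Display name that itself contains an address on a different domain
    for claimed in re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display):
        if claimed.lower() != actual_domain:
            findings.append(f"display name claims {claimed} but mail comes from {actual_domain}")

    # Display name that names a trusted brand while the address is somewhere else
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display.lower() and registrable(actual_domain) != trusted:
            findings.append(f"display name mentions {brand} but mail comes from {actual_domain}")
    return findings


if __name__ == "__main__":
    # Constructed header values for demonstration, not captured from a real campaign.
    for header in [
        "Jane Doe <jane@example.com>",
        "SharePoint Online <no-reply@sharepoint-docs.net>",
        "Jane Doe <jane@examp1e.com>",
        '"jane@example.com" <payroll.docs@gmail.com>',
        "OneDrive <share@onedrive.com.secure-docs.net>",
    ]:
        print(header, "->", assess_from_header(header) or ["ok"])
```

Run it over the From: values your mail filter exposes; any non-empty result is a reason to treat the message as suspect before opening anything in it. The registrable-domain logic is a two-label heuristic, so for domains like example.co.uk you would substitute a Public Suffix List lookup.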
If you click on the link it will take you to a fake login page. These fakes are very high quality, and of course we’re all so used to logging in to 365 or Google that most of us will simply type in our credentials. Once you do that, the hacker has got you.
Hopefully you have turned on MFA. Multi-factor authentication makes it harder for the hacker to get to your data, but not impossible. The simplest thing they can do is have the fake website immediately replay your credentials against the real service and try to log in as you. If that triggers an MFA prompt, the fake page will ask you for your code, or your authenticator app will prompt you to approve a login you did not start. At least you have had a moment to think about it though.
The best defenses are:
- Paranoia – check everything!
- MFA with geo-blocking – chances are the hacker is somewhere like Eastern Europe or the Middle East and you don’t normally get logins from there. Of course, that isn’t true for all of us, and the hacker could have hijacked a computer closer to hand and be logging in through it.
- URL scrubbing and ATP (Advanced Threat Protection) – using systems like the ones in KARE for Security to ‘wash’ URLs, rewriting and scanning each link before you reach it, albeit harder to enforce on mobile devices.
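The geo-blocking point can also be applied after the fact to your sign-in logs. The following Python is an added example, not part of the original post or of KARE for Security: it builds a per-user baseline of countries from earlier successful sign-ins, then blocks anything from outside the countries the organisation expects and raises for review anything that is allowed in general but new for that particular user. The log lines, the country allowlist and the cutoff date are constructed for the example; real sign-in logs (Microsoft 365, Google Workspace) carry the same information under their own field names.

```python
import json
from datetime import datetime

# Countries the organisation expects sign-ins from (an assumption for this example).
ALLOWED_COUNTRIES = {"GB", "DE"}

# Constructed sign-in records in the shape of a cloud identity provider's log; not real data.
SIGNIN_LOG = """
{"time": "2020-04-01T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "result": "success"}
{"time": "2020-04-02T09:15:40Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "result": "success"}
{"time": "2020-04-03T10:01:02Z", "user": "bob@example.com", "ip": "198.51.100.7", "country": "GB", "result": "success"}
{"time": "2020-04-05T18:30:00Z", "user": "bob@example.com", "ip": "198.51.100.9", "country": "DE", "result": "success"}
{"time": "2020-04-20T03:12:45Z", "user": "alice@example.com", "ip": "192.0.2.55", "country": "RU", "result": "success"}
{"time": "2020-04-20T03:13:20Z", "user": "alice@example.com", "ip": "192.0.2.55", "country": "RU", "result": "mfa_denied"}
{"time": "2020-04-21T07:45:00Z", "user": "bob@example.com", "ip": "198.51.100.9", "country": "DE", "result": "success"}
{"time": "2020-04-22T09:00:00Z", "user": "alice@example.com", "ip": "198.51.100.9", "country": "DE", "result": "success"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines sign-in events and sort them by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        # Accept the trailing 'Z' on older Python versions as well
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events: list, cutoff: datetime) -> dict:
    """Countries each user signed in from successfully before `cutoff`."""
    baseline = {}
    for e in events:
        if e["time"] < cutoff and e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(e["country"])
    return baseline


def flag_signins(events: list, baseline: dict, cutoff: datetime) -> list:
    """Return alerts for sign-ins at or after `cutoff` that fall outside the expected geography."""
    alerts = []
    for e in events:
        if e["time"] < cutoff:
            continue
        usual = baseline.get(e["user"], set())
        if e["country"] not in ALLOWED_COUNTRIES:
            action = "block"      # geo-blocking: nobody here logs in from there
        elif e["country"] not in usual:
            action = "review"     # allowed in general, but new for this user
        else:
            continue
        alerts.append({
            "user": e["user"], "country": e["country"], "ip": e["ip"],
            "result": e["result"], "time": e["time"].isoformat(), "action": action,
        })
    return alerts


def run(cutoff_iso: str = "2020-04-10T00:00:00+00:00") -> list:
    """Baseline on everything before the cutoff, then evaluate everything after it."""
    events = parse_log(SIGNIN_LOG)
    cutoff = datetime.fromisoformat(cutoff_iso)
    return flag_signins(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The mfa_denied result right after a successful password from the same unusual address is the pattern the paragraph above describes: the stolen credentials were replayed and the user declined the prompt. Note the caveat from the list: if the attacker is working through a hijacked machine in your own country, the block tier never fires, which is why the per-user review tier and the MFA result still matter.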
Some clues have emerged from the current attack. Look out for phrases like ‘referral’ or ‘reminder – x shared this with you 7 days ago’.
Remember, we’re more vulnerable than normal when working from home, where it is harder to check with a colleague or IT whether a message is genuine.