Last month brandsec was engaged to assist several brands to enforce against lookalike domain names that were being used to impersonate them and their employees. The false domain names in question appeared legitimate, and the brand's website was simply copied to make them look authentic. The common issue in all cases was that the bad actor sent purchase orders (P.O) via email to the target's customers and partners for services they were legitimately engaged for.
We managed to liaise with the Registrars and Hosting providers involved and quickly got the offending domains suspended, but the number of attacks last month prompted us to write this blog.
The recent spate of attacks targeted government agencies as well as well-known ASX-listed brands.
These particular P.O scams were sophisticated and seemingly well planned. It is possible that they followed some type of hack where the bad actor had collected intelligence about a commercial engagement or relationship.
In one case, the bad actor used hyphens in an attempt to trick their targets, for example city-of-example-gov.com. In another attack, the bad actor used the identical brand in an open TLD, meaning there are no registration restrictions (proof of ID, ABN, etc.). In this case they simply swapped the .com for a .co (example.co). We have listed the top abused TLDs in the world here.
Fake Domain Email Purchase Order Scam – What to look for
The characteristics of an invoice or purchase order scam are as follows:
- The sender’s email address is not on the legitimate domain the brand uses for email.
- The fraudulent email addresses will likely contain misspellings of the domain.
- The email message may be poorly written, with misspellings and awkward sentence structure.
- The email or purchase order may include an attachment designed to look like a P.O from the target company, complete with a logo or other graphic and a signature that may look legitimate.
- The P.O will include a delivery address that is typically not associated with the legitimate brand.
- The sender may use the name of an employee in the email signature.
According to ScamWatch almost 13.5M has been lost in reported billing scams, so it’s important that brands remain vigilant and implement steps to mitigate and address incidents when they occur.
Steps to Mitigate and Address
- Monitor: Deploy a domain name monitoring solution that can find look-alike domain names shortly after they are registered.
- Register: Defensively register look-alike domain names that could be confused for your core domains.
- Enforce: If an incident occurs, brandsec can engage our Registrar & host network to suspend the offending domain name.
- Awareness: Communicate incidents to suppliers and customers and make them aware of the incident, method of attack and most importantly what to look for.
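The two patterns described above (hyphenated variants such as city-of-example and open-TLD swaps such as .com to .co) together with the "Monitor" and "Register" steps come down to one question: which domains should a brand watch or defensively register, and does the sender domain on an inbound P.O belong to that set? The following Python example, added here and not code from brandsec or the original post, generates that watch list for a constructed brand (the word parts "city of example" on a gov.au domain, an assumption for the example) and classifies a sender address against it. The open TLD list, the homoglyph table and the edit-distance threshold of 2 are all assumptions chosen for illustration; a real monitoring service would use its own registration feeds.

```python
"""Lookalike-domain helpers: build the variants a monitoring feed should watch
for, and classify the sender domain of an inbound purchase-order email."""

from itertools import product

# Constructed sample values (assumptions for this example, not incident data):
# the brand's real domain split into its word parts, and the open TLDs to watch.
BRAND_WORDS = ["city", "of", "example"]
LEGIT_TLD = "gov.au"
WATCH_TLDS = ["com", "co", "net", "org", "com.au"]
# Small homoglyph table: characters that read like the original at a glance.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "m": ["rn"], "e": ["3"], "a": ["4"]}


def legit_domain():
    """The brand's genuine domain, e.g. cityofexample.gov.au."""
    return "".join(BRAND_WORDS) + "." + LEGIT_TLD


def hyphenated_labels(words):
    """Every way of joining the word parts with or without a hyphen at each boundary."""
    labels = set()
    for seps in product(["", "-"], repeat=len(words) - 1):
        label = words[0]
        for sep, word in zip(seps, words[1:]):
            label += sep + word
        labels.add(label)
    return labels


def typo_labels(label):
    """Single-character omissions, adjacent transpositions and homoglyph swaps."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])  # omission
        if i + 1 < len(label):  # transposition of neighbours
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for sub in HOMOGLYPHS.get(label[i], []):  # homoglyph substitution
            out.add(label[:i] + sub + label[i + 1:])
    out.discard(label)
    out.discard("")
    return out


def lookalike_domains():
    """Watch list: hyphen and typo variants of the label across the real and open TLDs."""
    labels = hyphenated_labels(BRAND_WORDS)
    for lab in list(labels):
        labels |= typo_labels(lab)
    tlds = [LEGIT_TLD] + WATCH_TLDS
    domains = {f"{lab}.{tld}" for lab in labels for tld in tlds}
    domains.discard(legit_domain())
    return domains


def levenshtein(a, b):
    """Edit distance, used to catch misspellings the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(email):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the domain of a sender address."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    if domain == legit_domain():
        return "legitimate"
    if domain in lookalike_domains():
        return "lookalike"
    # Fallback: compare the first label (hyphens removed) against the brand label.
    label = domain.split(".", 1)[0].replace("-", "")
    if levenshtein(label, "".join(BRAND_WORDS)) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender addresses in the style of the incidents described above.
    for addr in ["accounts@cityofexample.gov.au", "accounts@city-of-example.com",
                 "Accounts <accounts@cityofexample.co>", "ap@cityofexampel.gov.au",
                 "sales@unrelated-vendor.com"]:
        print(f"{addr:45s} -> {classify_sender(addr)}")
```

The generated set is what a brand would feed into a domain monitoring alert or weigh up for defensive registration; the classifier is the check an accounts-payable mailbox rule or a staff awareness exercise can apply to the "From" address before a P.O is actioned. The edit-distance fallback is deliberately loose, so treat a "lookalike" result as a prompt to verify the order out of band rather than as proof of fraud.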
brandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.