Anything that can be done with a domain spoofing your name (one letter off)?
Posted by ADynes@reddit | sysadmin | 38 comments
So we have a situation where someone is emailing our customers/vendors asking for payment via ACH using an email address similar but not the same as ours. So for example ours being JSmith@RandomInside.com and them using JSmith@RandomInsde.com (no i). One of our vendors fell for it and sent out a 40k payment to the wrong bank account. We were not at fault at all in that case, the vendor in question had their email account compromised and someone was watching the email in and out for weeks and custom-crafted an email based on that information. They still lost 40k and weren't happy.
So I have done a WHOIS on the domain, everything is protected by privacy. I emailed the "abuse" email for the registrar but never get anything back. Where do I go from here?
And before anyone asks why we didn't register the domain. Ours was registered in 2006. This other domain was registered in 1997, 9 years prior. So nothing we can do there.
Seductive-Kitty@reddit
Not your circus. Their accounting department not reading emails properly & their IT not picking up a compromised account isn't your problem
tomhughesmcse@reddit
THIS is the answer… if someone sent a letter to someone with your return address on it as a scam halfway across the country, how is that your problem? You aren’t responsible for the internet bad guys, it’s the responsibility of the receiving party to do their due diligence. You have nothing to do with this.
imnotaero@reddit
Obligatory mention of gail.com. Visit and enjoy.
AvonMustang@reddit
Check the source of the page for an Easter Egg of sorts...
imnotaero@reddit
lol thanks for the heads up!
cjcox4@reddit
I know our company's solution is litigation. We even have a process for this, as this is done quite often.
Part of "having a brand", especially one that is trademarked, is your (the holder's) responsibility of showing effort in protecting the brand. It's like, sure the government/authorities will help, but if you didn't "try", maybe you get your trademark taken away from you. Just one of those things...
With that said, while the above is "the letter of the law", in general, failure to be concerned about your trademarks thing isn't really "enforced" in general. But.... there is that "letter of the law"...
In your case, the "value" of protecting the trademark (?) is important to prevent the exploitation around "near misses" and the confusion that creates. So, even apart from the unenforced weird laws with regards to trademarks, a company might feel it's worth the "huge spend" to have a legal team combating those that are trying to "cybersquat" domain names.
Good luck.
Oh, and trademark holders sometimes have the upper hand, especially if well established and into international commerce, etc. That is, even if I have "myfirstname-lastname" registered, if your trademark is close to that, you may be able to force me to lose my domain, even if registered years earlier. Not exactly fair, just telling you how it is.
itishowitisanditbad@reddit
Tell that to Nissan.com
cjcox4@reddit
IMHO, as with almost any litigation, it's something you can take "bets on" in Vegas. Sometimes you win, sometimes you lose and often times there's no discernible pattern.
Tymanthius@reddit
Key fact there is that the primary holder had a legit claim. I think it was a family name and business?
wosmo@reddit
and a legitimate use. Even being his real name, if he'd been trying to pass himself off as the eponymous motor company, neither of us would have heard the tale because it wouldn't have reached its first hearing.
Mindestiny@reddit
Litigation is the answer, this isn't an IT problem, it's a business problem.
Serafnet@reddit
Yup. This is how we dealt with a domain squatter that was trying to get us to buy it for five figures.
Legal costs were much less.
bageloid@reddit
Plenty of companies offer this as a service:
https://www.zerofox.com/demo/domain-protection
https://docs.rapid7.com/threat-command/initiate-a-takedown-remediation/
https://www.netcraft.com/website-takedown-service/
https://alluresecurity.com/
SecAbove@reddit
Will they take care or help with taking bad domains down, or informing your partners? Thanks.
bageloid@reddit
They will notify you of the copycat and if you choose, they will take down the domain on your behalf. You are responsible for all customer comms afaik.
Pain_n_agony@reddit
Proofpoint will if you subscribe to their email defense service
Mrh592@reddit
We recently had an attacker do something similar to us too, bought a similar domain name but they also rang up as a fake potential client to obtain an invoice. They used it as a template to send to a few of our clients, adjusting the contact and bank details.
tjn182@reddit
Used to admin a private finance company, we were a big target for this type of attack. We developed a system of confirmation that was required before changing payment information.
Email saying new ACH account? Must confirm with authorized contact via phone. This information is provided at time of financing, so easy to reach out. Ended up being a good safeguard. Almost, if not all, attacks came from email compromise of our customers (small businesses with no IT).
This is something outside of your control. If there is an active campaign against your customers, I would wonder how your customer information has been exposed... that should be private information.
jstuart-tech@reddit
If you're talking about mail where you aren't even in the loop (e.g. Attacker -> Recipient), there is literally nothing you can do apart from trying to buy all the domains yourself (which is a never-ending battle).
If the Recipient has Defender for O365, they can add your domains into the Domain Impersonation Protection
https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about#domain-impersonation-protection
TinderSubThrowAway@reddit
We got one from a “customer” that swapped rn for an m.
The customer wasn’t microsoft but as an example the domain looked like @rnicrosoft.com vs microsoft.com
Pretty tricky but we caught it fortunately before they followed the link to the rando file share website.
lasteducation1@reddit
Sneaky rnotherfucker 😂
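The "one letter off" domain in the original post and the rn/m swap described above are both cases a receiving mail gateway can flag automatically. The following is an added example (not code from anyone in the thread): it normalises a sender domain to a visual "skeleton" (so rnicrosoft.com collapses to microsoft.com) and computes the edit distance to a constructed list of legitimate domains; RandomInside.com and microsoft.com are used only as illustrative names.

```python
import unicodedata

# Constructed list of the organisation's legitimate sending domains (placeholder).
LEGIT_DOMAINS = {"randominside.com"}

# Multi-character sequences that render like a single letter in many fonts.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w", "cl": "d"}
# Single characters commonly substituted for a lookalike letter.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"}


def skeleton(domain: str) -> str:
    """Collapse a domain to its visual skeleton so lookalikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    for seq, repl in CONFUSABLE_SEQUENCES.items():
        d = d.replace(seq, repl)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in d)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, legit=LEGIT_DOMAINS, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in legit:
        return "legitimate"
    for good in legit:
        # Same skeleton: homoglyph swap such as rn -> m or 0 -> o.
        if skeleton(domain) == skeleton(good):
            return "lookalike"
        # Within one edit: a dropped, added or swapped letter (RandomInsde vs RandomInside).
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ("JSmith@RandomInside.com", "JSmith@RandomInsde.com", "x@example.org"):
        print(addr, "->", classify_sender(addr))
```

A gateway rule built on this would quarantine or tag "lookalike" results rather than reject them outright, since `max_distance=1` will also catch unrelated short domains.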
cspotme2@reddit
Is there anything on the similar domain or have their accounts/DNS been hijacked? You should get an .eml copy of that email received and see what the headers say.
A recently registered domain doing this is easier to take down with most registrars except for cloudflare and godaddy.
cspotme2@reddit
Who is the registrar? Outside of those dumbtards at cloudflare's registrar and godaddy ... Most will take down the domain if you have proof of the malicious activity/impersonation/etc.
Get a copy of that email and submit it to the registrar's abuse email.
PurpleFlerpy@reddit
This is absolutely their fault - they were likely compromised for weeks if not months, long enough for a threat actor to research who they worked with, buy an incredibly similar domain, and pwn them.
If they are unhappy and blaming you for their own email compromise issues, I would advise the powers that be to no longer do business with this vendor if at all possible.
Sasataf12@reddit
OP said the vendor was at fault. No-one's blaming OP.
OP's asking a legit question about protecting their brand/business.
Alderin@reddit
Yeah, they can't really pin this on OP's company, since the vendor was the target. It could have been any of the companies that that vendor works with that was domain spoofed for an invoice. The vendor needs to look at their own security, which is where the problem actually exists.
wosmo@reddit
Depending on the customer though, it can be worth it just being seen to be seen. You don't even need to succeed - as long as you do absolutely nothing that looks like admitting liability, having the customer feel like you're doing what you can, can be a huge win.
I mean it depends on the business, the customer, and the relationship. We have customers we'll move heaven and earth for - and customers where we'll use GPT to reword the reply more politely.
imnotaero@reddit
Talk to the vendor who was had and have them file a report with ic3.gov. The FBI will read it and if there's a malicious domain actively stealing money from US businesses there's a reasonable chance they'll act. (At least, that's how it used to be.)
You can also file a report yourself.
LimeyRat@reddit
You could add something to your website warning visitors that you’re aware of phishing emails spoofing your domain. I’ve had to do more research lately on several inquiries to our website which are almost all bad, and one of the spoofed companies had just that in its home page image rotation.
ethanjscott@reddit
See where the servers are hosted and contact them
Tduck91@reddit
I have had luck getting a few domains that were impersonating us taken down, but it depends on the registrar. Some don't care, some will make you jump through hoops, some are just slow. Most of the time it's too late as the campaign has already been sent.
Immediate-Serve-128@reddit
I tend to reach out to the host and explain the situation and provide evidence, emails etc.
Most hosts eventually shut em down.
Silent331@reddit
There is nothing you can do. This is a training issue at their company. Lessons learned, all ACH info changes should be done in person or the person sending the money has to call the recipient on a known phone number to verify.
ADynes@reddit (OP)
I agree but I still want to do something if I can.
vdragonmpc@reddit
We implemented Pospay where checks are only allowed to pass if the amount and name match.
We had a vendor who had a regular mailbox in front of their property taking mail. The mail would come in on Friday/Saturday and sit in that box. Stolen over the weekend and the checks washed/altered and cashed by 'work from home' people. I had previously suggested to their CFO that they simply pick their mail up from the post office that is right up the street.
He didn't. It happened more than once after they were notified. We only FedEx items to them now. No idea how much they have lost and cost clients by being lazy and ignorant.
*They did buy a locking mailbox. The thieves ripped it open and took the mail with no problem the following week.
FlatusGiganticus@reddit
We've had the same problem with some of our customers. Sadly, this is a "them" problem. They have a process problem in their accounting department. You can warn them, but it likely won't help in the long run. Our accounting department has a solid procedure in place for these types of tasks, and I guarantee that an email won't get it done.
tankerkiller125real@reddit
Our accounting department won't even touch a new bank account sent by someone unless verified by the person doing the purchasing, the vendors AR people, and a final confirmation from the COO (who handles accounting stuff).
jamesaepp@reddit
TL;DR if you throw money, time, people, and process at the issue you can mitigate it but you can't wholly prevent it because to completely prevent it would be to have an absolutely massive domain estate which would be unnecessarily expensive.
My org uses phishlabs (not an endorsement, just an example, there's other vendors who offer similar services) to detect brand impersonation among other things and they do most of the initial investigation and triage for us. The odd time I'm filling in for our security guy (small team) it's 99% of the time just domains that look similar to our brands and they're just being monitored for any suspicious changes.
I think MarkMonitor and CSC are organizations who offer similar services but whoever you go for, prepare to open your wallet. The other option is to have an MSSP/managed SOC who can offer a similar service or suite of services. The end goal here is to delegate this to another company who specializes and understands and/or has automated the abuse reports depending on registrar, internet name authority, jurisdiction, hosting company/service provider/hyperscaler, etc etc etc.