Cyber Evil Twin Sites

A vast majority of users judge the authenticity of a website by its look and content, which has inspired attackers to vastly improve the quality of attack websites used in scams. Majority of these cloned sites are almost indistinguishable from the originals as they are a complete copy of the genuine target web site, with specific changes relevant to the attack. Lately, there has been a global spike of such attacks with relevance to a variety of advance fee frauds (AFF) scenarios, whereby unsuspecting victims are persuaded to make upfront payments for financial incentives that do not materialize (e.g. loans, credit cards, job scams and rewards).

Banks and investment companies are the frequent choice of attackers, to copy website content for setting up their bogus attack site, sometimes with even a bogus non-existent bank name. The attackers are also impersonating various legitimate non-banking organizations, based on the target organization’s general popularity, recent news or business activity that may lure the victim with minimum suspicion of scam. This combined with social engineering, spoofed emails and typo-squatted domains, make this a challenging threat that needs to be addressed.

**How do they appear credible?**These websites utilize various methods to seem legitimate, such as:

• Blatant plagiarism of content from legitimate websites using automated scripts and software tools known as site scrapers to make the cloned website look more professional and plausible.
• Using a cyber-squatted or typo-squatted domain to appear as the original website.
• Incorporating active registration forms, contact us pages, and job portals.
• Links to news or promotional schemes relevant to the target brand.
• Having bogus logins that would also let the victim view bogus account statements.
• Exchanging E-mail messages that are professionally constructed.
• Human touch; Providing telephone contacts as well connecting with victim using Skype.
• Most of all, offering financial incentives like loans, credit cards, jobs and rewards, appealing to the victim’s wishes thereby lowering their ability to recognize signs of scam/fraud.

**Scenarios**The fake/cloned websites are often used in one of these combinations:

• Website comepletely cloned in its entireity with all content name and logo.
• Only content and logo copied.
• Content copied with the theme of the site.
• Cloned the website including the logo but changed the name.
• Only content copied.
• Cloned website with a different name and a registration page.

Objectives of Fraud

These cloned websites can be utilized in perpetrating a variety of scams and attacks (often together as a combination):

1. Advance Fee Frauds — used to deliver 419 scams such as “next of kin/inheritance” scams or bogus loan/credit card frauds where the victims have to pay fees to the attackers believing they will be obtaining a large sum of money or a loan/credit card.
2. Registration Forms — in one scenario these sites may scam vendors in different countries by asking them for their services, and having a registration form on their site for the vendor to register. Eventually they may be tricked into paying a registration processing fee, lured by the incentive of a large purchase order.
3. Online Identity Theft — these websites contain contact us forms which are used to collect data of users, which may in turn be used to impersonate an individual or organization.
4. Job Scams — by having a career portal or email address such as jobs@fakedomain.com within the cloned website with a cyber-squatted domain, a cloned website can also be used to make the job scam email appear legitimate.
5. Phishing — having a login page to harvest user credentials.
6. Spear Phishing — attackers could orchestrate well planned, targeted social engineered attacks by sending emails to users from the domain of the cloned website.
7. Legitimizing Scam — changing the name and logo of the cloned website to make the fraudster’s brand seem legitimate. The presence of a website makes a scam a lot more believable to victims owing to which scammers often set up fake websites to perpetuate their scams.
8. Drive-By-Downloads — links on the website, which when clicked upon by the user downloads a malware or delivers a Man-in-the-Middle attack in the browsing session
9. Malvertising — users download malicious code by simply clicking on an advertisement on a website that is infected.
10. Click Fraud — forcing a user to click multiple times on a link to generate revenue covertly
11. Ransomware — users download a malware that encrypts files on their computer and have to pay a sum of money for the encryption key. This type of threat is exponentially rising and evolving rapidly.
12. Fake Bank Account — email communication may take place where a potential victim can be further guided to open an account in the fake bank for a minimum deposit.

Remediation

The remediation strategy is “become a harder target”. Fraudsters have always existed, even before the internet. The goal would be to make them feel that their return on investment when targeting your Brand is minimum, so they go elsewhere.

• Educating employees and raising awareness along all levels of the organization by conducting training sessions with mock phishing scenarios.
• Educating your call center and help desk staff, enabling them to recognize victims of such attack and to collect the right information for mitigating such attacks.
• Having an adequate monitoring system or vendor that is able to detect such attack sites, ideally prior to the attackers launching their attack campaign.
• When an attack is detected targeting your Brand, be very vigilant in performing a comprehensive identification and mitigation of each component of the attack:

- Website

- Domain Name

- Email addresses on public Email hosts

- Telephone numbers

- VoIP contacts (skype)

• Regular audit of online assets and ensuring adequate security control of corporate content online.