Archive for Akamai

Malicious USPS Phishing Sites Exceed The Traffic Of The Real Site

Posted in Commentary with tags on April 29, 2024 by itnerd

According to a recent blog post by Akamai Technologies, security researchers analyzing phishing campaigns targeting the United States Postal Service saw traffic to the fake domains similar to that of the legitimate site and during the holidays it “greatly exceeded legitimate traffic”.
 
Akamai started observing USPS-themed phishing last October after an employee received a suspicious text that redirected to a site containing malicious JavaScript code. During the 2023 holiday season, researchers observed a significant volume of DNS queries going to “combosquatting” domains that impersonated the USPS service.
 
The fake pages are exact replicas of the real USPS site, down to realistic tracking pages with status updates. Between October 2023 and February 2024 the malicious domains generated over 1,128,146 DNS queries, just short of the 1,181,235 queries recorded for the legitimate USPS site, and from November to December traffic to the malicious domains was higher than traffic to the legitimate one.
 
Akamai limited this research to USPS, so combosquatting campaigns against other postal brands are likely, and the overall scale is probably larger than what was measured here.
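The detection Akamai describes rests on one observation: combosquatting names carry the brand string plus a plausible keyword, while the legitimate site lives under a known zone. The following Python is an added example (not Akamai's code) of that check run over constructed DNS query log lines; the brand, the legitimate zone list, the keyword list and the sample lines are all assumptions a defender would tune for their own estate. It also flags punycode labels, since an IDN label can hide a homoglyph that a plain substring match never sees.

```python
"""Flag DNS queries for combosquatting and look-alike domains around a brand.

Added illustration, not Akamai's code. The log lines are constructed and the
brand, zone and keyword lists are assumptions to be tuned per environment.
"""
import re
from collections import Counter

# Constructed sample of DNS query log lines: "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2023-12-04T10:01:02Z 10.0.0.5 tools.usps.com
2023-12-04T10:01:09Z 10.0.0.7 usps-tracking-update.com
2023-12-04T10:02:11Z 10.0.0.9 www.usps.com
2023-12-04T10:03:44Z 10.0.0.5 usps.redelivery-help.net
2023-12-04T10:04:01Z 10.0.0.8 xn--ups-fhd.com
2023-12-04T10:05:13Z 10.0.0.2 uspstracking.info
2023-12-04T10:06:30Z 10.0.0.3 example.org
"""

# Zones under which the brand legitimately resolves (assumption for this example).
LEGIT_ZONES = ("usps.com",)
# Words combosquatters bolt onto the brand to look like a delivery workflow.
KEYWORDS = ("track", "deliver", "package", "parcel", "postal", "shipping")

# "usps" as a whole label or label prefix/suffix separated by . - _ (first
# alternative), or starting a longer label such as "uspstracking" (second).
# An unrelated name like "campusps.edu" matches neither.
BRAND_RE = re.compile(r"(?:^|[.\-_])usps(?=[.\-_]|$)|(?:^|\.)usps[a-z0-9]")
PUNYCODE_RE = re.compile(r"(?:^|\.)xn--")


def is_legit(qname):
    """True when the name sits under one of the legitimate zones."""
    return any(qname == z or qname.endswith("." + z) for z in LEGIT_ZONES)


def classify(qname):
    """Return None for names that need no attention, otherwise a reason string."""
    q = qname.lower().rstrip(".")
    if is_legit(q):
        return None
    reasons = []
    if PUNYCODE_RE.search(q):
        # IDN labels can hide homoglyphs; surface the decoded form for the analyst.
        try:
            decoded = q.encode("ascii").decode("idna")
        except UnicodeError:
            decoded = q
        reasons.append("idn-label(%s)" % decoded)
    if BRAND_RE.search(q):
        hits = [k for k in KEYWORDS if k in q]
        reasons.append("combosquat:" + ",".join(hits) if hits else "brand-lookalike")
    return "; ".join(reasons) or None


def scan(log_text):
    """Parse '<ts> <client> <qname>' lines; return (flagged, counts).

    counts tallies legit vs suspect vs other queries, the same comparison the
    Akamai research drew between the real site and its impersonators.
    """
    flagged = []
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        q = qname.lower().rstrip(".")
        if is_legit(q):
            counts["legit"] += 1
            continue
        reason = classify(q)
        if reason:
            counts["suspect"] += 1
            flagged.append((ts, client, q, reason))
        else:
            counts["other"] += 1
    return flagged, counts


if __name__ == "__main__":
    hits, tally = scan(SAMPLE_DNS_LOG)
    print(dict(tally))
    for row in hits:
        print(*row)
```

Substring matching on a short brand token is noisy, which is why the regex insists on a label boundary and the keyword list is what turns a hit into a combosquat verdict; in production the keyword list and the legitimate zone list both need maintenance, and the punycode branch only surfaces the decoded label rather than deciding about it.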

Dave Ratner, CEO, HYAS had this to say:

   “Attacks involving typosquatting, combosquatting, or look-alike domains are increasing in nature and can be highly effective as individuals often don’t inspect the domain name itself closely enough. This can be made more complicated and difficult to detect with the use of different character sets like punycode which can make the difference between the legitimate and fake domain very hard, if at all possible, to detect by visual inspection. This is one of the reasons that Protective DNS solutions are so vital today, because they know the legitimate domains from the fake ones and can be the critical difference between a successful attack and a failed attempt.”

This is pretty insane. The fact that the real USPS site gets less traffic than fake ones shows that this is a huge problem that really needs to be addressed. I am not sure how one would address this, but it’s high time to figure it out.

Massive DDoS Attack Observed On ‘Influential’ US Financial Firm

Posted in Commentary with tags on September 12, 2023 by itnerd

Last week, Akamai reported that it had observed and thwarted a massive DDoS attack targeting one of its “largest and most influential” American financial institution customers.

Usually almost all of the legitimate traffic to the company’s site comes from the U.S., but during the roughly two-minute attack 633.7 gigabits per second of traffic arrived from all over the world, including Bulgaria, Brazil, China, India, Thailand, Russia, Ukraine, Vietnam, and Japan.

The attack went directly after the company’s primary web landing page, likely with the intent of disrupting its online banking, according to Akamai. The incident did not harm or disrupt services, but given the magnitude of the attack the firm would have faced severe disruption of its vital web systems had it not been mitigated.

Since 2021 the number of DDoS attacks against financial services has risen, and over the past year more than 30% of the DDoS attacks Akamai detected were aimed at financial services.

“Financial institutions are a key pillar of an economy, and targeting such businesses often has a larger impact on the overall economy,” Akamai researchers said.

Emily Phelps, Director, Cyware had this comment:

   “While financial institutions should pay close attention to the escalating attacks aimed at banks, enterprises across all sectors should take notice and ensure they have appropriate protections in place. Threat actors are not loyal to hitting one particular industry if the opportunity presents itself elsewhere.

   As DDoS attacks grow in scale and frequency, organizations must adopt more proactive measures to safeguard against such threats. Enterprises should regularly evaluate their risks and vulnerabilities and stay updated on the latest DDoS tactics, updating their defenses accordingly.”

Dave Ratner, CEO, HYAS had this follow up:

   “The attack highlights that a chain is only as strong as its weakest link — in this case, one user likely following a malicious link amongst the hundreds that were delivered. Even the smartest of professionals will occasionally make mistakes or be fooled. It has never been more clear that Protective DNS solutions, capable of catching that mistake when a user clicks on a nefarious link, are required as part of a defense-in-depth strategy.”

DDoS attacks are easy to carry out and are devastating in nature. Thus this should be added to the ever growing list of things that organizations need to protect themselves against.

A New Magecart Credit Card Stealing Campaign Is Making The Rounds

Posted in Commentary with tags on June 5, 2023 by itnerd

A new Magecart credit card skimming campaign has been highlighted by Akamai. The campaign hijacks legitimate retail sites to act as makeshift C2 servers, from which it injects and hides skimmers on targeted eCommerce sites in the US, the UK, Australia, Brazil, Peru, and Estonia. Many of the victims went more than a month without realizing they were breached, because the threat actors obfuscated the skimmer loader with Base64 encoding and hid the host URL so that the snippet resembled Google Tag Manager or Facebook Pixel.
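The trick that bought the attackers a month of dwell time is small: a loader whose host is a Base64 literal handed to atob(), so a reviewer skimming the page source sees a tag-manager-looking snippet and no hostname. The Python below is an added example (not Akamai's or any skimmer's code) of the audit that defeats it: decode every Base64-looking literal in a page's scripts, pull out any URL, and compare the host to the list of third parties the site is supposed to load code from. The page snippet is constructed to mimic the obfuscation; the allowlist and the retailer hostname are assumptions.

```python
"""Audit inline JavaScript for Base64-hidden script hosts.

Added illustration, not Akamai's code. The page snippet is constructed to
resemble the obfuscation described in the campaign; the allowlist is assumed.
"""
import base64
import binascii
import re
from urllib.parse import urlparse


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed page JavaScript: one plain Google Tag Manager loader, two
# Base64-hidden loaders (a look-alike of the GTM host, and the real Pixel host)
# and a first-party asset URL. No real skimmer code is included.
SAMPLE_PAGE_JS = """
var gtm = 'https://www.googletagmanager.com/gtm.js?id=GTM-ABCD';
var s = document.createElement('script');
s.src = atob('%s');
var p = atob('%s');
var logo = 'https://cdn.example-retailer.com/img/logo.png';
""" % (_b64("https://google-tagmanager.com/gtm.js"),
       _b64("https://connect.facebook.net/en_US/fbevents.js"))

# Hosts the site is expected to load from (assumption for this example).
ALLOWED_HOSTS = {
    "www.googletagmanager.com",
    "connect.facebook.net",
    "cdn.example-retailer.com",
}

PLAIN_URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# A quoted literal made only of Base64 alphabet characters, 16+ long.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decoded_urls(js):
    """Yield (url, 'base64') for quoted literals that decode to an http(s) URL."""
    for lit in B64_LITERAL_RE.findall(js):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            yield text, "base64"


def audit_hosts(js, allowed=ALLOWED_HOSTS):
    """Return findings as (host, encoding, severity) tuples, worst first."""
    findings = []
    for url in PLAIN_URL_RE.findall(js):
        host = urlparse(url).hostname
        if host not in allowed:
            findings.append((host, "plain", "high"))
    for url, enc in decoded_urls(js):
        host = urlparse(url).hostname
        # A loader URL that had to be Base64-encoded is suspicious even when
        # the host is trusted: legitimate tag snippets do not hide their origin.
        severity = "high" if host not in allowed else "medium"
        findings.append((host, enc, severity))
    return sorted(findings, key=lambda f: (f[2] != "high", f[0]))


if __name__ == "__main__":
    for host, enc, sev in audit_hosts(SAMPLE_PAGE_JS):
        print(sev, enc, host)
```

Run against the sample, the look-alike google-tagmanager.com host comes out as a high finding and the encoded but genuine Pixel host as a medium one; a plain reference to an allowlisted host produces nothing. The same pass works on the scripts a crawler fetches from a storefront, which is how a site owner would catch a skimmer before a month of checkouts has gone past it.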

David Ratner, CEO at HYAS, shares these insights:

“Protective DNS solutions are known for observing and stopping anomalous communications or connections coming out of an organization to known nefarious infrastructure; however, consumers accessing websites behave in much the same way, as the traversal of the website generates a series of connections to other domains and, in the case of Magecart infections, some being to nefarious locations. Protective DNS solutions can also be utilized by organizations to periodically scan their consumer-facing websites to identify these anomalous communications and address Magecart and other vulnerabilities, before significant numbers of consumers are taken advantage of.”

This is one of these areas where both consumers and organizations need to take steps to protect each other. By doing so, it makes these sorts of campaigns less effective.

API and App Attacks Triple In 2022 For Social Media, Tech, & Retail

Posted in Commentary with tags on April 20, 2023 by itnerd

In Akamai’s State of the Internet report, API and application-based attacks had a record year in EMEA in 2022 compared to 2021.

Web application and API attack growth has been driven primarily by Local File Inclusion (LFI) and XSS. The report found that LFI remained the top attack vector in EMEA, with LFI attacks growing 115% in the region and 193% globally.

48% of organizations stated that they release vulnerable applications into production because of time constraints and that only 14% of developers prioritize application security during coding. 

82% of IT executives noted that their organization experienced a data breach when introducing new technology.

Notable spikes in attacks included:

  • Retail sector – up 189% 
  • Tech – up 176% 
  • Social Media – up 404%

Globally, the financial services sector saw an increase in attacks, but the UK’s recorded threats declined by 4%. Akamai suggests the decrease may be attributed to threat actors targeting individual accounts instead of the institutions.

Furthermore, the expansion of organizations’ attack surfaces through the adoption of IoT equipment has driven attacks on the healthcare industry up 82% and on manufacturing up 76%.

George McGregor, VP, Approov had this comment:

   “Because it is based on data from the Akamai WAF this research is very much focused on traditional web apps and their vulnerabilities. 

   “Increasing use of mobile apps rather than browsers should really be taken into account especially as their use presents a particular set of security challenges which cannot easily be addressed or even seen from server-side reporting.”

Given how pervasive attacks are these days, it makes sense to look at your entire attack surface and make sure that your defences are aligned to that attack surface.

New DDoS Attack Technique Targets Vulnerable ‘Middleboxes’

Posted in Commentary with tags on March 2, 2022 by itnerd

Akamai has published new findings on a DDoS technique in which attackers abuse vulnerable ‘middleboxes’ such as firewalls and content-filtering devices: a small TCP packet with a spoofed source address that trips the box’s blocking rules prompts it to send a far larger response, such as a block page, to the spoofed source, which is the attackers’ intended target. In the blog post, Akamai stresses the concern this new attack method raises:

“Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that is a risk to the internet. This is the first time we’ve observed this technique in the wild,” the post says.
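From the victim’s side the signature of this technique is simple: TCP segments carrying data (a block page) arrive from hosts the victim never opened a connection to. The Python below is an added example (not Akamai’s code) of that check over constructed flow records; the local prefix 203.0.113.0/24 and the flow tuples are assumptions chosen for the illustration. It tracks connections opened in either direction so that replies from servers we dialed and data from clients who dialed us are not mistaken for reflection.

```python
"""Spot unsolicited TCP data from reflectors in flow records.

Added illustration, not Akamai's code. Flow records are constructed and the
local prefix is assumed. Middlebox reflection delivers TCP segments with a
payload to a victim that never started a handshake, so the test is: inbound
TCP segment with ACK set and no matching connection opened by either side.
"""
import ipaddress
from collections import defaultdict

# Documentation range standing in for the victim's address space (assumption).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: (src, sport, dst, dport, tcp_flags, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.10", 51000, "198.51.100.7", 80, "S", 60),     # we open a connection
    ("198.51.100.7", 80, "203.0.113.10", 51000, "SA", 60),    # handshake reply
    ("198.51.100.7", 80, "203.0.113.10", 51000, "PA", 1500),  # solicited data
    ("198.51.100.9", 40000, "203.0.113.10", 443, "S", 60),    # a client dials in
    ("198.51.100.9", 40000, "203.0.113.10", 443, "PA", 500),  # its request data
    ("192.0.2.33", 80, "203.0.113.10", 443, "PA", 4380),      # no handshake with us
    ("192.0.2.34", 80, "203.0.113.10", 443, "PA", 2920),
    ("192.0.2.35", 80, "203.0.113.10", 443, "SA", 60),        # SYN/ACK we never asked for
    ("192.0.2.35", 80, "203.0.113.10", 443, "PA", 65535),
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def unsolicited_inbound(flows):
    """Return {victim_ip: {"bytes": n, "segments": n, "reflectors": set}}.

    A connection counts as opened when a bare SYN (no ACK) is seen, whether
    we sent it or a peer sent it to us. Every 4-tuple is stored from the
    local side's point of view: (local_ip, local_port, remote_ip, remote_port).
    """
    opened = set()
    for src, sport, dst, dport, flags, _ in flows:
        if "S" in flags and "A" not in flags:
            if is_local(src):
                opened.add((src, sport, dst, dport))
            elif is_local(dst):
                opened.add((dst, dport, src, sport))

    report = defaultdict(lambda: {"bytes": 0, "segments": 0, "reflectors": set()})
    for src, sport, dst, dport, flags, nbytes in flows:
        if not is_local(dst) or is_local(src):
            continue  # only traffic entering the local prefix from outside
        if "A" not in flags:
            continue  # a bare inbound SYN is a new client, not a reflected reply
        if (dst, dport, src, sport) in opened:
            continue  # belongs to a connection one side actually started
        entry = report[dst]
        entry["bytes"] += nbytes
        entry["segments"] += 1
        entry["reflectors"].add(src)
    return dict(report)


if __name__ == "__main__":
    for victim, entry in unsolicited_inbound(SAMPLE_FLOWS).items():
        print(victim, entry["bytes"], "bytes from", sorted(entry["reflectors"]))
```

On the sample the solicited exchanges with 198.51.100.7 and 198.51.100.9 are silent, while the three 192.0.2.x sources account for every unsolicited byte. Real flow exports sample packets and may lose the original SYN, so in practice the "opened" set should also be fed from a connection-tracking table or a longer history window before the verdict is trusted.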

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“While XDR has been discussed as the next step in detection, response and the prevention of a successful threat, the reality is that these solutions are too endpoint-centric and require agents on assets for any hope of determining an attack. While the endpoint (EDR) solutions are a critical piece of telemetry, true visibility comes from being able to ingest, correlate and properly analyze all sorts of telemetry including endpoint and network security information, network traffic, netflow, (business) applications, and asset telemetry, both known and unknown or proprietary across the hybrid-cloud enterprise. This is a perfect example of where the right next generation SIEM, not traditional SIEM, can then take all of this telemetry, apply a wealth of analytics, behavioral science and machine learning models to identify this attack early and even provide automated response to limit the scope of the DDoS attack.”

Since this is a new technique, companies need to have their defences in order. It would make sense for businesses to read the blog post and make their plans accordingly.

UPDATE: Dr. Saumitra Das, CTO and Co-Founder, Blue Hexagon:

“This is a very interesting attack that essentially and ironically exploits a feature that was intended for security to cause amplification and lead to DDoS. The middle boxes were supposed to redirect users away from blocked content, but that functionality is now being used to essentially turn them into bots for overwhelming a spoofed sender. Since these middle boxes are so widely deployed this can be a significant issue.”