Between The Hacks


Domain Name Confusion

I want to share something that has been frustrating me for years, and it seems as if the problem is only getting worse. The details may be a little nerdy for the less-technical reader, but it will impact most of us at some point. I am calling this problem Domain Name Confusion, and it is neutralizing much of the work that cybersecurity professionals do to educate people on how to avoid becoming the victim of a phishing attack.

The Problem:

Domain name confusion can happen in different ways. Many companies, even tech companies, send email to employees or customers with links that use a domain name that doesn’t match their normal, publicly known domain name. I have seen this happen in companies for years, where a department like HR finds a cloud vendor to deliver employee training or to have employees register for benefits. Instead of sending an email to employees from an internal email address, they let the vendor send email to employees with a link to an external, unfamiliar site. When your security education and awareness program instructs your employees not to click on suspicious links, and then your company sends suspicious links to employees, it undermines the whole security education program.

Of course, in the above example, the HR department did not intend to have employees ignore the anti-phishing tips, but that was the result, and this example exposes a security gap in many companies. Phishing is arguably the biggest digital threat today. Every year we see the phishing attack numbers increase, and it’s not just through email. Social media, SMS, chat, and collaboration tools are also vectors for attackers to send malicious links. Since this method of attack preys on a victim by tricking them into clicking a link or otherwise divulging sensitive information like passwords and financial details, it is no wonder that most organizations have a security education and awareness program. The good news is that these programs work, and studies show that the more employees are educated, the more resistant they are to falling for phishing attacks.

One of the key tenets of a good anti-phishing education program is training people to identify a phish. There are a lot of tips and tricks, and you can read more about them in my phishing blog. One tip that is very important is to verify the links that are sent to you in email, texts, chat, etc. We need to check them because threat actors try to register domains that look like the real domain, in the hope that you won’t look closely and will be tricked. These are called doppelganger domains or evil twin domains. For example, if the email claims to be from microsoft.com, make sure the domain name in the ‘From’ field and in any links both match microsoft.com and not something similar, like miicrosoft.com or microsoft.com.passwordreset.io (where the registered domain is actually passwordreset.io, and “microsoft.com” is just a subdomain label in front of it).
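The check described above can be automated. The following is an added example (not code from the original post) that reduces the sender address and every link in a message body to its registrable domain and compares them against the domain the message claims to come from. It uses the page’s own lookalikes (miicrosoft.com, microsoft.com.passwordreset.io) plus the logmein.com vs. logmeininc.com mismatch as constructed inputs; the small multi-label suffix set is an assumption standing in for the full Public Suffix List, which a production tool should use instead.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List (publicsuffix.org).
# Only these multi-label suffixes are recognised; everything else is treated
# as "last two labels" = registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host: str) -> str:
    """Return the apex (registrable) domain of a hostname.

    'login.microsoft.com'            -> 'microsoft.com'
    'microsoft.com.passwordreset.io' -> 'passwordreset.io'  (the real owner)
    'miicrosoft.com'                 -> 'miicrosoft.com'    (a lookalike)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From header such as 'Alice <a@example.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower() if match else ""


def check_message(from_header: str, body: str, expected: str) -> Dict[str, object]:
    """Compare the sender domain and every link in the body against the
    organization's expected domain.

    Returns {'sender_ok': bool, 'bad_links': [urls whose apex domain differs]}.
    A message with sender_ok False or a non-empty bad_links list is exactly the
    'domain name confusion' the post describes and should be reported, not clicked.
    """
    expected_apex = registrable_domain(expected)
    result: Dict[str, object] = {
        "sender_ok": registrable_domain(sender_domain(from_header)) == expected_apex,
        "bad_links": [],
    }
    bad_links: List[str] = result["bad_links"]  # type: ignore[assignment]
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host is None or registrable_domain(host) != expected_apex:
            bad_links.append(url)
    return result


if __name__ == "__main__":
    # Constructed sample messages (not real mail).
    samples = [
        ("Microsoft <alerts@miicrosoft.com>",
         "Verify now: https://login.microsoft.com.passwordreset.io/verify",
         "microsoft.com"),
        ("LogMeIn <noreply@logmein.com>",
         "Suspicious activity detected. Reset: https://secure.logmeininc.com/reset",
         "logmein.com"),
        ("IT <helpdesk@example.com>",
         "Policy update: https://intranet.example.com/policy",
         "example.com"),
    ]
    for from_header, body, expected in samples:
        print(expected, "->", check_message(from_header, body, expected))
```

The LogMeIn sample is the interesting one: the sender domain checks out, yet the link still fails, which is precisely why a legitimate reset page hosted under a second domain looks like a phish to both people and tooling.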

Real-world Example

Domain name confusion doesn’t just happen at work. A few weeks ago, I received an email from a logmein.com address with the subject “Suspicious activity detected on your LogMeIn account.” Here is a screenshot of that email.

Hovering over the link shows the destination to be a logmeininc.com address. Of course, I thought this was a phishing email and was excited to see how poorly or well it was executed. I looked up the domain name to see if there were any clues.

whois record of logmeininc.com

I noticed that it was registered with GoDaddy and had the privacy settings set so that all of the contact information points to GoDaddy and not LogMeIn. That’s a little suspicious, because companies tend to add their own contact information to the domain registration. The privacy settings are used more by individuals who want to protect their home address and phone number. Then I noticed that the domain name was registered in 2014. Hmmmm, usually phishing domains are registered and used quickly, so maybe this is not a phish? The next step was to follow that link in a virtual machine.

This page looks normal but I’m still suspicious of the logmeininc.com domain name, so I checked the certificate…

And, it is indeed a valid certificate for LogMeIn. I don’t use LogMeIn but have in the past, so I created a new, 60+ character password with my password manager and reset the password as suggested. Since I had two-step verification set, I was then sent an SMS message with a code to enter into the website. After entering the code, I was taken to the LogMeIn page to review my login activity.

I clicked on the Audit log to see if there were any suspicious logins.

Viewing the audit log shows that the last time I logged into this account was in 2015. That sounds about right, so nothing suspicious, two-step verification is set to ON and now my password is reset. All is well, except this domain name confusion issue is bothering me.

Don’t get me wrong, I applaud LogMeIn for offering two-step verification (MFA) and for making me reset my password when they saw suspicious activity. But why is the LogMeIn password reset page being hosted under a different, unfamiliar domain name? It would be trivial to host the same site under the recognizable logmein.com domain, or to include a link in the email that points to logmein.com and then automatically forwards to the logmeininc.com address. While the second option is not ideal, it is better than causing domain name confusion.

I’m not trying to pick on LogMeIn specifically. They certainly are not the only company that does this, but they are a company that should know better. Ironically, LogMeIn owns the LastPass password manager, which is explicitly marketed to “Avoid phishing scams.” And at the risk of revealing too much about my own technology use, I have been a happy LastPass customer for many years.

What Can You Do?

Preventing domain name confusion may seem like a trivial thing, but it matters! We cannot continue to tell people not to click on suspicious links and then send them suspicious links, especially for important security tasks like resetting a password after suspicious activity has been detected! So what can we do?

This action item is for everyone. If this happens to you, speak up, especially at work. If you are sent an email from an external domain name and it asks you for anything sensitive, report it. If everyone does this, the cybersecurity team at your company will get sick of all those reports and tickets and, hopefully, make the offending department stop this practice.

To all companies and organizations: please don’t do this. You are forcing your employees and customers to ignore the rules that we teach them to follow to prevent phishing, which makes it easier for the phishers to phish. Additionally, consider a few extra controls to prevent domain name confusion:

  1. Require that all email sent to employees from within your organization comes from an internal email address.

  2. Require that all email sent to customers and vendors uses the domain name that matches your organization’s website, or at least a well-known brand from your organization.

  3. Add an entry to your cloud vendor security checklist that informs the IT and cybersecurity teams if there are plans to send bulk email to employees or customers.

  4. Track the number of times valid email is flagged as a phish by employees, and reward them for pointing it out.