Typosquatting is an impersonation technique frequently used to target employees. In this scenario, attackers buy a domain that is very similar to the company's domain and use it to send spear phishing emails to the company's employees. For example, attackers targeting Barracuda employees would buy baracuda.com (one ‘r' is missing) and try to trick employees of the company to send them sensitive information or wire money. Some attackers even register the same domain in non-Latin alphabets (e.g., Cyrillic), for example, Baггacuda instead of barracuda (the Cyrillic letter ‘г' replaced the Latin ‘r').
Some email security solutions do provide protection against typosquatting. This is typically done by creating rules that try to find common letter replacements or by trying to find similarities between the URL of the company and the URL of the sender. While this type of protection should be in place to protect your business, it is only partially effective in protecting you from spear phishing attacks.
Spear phishing protection requires more
The vast majority of spear phishing attacks do not contain a typo-squatted URL. Many attacks spoof the company's actual domain (e.g., if the attacker is targeting Barracuda, the attacker could send an email from barracuda.com with a different reply-to address). Since the attacker is spoofing the company's domain, it would not be caught by a typosquatting detector.
In addition, many attackers simply send an email from a random email domain (e.g., google.com, yandex.ru), relying on the fact that many email clients (e.g., mobile clients and web clients) do not display the full email address of the sender. And even if they do, many recipients simply do not carefully look at the sender's email. It's hard to stay ahead of the attackers' creative typo-squatting techniques. Many typo-squatting detectors missed the Cyrillic example above because they only looked at Latin alphabets. Also, there are almost endless variations in replacing and omitting single letters, and it's very hard to catch them all.
We’ve also seen attacks that use other alphabets beyond Cyrillic, including Arabic, Chinese, and Greek. Or they can replace letters with numbers. And instead of making just one letter substitution, they can substitute multiple letters at a time. In summary, the number of possible permutations of typosquatting is very high, and it's impossible to predict with a fixed rule what type of creative technique attackers will use next.
A complete solution
Artificial Intelligence (AI) offers a much more robust approach than typosquatting since it tries to find any anomaly rather than relying on fixed pre-determined rules. AI has the ability to learn the patterns of behavior within your organization and identify behavior that operates outside of those patterns. With AI, it doesn't matter what type of domain the attacker uses; whether it's typosquatted with Latin letters, Cyrillic letters, Chinese letters, spoofed, or just a random personal email. If the domain is not the normal domain used by the employee, or if there is another anomaly in the email, the AI will be able to detect it as a targeted attack. AI is the only way to detect zero-day targeted attacks and stay ahead of modern-day social engineers.
Asaf Cidon, VP of Content Security Services, Barracuda
Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.