Mitigating Angry Boss Phishing Attacks From Copycat Domains

Recently there was a wave of what I like to call the Angry-Boss attacks. This usually goes something like this: A phisher sends an email to someone in your organization with the ability to make wire transfers. They say that paying off a vendor is an urgent issue requiring their immediate attention. What makes this usually work is that the phisher uses a copy cat domain. For example,  if your domain is example.com, the bad guy will send emails from a domain, like exarnple.com (look closely to see the difference.) The unsuspecting employee sees their bosses name and what looks like their email address (the attacker has done their OSINT homework), and quickly tries to comply to keep their “boss” happy. Next thing you know, tens of thousands of dollars have left your organization, possibly never to return.

How can we mitigate this? Depending on your infrastructure it should not be too hard. First, there is a program for Ubuntu (and I assume other Linuxes, but I usually have an Ubuntu machine or VM handy) called Urlcrazy. This software will take a domain name you give it and generate a list of copycat domains for you using a variety of misspellings and other techniques. Getting Urlcrazy to run does require installing an older version of Ruby and Ruby Gems. If anyone needs help with that reach out and I will put together a post on how I did that. Here you can see a list of the copycat domains generated when I ran the program against my domain.

Once we have the list of domains, the rest is pretty simple. If your organization has a good spam blocking tool in place, just add the copycat domains you generated to your list of blocked domains. Now you and your finance department can sleep a little easier.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s