Should organizations need to worry about domain look-alikes? The answer is, unfortunately, yes. Threat actors often impersonate popular brands and domains to lure users into visiting malicious pages and divulging their personally identifiable information (PII). This data then ends up peddled in underground markets or used in more sinister cyberattacks. Worse, users who hand in their credentials to cybercriminals are not the only ones affected. The spoofed businesses suffer, too. They suffer consequences that include:

• Loss of web traffic
• Loss of customer trust
• Tarnished brands and reputations
• Profit loss

Off to a Rocky Start: Attackers Target Venture Capitals and Start-Ups in Business Email Compromise Schemes

Over the past three years alone (from June 2016—June 2019), organizations have lost US$26 billion to businesses email compromise (BEC) attacks. We do not expect this figure to decrease anytime soon.

In a BEC attack, threat actors typically mimic a company’s chief executive officer (CEO) or other C-level executives to ask someone from the finance department to transfer funds to an account that they control. BEC attacks can come in various types such as:

• Bogus invoice scams
• Account compromise
• Attorney impersonation scams
• Data theft

The latest additions to BEC attack targets are venture capitals and start-ups. We recently read a report about such organizations losing as much as US$1 million when their domains were spoofed via man-in-the-middle (MitM) attacks, and they were asked to send investment funds to bogus accounts.

The attackers, in this case, discovered impending venture capital deals through careful reconnaissance. They then intercepted ongoing email exchanges between the venture capital and its investors. After a while, they modified the contents of emails from the venture capital before these got to investors’ inboxes, eventually leading to investments being redirected to their own accounts.

How to Avoid Becoming a Victim: Using Domain and Brand Monitoring Tools

Any organization can become a BEC victim, regardless of size. Experts opine that small businesses are at greater risk since they often do not use robust security solutions nor employ their own cybersecurity and incident response teams. Venture capitals can fall into this business size category.

Domain and brand monitoring tools may thus come in handy for them as these allow them to proactively scout for potential spoofed versions of their websites. Domain Monitor can alert users to any change made to a domain of interest. Brand Monitor, meanwhile, allows users to keep track of matches and variations of their domain names that may figure in cyberattacks.

We took a look at the top 100 venture capital companies in 2019 (i.e., Andreessen Horowitz, domain: a16z[.]com) and chose to subject it to a Brand Monitor query. We ran the domain to see if there are potential look-alikes that attackers can use against its stakeholders in attacks. Our tool turned up 100 domain variations. Any of these can figure in BEC attacks.

We chose a-16z[.]com from the list. Anyone could easily mistake it for the real domain. We ran it through Domain Availability API and found that it is currently available for registration.

Attackers can easily purchase domains such as a-16z[.]com for BEC scams. This and other easily confusable domains like a16-z[.]com, a-16-z[.]com, and so on can be added to Domain Monitor. Should someone purchase them, a16z[.]com’s owner would receive an alert as the registrant could be a potential BEC attacker.

We queried the domain of another of the top 100 venture capital firms in 2019 (i.e., Sequoia Capital China; domain: sequoiacap[.]com) on Brand Monitor. Again, the tool turned up as many as 100 variants.

We chose sequoia-cap[.]com from the list and checked if it was available for registration. Domain Availability API showed this result:

While unavailability is not a telltale sign of use in attacks. It may be worth comparing the real with the alternative domain’s WHOIS records. We did that with WHOIS Search and found that sequioacap[.]com and sequioa-cap[.]com may have different owners.

Venture Capital Domain: sequoiacap[.]com

Alternative Domain: sequioa-cap[.]com

All in all, it may be a good idea for all companies to register domains that very closely resemble theirs so they cannot be used in attacks against their stakeholders, as we have seen in the attack against a venture capital firm’s investors.

* * *

Venture capital firms and start-ups are lucrative targets for BEC attacks. And it is relatively easy to snatch a domain look-alike, so attackers do not have to go through a tedious MitM attack to trick investors into wiring money into their own accounts. Organizations that wish to protect their stakeholders and customers from cyberthreats can proactively use domain and brand monitoring services to spot potentially harmful domains before these can figure in BEC and other cyberattacks.