From Trust to Trickery: Brand Impersonation Over the Email Attack Vector

Summary:
Cisco researchers have discovered various techniques used by cybercriminals to embed and deliver brand logos within emails, targeting users through brand impersonation. This widespread threat leverages the familiarity and trust associated with well-known brand logos to solicit sensitive information, particularly in phishing emails where attackers aim to deceive recipients into revealing credentials or other valuable information. Cisco’s threat intelligence unit, Talos, conducted an analysis between March and April 2024, revealing the extensive nature of these attacks. The techniques identified include simple HTML insertions, advanced methods like fetching logos from remote servers at the time of email delivery, base64 encoding, and embedding logos within email attachments. Sometimes, entire email bodies, including logos, are attached as images or PDFs to evade detection mechanisms.

Security Officer Comments:
Many impersonation emails originate from various domains, often using free email services. For instance, emails imitating document signing services, security software, and retail support services have been sent from a wide range of domains, targeting different industry sectors, including education and insurance. Threat researchers can utilize the data collected to block future attacks, focusing on factors like sender email addresses, originating IP addresses, attachments, and URLs. Researchers at Cisco Talos have identified patterns such as callback phishing, where attackers include a phone number in the email to persuade recipients to call, thereby shifting the communication channel and potentially delivering malware through subsequent interactions.
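The Summary lists the ways logos reach the mailbox (remote images fetched at render time, base64-encoded inline images, and bodies shipped whole as an image or PDF attachment), and the comments above add the callback-phishing pattern of a phone number in place of a link. The following triage script is an added example, not Cisco Talos's detection logic or anything from the linked post: it walks a MIME message with Python's standard `email` package, records each of those indicators, and derives a simple risk score. The heuristics, thresholds, regular expressions and the three sample messages (built inline with `EmailMessage`, using made-up `.test`/`.example` hosts) are all constructed for this illustration.

```python
"""Triage MIME messages for logo-delivery and callback-phishing indicators.

Indicators (defender heuristics, constructed for this example):
  remote_image     - <img src="http(s)://..."> fetched when the mail is rendered
  base64_inline    - data:image/...;base64 or cid: image reference in the HTML
  image_only_body  - almost no visible text, but an image or PDF part
  callback_number  - a phone number in the visible text
"""
import email
import re
from email import policy
from email.message import EmailMessage

PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
REMOTE_IMG_RE = re.compile(r"<img[^>]+src=[\"']?(https?://[^\"'\s>]+)", re.I)
DATA_IMG_RE = re.compile(r"src=[\"']?data:image/[a-z+]+;base64,", re.I)
CID_IMG_RE = re.compile(r"src=[\"']?cid:", re.I)
TAG_RE = re.compile(r"<[^>]+>")
MIN_VISIBLE_CHARS = 40  # below this, a media attachment is treated as the "body"


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and collect the indicators above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"remote_image": [], "base64_inline": False,
                "image_only_body": False, "callback_number": []}
    visible_chars = 0
    media_parts = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            findings["remote_image"] += REMOTE_IMG_RE.findall(html)
            if DATA_IMG_RE.search(html) or CID_IMG_RE.search(html):
                findings["base64_inline"] = True
            visible = TAG_RE.sub(" ", html)
            visible_chars += len(visible.strip())
            findings["callback_number"] += PHONE_RE.findall(visible)
        elif ctype == "text/plain":
            body = part.get_content()
            visible_chars += len(body.strip())
            findings["callback_number"] += PHONE_RE.findall(body)
        elif ctype.startswith("image/") or ctype == "application/pdf":
            media_parts += 1  # logo or whole body delivered as an attachment
    findings["image_only_body"] = media_parts > 0 and visible_chars < MIN_VISIBLE_CHARS
    return findings


def risk_score(findings: dict) -> int:
    """Weighted sum; a remote logo alone is common in legitimate marketing mail,
    so it only becomes interesting together with another indicator."""
    score = 0
    if findings["remote_image"]:
        score += 1
    if findings["base64_inline"]:
        score += 1
    if findings["image_only_body"]:
        score += 2
    if findings["callback_number"]:
        score += 2
    return score


def build_sample(kind: str) -> bytes:
    """Constructed demo messages (not real phishing artefacts)."""
    msg = EmailMessage()
    msg["From"] = "support@free-mail-provider.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Action required on your account"
    if kind == "remote_logo_callback":
        msg.set_content("Please call us.")
        msg.add_alternative(
            '<html><body><img src="https://logo-host.example/brand.png">'
            "<p>Your subscription renewed for $499. To cancel call 1-800-555-0199.</p>"
            "</body></html>", subtype="html")
    elif kind == "image_only":
        msg.set_content("")
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                           maintype="image", subtype="png", filename="invoice.png")
    else:  # benign plain-text note
        msg.set_content("Hi team, the meeting notes follow in plain text.\n\nThanks")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind in ("remote_logo_callback", "image_only", "benign"):
        f = triage(build_sample(kind))
        print(f"{kind:22s} score={risk_score(f)} {f}")
```

Run on a mail feed, a score of 2 or more is a reasonable point at which to hold a message for review; the phone-number and remote-image lists are the fields worth pivoting on when correlating with the sender address, originating IP and URL data the comments above mention.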

Suggested Corrections:
Researchers at Cisco Talos have published the following mitigations to protect against brand impersonation:

  • Strengthening the Weakest Link:
    • Educating users is of paramount importance to reduce the number and impact of security breaches. Educating people does not only concern employees within a specific organization; in this case, it also involves their customers.
    • Employees should know an organization’s trusted partners and the way their organization communicates with them. This way, when an anomaly occurs in that form of communication, they will be able to identify any issues faster. Customers need to know the different communication methods your organization would use to contact them, and they need to be told the type of information you will ask for. When they know these two vital details, they will be less likely to share their sensitive information over abnormal communication platforms (e.g., through emails or text messages).
    • Brand impersonation techniques are evolving in terms of sophistication, and differentiating fake emails from legitimate ones by a human or even a security researcher demands more time and effort. Therefore, more advanced techniques are required to detect these types of threats.
  • Asset Protection:
    • Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. Last, but not least, domain names need to be updated regularly since expired domains can be easily abused by threat actors for illicit activities that can harm your business reputation. Brand names should be registered properly so that your organization can take legal action when a brand impersonation occurs.
  • Advanced Detection Methods:
    • Detection methods can be improved to delay the exposure of users to the received emails. Machine learning has improved significantly over the past few years due to advancements in computing resources, the availability of data, and the introduction of new machine learning architectures. Machine learning-based security solutions can be leveraged to improve detection efficacy.

Link(s):
https://blog.talosintelligence.com/from-trust-to-trickery-brand-impersonation/