Infoblox warns that multifactor authentication (MFA) can give a false sense of security: criminals are increasingly using lookalike domains to harvest MFA data and penetrate networks anyway. MFA is a popular method of securing corporate networks. By not relying solely on passwords and requiring additional authentication factors, an organisation's network security becomes considerably more robust. However, cybercriminals are increasingly setting up phishing campaigns with lookalike domains to harvest targeted MFA data.
Criminals have used websites resembling those of trusted brands since the early days of the internet to trick people and capture data. These so-called lookalike domains are now a regular part of many a security awareness training course. Using lookalike domains to gather MFA data, however, is a recent phenomenon.
This is how criminals operate:
- Employees are approached through familiar channels and asked to log in to their corporate network. The attackers use so-called adversary-in-the-middle methods to convince employees that the website is legitimate. They often already hold e-mail lists and other data, which they use to send familiar-looking communications.
- Links in phishing e-mails or text messages, for example, direct users to a specially set-up lookalike domain that mimics the trusted login environment.
- The fake login environment then asks for the MFA data. Once the user enters it, the criminals have what they need and can log in to the corporate network.
Why do lookalikes work so well?
Lookalike domains rely on a number of methods, all rooted in psycholinguistics. Put simply, our brain reads over discrepancies in a text and still understands what it says. Lookalikes exploit exactly this: URLs containing deviating characters are used to trick visitors, for example a capital 'I' instead of a lowercase 'l', or characters from other alphabets that look identical to characters in our own.
Even the most observant employees can be misled by a well-designed lookalike, especially when they are also pressured through other channels to take action. Moreover, lookalikes make use of various DNS features to trick people, including nameserver (NS), mail server (MX) and CNAME records.
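As an added example (not from Infoblox or this article), the following Python check normalises a hostname the way a reader's eye does and flags the substitutions described above: digit or letter swaps, characters from other alphabets (including their punycode form), and brand names embedded in other domains. The protected domain example.com, the confusable table and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed confusable subset (hypothetical; Unicode TR39 lists thousands).
# Keys: what gets substituted. Values: the Latin text the eye reads.
CONFUSABLES = {
    "\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic і а е о
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u04bb": "h",  # Cyrillic р с ѕ һ
    "1": "l", "0": "o", "rn": "m", "vv": "w",                   # digits, letter pairs
}

def skeleton(host: str) -> str:
    """Reduce a hostname to what a reader perceives: decode punycode (xn--),
    fold Unicode compatibility forms, lowercase, then collapse confusables."""
    try:
        host = host.encode("ascii").decode("idna")  # xn--... -> Unicode
    except UnicodeError:
        pass  # already Unicode (or malformed punycode): keep as given
    host = unicodedata.normalize("NFKC", host).lower()
    for lookalike, plain in CONFUSABLES.items():
        host = host.replace(lookalike, plain)
    return host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-character swaps like I-for-l."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_verdict(host: str, protected: str) -> "str | None":
    """Return how `host` impersonates `protected`, or None if it does not."""
    seen, real = skeleton(host), skeleton(protected)
    if seen == real:  # identical to the eye; a lookalike unless it really is ours
        return None if host.lower() == protected.lower() else "homoglyph"
    brand = real.split(".")[0]
    if brand in seen:  # our brand used as a prefix or subdomain of another name
        return "brand-embedded"
    if edit_distance(seen, real) <= 1:  # one character off, e.g. exampIe -> exampie
        return "typosquat"
    return None

if __name__ == "__main__":
    # Constructed samples; the xn-- form is built here from a Cyrillic е (U+0435)
    samples = ["example.com", "examp1e.com", "exarnple.com", "exampIe.com",
               "\u0435xample.com".encode("idna").decode("ascii"), "example-login.net"]
    for h in samples:
        print(f"{h:24} -> {lookalike_verdict(h, 'example.com')}")
```

The same skeleton comparison can be run over DNS query logs or newly registered domain feeds against a list of an organisation's own domains, which is where the NS, MX and CNAME records of a freshly set-up lookalike tend to show up first.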