Impersonation stands at the heart of so many cybercriminal schemes today. Whether used to fuel traditional phishing or malware propagation attacks, business email compromise (BEC), advertising fraud, or e-commerce fraud, there's nothing quite so effective as piggybacking off the trust and goodwill of a brand to lure people into a scam.
Brand impersonation can be a particularly thorny problem for CISOs, especially when the threats stray from the typical malicious email attacks that security practitioners have grown up fighting. Today, retailers, product creators, and service providers increasingly face a whole host of brand theft and impersonation ploys that stretch far beyond the common phishing scam.
Criminals are making a killing setting up scam sites that masquerade as a brand's property to sell counterfeit or gray-market merchandise, fence stolen goods, or process payments but never send the products. According to the US Federal Trade Commission (FTC), consumers have lost more than $2 billion to these kinds of scams since 2017.
Stealing a Brand
For the businesses that are imitated, these scam sites at best erode the brand's trustworthiness and value. At worst, they steal sales and could even threaten the very existence of a small or emerging business.
"We've had a close shave with brand impersonation at Code Galaxy," says Marliis Reinkort, CEO and founder of Code Galaxy, an online coding school for kids. "Someone created a business profile — website, social media profiles, and everything — with our own brand identity. They went to advertise the same services we offer at ridiculously lower prices, only they didn't even offer the services. They simply made away with the money."
Reinkort's team didn't notice the fraud until it had not only scammed potential customers but also made the entire market think her business had drastically cut prices.
"That single occurrence was a wake-up call for me," she says. "The reputational damage dealt a huge blow to the business for a while."
It's understandable that startups like Code Galaxy would struggle to detect brand impersonation due to resource constraints, but even enterprises with mature security functions can have a hard time systematically rooting out impostors that leech off their brand. Using techniques like website spoofing through typosquatting and lookalike URLs, brand impersonation attacks often aren't attacking a company's owned infrastructure — making them very difficult for incident responders to detect in a security operations center (SOC) setting using traditional security alert tools.
"The external attack surfaces for brand impersonation are built and launched by bad actors entirely on the Internet," says Ihab Shraim, CTO at CSC Digital Brand Services. "Therefore, the SOC security teams do not have the specific data feeds [they need to detect impersonations]."
Tracking Mentions, Keywords
To alleviate the gap, some companies proactively search online or use simple brand tracking tools. This is how Reinkort and her team have responded since Code Galaxy's costly brush with brand impersonation.
"We actively track brand mentions and keywords related to the business, even when misspelled," she says. "Brand mentions should just be for engagement and troubleshooting. We ended up discovering two brand impersonations by simply tracking mentions that mirrored our keywords and acting words."
But the increasing volume of online marketplaces means that organizations trying to scan for keywords and mentions are likely to bump into scalability issues.
"Brand impersonation is hard to track due to the vast number of digital marketplaces that have materialized in the past decade," says Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG. "Simply scanning the Internet for similarly named products, websites, and product descriptions is no longer sufficient to identify and remove fraudulent information."
Whose Job Is It?
Additionally, because attackers are essentially committing trademark violations in these instances, and because irate victims often call the spoofed company's customer service asking for the products they paid for or to return defective products, it is often unclear within larger organizations whose responsibility it is to go after the impostors once they're detected.
"This has not been in the realm of security practitioners in a consistent way for very long," says Josh Shaul, CEO of Allure Security, an online brand protection company that's part of a growing category of firms focused on detecting scam sites and remediating through actions like takedowns.
He explains that when he goes out to the market and talks to companies, sometimes they'll say they've got incident response (IR) looking at the problem. At other companies, they say the legal team is on it. At still others, they see it as a customer service or marketing problem. Meanwhile, the attacks keep mounting, and the companies struggle with quickly orchestrating mitigation efforts like takedown requests and communication with registrars.
CISOs will need to take a systematic and multidisciplinary approach to solve the brand impersonation problem. That begins with registering trademarks and setting up domains and social media presence for the brand. It then extends to include domain monitoring and using threat intelligence to identify impersonation attempts.
"It's odd because to me this is all in the realm of the security [professional]," Shaul says. "The trademark is an important piece, but it's a fraud problem and a security incident problem. People are stealing from you, and you're trying to prevent the theft."