The rising threat of lookalike domain attacks on fleet security

Updated Jun 10, 2024

As cargo theft grows rampant in the freight industry, strategic theft has risen alongside it.

Talking about the surge of cargo theft, Keith Lewis, vice president of operations at CargoNet, said, “[A big increase] is the fraud using deceptive means to steal a load – whether it’s stealing someone else’s identity to go on a load board, creating a trucking company and going on a load board, and buying another trucking company’s operating authority, name, email and domain, and eventually, taking the load by fraud.”

As methods like these continue to increase, they serve as a warning to remain vigilant against phishing attacks that use lookalike domains. Cybercriminals can register domains that closely resemble those of legitimate carrier companies. These fake domains are used to send phishing emails that manipulate employees and customers into disclosing sensitive information, such as login details, financial details or personal data.

“Replicating the targeted site is an easy process in which the threat actor designs or obtains the format of the targeted site,” said National Motor Freight Traffic Association (NMFTA) COO Joe Ohr. “As seen in communications identified on dark web and cyber oriented forums, threat actors outsource this process and customize the site in order to fit the targeted actors.”

A 2023 report by Arctic Wolf found that nearly half of all cyberattacks in 2023 were driven by attackers stealing their target’s credentials and reusing them to gain access to their intended organization.

There are plenty of reasons for this. Mark Manglicmot, senior vice president of security services at cybersecurity firm Arctic Wolf, said that lookalike domain-based attacks, like all social engineering and credential compromise-based scams, are on the rise.

“Organizations have more digital tools in their environment than ever before, thus creating large attack surfaces that are hard for security teams to adequately defend,” he said.

Bobby Kuzma, director of offensive cyber operations at cybersecurity firm ProCircular, also pointed out that it’s increasing because it’s poorly defended against. “The bad guys have a huge economic incentive to gain access to enterprises, particularly those that are part of the critical infrastructure.”

With the rise of artificial intelligence, Manglicmot noted these same threat actors are also now able to create realistic-looking websites, text messages, emails and even multimedia to more effectively disguise their online behavior as legitimate, rather than a scam.

The trucking industry relies on thousands of vendors who are simultaneously fragmented in their security but retain access to each other. These interconnected systems, Manglicmot pointed out, are often enticing to threat actors, as they offer multiple points of entry.

Cybercriminals use an array of tools and tactics, but a common example Manglicmot gave is a phony domain that prompts a user to enter their username and password. That gives attackers what they need to log in to company systems and, depending on the security protocols in place, access to any and all data.

Kuzma noted that attackers may use a lookalike domain against a company, or its customers, as part of a phishing campaign to gain access to user accounts, or as part of a fraud to redirect payments. “They take advantage of the fact that people do have issues distinguishing between very similar characters, such as 1 and I (uppercase I) and l (lowercase L),” he said. “Late last year, security researchers discovered a state sponsored attack using a lookalike including Greek and Cyrillic letters to spoof Microsoft.”


Protecting fleets from lookalike domain threats

A proactive approach is essential to protecting an organization. Manglicmot suggested having a strong incident response plan and 24/7 managed detection and response system. “Understand your systems inside and outside, know what tools you have, and how do those tools work together," he said. 

Kuzma said businesses can also ensure that they have clear indicators added to emails to warn they are external. “For best protection, you can use software like DNSTwist or subscribe to a cyber threat intelligence service such as Flare to collect a list of lookalikes for key domains, then either purchase them yourself or preemptively block them.”

Most importantly, with tactics like credential stealing from lookalike domains, Manglicmot said that your best line of defense starts with educated employees.

“Ensure that you have tools that empower your teams to make cybersecurity-conscious decisions,” said Manglicmot. “Implement multi-factor authentication (MFA), launch training programs with phishing tests that can demonstrate the complexities that fake domains and other tactics can take on.”

“By arming ourselves with a company full of individuals that recognize the nuances that can come from threat actors, you stand a much better chance of mitigating the risk cybercriminals and their attacks pose,” he said.

Ohr offered the following mitigation tips:

  • Implement layered security measures, such as multi-factor authentication, email filters and domain monitoring services, which can help detect, limit and prevent potential attacks.
  • Use external tools, such as password managers and bookmarked sites, to help identify look-alike domains and automate that identification.
  • Regularly monitor new domain registrations that resemble your domain name; this helps you understand the landscape and prepare.
  • Secure similar domains by registering variants that reflect known threat actor techniques, so attackers cannot use those variations themselves. For example, if your URL is johndoetrucks.com, consider also registering j0hnd0etrucks.com and other variants.
  • Secure sites by implementing SSL/TLS certificates and serving them over HTTPS, which helps protect sites from unwanted activity such as hacking and penetration attempts.
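The confusable-character problem Kuzma describes (1 versus I versus l, Greek and Cyrillic letters standing in for Latin ones) and the lookalike-list approach he and Ohr recommend (collect variants of your key domains and block or register them) can both be turned into a mail-gateway check. The following is an added example written for this article, not code from the article, from dnstwist, or from any of the companies quoted. It takes a list of protected domains (here the article's johndoetrucks.com example) and classifies inbound sender domains as legitimate, lookalike (same spelling once confusable characters are collapsed), near-miss (one edit away) or unrelated. The confusables table is a small constructed subset for illustration; a production check would use the full Unicode TR39 confusables list. The sample sender domains are constructed.

```python
import unicodedata

# Visually confusable sequences mapped to a canonical ASCII form. Constructed,
# illustrative subset only; the real Unicode confusables table is far larger.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",                    # multi-letter look-alikes
    "0": "o", "1": "l", "i": "l", "5": "s", "3": "e",   # digit / letter swaps
    "\u0430": "a", "\u0435": "e", "\u043e": "o",        # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",        # Cyrillic r, s, u
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",        # Greek alpha, omicron, rho
}

PROTECTED = ["johndoetrucks.com"]  # the article's example domain


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so a Unicode spoof cannot hide behind ASCII."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain  # already contains non-ASCII letters


def to_ascii(domain: str) -> str:
    """Encode a Unicode domain the way it appears on the wire (punycode)."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Collapse confusable characters so look-alike spellings compare equal."""
    d = unicodedata.normalize("NFKC", to_unicode(domain).lower())
    # Longest sequences first so "rn" is handled before any single-character rule.
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(seq, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches dropped, added or substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_used(domain: str) -> set:
    """Unicode scripts among the letters; more than one script is itself a red flag."""
    return {unicodedata.name(ch).split()[0] for ch in to_unicode(domain) if ch.isalpha()}


def classify(sender_domain: str, protected=PROTECTED, max_distance: int = 1):
    """Return (verdict, matched_protected_domain) for one sender domain."""
    sender = to_unicode(sender_domain).lower()
    protected = [p.lower() for p in protected]
    if sender in protected:
        return "legitimate", sender
    s_skel = skeleton(sender)
    for p in protected:
        if s_skel == skeleton(p):
            return "lookalike", p
    for p in protected:
        if levenshtein(s_skel, skeleton(p)) <= max_distance:
            return "near-miss", p
    return "unrelated", None


# Constructed sender domains standing in for the From: domains of inbound mail.
CYRILLIC_O_SPOOF = "j\u043ehndoetrucks.com"   # second letter is Cyrillic о, not Latin o
SAMPLE_SENDERS = [
    "johndoetrucks.com",          # the real domain
    "j0hnd0etrucks.com",          # the digit substitution the article cites
    CYRILLIC_O_SPOOF,             # mixed-script homoglyph
    to_ascii(CYRILLIC_O_SPOOF),   # the same spoof as it arrives on the wire (xn--)
    "johndoetruck.com",           # dropped letter
    "freightbroker.example",      # unrelated
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, match = classify(sender)
        flag = " MIXED-SCRIPT" if len(scripts_used(sender)) > 1 else ""
        print(f"{sender:40} {verdict:10} {match or '-'}{flag}")
```

Run as a script it prints one verdict per sample sender. Two design points matter in practice: decode punycode before comparing, because a Cyrillic-letter spoof arrives in mail headers as an ASCII `xn--` label and would otherwise look nothing like the protected domain; and treat the skeleton as a comparison key only, never as something to display, since it deliberately merges legitimate letters (every i becomes l). The near-miss tier will also flag genuinely unrelated domains that happen to sit one edit from yours, so route those verdicts to a warning banner or review queue rather than an outright block.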

Pamella De Leon is a senior editor of Commercial Carrier Journal. An avid reader and travel enthusiast, she likes hiking, running, and is always on the lookout for a good cup of chai.