Organized crime groups such as the Italian-American mafia and the Japanese Yakuza are known for their sophistication. Their ability to pivot operations is on par with many legitimate corporations.
In recent years, cybercrime groups have taken a page from organized crime. They are shifting focus, meticulously choosing targets, and transforming their business model. Hackers are offering Malware-as-a-Service to carry out exploits, malicious code, and targeted attacks. They accept payment for these single-purchase or subscription-based services anonymously through digital blockchain and cryptocurrencies such as Monero.
These services are often offered on marketplaces hosted on the Dark Web.
The Identity Theft Niche
For years, identity theft has been a profitable niche for malicious hackers, which explains the rise in major data breaches. The focus has primarily been on harvesting records of individuals, but recently more cybercrime groups have begun targeting business identity theft. It requires more sophistication but holds greater profit potential.
Let’s backtrack slightly. Traditional identity theft involves stealing personal information to impersonate individuals. The most common criminal goals for this include making purchases, intercepting tax refunds, and accessing online bank accounts.
While conducting data breaches related to personal information, hackers figured out that business data could be an even more powerful heist.
Business Identity Theft – By the Numbers
What is business identity theft? In business identity theft, cyber crime groups steal data related to corporate operations.
There are various permutations of these information breaches. For example, there’s traditional corporate espionage, where hackers steal client lists and trade secrets to gain a competitive edge. A more alarming trend is the actual impersonation of the targeted business.
According to an analysis by Dun & Bradstreet, known instances of business identity theft have climbed by more than 45% since 2017. The National Cybersecurity Society concurs with this analysis. Meanwhile, the FBI has acknowledged that at least one incident has resulted in a loss of a billion dollars.
Secretary of State offices in some jurisdictions have already sounded the alarm. Such is the case in Colorado, where business organizations are urged to use the state’s secure filing option. The goal is to minimize the possibility of malicious third-party interventions.
A Company can be a Target
As previously mentioned, business identity theft can take many forms, and it may not necessarily involve a data breach. Transparency statutes in many states require publicly available databases to display corporate registration data.
Many of these databases have reduced the information displayed because it often included details used for personal identity theft. Private jurisdictions such as Delaware and Nevada have taken strides towards offering greater corporate security.
Aside from cyber crime groups actively targeting companies, business owners can also become victims of insider attacks. These types of attacks are more difficult to detect and prevent. One example in this regard would be a stolen Employer Tax Identification Number issued by the IRS.
Let’s say an insider who works in the accounting department of a restaurant franchise turns this number over to a cybercrime group for a nice little cash bonus. This could, in turn, be used to falsify a series of Form W-2 filings. The documents, which report paid wages, could then be used to file for fraudulent tax refunds.
Even more sophisticated business identity attacks can start with phishing, spear-phishing or man-in-the-middle attacks. Luckily, these can be effectively prevented with DNSSEC protection. 101domain offers DNSSEC to prevent outside parties from redirecting traffic to counterfeit DNS without verification at the Registry level. Secure DNS starts with a good firewall and anti-malware software.
Typosquatting and Homograph Attacks
A more devious approach to business identity theft involves domain name management. Typosquatting, also referred to as online brandjacking, consists of hackers registering domain names that are similar to those used by popular business entities. This tactic diverts internet users who enter accidental misspellings of the web address in their browser bar.
A famous typosquatting case was illustrated by HBO talk show host John Oliver in 2016. His production team registered the following domains to squat and troll the three major American consumer credit bureaus:
- www.tramsonion.com for TransUnion
- www.experianne.com for Experian
- www.equifacks.com for Equifax
As of May 2019, the alternate websites were still live (though very NSFW, so visit at your own risk). They are hilarious. It's less funny, though, when you consider that it could just as easily have been someone other than John Oliver’s producers. Every business should be aware of the threat posed by the registration of lookalike domain names in this new form of cybersquatting.
As for internationalized domain name (IDN) homograph attacks, they consist of domain spoofing by means of Unicode trickery. One of the most common tricks is replacing the lowercase “a” character used in Latin alphabets with a Cyrillic version. Homograph attacks and typosquatting can be effectively prevented with brand monitoring services such as Global Domain Watch.
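The following added example (not code from this article or from any service it names) shows the kind of check a brand-monitoring process can run over newly observed domain names: it flags typosquats by edit distance and homographs by mapping Cyrillic lookalikes back to Latin. The brand list comes from the John Oliver example above; the confusables table, the edit threshold and all function names are assumptions made for this illustration.

```python
import unicodedata

BRANDS = ["transunion", "experian", "equifax"]   # brands named in the article
# Constructed, deliberately small confusables table (Cyrillic -> Latin lookalike).
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y"}
MAX_EDITS = 3   # assumed threshold; tune it per brand length

def first_label(domain):
    """Lower-case the name, drop a leading 'www', decode a punycode (xn--) label.
    Simplification: takes the left-most label, no public-suffix handling."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[0] == "www" and len(labels) > 2:
        labels = labels[1:]
    label = labels[0]
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts present in the label, read from each letter's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (verdict, brand): exact, homograph, typosquat, mixed-script or clean."""
    label = first_label(domain)
    skeleton = "".join(CONFUSABLE.get(ch, ch) for ch in label)
    if label in BRANDS:
        return ("exact", label)
    if skeleton in BRANDS:              # identical once lookalikes are folded
        return ("homograph", skeleton)
    brand = min(BRANDS, key=lambda b: levenshtein(skeleton, b))
    if levenshtein(skeleton, brand) <= MAX_EDITS:
        return ("typosquat", brand)
    if len(scripts(label)) > 1:         # no brand hit, but still suspicious
        return ("mixed-script", None)
    return ("clean", None)
```

A production check would use the full Unicode confusables data and the Public Suffix List instead of the small table and left-most-label shortcut used here.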
Rogue Mobile Apps
Brand name recognition is a major driver in terms of enticing consumers and clients to install apps on their mobile devices. Rogue developers have been known to usurp brand names, logos, and other corporate marks for malicious purposes.
One of the scariest incidents involving rogue mobile apps was reported in April 2019 by Android Police. The incident involved a fake Google Wallet. The rogue publisher of this app took advantage of Google merging Android Pay and Google Wallet services into a single solution called Google Pay.
Even with all the press releases and notifications of this merger, many smartphone users continued to search for the old Google Wallet. This resulted in the installation of a malicious app coded to collect Google Payments information. Rogue mobile apps can be detected through services like 101domain’s Mobile App Watch. This service covers all major app marketplaces including the Amazon App Store, iTunes, Google Play, and the Windows App Store.
A Suspicious Mindset is a Good Thing
It’s unfortunate that legitimate online businesses and individuals have to be highly suspicious of everything in today’s internet evolution. Activities that used to be innocent can no longer be trusted. Did you get an email from your bank asking you to click a link to verify your account? Don’t you dare do it!
It’s probably a fake site that resembles your bank. Interacting with it would invite a hacker into your system to do his or her worst. Domain-based Message Authentication, Reporting and Conformance (DMARC) services help you understand where email is being sent on your company’s behalf. This allows you to actively block phishing attacks and protect your staff and customers from falling victim to spoof emails.
Investing in appropriate defensive technology is an excellent baseline strategy. Every business should utilize a virtual private network (VPN), solid firewall, and regularly updated anti-virus software. However, your number one tactic in the fight against identity theft is your brain and good old human intuition (paranoia). Do you always feel as though someone is looking to get one over on you? Good, because they probably are.
Despite popular belief, a VPN alone isn’t enough. VPN technology encrypts your data so that hackers can’t decipher it, which is wonderful and highly recommended. But even the best VPNs on the market won’t protect you against viruses and malware. They’re simply not built to do that.
For impenetrable protection against identity theft tactics you need the aforementioned firewall and anti-virus software. In addition, everyone in your organization should have a defensive mindset. Schedule company-wide training designed to teach employees how to recognize identity theft attempts.
The Real Problem Caused by Identity Theft
Internet users who fall for the malicious tactics of business identity theft can’t be blamed for feeling let down. Major brands are expected to have the resources to monitor homograph attacks, theft of digital branding materials, and rogue mobile apps.
The impersonated companies will have to pay deeply as the result of a successful business identity theft. Damage to their brand reputation and loss of consumer confidence may be the worst of the fallout.
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.