
The growing threat to fleet security from lookalike domain attacks

As cargo theft becomes more common in the freight industry, strategic theft also occurs.

Keith Lewis, vice president of operations at CargoNet, commented on the rise in cargo theft: “(A big increase) is fraud using deceptive means to steal a load – whether it’s stealing another person’s identity to register on a load exchange, setting up a trucking company and registering on a load exchange, purchasing another trucking company’s operating license, name, email address and domain, and finally fraudulently stealing the load.”

As methods like these become more common, this is a warning to stay alert to phishing attacks that use imitation domains. Cybercriminals can create domains that closely resemble those of legitimate mobile phone companies. These fake domains are used to send phishing emails to trick employees and customers into revealing sensitive information such as login credentials, financial data, or personal details.

“Replicating the landing page is a simple process where the threat actor designs or obtains the format of the landing page,” said Joe Ohr, COO of the National Motor Freight Traffic Association (NMFTA). “As evidenced by communications identified on the dark web and cyber forums, threat actors outsource this process and customize the page to suit the target actors.”

A 2023 report by Arctic Wolf found that nearly half of all cyberattacks in 2023 resulted from attackers stealing their target’s credentials and reusing them to gain access to their intended organization.

There are many reasons for this. Mark Manglicmot, senior vice president of security services at cybersecurity firm Arctic Wolf, said that lookalike domain attacks, like all social engineering and credential compromise scams, are on the rise.

“Companies have more digital tools in their environment than ever before, creating large attack surfaces that are difficult for security teams to adequately defend,” he said.

Bobby Kuzma, head of offensive cyber operations at cybersecurity firm ProCircular, also pointed out that the number of attacks is increasing because there are few defenses in place. “The bad guys have a huge economic incentive to gain access to companies, especially those that are part of critical infrastructure.”

Manglicmot noted that with the advent of artificial intelligence, these same threat actors can now also create realistic-looking websites, text messages, emails and even multimedia content, making their online activity look legitimate rather than fraudulent.

The transportation industry relies on thousands of vendors whose security is fragmented but who have access to each other. These interconnected systems, Manglicmot pointed out, are often tempting to threat actors because they provide multiple entry points.

Cybercriminals use a wide range of tools and tactics. A common example that Manglicmot cited is using a fake domain that prompts the user to enter their username and password. This gives the attacker everything they need to log into the company’s systems and, depending on security protocols, access to all data.

Kuzma noted that attackers could use a similar domain against a company or its customers to gain access to user accounts as part of a phishing campaign or to redirect payments. “They exploit the fact that people have trouble distinguishing between very similar characters like 1 and I (uppercase I) and l (lowercase L),” he said. “Late last year, security researchers discovered a state-sponsored attack that used a similar domain with Greek and Cyrillic letters to spoof Microsoft.”


Protecting fleets from threats from similar domains

A proactive approach is essential to protecting an organization. Manglicmot recommends having a solid crisis response plan and a 24/7 detection and response system. “Understand your systems inside and out, know what tools you have and how those tools work together,” he said.

Kuzma said companies can also make sure they add clear notices to their emails indicating that they are external emails. “For the best protection, you can use software like DNSTwist or subscribe to a cyber threat intelligence service like Flare to create a list of lookalikes for key domains and then either purchase them yourself or preemptively block them.”

When it comes to tactics like stealing credentials from lookalike domains, Manglicmot says the best line of defense is trained employees.

“Make sure you have tools that enable your teams to make cybersecurity-aware decisions,” Manglicmot said. “Implement multi-factor authentication (MFA), launch training programs with phishing tests that can demonstrate the sophistication of spoofed domains and other tactics.”

“By arming ourselves with an organization full of people who recognize the nuances that threat actors can present, we have a much better chance of mitigating the risk posed by cybercriminals and their attacks,” he said.

Ohr provides the following tips to reduce risk:

  • Implement various security measures such as multi-factor authentication, email filtering and domain monitoring services that can help detect, limit and prevent potential attacks.
  • Use external tools such as password managers and bookmarking sites to help identify similar domains and automate the identification process.
  • Regularly monitor new domain registrations that are similar to your domain name to help prepare for and understand the landscape.
  • Secure similar domains by registering domains with common changes based on known threat actor techniques to prevent threat actors from using different domain variations. For example, if your URL is johndoetrucks.com, you should also register j0hnd0etrucks.com and other variations.
  • Secure sites by implementing SSL/TLS certificates and additionally using HTTPS. This helps protect sites from potentially unwanted activities such as hacker attacks and penetration attempts.
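
A minimal sketch of the lookalike check behind the advice above (the 1/I/l and Greek/Cyrillic confusion Kuzma describes, and monitoring for variations such as j0hnd0etrucks.com). It is an added example, not code from the article, DNSTwist or any vendor named here. The confusables table is constructed and intentionally small, and the function names (`to_unicode`, `skeleton`, `scripts`, `edit_distance`, `classify`) are hypothetical.

```python
import unicodedata

# Constructed, deliberately small confusables table; real tooling needs the full Unicode data.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l",  # 1, I and l all fold to "l" after lowercasing
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0456": "l", "\u03b1": "a", "\u03bf": "o", "\u03b9": "l",  # Cyrillic с і, Greek α ο ι
}

def to_unicode(domain):
    """Decode punycode (xn--) labels, as they appear in DNS and mail logs."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as given

def skeleton(label):
    """Fold a label so that visually confusable strings compare equal."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def scripts(label):
    """Scripts in use, taken from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def edit_distance(a, b):  # Levenshtein distance, to catch one-character typo domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, protected):
    """Compare name.tld domains under one TLD; subdomains and TLD swaps are out of scope."""
    cand, prot = to_unicode(candidate).lower().rstrip("."), protected.lower().rstrip(".")
    if cand == prot:
        return "exact"
    (c_name, _, c_tld), (p_name, _, p_tld) = cand.rpartition("."), prot.rpartition(".")
    if c_tld == p_tld and skeleton(c_name) == skeleton(p_name):
        return "mixed-script" if len(scripts(c_name)) > 1 else "homoglyph"
    if c_tld == p_tld and edit_distance(skeleton(c_name), skeleton(p_name)) <= 1:
        return "typo"
    return "unrelated"

# Constructed sample domains, checked against the page's example domain.
SAMPLES = ("j0hnd0etrucks.com", "johnd\u043eetrucks.com", "johndoetruck.com")
REPORT = {d: classify(d, "johndoetrucks.com") for d in SAMPLES}
```

Any result other than "exact" or "unrelated" for a sender or newly registered domain is a candidate for blocking or defensive registration.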