Advanced Detection Techniques For Brand Forgery


What is Brand Forgery?

In the past, the “Nigerian prince” scheme was effective, where an attacker claimed to be a Nigerian prince willing to cut someone into a large sum of money if they paid a few processing fees to transfer it to a bank in their country.  Now, people are more educated about phishing schemes and less likely to fall for implausible phishing emails.

Today, a common tactic of phishers is to pose as a legitimate email from a respected company.  For example, they might claim that there was a suspicious transaction on your credit card and that you should log into your account with the provided link to confirm or deny its validity.  The link will lead to an attacker-controlled website designed to look like the bank’s official site and will collect your username and password, granting the attacker access to your bank account.

These “brand forgery” emails take advantage of the trust placed in certain organizations.  Using publicly available logos, stylistic details, and trademarked phrases from the organization, the faked emails are designed to be extremely convincing to their recipient.

Seeing emails “Like a Human Would”

Brand forgery emails work because they look legitimate to their targets.  Today, marketing is developed to the point where you automatically associate symbols, words, or phrases with a certain company.  Brand forgery emails take advantage of these associations by deliberately including these logos to subconsciously convince you of the validity of the email.

The issue with detecting brand forgery emails using computers is that computers don’t “see” like humans do.  Text that looks nearly identical to humans is stored as completely different values within a computer.  In order to train a computer to effectively detect and protect against brand forgery attacks, it’s necessary to teach it to see the emails “like a human would”.

Recognizing Brand Logos

Humans are visually oriented, and advertisers take advantage of this to sell things.  Almost every company has a logo that lets customers quickly and easily identify its products.  Since people prefer the known to the unknown and avoid difficult decision making, a well-publicized logo can dramatically help a company’s sales by creating a feeling of familiarity and trust towards anything that carries that company’s logo.

Attackers take advantage of people’s knowledge of company logos to perform brand forgery attacks.  The strong association that companies create between their logo or trademarked phrases and their brand makes people subconsciously believe that anything containing that logo or phrasing is legitimately from that company.  A carefully crafted phishing email can fool even the most well-trained recipient.

Computer Vision is the field of training computers to “see” like humans do.  One powerful application of this is training computers to recognize brand logos within phishing emails.  Using machine learning, computers can be trained to “see” the images and text within phishing emails that subconsciously convince their recipients that they come from a certain company.  Identification of the supposed brand of an email is the first step in identifying brand forgery attacks.

Approximate Domain Name Matching

An awareness of phishing attacks has trained many people to be skeptical of unexpected emails.  Most anti-phishing training teaches people to check an email’s From address to detect phishing emails.

One issue with this is that people are frequently in a hurry when reading emails.  If you have many unread emails in your Inbox, you don’t have the time to minutely inspect each one.  Attackers take advantage of this by sending emails from addresses that look similar to authentic addresses (by dropping or adding a letter or taking advantage of similar-looking letter combinations like rn and m) or look plausible (like sales_yourbank.com).  To a reader in a hurry, misspellings in addresses may be overlooked and plausible addresses accepted as legitimate.

Approximate domain name matching is used to identify the supposed brand of a phishing email.  Since approximate domains are designed to look like the domain of a trusted brand and popular brands are often used to increase the number of potential targets for a phishing email, maintaining a database of big, trusted companies will cover most of the companies that will be spoofed using brand forgery attacks.  Using fuzzy matching between this database and the domain used by an email, a computer can identify the organization that an email claims to be from.

Identifying Brand Forgery

Just because an email supposedly comes from a certain company doesn’t mean that it is a brand forgery attack.  These companies have legitimate reasons to send emails and they don’t want all of their emails blocked or marked as suspicious by email protection programs.  Once an email is matched to its supposed sender, the next step is to determine whether or not they actually sent it.

Machine-Generated URL Recognition

One of the primary protections against phishing attacks is blocking identified malicious domains.  This means that attacks with a set target domain quickly become stale as their requests are blocked.

To get around this, attackers use automated URL generation, where the malware uses a predefined method of generating pseudorandom domains to call out to.  Since the attacker knows the algorithm, they can register the target domains ahead of time and respond to the malware.

Automated detection of machine-generated URLs is a powerful tool for email protection software.  Most legitimate emails don’t use them so emails that do can be safely classified as suspicious.  Even if a brand forgery email otherwise looks completely convincing, identification of a machine-generated URL in a link is reason to warn the recipient to be suspicious.
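One simple way a filter can spot the "random-looking" shape of a machine-generated domain is to score the registrable label of each link by character entropy, vowel ratio and digit ratio. This is an added illustration, not code from the article or from Inky; the sample links and the thresholds are constructed for this example, and a production detector would be trained on a real corpus rather than hand-tuned.

```python
import math
import re
from collections import Counter

# Constructed sample links (not from the original article): two that read like
# real brand hosts and two with the random look of a generated domain.
SAMPLE_LINKS = [
    "https://login.yourbank.com/verify",
    "https://xk7q2mz9vbd4tq.net/verify",
    "https://accounts.yourbank-online.com/login",
    "https://a9f3k2lq8z0x1m.xyz/login",
]
# Thresholds picked for this illustration; tune them against your own mail corpus.
ENTROPY_THRESHOLD = 3.4
VOWEL_RATIO_THRESHOLD = 0.2
DIGIT_RATIO_THRESHOLD = 0.25

def registrable_label(url):
    """Second-level label of the URL's host, e.g. 'yourbank' (simplified: ignores co.uk-style suffixes)."""
    host = re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(len(s))."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_machine_generated(url):
    """True when the label is long, high-entropy and either vowel-poor or digit-heavy."""
    label = registrable_label(url)
    if len(label) < 8:  # too little signal in short labels; do not flag
        return False
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return (shannon_entropy(label) > ENTROPY_THRESHOLD
            and (vowel_ratio < VOWEL_RATIO_THRESHOLD or digit_ratio > DIGIT_RATIO_THRESHOLD))

def suspicious_links(links):
    """Links an email filter would attach a warning to."""
    return [u for u in links if looks_machine_generated(u)]
```

Note that a long natural-language label such as `yourbank-online` also has high entropy; requiring the vowel or digit test as well is what keeps it from being flagged.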

Matching Brands to Official Domains

Every brand has a set of domains that they use for their websites, emails, etc.  By maintaining a database matching these domains to their associated brands, it is straightforward to determine the validity of an email based on its claimed brand.

As discussed previously, Computer Vision and approximate domain name matching can be used to identify the supposed brand of an email by looking at the email “like a human would”.  Maintaining a database of the official domains for each brand makes it easy to check whether the sending address of an email matches one of an organization’s official domains.  If not, the email is most likely a brand forgery attack and can be blocked or marked with a warning before delivery to the intended recipient.
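The two steps described in the "Approximate Domain Name Matching" and "Matching Brands to Official Domains" sections, put together as an added example (not code from the article or from Inky): the sender's domain is folded over a small table of look-alike letter combinations, fuzzy-matched against a brand list with an edit distance, and the claimed brand's exact official domains are then checked. The brand database, the confusable table and the simplified public-suffix rule are all constructed assumptions for this illustration.

```python
import re

# Constructed brand database (not from the original article): each brand and
# the domains it legitimately sends mail from.
OFFICIAL_DOMAINS = {
    "yourbank": {"yourbank.com", "mail.yourbank.com", "yourbank.co.uk"},
    "examplepay": {"examplepay.com", "notify.examplepay.com"},
}
# Visually confusable sequences, folded to their look-alike before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

def normalize(label):
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance: a dropped, added or swapped letter costs 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_label(domain):
    """Label left of the suffix; simplified handling of 'co.uk'-style suffixes."""
    parts = domain.split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        parts = parts[:-2]
    else:
        parts = parts[:-1]
    return parts[-1] if parts else domain

def claimed_brand(domain, max_distance=2):
    """Brand the sending domain most resembles after fuzzy matching, or None."""
    best = None
    for token in re.split(r"[-_]", brand_label(domain)):  # e.g. sales_yourbank
        token = normalize(token)
        for brand in OFFICIAL_DOMAINS:
            d = levenshtein(token, normalize(brand))
            if d <= max_distance and (best is None or d < best[1]):
                best = (brand, d)
    return best[0] if best else None

def classify_sender(address):
    """'official' only if the exact domain is on the claimed brand's list."""
    domain = address.rsplit("@", 1)[-1].lower()
    brand = claimed_brand(domain)
    if brand is None:
        return "unknown-brand"
    return "official" if domain in OFFICIAL_DOMAINS[brand] else "brand-forgery"
```

An address whose domain resembles no known brand is reported as `unknown-brand` rather than forged, since this check can only judge mail that claims a brand in the database.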

Protecting Against Brand Forgery

Brand forgery emails are designed to take advantage of people’s unconscious trust in certain companies and organizations.  By creating an email that looks like it came from a trusted company, attackers can get past people’s natural defenses against phishing emails and increase the probability that they will click on a malicious link or open an attachment containing malware.

Protecting against brand forgery attacks requires seeing emails “like a human would”.  The use of Computer Vision and approximate domain matching helps a computer figure out who the alleged sender of a brand forgery email is.  This makes it possible to do a simple check against the official domains associated with the company to determine the validity of the email.  To protect against brand forgery attacks, choose email protection software that provides these advanced brand forgery detection features.

About Andrew B. Goldberg
Andrew B. Goldberg, Ph.D. is Chief Scientist at Inky Phishing Protection, where he leads development of Inky, an enterprise communications security platform working to protect corporate email from new breeds of sophisticated phishing attacks. Besides full-stack development, his background includes machine learning, big data, and natural language processing applied to text and communications data.