Highlights:

  • Check Point Software Technologies’ Zero-Phishing AI Engine now scaled and improved to identify and block access to potential brands spoofing attempts which impersonate local and global brands across multiple languages and countries.
  • New domains are inspected immediately upon registration for pre-emptive prevention, where potential brand spoofing attempts are blocked before they can even be used in an attack.
  • The Brand Spoofing Prevention’s new engines use Machine Learning, Natural Language Processing and Image Processing to detect Spoofing Attempts to local and international brands.
  • Over the course of the last 30 days, the engine safeguarded more than 6,000 organizations across 140 countries by effectively preventing such attacks. This was achieved through the utilization of Quantum, Harmony, and CloudGuard products.

Brand Spoofing

In our 2023 cyber security report, Check Point’s research teams reported that in 2022,
21% of initial entry vectors were due to Phishing incidents. Well-known brands, such as Microsoft, Google and LinkedIn, Wells Fargo, and Walmart, are frequently imitated by cybercriminals in their attempts to steal individuals’ personal information or payment credentials. As an example, LinkedIn users faced the risk of account theft through fraudulent emails disguised as reports, while Wells Fargo customers received emails requesting account information under false pretenses. Walmart customers were enticed with fake promises of gift cards in exchange for personal information. Similarly, customers of local banks, e-stores and travel organizations are also often targeted in phishing incidents involving loyalty points, important account-related messages, and fake transaction alerts.

How does the attack work?

In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and a web-page design that resembles the genuine site.
The link to the fake website is then sent to targeted individuals by email or text message. Users may be redirected during web browsing or via a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.
Attackers target these mimicked brands from reputable companies because they are confident that these companies have a solid reputation for trustworthiness. Cyber criminals also know that it is difficult for even large companies to stop such brand impersonations by themselves.

Understanding Local Brand Spoofing

While global Brands are common target for spoofing, a significant and growing number of attacks actually use local brands to create the most compelling social engineering mechanism.
In a Local Brand Spoofing attack, the attacker will target Local individuals with a Local Brand that the target will be familiar with.

For example individuals of a Western European country are often targeted using the Brand of the local Post Office service.
In the following example you can see a Brand impersonation attempt to the post office service, explaining to the user that they have a package waiting and need confirmation, tricking them into entering their credentials.

Use of local brands in attacks is extremely effective for attackers as it is highly convincing and often successfully tricks top level executives and even security professionals. Local Brands used are often banks, financial services, post offices and government websites.
It is therefore a key understanding defending attacks using Brand Spoofing needs to take into account the massive challenge of covering not only global brands, but local brands – on a global scale.

It’s important to note that the post office service were not the victim nor did the

JOIN OUR WEBINAR TO LEARN HOW AI CAN PREVENT BRAND SPOOFING

An example of local brand spoofing attack:

Recently the new engine blocked a zero-day Phishing attack trying to impersonate an Indian multinational bank and financial services company headquartered in Mumbai, India.

This attack was blocked in Harmony Browse for one of our customers (an Indian Bank headquartered in New Delhi)

This attack was uniquely detected and blocked by Check Point.
Since its launch, Check Point’s patented inline ‘Zero Phishing’ technology has prevented dozens of zero-day phishing campaigns.

Brand Spoofing Prevention – Pre-emptive and AI-Powered Identification and Blocking of Local and Global Brand Impersonation

To enhance online safety and security, Check Point introduced an industry first, inline security technology, called  ‘Zero Phishing’ in our Titan release, T81.20, leveraging patented technology based on dedicated AI engines.

Making Zero-Phishing Security available for all Check Point product lines – Quantum, Harmony, and CloudGuard.

Check Point is now expanding its Zero-Phishing offering, introducing an innovative new  AI-Powered engine to prevent local and global brand impersonation employed in phishing attacks across any attack vector — from networks, emails, files mobile devices, SMS, and endpoints to SaaS — with a 40% higher catch rate than traditional technologies.

The newly developed engine blocks links and browsing associated with both local and global brands that have been impersonated and exploited as bait to deceive victims in phishing attacks, spanning multiple languages and countries. Capabilities to block spoofed global brands such as Microsoft, LinkedIn impersonation have been in existence for some time, but this newly developed engine will have the capability to block fake websites impersonating even local and regional brands. For example, it can detect and block A Spanish Post Office attack or a spoofed site disguised as a local bank in the Netherlands.

An additional capability of the new engine is what we call Pre-Emptive Prevention, where it scans domains immediately upon registration to detect spoofed domains.

The spoofed domains are then stored in Check Point’s ThreatCloudAI, enabling pre-emptive protection to customers across all Check Point products, with collaborative intelligence across all surfaces, blocking access to links in emails, files, messaging etc or while browsing the web.

The new engine uses advanced AI, Natural Language Processing (NLP) algorithms and image processing, to detect similarities to well-known brands. These algorithms compare the structure of the inspected content against a database of known brands to determine if there is an indication of brand spoofing.

Over the course of the last 30 days, the engine safeguarded more than 6,000 organizations across 140 countries by effectively preventing potential attacks. This was achieved through the utilization of our advanced Quantum, Harmony, and CloudGuard products.

 How does it work?

  • Uses URL string or web page content as an input
  • Extracts features and compare it with many anchors of the original web page, such as domain, favicon, copyright, title, text similarity and more, to identify the impersonation
  • Uses machine learning and heuristic engines to classify the phishing attack
  • Pre-emptive Prevention – newly registered domains are immediately inspected for Band Spoofing attempts, being detected and blocked before the attackers campaign can even begin

There are 3 key phases to the classification

In the first step, features are extracted from the URL or page content that will later on be used for analysis.

In the second step using the extracted features and using NLP, AI and heuristics the brand context is derived

In the final step the brand context along with its anchors and all of the extracted features are again run through a classification layer using heuristics and AI for a final classification of if the content is genuine or spoofed.

Keep your users safe – How to Identify URL Phishing

URL phishing attacks use trickery to convince the target that they are legitimate. Some of the ways to detect a URL phishing attack is to:

  • Ignore Display Names: Phishing emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email address to verify that it comes from a trusted source.
  • Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. For example, company.com may be replaced with cormpany.com or an email may be from company-service.com. Look for these misspellings, they are good indicators.
  • Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, do not click on a link at all; visit the company’s site directly and navigate to the indicated page.

Check Point’s Zero-Phishing engine, running as part of ThreatCloud AI, revolutionizes threat prevention, providing industry leading security as part of Check Point’s Quantum, Harmony and CloudGuard product lines.

JOIN OUR WEBINAR TO LEARN HOW AI CAN PREVENT BRAND SPOOFING

 

 

 

You may also like