Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Cozy Bear Goes Typosquatting

    RogueURLs-Webinar-LibraryResearchers at Recorded Future’s Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages.

    “From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure,” the researchers write. “In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators. A key factor we have observed from NOBELIUM operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses). Domain registrations and typosquats can enable spear phishing campaigns or redirects that pose a threat to victim networks and brands.”

    Recorded Future notes that the threat actor is effectively imitating the targeted companies.

    “Analysis of recent and historical domains attributed to NOBELIUM broadly demonstrates the group’s familiarity with, and tendency to emulate, a variety of media, news and technology providers,” the researchers write. “The group has abused dynamic DNS resolution to construct and resolve to randomly generated subdomains for its C2s or root domains to mislead victims. The key aspect to these attacks is the use of either email addresses or URLs that look similar to the domain of a legitimate organization. Potentially harmful domain registrations and typosquats can enable spear phishing campaigns or redirects that pose an elevated risk to a company’s brand or employees.”

    The researchers add that spear phishing is a common technique used by both criminal and nation-state threat actors.

    “A successful spear phish is dependent on factors such as the quality of the message, the credibility of the sender address, and, in the case of a redirecting URL, the credibility of the domain name,” the researchers write. “Insikt Group has previously observed other Russian nexus groups using typosquatting in support of operations, such as those aimed at the 2020 presidential elections, to increase confidence in the validity of the fraudulent login portal used to harvest victim credentials. This tactic has also been reported recently in open sources in connection with intrusions targeting entities in Ukraine, likely in support of Russia’s invasion of the country.”

    New-school security awareness training can enable your employees to thwart targeted social engineering attacks.

     

    Return To KnowBe4 Security Blog

    Discover dangerous look-alike domains that could be used against you! 

    Since look-alike domains are a dangerous vector for phishing attacks, it's top priority that you monitor for potentially harmful domains that can spoof your domain.

    Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now.

    DomainDoppelgangerResults-1Here's how it's done:

    • Get detailed results of look-alike domains found similar to your primary email domain
    • You can now quiz your users with your look-alike results
    • Get a summary PDF that contains an overview of the look-alike domains and associated risk levels discovered during the analysis
    • It only takes a few minutes to discover your “evil domain twins”!

    Find Your Look-Alike Domains!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/domain-doppelganger

    Topics: Phishing, Spear Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews