Protecting your business against impersonation attacks

Companies grow through mergers and acquisitions. Marketing teams promote new products. New products spawn new web domains. As brand names, URLs, and cloud IT infrastructure proliferate, so does enterprises’ vulnerability to online attacks.

At the same time, security professionals working with limited resources find it increasingly challenging to maintain oversight of their online assets. Given the sheer number of assets to track, conventional configuration management databases no longer do the job. And cybercriminals become increasingly sophisticated as they work to take advantage of the online sprawl for phishing campaigns, business email compromise, and malware attacks.

Fortunately, there is a way for IT professionals to regain the upper hand. It begins with modern external attack surface management (EASM) tools.

Brand impersonation in action

Cybercriminals specializing in brand impersonation behave like burglars prowling the streets looking for unwatched entry points in buildings, such as unguarded side doors and unlocked windows. Examples in the cyber realm include websites and interfaces that remain online longer than businesses need them, such as past marketing campaigns and old versions of applications.

In a typical attack, a threat actor finds an open window, i.e., a forgotten but still active site, and copies it. The attacker attaches the clone to a new domain that looks similar to a legitimate one, for example, with transposed characters or a dash in the new name.

Next, the attacker emails or texts links as part of a phishing campaign to entice employees to log into the fake site using their actual credentials. The cloned site captures the credentials, effectively handing the keys to a company’s real online assets to the cybercriminal.

Armed with the stolen credentials, the attacker can then take over employee accounts to use them in business email compromise attacks, infect company networks with malware, and create other mischief.

Stopping brand impersonation attacks depends on maintaining inventories of online assets and their potential vulnerabilities. However, updating such knowledge is easier said than done for large and growing organizations. Imagine a house whose owners continuously add new floors and windows while leaving behind old ones as potential entry points.

Security vulnerabilities across industries

To get a sense of the scope of the problem, we took representative snapshots of companies in three industries in 2021: telecommunications, pharmaceutical, and healthcare.

We examined more than 45,000 online assets in the telecommunications industry and found an average of eight potential security issues for every 100 assets. By their very nature, telecommunications companies do tend to have more layers of IT infrastructure than, say, hospitals, so we expected to see more assets in this industry.

Yet, even though we saw fewer assets in the pharmaceutical and healthcare industries, we found a much higher ratio of critical observations for the same number of assets.

For a total of 3,678 assets in the pharmaceutical industry, we found 50 potential issues per 100 assets. In healthcare, we saw even fewer assets (689) but more than twice the number of critical observations (114) per 100 assets as in the pharmaceutical industry.

Although it is clearly worse in some industries than others, the problem of neglected online assets ripe for exploitation by bad actors is nevertheless prevalent across industries and only growing worse.

And because keeping track of potential vulnerabilities on thousands of online assets has become impractical for most IT departments, organizations have turned to EASM tools to address critical vulnerabilities.

Managing brand impersonation threats with EASM

EASM tools streamline the asset inventory and investigation process by continuously monitoring an organization’s web assets, scanning for potential problems, and flagging them for attention before threat actors can exploit them. For example, they help security teams identify disused assets they can safely take offline and out of harm’s way.

Sweepatic, acquired by Outpost24 in 2023, is an EASM solution enabling online asset and brand monitoring to reduce threats. In addition to inventorying online assets and identifying problems such as expired security certificates and stranded domains and websites, Sweepatic can flag potential cybersquatting attempts, in which threat actors register sound-alike domains.

To identify cybersquatting, Sweepatic users can create lists of keywords related to company names, product names, or any other information to monitor for unauthorized domain registration.
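An added example, not from the original article and not Sweepatic's implementation: a minimal keyword-based check over a feed of newly registered domains, covering the dash and transposed-character lookalikes described earlier. The keywords, owned-domain set and feed are constructed sample data under the reserved `.example` TLD, and all function names are hypothetical.

```python
"""Flag lookalike domains in a registration feed against a brand keyword list."""

def registrable_label(domain: str) -> str:
    # Assumption: feed entries are already registrable domains ("label.tld"),
    # so the first label is the part the registrant chose.
    return domain.lower().rstrip(".").split(".")[0]

def is_adjacent_transposition(a: str, b: str) -> bool:
    """True when b equals a with exactly one pair of neighbouring characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])

def classify(domain: str, keywords: list, owned: set):
    """Return (keyword, reason) for a suspicious domain, or None."""
    if domain.lower() in owned:
        return None  # the organization's own registration
    label = registrable_label(domain)
    squeezed = label.replace("-", "")  # compare with dashes stripped
    for kw in keywords:
        if "-" in label and squeezed == kw:
            return kw, "dash inserted"
        if is_adjacent_transposition(kw, squeezed):
            return kw, "transposed characters"
        if kw in squeezed:
            return kw, "keyword in new registration"
    return None

def review_feed(feed: list, keywords: list, owned: set) -> dict:
    """Map each flagged domain to the keyword it resembles and the reason."""
    hits = {}
    for domain in feed:
        result = classify(domain, keywords, owned)
        if result:
            hits[domain] = result
    return hits

# Constructed sample data (not real brands or registrations).
KEYWORDS = ["examplebank", "examplepay"]
OWNED = {"examplebank.example", "examplepay.example"}
FEED = ["examplebank.example", "example-bank.example", "exmaplebank.example",
        "examplebank-login.example", "weather-report.example"]

if __name__ == "__main__":
    for domain, (kw, reason) in review_feed(FEED, KEYWORDS, OWNED).items():
        print(f"{domain}: resembles '{kw}' ({reason})")
```

Flagged domains are candidates for analyst review, not confirmed abuse; a production check would also need a public-suffix-aware parser for multi-label TLDs.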

Sweepatic does not actively penetrate or send crafted packets to networks and systems. Instead, the tool works passively, gathering meaningful insights without risking being blocked and impacting results. As part of its inventorying process, Sweepatic looks at DNS records, Whois information, user-generated keywords, and other details to assemble a picture of an organization’s attack surface.

And Sweepatic now includes powerful threat intelligence capabilities thanks to integration with Threat Compass from Outpost24. With threat intelligence, Sweepatic provides insights related to leaked and stolen credentials to mitigate the risk of user impersonation and unauthorized access.

Sweepatic also offers a wide range of integrations, including Jira and ServiceNow, to optimize the remediation process. All of this frees IT professionals to focus on higher-level tasks while keeping the organization’s reputation and online assets safe.

About the Author

Stijn Vande Casteele, Founder of Sweepatic, Outpost24

With over 20 years of experience, Stijn is a seasoned entrepreneur and cyber security leader. He has worked with startups and enterprise organizations in both the private and public sectors, leveraging his industry knowledge and technical expertise to benefit all levels of the organization. Stijn holds the NATO/EU SECRET security clearance and is fluent in Dutch, French, and English.