A Step-by-Step Guide to Brand Hijacking Attacks and How to Prevent Them

yayabobi - May 1 '23 - - Dev Community

Brand abuse, brand hijacking, brand theft, or brand impersonation. No matter what you call it, the tactics fraudsters take to misuse your customers' trust in your brand are getting worryingly sophisticated. 

In recent years, brand hijacking attacks cost consumers and businesses billions of dollars in reported losses. Along with the monetary costs of discovery, mitigation, compensation, and public disclosure comes an untold cost that is harder to calculate: damage to your brand's reputation. It is nearly impossible to estimate and calculate the impact of a successful brandjacking attack on the perceived value of your digital brand and the trust of your clients, partners, and investors.

You may think that brand hijacking attacks start and end with various forms of phishing, using poorly-designed email templates with pixelated brand logos and bad spelling to try and lure innocent victims. Today, brand hijacking attacks are far more complex and sophisticated, with tutorials and ready-made kits available to cyber criminals on the Dark Web.

Before discussing the types of web-based brand hijacking attacks, let's break down what is considered a brand hijacking attack and whose role is to prevent and mitigate it.

What is brand hijacking & whose problem is it, anyway?

Brand hijacking, often referred to as brand impersonation, is a tactic employed by cybercriminals to harvest user credentials and propagate malware by masquerading as a familiar and trusted party. The goal of brand jacking is to mislead users and defraud them or launch a more sophisticated attack against an organization's infrastructure.

The majority of brand hijacking attacks entail leading the victim to click through to a fraudulent website, masquerading as that of the brand hijacked. The cause for this is the prevalence and sophistication of email and network firewalls that block malicious email attachments or downloads. It's simply easier to trick someone into clicking through to a website they believe belongs to a brand they trust and then getting them to submit sensitive information or download a file that may contain malware.

So whose problem is brand hijacking? It's everyone's problem. For consumers, it means diminished digital trust, while for businesses, the impact and responsibility are divided between departments. Digital marketing and customer service feel the impact through customer complaints, fraud remediation costs, and campaign failure rates. Information security teams are swamped and helpless against threats that are, for the most part, external to the company's information security perimeter. In most enterprises, it comes down to CISOs to select and implement the tools and strategies to stop brand hijacking at the point of impact.

The anatomy of a brand hijacking attack

A typical brand hijacking attack usually consists of three steps: intelligence gathering, asset development, and payload distribution.

Intelligence gathering

The first step of web-based attacks (as opposed to open-source package cybersquatting) usually entails scanning the target brand's website for common vulnerabilities and attempting to scrape the public-facing content of the website so it can be altered and uploaded elsewhere. It may also involve scraping social networks to build a database of potential clients of the targeted brand or purchasing stolen contact data from the Dark Web to gauge the volume of the potential victim base.

Asset development

Once cybercriminals have the resources to forge branded communications and digital assets, they can deploy them to cloud servers linked to anonymously purchased domain addresses. They often go as far as to purchase an SSL certificate for their fraudulent website or employ IPFS to conceal their payload.

Payload distribution

Finally, the malefactors turn to email, SMS services, social media channels, and search engine ads to distribute the link to the trap they've set. This is when phishing emails are sent, and fake social media profiles disseminate the link across various platforms (usually automatically). Now starts the race between the cybercriminals collecting data or distributing malware and the brand impersonation takedown services attempting to stop them.

Depending on the distribution volume and the scheme's sophistication, even a few hours of an ongoing brand hijacking attack can impact a significant percentage of a brand's clients. Especially if reports of the attack reach media outlets, amplifying a negative brand sentiment.

Types of web-based brand hijacking attack tactics

Cybercriminals employ various tactics as part of the different steps of a brandjacking attack. Some involve manual creativity on behalf of malefactors, while others are automatically executed. Let's look at some of the most common brand-hijacking attack tactics today.

Typosquatting/cybersquatting

According to a 2022 report, 75% of domains for the Global 2000 that contained more than six characters from the brand names were not owned by the brands themselves. In addition, consider how easy it is to confuse "arnazon[.]com" with "amazon[.]com" on a mobile screen. So even as users are educated to check the URL before clicking, malefactors are extraordinarily creative in using special characters in their domain names to make them look genuine.

A recent example of creativity on behalf of cybercriminals is in a brand hijacking attack against Media Markt, a prominent European electronics vendor. Since Media Markt is known as Media World in Italy, the malefactors registered the domain "mediaword[.]net" to host their elaborate fake shop.

Subdomain hijacking

As part of the intelligence-gathering step of the brand hijacking attack, malefactors will scan the targeted brand's website for vulnerabilities. One of the things cybercriminals will look for is dangling DNS entries: unused subdomains the malefactors can direct to malicious pages.

One recent example of subdomain hijacking involved an old and unused subdomain on the website of CocoaPods (a common dependency manager for iOS and MacOS development) that malefactors hijacked to host a casino website.

Clickjacking/user journey hijacking

Clickjacking and user journey hijacking employ transparent overlays and other cross-site acrobatics to display the legitimate website while the user's action is transmitted elsewhere. 

User journey hijacking is a similar tactic that employs third-party software (whether malware, a browser extension, or a mobile app) to pop up during the customer's interaction with your site. It attracts the user to visit another site or send a copy of the data entered to the malefactors behind the scheme.

Google Search Ads brandjacking

Phishing emails are such a well-known channel for brand hijacking attack distribution that malefactors are turning to search engines to impersonate brands in search engine ads instead.

Numerous malicious search engine advertisements (malvertisements) have been spotted recently, such as that against Blender3D, a 3D graphics software that is free to download and use. Malefactors type-squatted several domains and ran paid advertisements on Google Search to get users to browse them and download a file infected with malware instead of the original software.

Considering that Blender3D is an open-source project. It is unlikely that the marketing or information security teams involved employ brand protection professionals to automate brand monitoring and ensure that such malicious ads are removed by Google posthaste.

Website cloning/scraping

The success of a brand hijacking attack depends greatly on the ability of the attackers to convince victims that the page they are browsing is genuine and belongs to the brand they are impersonating. To achieve perfect website replication, malefactors use website scraping and cloning tools that simulate user activity while downloading the content and studying the limitations of your website's security.

How you can prevent brand hijacking attacks on your website

As brand hijacking attacks evolve, so must the strategies and tools you use to prevent, investigate, and mitigate them without wearing out your infosec teams.

Monitor your website for brand-hijacking threats

Visibility is key to preemptive action against web-based brand abuse attempts. To detect and thwart attempts to clone your website, you can employ PoSA Brandjacking Detection & Prevention, a lightweight AI-powered brand impersonation monitoring, alerting, and prevention engine. 

In addition, PoSA provides you with unprecedented granular visibility into brand hijacking attack fallout, enabling you to proactively remedy damage to specific clients and users by temporarily deactivating their compromised accounts, for example.

Employ automated web and dark web scanning tools

Expanding your security perimeter beyond your organization means scanning not only your website for vulnerabilities but also keeping a step ahead of cybercriminals acting on the Internet and the Dark Web. Among the solutions you can adopt are domain monitoring services that seek out typosquatting, social media monitoring tools, and Dark Web scanning services.

Safeguard your clients' trust in your brand

Cybercriminals are not slowing down in their successful brand hijacking cyber-crime spree. In 2023, it's up to brands and enterprises, with the help of technological innovation, to take a different approach to brandjacking prevention. That means showcasing authenticity and nurturing trust.

With PoSA, you can introduce your users to a unique, memorable, and agentless Proof of Website Authenticity watermark: a forge-proof and user-friendly seal of genuineness for your websites.

By showing your customers that you are taking proactive steps to protect them from brand fraud, you won't only be earning points with your users but also signaling to malefactors that your brand is not as easy to counterfeit.

Schedule a demo now to discover how PoSA can empower your infosec teams and drastically reduce fraud remediation costs.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .