Morphick releases free tool to identify homograph-based attacks.

David Lavinder

Morphick Cyber Security is seeing a dramatic increase in the number of companies receiving malicious emails trying to entice them into sending fraudulent wire transfers. These emails are coming from scammers who are trying to dupe their victims into transferring funds to an account the scammer owns.

These scams involve a trick known as a homograph attack. The scam artist creates an email account whose address looks a lot like their victim’s (morph1ck.com instead of morphick.com). The goal is an address that, at first glance, looks close enough to the real thing to convince the victim that the email originates inside their company. From there, the scammer can establish credibility and convince the victim to transfer funds to an account the scammer owns.

As part of our Email Security platform, Morphick has developed several technologies to protect our clients against these attacks.  As the frequency of these attacks increases, we want to make some of these protections available to the general public.  As such, Morphick is releasing a free, proactive tool that can identify the emails containing these scams as they enter companies.  

The authors of the Bro-IDS framework have included a Levenshtein distance function in its string library. Finding look-alike domains is the perfect use case for this type of function. We are releasing a script today that you can deploy to your Bro sensors to look for this sort of traffic on your network. It checks the domain name of each sender against the domain names of the recipients. With some simple tuning of your whitelist and threshold, you’ll be running signatureless detection without having to keep track of thousands of permutations. While our clients have been protected from these attacks, we wanted to offer a way for anyone to quickly and easily detect these kinds of scams before they become a victim.
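The comparison described above, sketched in Python as an added example; it is not Morphick's Bro script. The function names, the default threshold of 2 and the sample addresses are assumptions made for illustration.

```python
# Added illustration of sender-vs-recipient domain comparison (not the Bro script).

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, tolerating <angle brackets>."""
    return addr.strip().strip("<>").rsplit("@", 1)[-1].lower().rstrip(".")

def lookalike_hits(mail_from, rcpt_to, threshold=2, whitelist=frozenset()):
    """Return (sender_domain, recipient_domain, distance) for near-miss pairs.

    Distance 0 means the same domain (ordinary internal mail) and is ignored;
    1..threshold means close but not identical, which is the look-alike case.
    """
    sender = domain_of(mail_from)
    if sender in whitelist:          # known-good domains that merely look similar
        return []
    hits = []
    for rdom in sorted({domain_of(r) for r in rcpt_to}):
        d = levenshtein(sender, rdom)
        if 0 < d <= threshold:
            hits.append((sender, rdom, d))
    return hits

# Constructed sample messages: (envelope sender, list of recipients).
SAMPLES = [
    ("ceo@morph1ck.com", ["<finance@morphick.com>"]),  # one substitution
    ("alice@morphick.com", ["bob@morphick.com"]),      # same domain
    ("news@example.org", ["bob@morphick.com"]),        # unrelated domain
    ("it@example.co", ["bob@example.com"]),            # near miss, whitelisted
]

def run_samples():
    allowed = frozenset({"example.co"})
    return [lookalike_hits(f, r, whitelist=allowed) for f, r in SAMPLES]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

Short domains produce more false positives at a fixed threshold, which is where the whitelist and threshold tuning mentioned above come in.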

Download the tool

https://github.com/Morphick/bro/blob/master/bro_typosquatting_email.bro

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License.