Russian Typosquatting (May 2022)

Date of Incident Occurrence

May of 2022

Incident Type

Typosquatting

Event Severity

High

Event Narrative

A Russian organization was actively attempting to target our organizational employees.  About a year ago, a Russian organization registered a domain very similar to our organizational domain. Our domain begins with an “m” and these attackers registered our domain but with an “rn” (RN) at the front instead of an “m” (M). This makes the domain almost indistinguishable from ours. At that time, they sent emails to our employees and customers attempting to gain access to our network and directly attempt to get invoice payments from our customers.

A new domain was registered last month to the same Russian registry server with another domain nearly identical to ours (with one extra letter). This most likely means it’s the same organization that is attempting to attack and extort our organization.

Remediation steps put in place since discovery of the incident?

We have blocked all potential email communication from this domain as well as all of our computers from going any websites hosted there. At the moment, no emails have been detected in the last 30 days, nor is there a fake website hosted.

At the moment, it looks like the criminals were prepping to attack, but haven’t executed just yet.

We’re already performing all the general preparations we can do as an organization. We have multiple layers of controls, that we audit against weekly. We have asked stakeholders to review social engineering awareness training with their employees including increased phishing training and reminding employees to hover over links before they click to ensure the links go to the right URL.