
Microsoft: The brand attackers love to imitate


Cybercriminals are increasingly imitating well-known brands as a means for infiltrating corporate networks and stealing sensitive data, according to recent research from Cisco Talos Intelligence. This attack vector sees cybercriminals exploiting trust in well-known brands on social media and websites, but especially via email to entice users to click carelessly or to share personal login details.

“Brand imitation attacks work like a Trojan horse,” explains Thorsten Rosendahl, technical leader at Cisco Talos in Germany. “People trust what they see without checking exactly what’s inside. Unfortunately, such attacks are becoming increasingly successful.”

Most imitated brands

The Cisco Talos researchers examined the extent of these attacks in detail. With the help of the Brand Impersonation Detection Engine from Cisco Secure Email Threat Defense, corresponding attack attempts were registered and analyzed worldwide from March 22, 2024, to April 22, 2024.

The Cisco Talos researchers found that Microsoft was by far the brand most frequently imitated by cybercriminals worldwide, followed by DocuSign and Amazon in second and third place. PayPal, Adobe, and Instagram also rank in the top 10, along with NortonLifeLock, Chase, Geek Squad, and Home Depot, according to Cisco Talos.

The illegal use of brand names is relatively easy, according to the researchers. For example, attackers insert the trademarks directly into the HTML source code of the email. To make detection more difficult, cybercriminals also encode this email using base64. Another method is to retrieve the logo from a remote server when requested by the email program. In this scenario, the URI (Uniform Resource Identifier) of the resource is embedded in the HTML source code of the email. Alternatively, the attackers provide a base64-encoded logo as an attachment, which email clients display when it is referenced in the HTML source, to persuade potential victims to reveal their login details and other sensitive information.
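As an added illustration for mail triage (not code from the article or from Cisco Talos), the following sketch decodes a message and reports which of the three delivery methods described above each image uses. The function names and the sample message are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def classify_logo_sources(raw: bytes) -> dict:
    """Report how each <img> in a message's HTML parts is delivered."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Content-IDs of image parts shipped inside the message itself.
    attached = {p["Content-ID"].strip("<>") for p in msg.walk()
                if p.get_content_maintype() == "image" and p["Content-ID"]}
    found = {"base64_html_parts": 0, "inline_data_uri": [],
             "remote_uri": [], "cid_attachment": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # A base64 transfer encoding hides brand strings from raw-text matching.
        if str(part.get("Content-Transfer-Encoding", "")).lower() == "base64":
            found["base64_html_parts"] += 1
        html = part.get_content()  # transfer encoding is decoded here
        for src in IMG_SRC.findall(html):
            low = src.lower()
            if low.startswith("data:image/"):
                # Record only the media type, not the embedded blob.
                found["inline_data_uri"].append(low[5:].split(";")[0].split(",")[0])
            elif low.startswith("cid:"):
                cid = src[4:]
                found["cid_attachment"].append((cid, cid in attached))
            elif low.startswith(("http://", "https://")):
                found["remote_uri"].append(src)
    return found

def build_sample() -> bytes:
    """Constructed test message using all three logo delivery methods."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content(
        '<html><body><img src="data:image/png;base64,iVBORw0KGgo=">'
        '<img src="https://img.example.invalid/logo.png">'
        '<img src="cid:logo1"></body></html>',
        subtype="html", cte="base64")
    msg.add_related(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", cid="<logo1>")
    return msg.as_bytes()

if __name__ == "__main__":
    print(classify_logo_sources(build_sample()))
```

The point for filtering is that the HTML must be decoded before any brand or logo matching is attempted, since the raw message body contains only base64 text.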

The attackers’ perfidious goal: when a brand-name email appears to come from a trustworthy company, recipients are less likely to doubt the message’s authenticity. For example, the fraudsters pose as technical support employees of a company that is supposedly acting on behalf of the company whose brand is being exploited. The email requests the victim’s login credentials, for example, giving the attackers access to the relevant accounts.

Trust shamelessly exploited

Hackers use brand imitations primarily in the areas of e-commerce or office software. Also popular are fake job offers with the logo of a trustworthy brand. The same applies to emails from law firms or government organizations.

“Cyber attackers shamelessly exploit trust in well-known brands,” warns Rosendahl. “When big brands appear in emails, it at least arouses interest. Often enough, there are already real emails from these companies in your own inbox — you really have to look very closely.”

The manager recommends that users always check whether such an email really makes sense and not share information and access carelessly. CSOs should also make their workforces aware of these issues through regular security awareness training.

