Brand Spoofing prevention: Check Point Software Technologies’ Zero-Phishing AI Engine

Defending attacks using Brand Spoofing needs to take into account the massive challenge of covering not only global brands, but local brands – on a global scale.

Brand Spoofing  

In our 2023 cyber security report, Check Point’s research teams reported that in 2022, 21% of initial entry vectors were due to phishing incidents. Well-known brands, such as Microsoft, Google and LinkedIn, Wells Fargo, and Walmart, are frequently imitated by cyber-criminals in their attempts to steal individuals’ personal information or payment credentials. As an example, LinkedIn users faced the risk of account theft through fraudulent emails disguised as reports, while Wells Fargo customers received emails requesting account information under false pretenses. Walmart customers were enticed with fake promises of gift cards in exchange for personal information. Similarly, customers of local banks, e-stores and travel organisations are also often targeted in phishing incidents involving loyalty points, important account-related messages, and fake transaction alerts.

How does the attack work?

In a brand phishing attack, criminals try to imitate the official website of a well-known brand by using a similar domain name or URL and a web-page design that resembles the genuine site.

The link to the fake website is then sent to targeted individuals by email or text message. Users may be redirected during web browsing or via a fraudulent mobile application. The fake website often contains a form intended to steal users’ credentials, payment details or other personal information.

Attackers target these mimicked brands from reputable companies because they are confident that these companies have a solid reputation for trustworthiness. Cyber criminals also know that it is difficult for even large companies to stop such brand impersonations by themselves. 

Understanding Local Brand Spoofing

While global brands are a common target for spoofing, a significant and growing number of attacks actually use local brands to create the most compelling social engineering mechanism.

In a Local Brand Spoofing attack, the attacker will target local individuals with a Local Brand that the target will be familiar with.

Use of local brands in attacks is extremely effective for attackers as it is highly convincing and often successfully tricks top-level executives and even security professionals. Local Brands used are often banks, financial services, post offices and government websites.

It is therefore key to understand that defending attacks using Brand Spoofing needs to take into account the massive challenge of covering not only global brands, but local brands – on a global scale.

Brand Spoofing Prevention - Pre-emptive AI-Powered Identification and Blocking of Local and Global Brand Impersonation

To enhance online safety and security, Check Point introduced an industry first, inline security technology, called ‘Zero Phishing’ in our Titan release, T81.20, leveraging patented technology based on dedicated AI engines. This Zero-Phishing Security is also available in all Check Point product lines – Quantum, Harmony, and CloudGuard.

Check Point is now expanding its Zero-Phishing offering, introducing an innovative new AI-Powered engine to prevent local and global brand impersonation employed in phishing attacks across any attack vector -- from networks, emails, files mobile devices, SMS, and endpoints to SaaS -- with a 40% higher catch rate than traditional technologies.

The newly developed engine blocks links and browsing associated with both local and global brands that have been impersonated and exploited as bait to deceive victims in phishing attacks, spanning multiple languages and countries. Capabilities to block spoofed global brands such as Microsoft, LinkedIn impersonation have been in existence for some time, but this newly developed engine will have the capability to block fake websites impersonating even local and regional brands. For example, it can detect and block a Spanish Post Office attack or a spoofed site disguised as a local bank in the Netherlands.

An additional capability of the new engine is what we call Pre-Emptive Prevention, where it scans domains immediately upon registration to detect spoofed domains.

The spoofed domains are then stored in Check Point’s ThreatCloudAI, enabling pre-emptive protection to customers across all Check Point products, with collaborative intelligence across all surfaces, blocking access to links in emails, files, messaging etc or while browsing the web.

The new engine uses advanced AI, Natural Language Processing (NLP) algorithms and image processing, to detect similarities to well-known brands. These algorithms compare the structure of the inspected content against a database of known brands to determine if there is an indication of brand spoofing.

 How does it work?

• Uses URL string or web page content as an input
• Extracts features and compares it with many anchors of the original web page, such as domain, favicon, copyright, title, text similarity and more, to identify the impersonation
• Uses machine learning and heuristic engines to classify the phishing attack
• Pre-emptive Prevention – newly registered domains are immediately inspected for Brand Spoofing attempts, being detected and blocked before the attackers campaign can even begin.

There are 3 key phases to the classification.

• In the first step, features are extracted from the URL or page content that will later on be used for analysis.
• In the second step, using the extracted features and NLP, AI and heuristics, the brand context is derived.
• In the final step, the brand context along with its anchors and all of the extracted features are again run through a classification layer using heuristics and AI for a final classification if the content is genuine or spoofed.

How to Identify URL Phishing

URL phishing attacks use trickery to convince the target that they are legitimate. Some of the ways to detect a URL phishing attack is to:

 Ignore Display Names: Phishing emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email address to verify that it comes from a trusted source.

Verify the Domain: Phishers will commonly use domains with minor misspellings  that seem plausible. For example, company.com may be replaced with cormpany.com or an email may be from company-service.com. Look for these misspellings, they are good indicators.

Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, do not click on a link at all; visit the company’s site directly and navigate to the indicated page.

Check Point’s Zero-Phishing engine, running as part of ThreatCloud AI, revolutionizes threat prevention, providing industry leading security as part of Check Point’s Quantum, Harmony and CloudGuard product lines.