Seeing Double: How to Deal with Cloned Website Attacks | Once More Into The Breach



It’s a new year, and that means we’re going to see plenty of new and novel tactics from cybercrime and hacker groups. To help you stay on top of as many of them as we can, we’re kicking off a new blog series where we’ll discuss various real-world nefarious activities and dissect what happened and how it could have been avoided—or at least better mitigated.

So without further ado, let’s head Once More Into The Breach.

The latest attack from the ALPHV/Black Cat ransomware group has people seeing double, and it’s been making quite a number of headlines recently. That’s because of the unusual method they used to carry it out: the group actually published the compromised company’s information on a fake website designed to mimic the victim’s real website. It’s clear this new tactic is intended to shame organizations into quickly paying the ransom before they suffer public embarrassment. While neither of these methods of attack is new on its own, I’ve never before seen a group combine them and hold the target to ransom for taking down both the cloned site and the leaked data.

So how do you deal with a cloned website? I’ve actually dealt with similar tactics in the past, when typosquatted domains were used as part of a phishing attack designed to trick people into typing in a tracking number or searching for an order on a completely fake website. These sorts of things can easily devolve into a bit of a cat-and-mouse game, but there’s plenty you can do to overcome this style of attack:

  1. There are tools out there that can make your web pages and their artifacts much harder to repurpose. These tools are typically used by organizations with a large consumer-facing presence — think: shipping companies, e-tailers, banks, etc. However, if the hackers are able to obtain access to an institution’s website source code, that would render these tools ineffective.
  2. If the bad guys do manage to obtain your source code, you can lean on website takedown services instead. These companies specialize in working with hosting providers and using other methods to get fake websites removed from the internet. If you expect you might face this sort of threat, it’s a good idea to have one of these companies on retainer. Takedowns can take time, so you do not want to lose more of it evaluating vendors after the cloning has already occurred.
  3. That said, avoiding these attacks altogether is still preferable to having to respond to them. Since these attacks are typically launched via phishing, you can put measures in place now like email gateways, controls testing, and improving your employee cybersecurity awareness training programs to head them off before they become a headache or worse.
  4. Despite your best efforts, these attacks happen. How successful you are at handling them will depend entirely on the quality of your GRC program. Have solid business continuity and crisis management plans in place, and know how to access them quickly. Make sure they’re up to date and tested regularly. A good GRC platform can help you manage all of this as part of your overall risk strategy.
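Getting ahead of these tactics starts with spotting lookalike domains before they are used against you. The script below is an added example (not from the original post or any vendor tool) that generates common typosquat permutations of your own domain and matches them against a constructed list of observed domains; in practice that list would come from a certificate-transparency or newly-registered-domain feed, which is an assumption here.

```python
from typing import Iterable, List, Set

# Constructed sample: domains a defender might pull from certificate-transparency
# or newly-registered-domain feeds (assumption: those feeds are fetched elsewhere).
SAMPLE_OBSERVED = [
    "examplecorp.com",       # the legitimate site itself
    "exarnplecorp.com",      # "rn" masquerading as "m"
    "examp1ecorp.com",       # digit one for "l"
    "exmaplecorp.com",       # transposed letters
    "examplecorp.net",       # same label, different TLD
    "examplecorps.com",      # extra trailing character
    "unrelated-shop.com",    # not a lookalike
]

def typosquat_candidates(domain: str) -> Set[str]:
    """Generate common lookalike permutations (omission, transposition,
    insertion, replacement, homoglyph) of a registrable domain like label.tld."""
    label, _, tld = domain.lower().rpartition(".")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    homoglyphs = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                            # omit one char
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transpose pair
    for i in range(len(label) + 1):
        for c in alphabet:
            out.add(label[:i] + c + label[i:])                        # insert one char
            if i < len(label):
                out.add(label[:i] + c + label[i + 1:])                # replace one char
    for src, dst in homoglyphs.items():
        out.add(label.replace(src, dst))                              # visual confusables
    out.discard(label)
    return {f"{c}.{tld}" for c in out if c and not c.startswith("-") and not c.endswith("-")}

def find_lookalikes(domain: str, observed: Iterable[str]) -> List[str]:
    """Return observed domains that look like `domain` (permutation match, or the same
    label on another TLD) so they can be queued for takedown or blocked at the gateway."""
    domain = domain.lower()
    label, _, tld = domain.rpartition(".")
    candidates = typosquat_candidates(domain)
    hits = []
    for name in observed:
        name = name.lower().strip(".")
        n_label, _, n_tld = name.rpartition(".")
        if name != domain and (name in candidates or (n_label == label and n_tld != tld)):
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_lookalikes("examplecorp.com", SAMPLE_OBSERVED):
        print("lookalike:", hit)
```

Feed the flagged names to your takedown vendor and to your email gateway's blocklist; the permutation set deliberately stays small so it can be regenerated daily against a fresh feed.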

Think your organization is too small to be targeted by one of these attacks and that you don’t need to start thinking about putting these measures into place now? Think again: Threat actors very often target smaller orgs—which often have weaker cybersecurity postures—to leverage their relationships with larger orgs as a way into a bigger fish.

So get ahead of these tactics now, folks. We’re only going to see more of this.
