Brand Abuse: How to Detect Threats Before Your Customers Do
In this article, Sven Krohlas, a Detection Engineer at Spamhaus Technology, explores how brands can detect threats earlier and respond quickly to keep insurance premiums low and prevent damage costs from spiraling.
Every day, well-known brands fall victim to online abuse, from rogue websites and paid ads to phishing emails and social media impersonation. In Proofpoint’s 2024 State of the Phish report, tech giant Microsoft appeared in 68 million malicious messages, making it the most abused brand in 2023. As a result, customer support queues are inundated with frustrated customers seeking compensation for damages caused.
Brands (like Microsoft) can often manage these costs with cyber insurance, an industry estimated to be worth $22.5 billion by 2025. The actual costs depend on the expected financial damage and the measures taken to reduce it. Unfortunately, when it comes to reputation, it’s often too late, and the damage is already done.
What is brand abuse?
Brand abuse refers to the fraudulent use of a brand’s assets – such as its name, logo, trademarks, or domains – with the intention of deceiving consumers into sharing sensitive data or transferring money. This term covers a wide range of criminal activities that damage a brand’s reputation, revenue, and customer trust.
Brand abuse can manifest in many ways. For decades, the public has been aware of phishing schemes targeting banks and other financial institutions, as well as the misuse of email, hosters, and ISP accounts to send spam or hijack associated accounts.
However, in recent years, attacks have become more sophisticated, making it difficult to distinguish legitimate emails and websites from fraudulent ones. Today, we see websites impersonating well-known brands, phishing for credit card data, or simply taking victims’ money without delivering the promised goods - classic textbook 419 advance-fee fraud! Then there are the unexpected messages about missing delivery fees for a shipment, or the reminder about an unpaid electricity bill – both requiring you to log in to your bank via a rogue website and pay the outstanding fees.
These schemes aren’t limited to the private sector. Fake government sites request login or banking details, while fake humanitarian organizations exploit catastrophic events to lure victims into sharing data and transferring money.
The stories used by scammers are endless. Yet, they all share one common trait: impersonating well-known brands to appear trustworthy. In an ideal world, these scams would be taken down before they reach the customer. Unfortunately, that is rarely the case.
The status quo: processing end user reports
End users reporting abuse attempts – or worse, actual damages – have become the status quo. A report is submitted to the support department, processed, and, at best, forwarded hours later to the anti-abuse department to mitigate the activity. Meanwhile, each report of abuse could represent many more victims who haven’t yet reported the issue but have already been affected.
Having an efficient way of handling end user reports – preferably routed directly to the correct department – is essential, but this is the last line of defense. The question is…
How can we identify and stop abuse earlier?
At the point of submitting a report, the brand’s reputation has already been damaged, cases have to be processed, and financial losses are unavoidable. Here are three strategies that can help detect threats earlier, before it’s too late:
1. Spamtraps
Spamtraps that collect emails, SMS, or instant messages receive these fraudulent attempts at the same time as your customers. Having live data from such sources allows us to react quickly to the actual attack. While this can’t prevent the messages from being sent, a timely, well-organized reaction (see the article: To block or takedown: How to treat malicious activity on the Internet) can prevent most direct financial damage. To manage this, a team or service provider is needed to set up the spam collection system and to monitor, filter, and prepare the messages for escalation.
Messages will often use brand logos and names to appear legitimate, which can be detected through technical measures. Even when the brand isn’t directly mentioned, brand-related keywords can be detected, making it relatively easy to verify if your company or a competitor is being targeted.
While these measures might reduce the number of incoming reports, they are still far from optimal. To prevent the messages from being sent in the first place, we need to act even earlier.
2. Passive DNS
Brand names and keywords are not only part of message texts and logos but are often also included in DNS labels to leverage a brand's good reputation. This means they can also be detected in domains and hostnames. By using passive DNS databases, these threats can be detected even earlier.
While normal name resolutions on the Internet are decentralized and only cached for a short time, passive DNS systems create centralized databases with known domains, hostnames, and their corresponding IPs for further investigation.
Operators populate the pDNS database from various sources and often see brand abuse in DNS names before they are actively used. This can occur during domain registration, setup, or during initial testing, before the fraudulent messages are sent. Legally, this is possible because the public DNS, containing public names and numbers, is free of personally identifiable information.
Of course, these databases cannot turn the whole decentralized DNS into an entirely centralized database - there will always be gaps in detection. Nevertheless, passive DNS is a valuable way to detect unauthorized use of your brand even earlier.
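A sketch of the keyword check on DNS names described above, added here as an illustration and not taken from Spamhaus or any pDNS product. The brand `mybrand`, the row layout, the look-alike table and all sample rows are assumptions; only `mybrand.com` and its subdomains are treated as legitimate.

```python
import unicodedata

BRAND = "mybrand"                # placeholder brand name used in the article
OFFICIAL_DOMAIN = "mybrand.com"  # the one domain the brand really uses
# Assumed digit/letter substitutions; tune the table for your own brand.
LOOKALIKES = str.maketrans("0134", "olea")

def fold_label(label):
    """Fold punycode, accents and digit look-alikes for keyword matching."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # punycode -> Unicode
        except UnicodeError:
            pass  # malformed ACE label: match on the raw text instead
    decomposed = unicodedata.normalize("NFKD", label)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(LOOKALIKES).replace("-", "")

def classify(hostname):
    """Return 'official', 'suspicious' or 'unrelated' for one hostname."""
    host = hostname.strip().rstrip(".").lower()
    # Suffix match on a label boundary, so "mybrand.com.login.example"
    # and "notmybrand.com" are not mistaken for the real domain.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if any(BRAND in fold_label(label) for label in host.split(".")):
        return "suspicious"
    return "unrelated"

def brand_hits(records):
    """Filter (first_seen, rrname, rdata) pDNS rows down to brand look-alikes."""
    return [row for row in records if classify(row[1]) == "suspicious"]

# Constructed sample rows; a real feed would come from your pDNS provider.
SAMPLE_PDNS = [
    ("2024-11-02", "christmas.mybrand.com.", "192.0.2.10"),
    ("2024-11-03", "mybrand-christmas-sale.com.", "198.51.100.7"),
    ("2024-11-03", "mybrand.com.login.example.", "198.51.100.8"),
    ("2024-11-04", "secure-mybr4nd.example.", "203.0.113.5"),
    ("2024-11-04", "mybränd-pay.example".encode("idna").decode("ascii"), "203.0.113.6"),
    ("2024-11-05", "weather.example.", "192.0.2.99"),
]

if __name__ == "__main__":
    for first_seen, name, ip in brand_hits(SAMPLE_PDNS):
        print(first_seen, name, ip)
```

Homoglyphs from other scripts (for example Cyrillic letters) survive this folding and need a confusables table on top; hits are candidates for analyst review, not automatic verdicts.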
However, even with these technical measures, not all kinds of brand abuse can be detected. So, what else can be done to further reduce the attack surface?
3. Reduce criminal motivation
“You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.” This quote by Jim Butcher is often used in various contexts, and can also be applied to brand abuse.
Naturally, you care about your brand’s reputation for many reasons. You want your customers to associate your brand with excellent product quality. Additionally, mail servers are more likely to accept your emails if past newsletters have been read, with minimal spam complaints. Every day, you work hard to uphold this reputation.
But what about your brand reputation among criminals? In this scenario, the desired outcome is the opposite: you don’t want your brand to be attractive to those who are looking to abuse it.
So, how can you make your brand appear less attractive?
The key is to maximize the criminal’s costs when trying to abuse your good reputation and minimize their potential income so other brands appear more attractive. Although this might seem counterintuitive, if your brand is less attractive, criminals are more likely to target others. Here are three strategies to consider:
Account security: Implementing measures like two-factor authentication forces phishers to perform live phishing, as the collection of bare credentials is no longer sufficient to gain control of an account. React to suspicious events, such as logins from unexpected geolocations or new devices, by reducing functionality or requiring additional verification steps for account activities. Sending notifications to a user’s mobile device to confirm important account actions adds another layer of security. And always be prepared to lock compromised accounts.
Marketing: Use just one domain and avoid creating new ones for special events, such as mybrand-christmas-sale.com. If needed, create subdomains instead: christmas.mybrand.com. This approach will help educate your customers to recognize that everything but “mybrand.com” is a scam or phishing attempt, reducing the success rate of attackers.
Takedowns: If brand abuse occurs, take efficient takedown measures to remove it quickly from the Internet.
The result?
By implementing the measures outlined here, you can stop abuse earlier, meet the requirements of cyber insurance - reducing both insurance premiums and expected damage costs - all while improving your brand’s reputation with legitimate customers.
Together, these strategies not only protect your brand but also contribute towards improving trust and safety on the Internet. It’s a win-win!
Sven Krohlas is a detection engineer at Spamhaus Technology, responsible for detecting phishing attempts and assessing new contributors on the Spamhaus Threat Intel Community portal. With almost ten years of experience, Sven started his career in the email security team of a large mailbox provider. Afterward, he joined a German provider specializing in taking down malicious websites.
Interesting fact: Sven is a member of Retrogames e.V. and a self-confessed retro gaming addict who owns hundreds of retro games!
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.