The Retail & Hospitality ISAC Podcast 6.14.23
Ep 29 | 6.14.23

Homographs in Domain Spoofing & Rafia Noor Member Spotlight

Transcript

[ Music ]

Luke Vander Linden: Greetings everyone. You've found the Retail and Hospitality Information Sharing and Analysis Center podcast. I'm your host, Luke Vander Linden, welcome to the show. As always, thanks for joining us. You know, we at the RH ISAC are incredibly lucky, we have the most fascinating members. When we get a chance to work with them in one of our working groups, or to have the odd check-in call, or best of all, I get out to one of our in-person events and get to meet them in person, it's always a great opportunity to learn about some amazing people. Their experiences, their outlook, and of course the work they do. Just fascinating. I get to speak to two such members today. Rafia Noor is an information security engineer at Colgate-Palmolive, specifically, she's in the operation technology, or OT Division. Rafia is our member spotlight for this episode. I'm looking forward to discussing her career path, intelligence sharing at the RH ISAC and the trajectory of cyber security as she sees it. But first, I'm joined by Dom Lutz, also an information security engineer but at URBN. URBN owns a number of brands, including Urban Outfitters, Anthropologie, Free People. I got to meet Dom at one of those in-person events, our regional workshop, earlier this year, hosted by Rafia's employer, Colgate-Palmolive, at their headquarters in New Jersey. Dom has been working on an interesting project, kind of in his free time, in uncovering how threat actors are using homographs to spoof domains. Another tiny, yet very effective way for the bad guys to trick people into clicking on or responding to a link or an email. And of course, we all know how creative threat actors can be, whether it's using techniques like homographs or current events or even something as simple as the season that we're in. For those of us in the northern hemisphere, summer's here, or technically almost here. Lots of us hit the road for well-deserved vacations or holidays. There are of course threat actors taking advantage of this behavior. Last month researchers reported a phishing campaign where threat actors sent emails to users claiming to be from "HR departments" and providing the users with links to submit annual leave requests. The campaign's infection chain proceeds as follows; the user is informed via email that they must log onto their HR portal to verify their dates of annual leave. Once the user clicks the URL in the email they will be directed to a login page. The login page mimics the target employee's company login page with branding and colors. Once the user has entered and submitted their credentials to the form, it will actually fail on the first two attempts. This is a technique used by the threat actor to ensure the user is typing the password correctly, or to use a different password in an attempt to gather multiple credentials. At the third attempt, the credentials will appear to have been processed successfully and the user is redirected to the company's legitimate homepage. We go into more detail about this phishing campaign at the RH ISAC blog. That's actually where I'm reading this report. You can find it at rhisac.org/blog, or just go to our homepage and up in the navigation, click on resources and blog. There's a lot of great stuff in there. Particularly recently. In addition to the piece on that vacation-themed phishing, there is another report that provides insight into key trends and the increasing prevalence of sophisticated advanced persistent threats, or APTs, targeting small and medium-sized businesses. A few key takeaways of their report includes how APT actors use compromised small and medium business infrastructure in phishing campaigns. They're not keeping things up to date and this could be exploited. How APT actors engage in targeted state aligned financially motivated attacks against small and medium0sized financial services businesses and particularly of interest how APT actors target SMBs to initiate supply chain attacks. So, third party risk. These and lots of other great articles can be found at the RH ISAC blog at rhisac.org/blog, or again, in the navigation, click on resources and then blog. As always, if you care to opine about the podcast or even the blog, shoot us an email to podcast@rhisac.org, or if you're a member, you can try to find me on Slack or Member Exchange. All right, and now I'm joined by Dom Lutz, information security engineer at URBN. I got to meet Dom at, earlier this year, at one of our regional workshops that was hosted by Colgate-Palmolive in New Jersey, where he presented on this topic. Welcome to the RH ISAC podcast, Dom.

Dom Lutz: Thanks for having me, Luke.

Luke Vander Linden: Excited, we're going to be talking about homographs and domain spoofing today. What does that mean? Tell me all about it.

Dom Lutz: So, before I get started, I just want to say that my views are my own, my research is my own, and it's no reflection on my company.

Luke Vander Linden: Yes, thank you, thank you for making that clear. I forgot, I forgot to point that out.

Dom Lutz: No problem. And now that's out of the way though, so homograph domains, what are they? How does this affect us? You know, a little one-minute overview. A homograph is when a set of characters looks like another set of characters. You know, I think the easiest example for people to understand is when a lowercase L looks like an uppercase I. Or when a zero might look like an uppercase O. In the context of domain spoofing, it's been seen to be used when there will be a letter from a non-English alphabet used in substitution for an English letter. So you might have an a with an accent in place of the English a. So to give an example, I'm not sure what the domain name for RH ISAC is, but you might have rhisac.com in all Latin characters, you know, ASCII characters. A homograph domain would be rhisac where the a has a little accent over it.

Luke Vander Linden: Gotcha, and by the way, it's rhisac.org, in case any of our listeners want to visit. Although I think we own the dot com, just because we own, you know, as many organizations do, dozens of names. So, this sounds like a lot like typosquatting, or at least what we think we know about typosquatting, but there seems to be a little difference to it.

Dom Lutz: There is, so typosquatting, you know, it usually relies on a misspelling of a word, or adding an extra character at the end, but with this, the goal is usually to imitate the actual domain name as closely as possible. So it should look visually very similar. Just like with typosquatting, but the goal with this is to make it look even closer than a typosquated domain because it's easier to notice an extra character than it is to maybe notice a dot over a letter.

Luke Vander Linden: Right, right. I guess that makes sense. So, you mentioned a with an accent, I'm thinking about you know, when I insert, when I'm typing the name of one of our members who lives in France that I have to go in and insert symbol, what are some of the common characters that we might find that threat actors would use?

Dom Lutz: So, currently you'll find, you'll find characters from Latin based alphabets. In the past, you might find, you know, Russian characters, [inaudible] characters or something put in with Latin characters but nowadays, thanks to some protections that have been put in place, you'll just find characters from Latin based alphabets usually. So for instance, French, Polish, Spanish.

Luke Vander Linden: That's right, I remember in your presentation you kept picking on this L, Polish L character.

Dom Lutz: I do like the Polish L, it's, for those of you that don't know, Polish alphabet has an L with a slash through it, and I did some proof of concept work using that character.

Luke Vander Linden: Right, you found like a huge number of Fortune 500 companies have an L in their name and then it's not registered, they don't have that domain registered with that L in it.

Dom Lutz: Well, I can neither confirm nor deny which companies I looked at. But I found that a good amount of companies and organizations are susceptible to that.

Luke Vander Linden: I don't know if you can answer this either, but what kind of domains or which domains are commonly spoofed?

Dom Lutz: So the type of domains that are commonly spoofed are the type of domains that are commonly targeted with phishing attacks. Really, it's you know, payment processors, tech companies, business tools. If you think of a major organization where you get emails from them, then chances are they're going to be a target.

Luke Vander Linden: Yeah, that makes sense. So I guess one of the big differences between this and typosquatting is that typosquatting is more reactive. They're counting on me to type in something, a domain wrong, if I'm, especially if I'm navigating to it on the internet, this would be more proactive on the behalf of the threat actor, like they're using this to try to trick people in email attacks and things like that.

Dom Lutz: Exactly, and so there's a few main threat models involving homograph domain attacks that I've been focused on. One of them might be using a homograph domain to spoof a company and then send emails to potential customers or victims. Another would be using a homograph domain to attack companies within the company that's being spoofed and then there's also, so you know, those are just more traditional social engineering attempts, but then what's recently been seen in the last few years, more so, is using homograph domains as a tactic to deploy malware.

Luke Vander Linden: Just like any kind of email attack, right? Get people to click on things. So it is being weaponized is what you're saying. It's not something that you've just discovered, but it is out there being weaponized.

Dom Lutz: No, so this has actually been around for 20 some odd years, it's been in academic papers for that long, it's been with, talked about within the cyber security community, and you know, back 20 years ago it wasn't weaponized as much as it is today, but it is still relatively niche.

Luke Vander Linden: So it does seem, since it's been around for decades, and it seems like something that should have been anticipated, frankly, shouldn't there be protections in place to prevent spoofing like this. Like everybody from registrars to browsers should have ways to protect, right?

Dom Lutz: Yeah, and so there are some mitigations currently in place, Punycode is the big one. It takes a string containing Punycode characters and then it basically transforms it to a string that just has ASCII characters. So instead of rhisac.org with an accent, it would be xn-- and then the ASCII character is already in place, flowed by another substring of ASCII characters. I know that's a little bit in the weeds, but this is a hard topic to talk about without --

Luke Vander Linden: Without the visual, right. So for people like me, dumb guys like me, it makes it from a pretty URL into an ugly URL and maybe draws my attention.

Dom Lutz: Exactly, it's, how I like to think about it, it turns it from something that, you know, your grandma wouldn't notice to something your grandma would notice if an attacker was trying to phish.

Luke Vander Linden: So, with that, with Punycode, that should solve the problem. Right?

Dom Lutz: In theory, but the problem with Punycode is it has to be implemented. So, you know, your email applications, your business communication applications, your browsers have to reliably display Punycode for it to be effective. Through my research I've found most of them don't display Punycode. They'll display it if you have, you know, a mix of Latin characters and then Cyrillic characters, but if you just have a domain name typed with Polish characters, chances are the application will not display this Punycode.

Luke Vander Linden: Wow, so it protects us from the characters least likely to be used in this kind of, kind of trickery.

Dom Lutz: Exactly, because you know, at one point in time, people were able to register domains with different scripts, you know, such as Latin and Cyrillic. Nowadays that's prevented when you actually go to register a domain with mixed scripts, it comes back with an error and it doesn't let you register it.

Luke Vander Linden: Oh wow, okay. So that's one other way to protect but still not all, if it was all Latin characters, it's still not going to stop you.

Dom Lutz: Exactly. So it prevents, you know, some of the more blatant attacks but there's still quite a number of you know, potential homograph domains out there.

Luke Vander Linden: So, what can companies do? What can individuals do? What can companies do to try to protect themselves?

Dom Lutz: So, I like to say that companies can socialize this issue, but I realize that little idealistic, you know, people forget about it, goes under the radar for a few more years and then will pop up again. But really what security practitioners can do now is they can add in more monitoring and prevention. So, they can look at email headers for instance, within the organization. If you see the prefix xn-- in an email header, then chances are that domain name that's coming, the email is coming from or is attached to, includes Unicode. Now not all Unicode containing domain names are bad, but you can throw in some monitoring and then check that list. You can also look at DNS requests because DNS requests, they do not translate Punycode to the Unicode display, they don't render it that way. So again, you'll see that xn--. So if you take a closer look within your organization at traffic going to xn-- domains, or emails coming from xn-- domains, then you can really see if anyone in your company is associating with these homograph domains.

Luke Vander Linden: So there's not one tool right now that'll, you know, that a company can install to solve all the problems, but there's a number of techniques they can use to kind of guess which, what traffic and what issues might exist.

Dom Lutz: Exactly. There are some tools out there that have a very limited scope or you know, they'll pick up 10 homograph domains, but there's no de facto tool for preventing this or addressing this.

Luke Vander Linden: Okay. Wow, well this is not something that we think about on a regular basis but something that you stumbled upon again, in your own time and not on behalf of your employer. And you know, I want to thank you for bringing it to our attention, both at the workshop and now on the podcast.

Dom Lutz: Of course, and one last thing, I, sometimes I forget to mention this, because it seems very simple, but I think this might be my most important point, is what security practitioners can do to address this at a companywide level is train your employees.

Luke Vander Linden: Sure.

[ Inaudible ]

Exactly. A little 30-second snippet on this can help, you know, we can't really quantify how much it'll help, but the hope is that it'll prevent at least one attack.

Luke Vander Linden: Right, and that's, you can only hope, right, security awareness is what it is.

Dom Lutz: Exactly.

Luke Vander Linden: Dom, thank you very much for joining us, thank you for all you do for your employer, URBN and for the RH ISAC and looking forward to seeing you again soon.

[ Music ]

All right, I'm joined now by Rafia Noor, who's an information security engineer in the OT Division of Colgate-Palmolive. Thank you very much for joining us on the podcast, Rafia.

Rafia Noor: Thank you for having me, Luke. It's a pleasure.

Luke Vander Linden: I probably messed up your title there, so give me a little, give me a little bit about what you do at Colgate-Palmolive, and what fills your day.

Rafia Noor: I am the OT security team lead here at Colgate. Should I elaborate a little bit on what ICS or OT security is in general for the audience or?

Luke Vander Linden: Yeah, I think they would appreciate it, I would appreciate it too.

Rafia Noor: All right, so OT, or operation technology, is basically hardware, software, to control our industrial equipment, you know, the machineries running the plant, so, centrifuges to conveyor belts to robotics, are all part of OT. Now at Colgate, my team and I are responsible for ensuring that our manufacturing plants and facilities are protected, so our team is fairly new. So a lot of our focus is on establishing the fundamentals, so getting the basics, getting asset visibility, et cetera. Now that we're getting a good handle on that, my personal focus is on improving our vulnerability management program for the plants. That means like managing vulnerabilities not only for traditional ID servers and applications but also to gain a risk-based approach in managing our PLCs, HMIs, thin clients, line equipment that, you know, still have some Windows XP, Windows 7 machines, vision systems, IOT devices and other connected devices that you see on the plan force. So, it's not an easy task, the breath is quite, quite deep. In addition to vulnerability management, like I said, where are pretty much in charge of our entire manufacturing facility security. So we're also working on improving our detection capabilities, incident response preparedness for the manufacturing environment specifically. As a team, we are running our first IR tabletop for OT. That is a big deal, we're excited for that.

Luke Vander Linden: So Colgate-Palmolive hosted one of our regional workshops a couple weeks ago at their offices in their headquarters in New Jersey, you weren't there because you are remote, as we discussed. But part of that workshop was we got a tour of their, some of their manufacturing facilities on-site, which are very, very minor, it's just to make prototypes and things like that. And it's kind of a proof of concept facility. But your manufacturing facilities are all around the globe I imagine. So, this is kind of a big job from your perch in an office in the U.S.

Rafia Noor: For sure, so our team is actually global, we have a Mumbai, we have some members in Mumbai, and then here in the U.S. and we're all remote in U.S. currently. So, yes, it's a global team, we work across different regions, different time zones, with different topologies at times, that have been acquired over different decades, so it's a challenging role for sure. But exciting nonetheless.

Luke Vander Linden: If these facilities were set up at different times, obviously with different technology, you're trying to get a bunch of stuff that maybe wasn't intended to work together, to work well together, right? And to be protected together.

Rafia Noor: You hit it right on the head. Yes.

Luke Vander Linden: So how did you get into that specifically? Was it your plan? Did you have a specialty in OT or was it something you kind of fell into from another cyber security area?

Rafia Noor: Yes, the other way around; I started off as an automation systems engineer, working in the field, you know, programming PLCs, HMIs, DCS systems. Also like improving process control systems, commissioning in the field. Then maybe about four or five years ago I was chatting with one of my former directors at a different role and he mentioned that he is putting together an ICS security team and it's in oil and gas, so they're a little bit more advanced at times than us here in the manufacturing. But he was putting together an ICS security team and it sounded fascinating, and one thing led to another and here I am.

Luke Vander Linden: That's interested, so you come into it in a different direction so you might be more aware of where you might be accidently creating friction and trying to work toward the business ends and not just the security ends.

Rafia Noor: Yes, I think that's one of my strength, when it comes to like you know, this unique environment, because it's both IT and OT working together, my background in ICS being on the field and plants and in oil and gas environment, like I understand the struggle, I went through that so I think it puts me in a unique position when I can translate like, you know, the need for the plant folks to IT security and vice versa. So, kind of a mediator at times.

Luke Vander Linden: Excellent, so many times you've said how interesting, oh thought the security thing might be interesting, but what is the most interesting thing about your job and what are you enjoying most?

Rafia Noor: So what I enjoy most is probably the uniqueness of it and no two days are alike. The challenges are hard but they are also just as rewarding when you make progress in them. Like I mentioned, our team is pretty new, right? So which means I'm contributing how the OT security program shapes here in Colgate, I can actually see our vision coming to life as we are implementing new technologies, are building new procedures and processes. And there's just a lot of room to grow in this space and within Colgate because there is no shortage of security measures we need to take. And it's very cross functional so I get, I touch like a multitude of discipline on a daily basis, right? I get to collaborate with other teams, not just within like cyber security, so we have our individual, you know, IM group, you have into the RH ISAC program here at Piscataway. So you said, it's a pretty good sized security team, we have multiple functions so I get to work cross functional with them but not just them, but with IT supply chain and operations. That's really enjoyable so you get to touch a lot of different things.

Luke Vander Linden: That's great, so you I guess, you weren't I assume part of the decision process to join the RH ISAC, Colgate's only been a member for a couple of years. How did you discover where you could benefit from RH ISAC membership and where are you most active in our community and how do you use the membership most often in your role?

Rafia Noor: I actually was part of a different ISAC before joining to Colgate, so I was familiar with the concept and it's always been great communities.

Luke Vander Linden: Was that the ONG ISAC?

Rafia Noor: It was.

Luke Vander Linden: We work closely, there's about two dozen ISACs in the National Council of ISAC, so we work with each other when we see the need.

Rafia Noor: Actually when I first joined, our CISO, Alex Schuchman, mentioned that, you know, Colgate is the part of RH ISAC, I was excited to be a part of it. And maybe last year or it was late 2021, Suzie Squier, the president of RH-ISAC put out a call for to participate in the OT steering community so I jumped at the opportunity and since then I've been part of that community, you know, participating in working sessions and round tables, and special interest groups. Just been a great learning opportunity for me as well.

Luke Vander Linden: That's great, you know honestly, we appreciated working that community. You know, our core members are retailers obviously, so companies that have a direct relationship with consumers and have consumer data, but as the ecosystem and as the definition of retail kind of grows, we find more and more that we not only want to serve, you know, traditional stores, but also obviously ecommerce, we've grown to include hospitality and restaurants, but now also the companies that make the products that are purchased by our other members and so Colgate's not our only consumer goods manufacturer so you know, as an active member of the leadership of the OT working group, how do you find the intelligence or the information shared between that working group and kind of our regular information and collaboration outside of that working group? How do you feel that those work together?

Rafia Noor: The IT section of it, like the traditional security sections is like very robust and mature. I see those information always coming in. For OT, we're still kind of getting there, there are a lot more room to grow and collaborate. I think a lot of the cases at OT we're still grappling with the basics, we're trying to get the basics of security. Threat intelligence is great to layer on top, but at times it's still not mature enough to deal with that, if that makes sense.

Luke Vander Linden: Well you know, like I said, I appreciate your help and helping the industry become more mature in its preparations and if we could, what we can do to help OT we'll love to do. So I guess since you came into this career from a little, from the side as opposed to in a traditional way, what advice would you give others either who are starting off and want to get into cyber security, or who may be considering coming in from the, from a nontraditional way like you did?

Rafia Noor: I mean, to be honest, I never feel like in a position to dole advices out to people, but from my experience, what I can say what worked for me, is not be afraid to learn new things or taking risks, right? So I'll see a lot of people actually move to cyber security from other tangential disciplines, like network, help desk, stuff like that. But always try to learn, be curious, there is no short of like you know, free resources online nowadays. We have webinars, conferences, but also vendors put out free white papers and annual reviews, stuff like that. The other thing, don't underestimate the power of soft skills, right? Like build genuine relationship, if there is anything to take away from my little background. If I always try to build relationships and keep in touch with folks I have worked with before and actually be friends, not just like coworkers, right? And that changed my life. If I wasn't chatting with my director that I worked like three years back before and didn't know like you know, he had this opportunity, I wouldn't be here where I am now.

Luke Vander Linden: All right, so in the interest of building rapport, tell me a little bit about your hobbies, your interest outside of work, what keeps you busy when you're not working for Colgate?

Rafia Noor: Oh, to be honest, right now I don't have a lot of time for hobbies. My husband and I recently had our first child.

Luke Vander Linden: Congratulations.

Rafia Noor: Thank you, he's eight months old so we've been pretty busy with that. Like between navigating parenthood, the pandemic has been just crazy couple of years. Before the pandemic though, like my husband in I used to love exploring national, you know, state parks, hiking, camping. I do miss those adventures, but I look forward to getting back to them when the little one is a little older maybe.

Luke Vander Linden: Yes, we had our first right before COVID started and then a second one about a year ago, and I think that has made a bigger impact in our lives than COVID did just because you know, it totally changes your life. So, be a little visionary for me, tell me what you think the trajectory of cyber security is going for like the next 5-10 years. Can you prognosticate for us within your crystal ball?

Rafia Noor: I mean I may be a little biased here, right? But one of the areas that I think is going to become more critical in the next decade is definitely the ICSOT security. We have to address the ITOT convergence. It's not something that's far away. It's already here, right? As more critical systems, like infrastructure and manufacturing processes become attempted, interconnected, and whether bad actors specifically target those ICS systems or not, the consequence of the cyber-attack can easily spill into the physical operational like we see with colonial pipeline, right? So we need robust security measures to protect these infrastructure in our just manufacturing physical world. But given the importance, I think we'll see a lot of focus on like developing a specializing, specialized cyber security solutions and we'll need expertise in that area. So, you know how I moved from the field to cyber security, we need to do those steps of cross functional training a lot in build our expertise before, you know, this becomes even more critical. Also, you cannot forget AI, right? Right now that's all the rage. I'm sure we'll see a lot more use of that. I'm excited to see how the use of AI trends in cyber security, we're already hearing now we're being, you know, coded and all that, but also like there is so much potential, like we can also automate our response, right?

Luke Vander Linden: It's so powerful and so much opportunity for bad and for good.

Rafia Noor: Exactly, so that is definitely something that's on the pipeline and we'll probably see a lot more coming up in the next few years.

Luke Vander Linden: Absolutely. Excellent, well Rafia Noor, thank you very much for taking the time to talk to us and join us on the podcast today. I'm looking forward to meeting you in person at our summit in Dallas in October. But again, thank you very much and thanks for being such a good member and helping out our OT group.

Rafia Noor: Thank you for having me, and I likewise hope to see you in October.

[ Music ]

Luke Vander Linden: You know how Rafia described her own career trajectory and how it was nontraditional led me right back to the RH ISAC blog I was talking about earlier. There's a great article there on how college graduates can attain a career in cyber security, regardless of educational background. Rafia talked about soft skills, not necessarily being a coding or technical expert, and still playing a fundamental role in cyber security. Cyber security leaders are increasingly seeking candidates with varied skillsets to create a more all-encompassing, more holistic teams. Job candidates who view tasks from different perspectives are usually more effective at problem solving while embracing creativity. A willingness to learn and enthusiasm are also tremendously important and in demand. This article and lots of other great articles can be found at the RH ISAC blog at rhisac.org/blog, or again, in the navigation, click on resources and then blog. We'll even do a version of our member profile of Rafia there. As always, a huge thank you to our own production team at the RH ISAC and Annie [inaudible] and Marie [inaudible], and for making us sound good, the folks at CyberWire; our Jennifer Eiben, Tre Hester, and Elliot Peltzman. We'll be back in a couple weeks with a new episode. In the meantime, stay safe out there.

[ Music ]