Lookalike Domain Attack Wreaks Havoc, and the Trucking Industry Must Fight Back

Joe Ohr - February 15, 2024

In late January, a user of the DAT Freight & Analytics load board was the victim of a meticulous and nasty lookalike-domain attack. The results were disastrous for everyone involved. A shipment was redirected and the freight was stolen. The intended recipients never received their goods. The carrier never got paid.

And it was all because a very clever hacker—in this case based in Russia—did an excellent job of fooling a user into giving up log-in credentials.

This is a cautionary tale to everyone in the trucking industry to be on the lookout for phishing attacks that use lookalike domains.

What’s a Lookalike Domain?

A lookalike domain is a domain so similar to the one it’s pretending to be that you can hardly notice the difference. Sometimes the attacker substitutes a .org for a .com. Other times they add or drop a letter, or make a sneaky character substitution, such as the numeral 1 for a lower-case l, a zero for the letter o, or the pair rn for m.

The objective is to convince an e-mail recipient that they have received a message from a legitimate sender, and that it’s OK to do what the sender is telling them to do.

In this case, the hacker had created a fake website that perfectly mirrored the real one associated with the domain it was mimicking. The email recipient was told to go to the site and enter log-in credentials. Everything looked normal—from the sender email address to the website that popped up after the click.

But it wasn’t the site it appeared to be at all. It was a fake set up by Russian hackers, and once the user entered the requested log-in credentials, the hackers had them. They promptly used them to log into the real site and re-direct the shipment so the waiting thieves could steal the goods.

“Think of it as somebody redirecting your Amazon order,” said Antwan Banks, director of enterprise security for the National Motor Freight Traffic Association (NMFTA). “That’s what they’re doing. They’re basically going in and pulling the shipment off the load board.”

Putting in the Work

One of the truly astonishing things about a hack like this is how much work the hackers put into it.

“This all was very methodical,” said Joe Ohr, chief operating officer of NMFTA. “Someone went and bought a domain that was very similar to the DAT domain. Then there’s a company out there that will then build a lookalike site. And then they phished for someone to go into the lookalike site and enter the credentials. Then they capture the credentials on this other lookalike site.”

Another thing the hackers did was to create fictitious loads, which a number of carriers signed on to pick up and deliver – only to eventually have to let the load board know the loads had been fake.

There are several effective methods companies can use to guard against such attacks. One is email authentication: publishing SPF, DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) records for your own domain lets receiving mail servers reject messages that forge your exact domain. Note the limit: a lookalike domain is a different domain that the attacker registered and controls, so mail from it can pass SPF, DKIM and DMARC checks of its own. Catching those requires additional controls, such as mail filters that flag senders whose domain is a near match to yours or your partners’, registering the most obvious lookalikes of your own domain before someone else does, and cyberthreat intelligence feeds that track newly registered domains impersonating your company.
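As an added illustration, not code from the article or from NMFTA or DAT, the following Python checks the domain in a From: header against a list of your legitimate domains for the substitutions described above: a swapped TLD, look-alike characters, a one-letter addition or change, and a longer name that embeds yours. This is the kind of rule a mail filter applies alongside DMARC, since DMARC alone does not see a lookalike as a forgery. The domain `example-loadboard.com` and the sample headers are constructed assumptions, and the domain split is deliberately simplified (no public-suffix list).

```python
import re

# Assumption: a hypothetical legitimate domain standing in for the real load board's domain.
LEGIT_DOMAINS = {"example-loadboard.com"}

# ASCII substitutions that read like the character on the right in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches one added, dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, TLD). Assumption: no public-suffix list, so a
    name such as 'example.co.uk' would be split as ('co', 'uk'); use a
    public-suffix library for production filtering."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None
    return parts[-2], parts[-1]


def lookalike_reason(candidate: str, legit: str):
    """Explain why `candidate` looks like `legit`, or return None if it does not."""
    c, l = split_domain(candidate), split_domain(legit)
    if c is None or l is None:
        return None
    c_sld, c_tld = c
    l_sld, l_tld = l
    if c_sld == l_sld and c_tld == l_tld:
        return None  # the legitimate domain itself, or a subdomain of it
    if c_sld == l_sld:
        return f"TLD swap: .{c_tld} instead of .{l_tld}"
    if normalize(c_sld) == normalize(l_sld):
        return f"homoglyph substitution in '{c_sld}'"
    if levenshtein(c_sld, l_sld) <= 1:
        return f"one edit away from '{l_sld}'"
    if l_sld in c_sld:
        return f"embeds '{l_sld}' in a longer name"
    return None


def check_sender(from_header: str, legit_domains=LEGIT_DOMAINS):
    """Pull the address domain out of a From: header and test it against each legitimate domain."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1]
    for legit in legit_domains:
        reason = lookalike_reason(domain, legit)
        if reason:
            return reason
    return None


if __name__ == "__main__":
    # Constructed sample headers, not taken from the incident.
    for hdr in [
        "DAT Support <support@example-loadboard.com>",
        "DAT Support <support@example-loadboard.org>",
        "DAT Support <support@examp1e-loadboard.com>",
        "DAT Support <support@example-loadboards.com>",
        "Dispatch <ops@unrelated-carrier.net>",
    ]:
        print(f"{hdr!r:55} -> {check_sender(hdr)}")
```

The check returns a reason string rather than a boolean so that the filter can put the specific substitution in the quarantine notice; a user who is told "this came from .org, your load board is .com" learns the pattern for next time.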

Banks also recommended that trucking companies that are using Microsoft E3 switch to Microsoft E5, which includes much more robust security features.

Another option is to reduce how long a multi-factor authentication (MFA) approval stays valid for access to email. Employees typically dislike re-authenticating because it’s an added inconvenience, but it is a critical security measure. Many systems allow an MFA approval to be remembered for as long as 30 days. That gives hackers a very long window to wreak havoc once they have a foothold on a device or session that has been marked as trusted. It’s better for a system to remember the approval for a very short time, possibly a day or less. Where the application supports it, phishing-resistant methods such as FIDO2 security keys or passkeys are stronger still: a credential-harvesting site like the one in this incident can relay a one-time code typed by the victim, but it cannot complete a FIDO2 challenge that is bound to the real site’s origin.

By the same token, many systems allow email passwords that are far too simple and thus too easy to guess. Ideally, users should change their email passwords at least every 90 days, use complex passwords, and be prevented from reusing the same password within a year. Current NIST guidance (SP 800-63B) puts more weight on long, unique passwords screened against lists of known-breached passwords than on scheduled rotation, so pair whatever rotation policy you adopt with that screening.

It is also a good idea to enact geographic restrictions on who can log in. If a user is based in the United States, there is no reason someone should be using their account to log in from Russia or Algeria, both locations from which recent attacks have originated.
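The geographic restriction above is best enforced in the identity provider, but the same policy should also be run as a detection over sign-in logs, since an attacker with a valid password may first appear in a log before any block is tuned. As an added example, not code from the article or from NMFTA, the following Python runs two rules over constructed sign-in records: any sign-in from outside the allowed countries (successful or not, because a burst of failures from abroad is itself a signal), and "impossible travel", two successful sign-ins by the same user from different countries within a short window. The allowed-country set, the record format, and the country codes (assumed to be resolved from the source IP upstream) are assumptions for the example.

```python
from datetime import datetime, timedelta

# Assumption: a North American carrier whose staff never sign in from elsewhere.
ALLOWED_COUNTRIES = {"US", "CA", "MX"}
# Two successful sign-ins from different countries closer together than this are suspicious.
TRAVEL_WINDOW = timedelta(hours=4)

# Constructed sample sign-in records (not real logs): timestamp user country result source IP.
# The country code is assumed to have been resolved from the source IP before logging.
SAMPLE_SIGNINS = [
    "2024-01-29T13:02:11Z alice@example-carrier.com US success 203.0.113.10",
    "2024-01-29T13:40:05Z alice@example-carrier.com RU success 198.51.100.7",
    "2024-01-29T14:10:00Z bob@example-carrier.com DZ failure 198.51.100.22",
    "2024-01-29T14:12:00Z bob@example-carrier.com DZ success 198.51.100.22",
    "2024-01-30T09:00:00Z carol@example-carrier.com CA success 192.0.2.5",
]


def parse_line(line: str) -> dict:
    """Split one space-separated record into a typed event."""
    ts, user, country, result, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "country": country,
        "result": result,
        "ip": ip,
    }


def detect(lines, allowed=ALLOWED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return (rule, user, detail) alerts for out-of-region sign-ins and impossible travel."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    last_success = {}  # user -> most recent successful sign-in seen so far
    for e in events:
        if e["country"] not in allowed:
            alerts.append(("out_of_region", e["user"],
                           f"{e['result']} from {e['country']} ({e['ip']})"))
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            minutes = int((e["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append(("impossible_travel", e["user"],
                           f"{prev['country']} -> {e['country']} in {minutes} min"))
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_SIGNINS):
        print(f"{rule:18} {user:30} {detail}")
```

On the sample data the script raises three out-of-region alerts and one impossible-travel alert for the user who signed in from the United States and then from Russia 38 minutes later, which is the pattern a stolen load-board or email password produces when the thief uses it immediately. Feed it the sign-in export from your identity provider in the same five-field shape and review anything it flags before extending the allowed-country list.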

Banks warned that successful lookalike domain attacks can have other kinds of repercussions as well. One frequent attack being attempted at the moment is for a hacker to send someone an email that appears to be from a colleague, saying that their bank information has been changed and asking the recipient to click a link and enter new details so the person can continue to get paid.

The link leads to a phishing site, and once the log-in information is entered, the hacker can use it to manipulate financial accounts.

In other cases, hackers are trying to gain access to email accounts of system administrators. If they can do so, they essentially become system administrators, and they can do just about anything they want to a company’s enterprise system. A good practice for system administrators is to have two separate work accounts—one for normal communication, and a second one that is much more secure and only used for system administrator functions.

Hackers Doing Their Homework

Remember, hackers are doing their homework to get to know a target company.

“They only create lookalike domains after they have scouted your company and surveilled your company,” said Banks. “I’ve done this when I used to be a project manager and worked with hackers. I would go to your social media site and I’m going to see who’s the CEO. I want to identify who is the CFO. I want to identify who all the key players are. I’m going to go to your job postings to see who you’re hiring, what type of equipment you got, what are you buying, who you’re doing business with.”

That gives the hackers an idea of who might email whom within the company, so their phishing emails not only look real but seem to make sense to those receiving them.

This is what the trucking industry is up against and there’s no option of taking it lightly. Take every action you can to protect your enterprise and your assets—using the information in this article as a guide.

If you need help, connect with a member of NMFTA’s cybersecurity team, at cyber@nmfta.org.

Joe Ohr

Joe is the chief operating officer at the NMFTA. He brings to the organization over 20 years of experience in engineering product software, gained from roles at Omnitracs, Qualcomm, and Eaton. Ohr has provided strategic guidance, vision, and a roadmap for addressing long-term customer challenges. He has played a key role in accelerating revenue growth and has collaborated closely with IT, product, and engineering teams to foster stronger partnerships with strategic customers and peers.