A third-party or supply chain attack happens when threat actors penetrate an organization’s system through outsiders, such as third-party vendors or providers. And with almost all enterprises outsourcing some of their business operations, the risk of third-party attacks has increased.
For this reason, third-party risk assessment has become one of the priorities of enterprises. It’s essential to understand the different ways by which third-party vendors could be exploited so organizations can choose the right tools and solutions to help them manage third-party risks.
Let’s start our list with typosquatting domain names, or domains that imitate an organization’s third-party partners. This is a common malicious actor ploy to make victims think the spoofed company owns a fake website or sent a phishing email.
Transferwise, for example, can be misspelled in hundreds of different ways (e.g., transferwize, transfer-wise, and tronsferwise). Each typo can be partnered with countless terms or phrases, such as transferwise-demo and transferwizecshelp. Lastly, these misspellings can take on different top-level domains (TLDs), so threat actors can use transferwisecshelp[.]com, transferwisecshelp[.]net, transferwisecshelp[.]top, and more.
Keeping typosquatting domains in mind when dealing with third-party providers would be helpful for enterprises. Additionally, they could choose a third-party risk management solution that considers typosquatting domains.
Wild subdomains refer to those that contain the third-party vendor’s name but whose WHOIS records cannot be attributed to that company. One example is the subdomain account[.]paypal[.]security[.]bestcoininv[.]club. The WHOIS data of the root domain has been redacted so it can’t be publicly attributed to PayPal. The same is true for paypal[.]user-confirmation[.]com, which had been used in an actual phishing email. Below is a screenshot of that email taken from Consumer Fraud Reporting.
In a third-party vendor risk management study of the top online payment processors (i.e., Transferwise, PayPal, and Payoneer), 7,512 subdomains were uncovered. The research looked at the domain attack surface size of the top software providers and couriers, which are among the most common third-party providers enterprises use. The chart below shows the number of subdomains for each industry.
The couriers’ and payment processing companies’ wild subdomains make up more than 99% of their domain attack surface, while those of the software providers amount to 98%.
Third-party risk assessment could be more comprehensive when wild subdomains are considered. As with typosquatting domains, company staff could be lured into thinking that a malicious email or website belongs to a third-party provider.
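To make the two lookalike patterns above concrete, here is an added example that is not code from the original article or from any of the vendors it names. It classifies an observed hostname (for instance the sender domain of an incoming email, or a domain found in a log) against a small allowlist of vendor domains: a registrable domain on the allowlist is trusted; a vendor name appearing in the labels to the left of a registrable domain the vendor does not own is a wild subdomain; and a registrable domain whose own label carries the vendor name, or a single-edit misspelling of it, is a typosquat. The allowlist, the character-substitution table, and the two-label suffix set that stands in for the Public Suffix List are all assumptions made for this example.

```python
# Constructed allowlist of the vendors' legitimate registrable domains. This is an
# assumption for the example; a real deployment loads it from the vendor inventory.
TRUSTED_DOMAINS = {
    "transferwise.com": "transferwise",
    "paypal.com": "paypal",
    "paypal.co.uk": "paypal",
    "payoneer.com": "payoneer",
}
# Sorted so that classification results are deterministic.
BRANDS = tuple(sorted(set(TRUSTED_DOMAINS.values())))

# Stand-in for the Public Suffix List: suffixes that span two labels (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Look-alike character swaps used to build typo variants (assumption).
SUBSTITUTIONS = {"s": "z", "a": "o", "i": "1", "o": "0", "e": "3", "l": "1"}


def typo_variants(brand):
    """Return plausible single-edit misspellings of a brand name."""
    variants = set()
    for i in range(len(brand)):
        variants.add(brand[:i] + brand[i + 1:])                  # omission
        variants.add(brand[:i + 1] + brand[i] + brand[i + 1:])   # doubled letter
        if brand[i] in SUBSTITUTIONS:                            # substitution
            variants.add(brand[:i] + SUBSTITUTIONS[brand[i]] + brand[i + 1:])
    for i in range(len(brand) - 1):                              # transposition
        variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    variants.discard(brand)  # a transposition of doubled letters yields the brand itself
    return variants


VARIANTS = {brand: typo_variants(brand) for brand in BRANDS}


def normalize(host):
    """Lower-case, un-defang ("[.]" -> "."), strip a trailing dot, split into labels."""
    host = host.lower().replace("[.]", ".").strip(".")
    return host.split(".")


def registrable_domain(labels):
    """Split labels into (subdomain labels, registrable domain)."""
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return labels[:-n], ".".join(labels[-n:])


def classify(host):
    """Return (verdict, evidence) for an observed hostname."""
    labels = normalize(host)
    sub_labels, reg = registrable_domain(labels)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    # Wild subdomain: a vendor name sits left of a registrable domain the vendor does not own.
    for brand in BRANDS:
        if any(brand in label for label in sub_labels):
            return "wild_subdomain", brand
    # Typosquat: the registrable domain's own label carries the brand or a misspelling
    # of it, possibly padded with extra terms (hyphens are removed before matching).
    sld = reg.split(".")[0].replace("-", "")
    for brand in BRANDS:
        if brand in sld:
            return "typosquat", brand
        hits = sorted(v for v in VARIANTS[brand] if v in sld)
        if hits:
            return "typosquat", hits[0]
    return "unrelated", reg


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in mail logs (defanged).
    samples = [
        "help.transferwise.com",
        "transferwize[.]com",
        "transfer-wise.com",
        "transferwizecshelp[.]net",
        "account[.]paypal[.]security[.]bestcoininv[.]club",
        "paypal[.]user-confirmation[.]com",
        "bestcoininv.club",
    ]
    for host in samples:
        verdict, evidence = classify(host)
        print(f"{host:50} {verdict:15} {evidence}")
```

Two caveats for anyone adapting this: the two-label suffix set is a placeholder and should be replaced by a real Public Suffix List lookup (the `tldextract` library does this) so that `foo.co.uk` is not split as `co.uk`; and substring matching of single-edit variants becomes noisy for short brand names, so a production version should require a minimum variant length or compare the whole label with an edit-distance threshold instead.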
Hardware and Software
Another point of entry for threat actors is a third-party vendor’s physical systems and applications that have security vulnerabilities. An unpatched software bug or unsecured network protocol, for instance, could serve as an attack vector. When a third-party provider’s system is compromised, its clients’ data could also be breached.
This scenario has occurred far too many times, but one of the most recent occurrences is the breach of General Electric (GE) employee data. One of its vendors, Canon Business Process Services, suffered a breach when an unauthorized person accessed an email account containing GE employees’ documents. As such, third-party vendor risk management should also cover where and how vendors store client information.
Lastly, the employees of the third-party provider can also be considered attack vectors. Attacks could be financially motivated and instigated by competitors, triggered by disgruntled employees seeking revenge, or caused by human error, such as innocently downloading a malicious file. Adequate third-party risk assessment allows companies to limit access to certain information, thus reducing the risk of compromise caused by human factors.
Typosquatting domains, wild subdomains, and a third-party provider’s network, systems, and employees are some of the attack vectors that organizations need to consider for comprehensive third-party risk management. When these possible vulnerabilities are mapped out, enterprises can better keep a lookout and protect themselves against cyber attacks.