IBM Security Global Forum


Brandjacking Is a Massive Ongoing Threat to Businesses, And Memcyco Has a Solution

By Andrej Kovacevic posted Wed June 14, 2023 10:15 AM


In recent months, media outlets all over the world have gone all-in on hyping up the potentially ominous threat that AI-powered fraud could soon pose to the general public. The idea is that the average internet user is about to get inundated with phishing attempts and other social engineering attacks laced with deep-faked audio, video, and photographic media designed to trick users into coughing up privileged information. And while all of that is a distinct possibility, the current obsession with AI-related threats obscures the very real fact that an epidemic of a similar sort is already well underway—brandjacking.

Brandjacking, or brand website impersonation, is a preferred tactic used by cybercriminals and the scourge of the world's best-known brands. It involves an attacker posing as a well-known company or brand to lure that company's unsuspecting customers into divulging their authentication credentials or other personally identifiable information. It's an attack vector that's extraordinarily effective and can have a disastrous impact on both its victims and the exploited brand itself. Worse still, it's a type of attack that, except for PSA-style consumer education campaigns, brands couldn't do much about. Until now, that is.

Enter Memcyco, an Israeli real-time website impersonation security startup, which aims to introduce a new digital trust mechanism that offers businesses a way to ensure their customers don't fall victim to a brandjacking scam. To elaborate, here's some background information on the brandjacking epidemic and how Memcyco plans to bring it to heel.

The ABCs of Brandjacking

Brandjacking is a phenomenon that takes a handful of forms. The most common form involves an attacker mass-emailing people a realistically mocked-up email from a well-known company. The hope is that some percentage of the recipients will have legitimate accounts or business interests with the company and click through to an attacker-controlled website that emulates the colors, branding, and design of the real thing. With their defenses down, the victim will then feel comfortable entering their account details or other personal information, believing they can trust the site they're on.

This approach, of course, assumes that the target can't easily tell the difference between a clone of a real company's site and the real thing. That's a critical security weakness inherent in the internet's URL scheme—that a single company may use more than one URL, and customers don't necessarily know every possible legitimate URL a company might be using. It is that exact weakness that Memcyco aims to solve.

A Proof of Source Authenticity System

The heart of Memcyco's customer-facing platform is what they're calling a Proof of Source Authenticity (PoSA™) system. It's an agentless security tool that displays a Red Alert warning on an end user's screen if they visit a branded site that's not what it claims to be. Memcyco is then able to transfer the full details of the attack attempt - the identity of the victim, the scope of the damage, etc. - directly to the brand, which can mobilize its security teams accordingly to assess and prevent further damage. They don't stop there, however. Memcyco combines that functionality with a suite of tools businesses can use to detect future brandjacking attempts using their branded names, and a digital watermark for brands to prove the legitimacy of their web properties to end users.

According to Memcyco co-founder and COO Gideon Hazam, most companies start with those backend discovery tools before expanding to proactive consumer notifications. He says, "We developed — and continue to develop — an AI algorithm that we can use to search for and find the scam before there is an attack," giving businesses advance notice so they can act against the scammers. However, as most cybersecurity experts would note, that's a bit like playing a game of whack-a-mole, with attackers jumping between domains faster than businesses can act against them.

That, however, is where the watermark functionality comes into play. On that, Memcyco CEO Israel Mazin says, "We have introduced a new paradigm for preventing website impersonation by providing multiple layers of protection for companies and their customers," which includes a customizable site overlay with an individual and customizable user secret. It's a self-explanatory system that helps users know a business's real site from a clever forgery.

A Team of All-Stars and Well-Known Backers

It's also worth pointing out that Memcyco's hardly alone in trying to push its new anti-brandjacking standard and system. They've recently completed a $10 million seed funding round headlined by Capri Ventures and Venture Guides, two venture capital firms known for supporting early-stage innovators. And the young company's ranks feature scores of experienced entrepreneurs and developers hailing from all over the industry and beyond.

On the depth of its talent bench, Mazin noted that "between all of us founders, there are many years of experience of building startups from scratch to worldwide companies—private funding, public funding, partnership with strategic partners like IBM and others," and that "now we mix our knowledge and our long experience with very young people that came from [the Israel Defense Force's elite cybersecurity unit] 8200 and other units from the IDF." In other words, it's a team that understands both the needs of businesses and the intricacies of front-line cybersecurity operations.

Defending Against the Previously Indefensible

The bottom line here is that Memcyco looks to have a platform that addresses the threat of brandjacking from multiple angles. In doing so, it's giving businesses a credible means of defense against a threat that was previously all but impossible to stop in real time. In an age where digital fraud is about to enter an even more dangerous phase, fraught with AI-powered fakery, it's comforting to know that defensive measures can and do exist to help keep businesses—and the customers that they depend on—safe from the clutches of digital villains.