I’m not surprising anyone by saying that Pokemon Go ranks among the largest and fastest-ramping phenomena of the Internet age to date. Whether it’s the players stumbling around staring at their phones, the snarky jokes about those players, or the inevitable memes, the game is ubiquitous (even if Niantic did seemingly throw a stick into its own spokes with the revision that took away the footstep counting tool). Sadly but predictably, anything that captures the public imagination this widely is bound to attract fraudsters, and the Pokemon Go juggernaut is no different. Any time a Big Thing happens, whether a news story, a product release, a fashion trend, a hit song, there’s a land-grab of online properties that capitalize on the attention. When it comes to craze-inspired Internet domains, some are innocuous, like fan sites or humor sites; some are questionable, like misleading look-alikes designed to capture clicks (and the concomitant advertising revenue); and some are downright dangerous, such as phony login pages that harvest usernames and passwords, or look-alike sites that trigger drive-by downloads of malware onto a victim’s computer.
Some numbers help to illustrate how extensive the spread is. Research using DomainTools Iris shows an abundance of potentially dangerous Pokemon-themed domains, many of them registered very recently. Check out this chart of the daily numbers of registrations of one (albeit large) slice of such domains over the month of July:
These domains, 7442 in all, have the following characteristics:
- They begin with “pokemon”
- They are not registered by Niantic, Nintendo, or the Pokemon Corporation
- They were registered on the days depicted in the chart
If you find the sheer numbers surprising, note that these are only the domains that begin with “pokemon.” There are thousands more that incorporate the word somewhere inside the domain name.
While some, or even a lot, of these domains may be relatively innocuous fan sites, any time the registration isn’t by the legitimate owner of a trademarked name, it’s important to be cautious. There are widespread reports of malware-laden ripoff apps that are capitalizing on the craze to infect victims.
What it means for your organization
Besides its obvious productivity-sapping potential, a Pokemon-level Internet craze can raise your risk exposure because, quite simply, “folks gonna click.” This means that all enterprises–large and small–have to deploy multiple measures to defend against the threats. The countermeasures aren’t unique to Pokemon; it just serves to underscore their importance.
It’s basic blocking-and-tackling stuff that should be practiced by everyone.
- Phishing protection: deploying a combination of tools (messaging security appliances, cloud services, or a combo) and user education (teach people to think before they click) can help reduce exposure. They won’t eliminate it but they can cut down on the noise. Then, the security team also needs to have a response plan in the event that a phish gets through. It is worth noting, incidentally, that a phish that is spotted by an employee but not acted upon can give the security team a potentially valuable forensic artifact; information such as the domains used in the attack can be studied to trace back to the attacker and learn about them, which can help the organization’s defenses.
- Secure the endpoint: anything as device-centric as Pokemon reinforces the utility of endpoint security and MDM (mobile device management) tools which can be set to block unauthorized app installations. For one thing, many organizations wouldn’t allow employees to install something like Pokemon on company-owned assets, and secondly, these tools can prevent installations of malicious apps that started to occur without the user’s knowledge or consent.
- Watch those access levels! Don’t give users admin access to their machines; live by the principle of least privilege–any given account should run with the fewest system privileges necessary to allow work to get done. This makes it harder (though not impossible) for malicious apps to take root, for credentials to be stolen, etc. Like the anti-phishing measures, it can cut down on the noise level the security team has to deal with.
- Institute, or refine if you already have it, threat hunting. There are super-advanced hunt team techniques, but in some senses it’s almost as much a mentality as a specific set of techniques. Your security team should always have the attitude “bad stuff is already happening; it’s our job to ferret it out, rather than to wait to be alerted to it.” Easier said than done, but the first step is doable by anyone: make the decision to adopt the mindset.
Pokemon Go probably doesn’t represent an existential threat to your organization, but an ill-defined or cavalier security posture could. Just as in the game, your goal with security incursions is to catch ‘em all. Also like the game, that will prove elusive–but a solid effort in that direction could help prevent a nasty attack or breach.