Domain name abuse is the misuse of a domain name, typically one that infringes a brand's intellectual property, for illegal, improper, fraudulent or malicious purposes. Cyber-criminals use domain name abuse to steal data, to scam the targeted business or government agency and/or its customers and suppliers, or to trick consumers into thinking that they are dealing with a legitimate brand.
Common domain name abuse scenarios include:
- Cybersquatting – registering a company, brand name or trademark term as a domain name with the aim of reselling it at a profit (applephones.com).
- Typosquatting and misspelling registrations – changing the spelling of the domain name so that it looks like the real thing (apqle.com).
- Registering the brand name under another top level domain (apple.xyz).
- Replacing or appending country code TLDs (apple.com.ai).
- Homographic domains – homographs are words that share the same written form as another word but have a different meaning or pronunciation. In a domain name, an attacker may replace a Latin letter with a Cyrillic character (Дpple.com) to confuse consumers.
Perpetrators of these attacks victimize users through some form of deception; for example, they use domain names or hyperlinks that “look like” high value brands or organizations they have targeted. They also use persuasion (social engineering) to compromise or hijack domain names that can lend temporary legitimacy to their attacks.
Cyber-attack perpetrators commonly acquire domain names from registrars that focus on volume and whose business practices in a domain registration marketplace make lookalike domain names easy and cheap to acquire in bulk. The commodity nature of this marketplace leaves little margin or incentive for registrars to implement measures to protect their customer accounts against attack. The combined effect of these factors streamlines the “weaponization” of domain names for criminal or malicious use and exposes risks to enterprises that typically are not addressed proactively.
The scale of the problem is significant: ICANN (the global domain regulator) identified that in June 2021 alone there were 966,366 domain names associated with at least one of four kinds of security threats: phishing, malware distribution, botnet command-and-control, and spam.
Domain name abuse ranges from isolated one-off domain name registrations to more sophisticated multi-domain attacks. Abuse often begins shortly after the domain name is registered, so countermeasures need to be applied quickly.
At present, there is an overemphasis on attack response and an underemphasis on proactive, preventative measures to detect, identify, and mitigate threats before an attack can occur.
Bad actors register a domain name and within days launch the attack, either via a fake website or by email. The speed at which an attack unfolds can be lightning fast, and often the attack is over by the time the IP owner has been alerted by customers, suppliers or partners. However, there are early indicators of an attack, such as the domain name registration itself.
Proactive domain name monitoring gives organisations the ability to get on the front foot, quickly identify issues and take steps to have a domain name taken down early, mitigating the attack's impact.
A good domain name monitoring solution will be able to identify both identical and confusingly similar variations. For example, if a bad actor transposes letters to confuse customers, as in goolge.com, the tool should be able to pick that up. A good monitoring tool should catch basic typos as well as more complex variations, and improve as attacks change.
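The following is an added example of the detection side of such monitoring; it is not code from the original post or from the company behind it. It takes a constructed feed of newly observed domain names and sorts each one into the abuse scenarios listed above (cybersquatting, typosquatting, other TLD, country-code TLD variant, homograph) by comparing the registrable label against a watched brand list. The brand list, the sample feed, the small confusable-character map and the distance thresholds are all assumptions made for the example; a production tool would use the full Unicode confusables table and a public suffix list.

```python
"""Classify observed domain names against a watched brand list (example, not the page's own tool)."""

# Assumption: brands the monitored organisation wants watched, and the suffix it legitimately uses.
BRANDS = ["apple", "google"]
LEGIT_SUFFIX = "com"

# Assumption: a hand-made map of Cyrillic letters that render like Latin ones.
# A real tool would load the Unicode confusables data (UTS #39) instead.
HOMOGLYPHS = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions, so
    goolge -> google costs 1 (one transposition) rather than 2 (two substitutions).
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _threshold(brand: str) -> int:
    # Assumption: allow one edit for short brands, two for longer ones.
    return 1 if len(brand) <= 6 else 2


def classify(domain: str, brands=BRANDS, legit_suffix=LEGIT_SUFFIX):
    """Return (category, matched_brand) for one domain name.

    Categories: legitimate, cybersquat, typosquat, other_tld, cctld_variant,
    homograph, unrelated. Matching is deliberately generous: hits feed a review
    queue, so a false positive costs an analyst a glance, a miss costs much more.
    """
    domain = domain.lower().rstrip(".")
    # Simplification: the leftmost label is the brand-bearing label, the rest is the suffix.
    label, _, suffix = domain.partition(".")

    # Homograph check: any non-ASCII character in the label is suspicious on its own.
    if not label.isascii():
        folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
        ascii_only = "".join(ch for ch in folded if ch.isascii())
        for brand in brands:
            if folded == brand or osa_distance(ascii_only, brand) <= _threshold(brand):
                return ("homograph", brand)
        return ("unrelated", None)

    for brand in brands:
        if label == brand:
            if suffix == legit_suffix:
                return ("legitimate", brand)
            if legit_suffix in suffix.split("."):
                return ("cctld_variant", brand)  # e.g. apple.com.ai
            return ("other_tld", brand)          # e.g. apple.xyz
        if brand in label:
            return ("cybersquat", brand)         # e.g. applephones.com
        if osa_distance(label, brand) <= _threshold(brand):
            return ("typosquat", brand)          # e.g. apqle.com, goolge.com
    return ("unrelated", None)


def scan(new_registrations, brands=BRANDS):
    """Return the registrations that warrant review, as (domain, category, brand) tuples."""
    hits = []
    for domain in new_registrations:
        category, brand = classify(domain, brands)
        if category not in ("legitimate", "unrelated"):
            hits.append((domain, category, brand))
    return hits


# Constructed sample feed standing in for a daily list of newly registered domains.
SAMPLE_FEED = [
    "applephones.com", "apqle.com", "apple.xyz", "apple.com.ai",
    "Дpple.com", "goolge.com", "example.org", "apple.com",
]

if __name__ == "__main__":
    for domain, category, brand in scan(SAMPLE_FEED):
        print(f"{domain:18} {category:14} (brand: {brand})")
```

Run against the constructed feed, the scan flags six of the eight names and leaves `example.org` and the brand's own `apple.com` alone. The substring and edit-distance rules are intentionally loose: with a five-letter brand, an unrelated word one edit away will also land in the review queue, which is the trade-off a monitoring service makes in favour of catching registrations in the window before the attack is launched.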
bandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL Management, domain name brokerage and dispute management and brand security consultation services.