Jeremy Hendy at Skurio looks at the harm caused by malicious domains and suggests solutions for addressing the damage they can cause
Cyber-attacks using lookalike web domains to fool their victims are a serious issue for businesses. All organisations want to build a reputable brand that customers can trust, but criminals abuse this relationship to reach their victims. Threat actors use malicious URLs to trick consumers into believing that they are in contact with a genuine brand or organisation before stealing their data, infecting them with malware, or convincing them to buy fake goods and services.
As well as the direct harm caused by malicious domains, they also damage the reputation of trusted brands.
The NCSC removed 217,173 malicious domains in 2019, and the number of bogus sites is rising, particularly with COVID-themed sites taking advantage of the public’s uncertainty around the pandemic.
The scale of the problem is evident and, although internet service providers (ISPs) and domain registrars have taken steps to combat this threat, criminals still find ways to register malicious domains. Businesses must protect themselves and identify threat actors attempting to exploit their brand so they can move quickly to protect their reputation and keep customers safe.
The rise of malicious domains
Threat actors will try to convince users that they are visiting a genuine site using a technique called typosquatting. They register a name that looks similar to a genuine brand; the change could be as simple as inserting a hyphen – changing yourbrand.com to your-brand.com. They will also use different spellings to mislead visitors – yourbrand.com could become yourband.com, for instance.
Savvier web users may spot these tricks, particularly if they are familiar with the brand, but the changes can be easily overlooked.
Cybercriminals also took advantage of the COVID pandemic as consumers sought out more information from their favourite brands, such as social distancing policies, retailer opening times, and any charitable action brands are taking.
This made consumers more likely to search for URLs that contain words related to the pandemic, whether genuine or not. At the height of the pandemic, 6,000 URLs related to “COVID” and “coronavirus” were created weekly.
Research from Trend Micro shows that there was a 47.4 percent increase in malicious domains between Q2 and Q3 in 2020. It also highlights that more than a million users tried to access malicious URLs in Q3 2020.
The increase in malicious domains last year, particularly pandemic-related ones, has led to significant losses for businesses. COVID-related cybercrime is projected to have cost businesses more than $1 trillion globally in 2020, according to new figures released by McAfee and the Center for Strategic and International Studies.
Preventing the spread of malicious domains
On paper there are several steps registrars could take to prevent the misuse of domain registrations, such as attempting to authenticate the identity of applicants. If a domain is registered that appears to be similar to one that already exists, the owner of that website could be notified. In practice, however, this simply isn’t feasible: given the high volume of registration requests and low transaction cost, researching each request is not economically viable. Having a cooling-off period could be effective at deterring cybercriminals from registering a fake domain, as any time wasted reduces the amount of money they make while increasing their chances of getting caught.
What can businesses do?
There are steps businesses can take to protect their website from typosquatting. One strategy is to beat the scammers to the punch by registering possible lookalike domain names first. However, this is an expensive and difficult process given the possible number of domain name combinations. A third-party partner can make it easier to purchase and manage domains, but this comes at a cost.
A more accessible option is to use online tools to keep track of new domain registrations to identify potential typosquatting registrations. Determining if registered domains are being used for emails – and most likely for phishing attacks – is also helpful. DN Pedia, for example, detects domain registrations that incorporate a specified brand name, and dnstwister identifies domains that appear to be using typosquatting methods to imitate a brand, providing risk indicators. Keeping up to date can, however, prove a challenge, as it may be necessary to use multiple tools to cover all domain types and track changes to the status of a domain.
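One way to do this kind of monitoring, as an added example that is not from the article or from the tools it names: it checks a feed of newly registered domains against a brand and reports hyphen insertions, brand-name containment and one-edit misspellings, going slightly beyond the two variations the article describes. The feed is constructed sample data and the function names are illustrative.

```python
BRAND = "yourbrand.com"  # the article's placeholder brand
SAMPLE_FEED = [  # constructed stand-in for a feed of newly registered domains
    "your-brand.com", "yourband.com", "yourbrnad.com", "yourbrand-covid.com",
    "yourbrand.co", "gardencentre.com", "yourbrand.com",
]

def label_of(domain):
    """Name part of a registered domain: 'your-brand' from 'your-brand.com'."""
    return domain.lower().rstrip(".").split(".")[0]

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def classify(candidate, brand=BRAND):
    """Return why candidate resembles brand, or None if it does not."""
    if candidate.lower() == brand.lower():
        return None  # the genuine domain itself
    name, target = label_of(candidate), label_of(brand)
    squeezed = name.replace("-", "")
    if name == target:
        return "same name, different TLD"
    if squeezed == target:
        return "hyphen inserted"
    if target in squeezed:
        return "contains brand name"
    if edit_distance(name, target) <= 1:
        return "one edit away"
    return None

def scan(feed, brand=BRAND):
    """Map each flagged domain in the feed to the reason it was flagged."""
    found = {d: classify(d, brand) for d in feed}
    return {d: why for d, why in found.items() if why}

if __name__ == "__main__":
    for domain, why in scan(SAMPLE_FEED).items():
        print(f"{domain:22} {why}")
```

Checking whether a flagged domain is set up for email needs a live DNS lookup and is left out so the example runs offline.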
Another approach is to invest in a typosquatting service, where analysts will research and resolve issues as they emerge. For those firms that are constantly targeted by domain fraud, keeping control of their brand can be worth the expense. Alternatively, automated typosquatting alert services can quickly detect fraudulent registrations at a more affordable price point.
Cybercriminals will always try to exploit the good names of legitimate businesses for their own gains. Registrars and hosting companies cannot be relied on to police and prevent typosquatting. So, businesses must take steps to reduce the risk of their URLs being imitated – ultimately protecting themselves and their customers.
Jeremy Hendy is CEO at Skurio, delivering the strategic vision of the company. He has more than 30 years’ experience, combining both business and marketing expertise alongside technical acumen in advanced technology industries, ranging from semiconductors and electronics to telecoms technologies and cybersecurity.