Bad actors have accelerated their purchase of domains that look similar to the brands of the largest 2,000 companies in the world, with 60% of such domains registered to risky third parties, not the companies themselves,.
A new study published this week by domain-name management firm Corporation Service Company (CSC) analyzed the domain records of companies in the Forbes Global 2000 and used a fuzzy-matching algorithm to detect domains that were similar to those companies' domain names — so-called "homoglyphs." CSC found that 70% of similar domains had been registered by third parties, with more than half of homoglyphs (60%) registered in the past two years.
Despite the existence of what are likely bad actors, however, 81% of large enterprises do not take basic domain security precautions, such as using the registry lock protocol, says Vincent D’Angelo, global director at CSC Digital Brand Services.
"There are all these proactive controls that companies could put in place to prevent hijacking," he says. "While there is no single magic bullet, the use of several of these controls make [their domains] that much harder to compromise."
Domain hijacking is not uncommon, and when attackers gain access to a domain, they can cause significant damage to both the brand and to users' systems.
Perl Domain Stolen
On Jan. 27, for example, Perl.com, a site dedicated to articles about the Perl programming language, had its domain stolen by bad actors. The original surreptitious transfer happened in September 2020, and may have resulted from stolen credentials. In January, the cybercriminals behind the theft listed the domain for sale for $190,000 on the AfterNIC marketplace before the auction was pulled down. Within a week, Perl.com had returned to the original owner, but other domains were stolen at the same time.
The CSC report found that typical uses of domains that are similar to known brands — often called typosquatting — include taking advantage of accidental visitors by hosting advertising and pay-per-click Web content. While more than half (56%) pointed to such profit-seeking schemes, and another 38% led to inactive websites, only 6% led to outright malicious content and malware.
"From the analysis of these domains owned by third parties, many have a high propensity to be used as malicious domains for cyber attacks," CSC stated in the report. "The registrants typically hide behind privacy services or redacted WHOIS to mask their identities, register domains that look confusingly similar to known brands, and use tactics to look legitimate to entice an end user to click on a link, or trust a site that is infringing on a brand."
Risky domain registrations include those domains that appear similar to the original corporate domains — a so-called homoglyph — and are registered by third party with a consumer-grade registrar, according to CSC. While the company did not disclose the number of fuzzy-matched domains, the vast majority use privacy services to hide the owner of the domain, and 43% have their MX records configured, allowing them to send and receive email.
The large enterprises lag behind in security measures, according to CSC's report. Only 19% had the registry lock enabled on their domain, which protects the domain from being easily transferred. In addition, only 17% of companies had redundant DNS services to protect against denial-of-service attacks.
While 84% of companies had their Sender Policy Framework (SPF) records set, only 11% also had their DomainKeys Identified Mail (DKIM) configured, and only 50% had DMARC set up.
Overall, companies in only two of 27 industries — media and information technology — had a risk-mitigation effectiveness of "moderate," according to CSC. The vast majority were moderately poor, while two others ranked "poor."
Companies will not be able to just reserve domain names similar to their domain. With the expansion in top-level domains and attackers accelerating attempts to reserve homoglyphs, such an approach would be too expensive to work, says CSC's D'Angelo.
"It makes sense to own domain names that are high-value targets. Especially if you are a multinational operating in a particular country, you should own your brand in that country," he says. "But with the growth in the number of third-party registrations, it becomes virtually impossible to have a defensive domain portfolio."
Instead, companies should monitor registrations to be aware if their brand is being attacked, and harden their domain registration services, he says.