The vast majority of websites that link to joebiden.com and donaldjtrump.com do not use basic DNS security controls, new research shows.
In August, CSC's Digital Brand Services division identified 988 outgoing and referral domains that link to the two presidential campaign sites, and found that more than 90% of them do not use registry locks, says Mark Calandra, executive vice president of CSC DBS. These types of sites include major US news outlets, political sites, and donation-driven pages.
Without a lock, these domains are exposed to unauthorized changes to WHOIS information, DNS modifications, deletions, and other risks. A registry lock adds a further layer of authentication and security at the registry level to safeguard domains against such unauthorized changes. It protects against DNS and domain-name hijacking, which CSC says has become a preferred attack vector for cybercriminals and state-sponsored actors.
Calandra adds that without registry locks, the reputable sites could be redirected to malicious sites that spread disinformation or steal credit-card information from donors. The potential for abuse is heightened because more than 75% of the domains studied are registered with retail-grade registrars that don't offer advanced DNS security protections, he notes.
In addition, Calandra says organizations should monitor their domain names more closely and report any malicious domains to their ISPs, their domain registrars, or even the FBI.
"While security teams focus on deploying firewalls, endpoint software, and monitoring, they've lost sight of something simple like DNS security. We're not saying they should ignore these core security technologies, but they should also pay attention to DNS security," Calandra says.
So far there is no evidence that these DNS security gaps have led to a major disinformation campaign or credit-card fraud involving presidential campaign donor sites, he adds.
Meanwhile, some of the "typo" campaign domains CSC studied (for example, donaldtrump.com vs. donaldjtrump.com) could confuse users. Some 60% of them are still available for registration and so pose a future threat.
More than one-third of these typo domains are registered to third parties, so CSC believes only a handful are legitimately owned by the campaigns themselves. Of the third-party domains, nearly 40% point to advertising-related pages, 20% point to destinations associated with malware, and 10% promote campaign-related content and materials.
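The typo domains above (a dropped letter, as in donaldjtrump.com vs. donaldtrump.com) are one of several mutation classes that a defender can enumerate and then check for registration. The following is an added example, not CSC's tooling or data: it generates the common typosquat classes for a domain so the list can be compared against what the campaign actually owns. The QWERTY neighbour map and the alternative-TLD list are assumptions; it runs offline and performs no lookups itself.

```python
"""Typo-domain enumerator (added example, not CSC's tooling).

Given a campaign domain, generate the typosquat variants a defender would
want to check against WHOIS/DNS or register pre-emptively. Runs offline:
no registration lookups are made here.
"""
from __future__ import annotations

# Assumed QWERTY neighbours for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Assumed short list of alternative TLDs to check; extend as needed.
ALT_TLDS = ("org", "net", "co", "us", "info")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'label.tld' into (label, tld), lower-cased."""
    label, _, tld = domain.strip().lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected a registrable domain, got {domain!r}")
    return label, tld


def omissions(label: str) -> set[str]:
    """Drop one character: donaldjtrump -> donaldtrump."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transpositions(label: str) -> set[str]:
    """Swap two adjacent characters: joebiden -> jeobiden."""
    return {
        label[:i] + label[i + 1] + label[i] + label[i + 2:]
        for i in range(len(label) - 1)
        if label[i] != label[i + 1]
    }


def repetitions(label: str) -> set[str]:
    """Double one character: joebiden -> joebbiden."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def adjacent_substitutions(label: str) -> set[str]:
    """Replace one character with a keyboard neighbour: joebiden -> joeboden."""
    out = set()
    for i, ch in enumerate(label):
        for alt in ADJACENT.get(ch, ""):
            out.add(label[:i] + alt + label[i + 1:])
    return out


def hyphenations(label: str) -> set[str]:
    """Insert a hyphen: joebiden -> joe-biden."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}


def generate_typos(domain: str, alt_tlds=ALT_TLDS) -> list[str]:
    """All variants of `domain` across the classes above, minus the original."""
    label, tld = split_domain(domain)
    variants = set()
    for mutate in (omissions, transpositions, repetitions,
                   adjacent_substitutions, hyphenations):
        variants |= {f"{v}.{tld}" for v in mutate(label)}
    variants |= {f"{label}.{alt}" for alt in alt_tlds if alt != tld}
    variants.discard(f"{label}.{tld}")
    return sorted(variants)


if __name__ == "__main__":
    for site in ("donaldjtrump.com", "joebiden.com"):
        typos = generate_typos(site)
        print(f"{site}: {len(typos)} variants, e.g. {typos[:5]}")
```

The output list is the input to the monitoring step: each variant is looked up (WHOIS or RDAP) and anything registered to an unknown third party is queued for review or takedown.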
Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ, broke CSC's data into three categories: intent, ease, and impact.
On intent, Reiber says nation-states such as Russia spread disinformation about race, immigration, and use of the Confederate flag. On ease, he says CSC's data shows how easy it has become for threat actors to exploit sites without registry locks, creating opportunities to redirect users from reputable news or political sites to sites that spread disinformation.
When it comes to impact, Reiber says the COVID-19 period has made the country more vulnerable.
"We are stressed, unemployed, and spending more time online so the disinformation will land on fertile ground," he says.
Husayn Kassai, co-founder and CEO of Onfido, says effective identity management can help deter some fraudsters, for example identity solutions that require people to pass a more rigorous verification regime before they are granted a domain and can post information to a website.
"You won't stop everyone, but better identity management is something we can do to attack the problem," Kassai says, especially when it comes to posting disinformation on social media and thwarting the launch of bad websites.
Here are some domain security best practices recommended by CSC:
• Secure access to domain and DNS management systems, including two-factor authentication, IP validation, and federated ID.
• Control user roles and permissions within the company's domain and DNS management systems, with visibility into elevated access and an authorized-contact policy.
• Make use of advanced security features, including vital domain identification, DNSSEC, CAA records, registry lock, and DMARC.
• Develop end-to-end expertise that can detect, analyze, and mitigate digital brand and fraud threats, including the ability to execute takedowns worldwide.
• Work with an enterprise-class domain name registrar.
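Most of the controls in the list above (registry lock, DNSSEC, CAA, DMARC) are visible from the outside, so the posture of a referral domain can be checked without the registrar's cooperation. The following is an added example and not CSC's tooling: it scores a domain from its WHOIS status lines and its DS, CAA and _dmarc records. The samples are constructed; in practice the inputs would come from `whois <domain>` and `dig` queries. One assumption is the mapping it uses for registry lock: it treats the registry-set EPP codes serverDeleteProhibited, serverTransferProhibited and serverUpdateProhibited as evidence of a registry lock, and the client* codes as an ordinary registrar lock, which the registrar account itself can clear.

```python
"""Domain-security posture check over WHOIS and DNS data (added example).

Inputs are constructed samples, not live lookups. Feed in `whois` output
and the DS / CAA / _dmarc TXT answers from `dig` to use it for real.
Assumed mapping: registry lock shows up as the registry-set EPP codes
server{Delete,Transfer,Update}Prohibited; client* codes are only a
registrar lock that the registrar account can remove.
"""
from __future__ import annotations
import re

REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited"}
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited",
                  "clientUpdateProhibited"}


def parse_whois_statuses(whois_text: str) -> set[str]:
    """Collect EPP status codes from 'Domain Status:' lines."""
    return set(re.findall(r"^\s*Domain Status:\s*(\w+)", whois_text, re.MULTILINE))


def lock_level(statuses: set[str]) -> str:
    """'registry' if all three server* codes are set, 'registrar' for client*, else 'none'."""
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if REGISTRAR_LOCK & statuses:
        return "registrar"
    return "none"


def parse_dmarc(txt: str | None) -> dict[str, str]:
    """Parse a _dmarc TXT record into its tags; empty dict if absent or not DMARC."""
    if not txt or not txt.strip().startswith("v=DMARC1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_enforcing(txt: str | None) -> bool:
    """True only for p=quarantine or p=reject; p=none just reports."""
    return parse_dmarc(txt).get("p") in ("quarantine", "reject")


def caa_restricts_issuance(caa_records: list[tuple[int, str, str]]) -> bool:
    """True when at least one issue/issuewild CAA record names an allowed CA."""
    return any(tag in ("issue", "issuewild") for _flags, tag, _value in caa_records)


def assess(domain: str, whois_text: str, dmarc_txt: str | None,
           caa_records: list[tuple[int, str, str]], ds_records: list[str]) -> list[str]:
    """Return a list of findings; an empty list means every control is present."""
    findings = []
    level = lock_level(parse_whois_statuses(whois_text))
    if level != "registry":
        findings.append(f"{domain}: no registry lock (lock level: {level})")
    if not ds_records:
        findings.append(f"{domain}: DNSSEC not enabled (no DS record at the parent)")
    if not caa_records:
        findings.append(f"{domain}: no CAA record, any CA may issue certificates")
    elif not caa_restricts_issuance(caa_records):
        findings.append(f"{domain}: CAA present but does not restrict issuance")
    if not dmarc_enforcing(dmarc_txt):
        findings.append(f"{domain}: DMARC missing or p=none, spoofed mail is not rejected")
    return findings


# Constructed sample: a retail-registered referral domain as described in the article.
WEAK_WHOIS = """\
Domain Name: EXAMPLE-NEWS-SITE.COM
Registrar: Retail Registrar LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""
# Constructed sample: the same domain after the recommended controls are applied.
HARDENED_WHOIS = """\
Domain Name: EXAMPLE-NEWS-SITE.COM
Registrar: Enterprise Registrar Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""


def weak_example() -> list[str]:
    return assess("example-news-site.com", WEAK_WHOIS,
                  "v=DMARC1; p=none; rua=mailto:dmarc@example-news-site.com", [], [])


def hardened_example() -> list[str]:
    return assess("example-news-site.com", HARDENED_WHOIS,
                  "v=DMARC1; p=reject; rua=mailto:dmarc@example-news-site.com",
                  [(0, "issue", "letsencrypt.org")],
                  ["12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"])


if __name__ == "__main__":
    for finding in weak_example():
        print("WEAK     ", finding)
    print("HARDENED ", hardened_example() or "no findings")
```

The lock check is the one that matters most for the hijacking scenario in the article: a clientTransferProhibited flag alone is removed by whoever controls the registrar account, so a phished registrar login is enough to move the domain, whereas the server* codes can only be cleared by the registry through its own out-of-band process.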