Trends in security & domain names
Phishers switch to 'exotic' domain names
As the year draws to a close, it's good to look back at what's happened in the field of domain names and security over the last twelve months. Although 2019 had none of the headline-grabbing incidents with .nl domain names seen in the past (politie, jeugdzorg), the year was far from uneventful. This SIDN News Special highlights three key trends involving domain names and security, and provides practical advice.
Go straight to:
Phishers switch to 'exotic' domain names
In recent years, the banks have consistently improved their security. Nevertheless, the amount of money that bank customers lost to phishing scams went up again this year. The rise was highlighted in data published at the end of November by the Dutch Payments Association and the Dutch Banking Association. If the year as a whole is in line with the first six months, bank customers will have lost more than six million euros by the end of 2019 to fraudsters who got hold of their security details. That's 25 per cent up on last year.
Cheap domain names
Although financial service providers have increasingly good security, the benefit is being eroded by the falling cost of setting up a phishing site. That's reflected in the stats for 'free' domain names. The abuse league tables in the Anti-Phishing Working Group's biannual reports are dominated by extensions such as .tk, where domain names can be registered for free. Domains with the most detected phishing URLs in Q3 2019 (source: apwg.org)
.COM / Legacy 1,088
.ORG / Legacy 80
.NET / Legacy 76
.BR / ccTLD (Brazil) 55
.GA / ccTLD (Gabon) 31
.INFO / Legacy 30
.ML / ccTLD (Mali) 27
.IN / ccTLD (India) 26
.ID / ccTLD (Indonesia) 24 / .ICU / nTLD 24
.TOP / nTLD 23
Worryingly from a Dutch perspective, Mali's .ml domain also figured prominently in a recent investigation of domain names and phishing. The domain's similarity to .nl inevitably gives rise to the fear that scammers who opt for .ml domain names may have Dutch targets in mind.
Domain names abused for CEO fraud
One form of cybercrime has been growing insidiously without attracting much attention. The economic cost of business e-mail compromise (BEC) fraud, better known as CEO fraud, now far exceeds that of traditional phishing. The scam involves an impostor posing as a firm's senior executive to trick more junior staff into paying a large amount of money into the fraudster's account. In 2018, the Netherlands was shocked by the Pathé case, and similar incidents have since been reported involving high-profile organisations elsewhere, including Nikkei. Some of the frauds have entailed huge sums.
Wide range of targets
In the Pathé case, the amount lost to the fraudsters was more than twice the annual cost of customer-targeted phishing scams to all Dutch banks collectively. The 'success' of BEC fraudsters is partly down to the wide variety of targets they choose. Unlike phishing aimed at bank customers, BEC fraud can hit any kind of organisation in any sector. The only condition is that the organisation is big enough to have an executive.
Abuse of lookalike domain names
BEC fraudsters then have the advantage that their activities don't show up in the DNS. With a fake website there's a tell-tale DNS traffic pattern, but with fraudulent mail there isn't. Many organisations ignore the registration of domain names that look suspiciously like their own names if the new domains show no sign of being used for malicious purposes. Unfortunately, that often means leaving the door ajar to CEO fraud. It's not unusual for a crook to configure a lookalike domain name to point to the target company's website, providing a veil of legitimacy for a domain that's intended for a fraudulent mail scam.
Keep an eye on mail domains
If your organisation monitors its domain name online, we therefore recommend keeping a close eye on any domain that looks like the domain you use for mail. If, for example, your CEO's address is based on yourname-mail.nl, a lookalike domain such as yourname-maill.nl should always be treated with suspicion. No matter that there's no fake website linked to it, your staff might soon be hearing from email@example.com.
Many organisations can still improve security
Reflecting the danger posed by CEO fraud, there's been a sharp upturn in the adoption of open e-mail standards. The value of enabling DANE, SPF, StartTLS, DKIM and DMARC is increasingly recognised in all sectors of the economy. Many organisations could nevertheless do more. A recent survey of government domains found that half of those scanned had e-mail security flaws.
Fake webshops use pre-owned domain names with link traffic
Unfortunately, fake webshops are by no means a thing of the past. Tens of thousands have recently been taken down all across Europe. Strikingly, many of the shops were using domain names that had once belonged to organisations in sectors completely unrelated to the products offered by the scammers. Designer trainers were touted on a site whose domain name used to belong to a wine merchant, for example. It seems that fraudsters look out for recently dropped domain names that are still widely linked to. The names are snapped up for scams so as to cash in on the flow of traffic generated by existing links on other sites, for example.
Don't drop unwanted domain names too soon
The risk of fraudulent re-use is one of the reasons why we recommend keeping redundant domain names for a while before cancelling. Are there still links to the unused domain on any of your sites or in your mail systems?
Fake webshops mushroom in run-up to the festive season
Sadly, many scammers see the present-buying season as their big opportunity to trick consumers. Starting in November, there's a sharp annual spike in the number of fake webshops going live. The fake webshop detection system (FaDe) launched by SIDN last year was working virtual overtime as the festive period approached.
Number of fake webshops detected by FaDe in the .nl zone (source: SIDN Labs)
Want to know more?
For more information about domain name abuse and how to protect your organisation, visit https://www.sidn.nl/en/product/dbs.
First DBS Meetup well attended
Our Domain Name Surveillance Service (DBS) protects hundreds of prominent Dutch brands by flagging up lookalike domain name registrations. More and more big organisations are using DBS to protect their names and reputations on line. With a view to delivering further added value, we recently organised a DBS Meetup in Utrecht, where subscribers were able to share their experiences.
Learning from each other
People from more than thirty leading public and private sector organisations were at the Grand Hotel Karel V to share their experiences of detecting, evaluating and taking down abusive domain names. Some high-profile brands can attract hundreds of lookalike domain name registrations a month. Many of those registrations are typically by in-company registrants, but lots of others are by third parties with dubious intentions. Deciding which are which and intervening in appropriate cases implies a slick monitoring and response set-up.
At the meetup, two DBS subscribers -- the Dutch Taxation Service and ICS Cards -- shared their expertise. The Taxation Service explained how they have integrated DBS into their systems so that alerts are quickly processed within the organisation. Credit card company ICS followed up by describing their strategy for getting suspect domain names and websites taken down.
Plans for Meetup 2020
The first DBS Meetup was a big hit with participants. So we'll definitely repeat the exercise next year.
Subscribe to SIDN News
SIDN's mission is to help build a safe and trustworthy internet for everyone. With that aim in mind, we keep our stakeholders and others updated on developments involving domain names, security and brand protection. One way we do that is by distributing a monthly newsletter. This month's edition focuses on key trends in security and domain names.
If you'd like to subscribe to the newsletter, please drop a line to firstname.lastname@example.org.