Deception has always been the keystone of cybercrime. Many attacks aim to trick victims into clicking malicious links or opening files that they believe are safe and genuine. One of the most effective ways to convince a victim that they are dealing with a trusted brand or individual is to create a malicious fake web domain.
This is called “typosquatting”: the domain looks almost identical to the genuine one, but with letters, punctuation marks or words altered. Criminals rely on their targets' eyes glossing over the differences.
Malicious domains can be used to lure victims through advertisements on other sites or search engines. Which? reports that a series of malicious fake Google ads impersonating the online bank Revolut has cost at least eight victims more than £67,000. Owning a domain also allows the threat actor to use it to send phishing emails, adding a further layer of deception to common impersonation techniques such as changing the sender name.
Malicious domains masquerade as trusted brands like banks and retailers, or organisations like HMRC, and this tactic has become more popular during the pandemic as criminals try to exploit the fear and uncertainty around Covid. Interpol reports that more than 48,000 malicious URLs relating to Covid were recorded between January and March 2020 alone.
Why are malicious domains on the rise?
One of the reasons malicious domains are such a problem is that registering a new domain has never been easier or cheaper. Changing technology means hosting companies can now offer them for as little as £5 a year, and registration can often be completed in less than 24 hours. While this is great for individuals and businesses who want to get online, it also means that it is easy for criminals to register similar domains en masse and quickly use them for attacks.
There are ways for registrars to curb this exploitation, such as requiring proof of identity and a traceable payment method. However, the low average price per domain and the cost of investigation mean that it is not economically feasible to examine every request, and it is not reasonable to expect registrars alone to control the problem.
Likewise, taking down a malicious domain can be a slow process for individuals and businesses, as registrars have little incentive to terminate the service. Moreover, in the time it takes to get a bogus site removed, the perpetrators can easily move to another low-cost host, allowing them to continue abusing the brand.
Ironically, the task of identifying the crooks creating malicious sites has been made more difficult by the introduction of GDPR. Tight regulatory controls over how personal data is used and shared have dealt a blow to security researchers and to services such as WHOIS that previously allowed domain registrants to be identified. Unfortunately, the GDPR's strong right to anonymity applies just as much to potential criminals as it does to law-abiding individuals, so scammers are fully entitled to hide their identities.
The need for legislative support
The online security bill announced by the UK government on May 12 does not protect consumers against this type of fraud, as it focuses on scams arising from in-app content. This forces consumers to seek help from organisations such as Which?, which now provides scam alerts.
Given the growing scale of the threat, governments and other public bodies should do more to support the identification and removal of scam domains, preventing these scams from happening in the first place. This is especially important given how often fraudsters use the trusted identities of public bodies. The FBI, for example, recently warned of a slew of fake sites using its identity, while in the UK, HMRC reported a 73% increase in phishing scams due to Covid. The NCSC Takedown Service, which protects government brands in the UK, is a case in point. It would be good to see this service extended to all UK organisations.
Attempts have been made to legislate domain registrations in the past. In the UK, the far-reaching Digital Economy Act 2010 included several points to prevent malicious domain abuse and other exploits such as cybersquatting, where a domain is registered to deprive a trademark of its use. However, the online world has changed dramatically over the past decade as technology and the economy have evolved, and new legislation is needed to stay relevant.
How can domain registrars fight fraudsters?
While many registrars have implemented at least some strategies to combat scammers, there are some simple steps that should be universal. For example, a cooling-off period for each new domain could be an effective deterrent, as it prevents criminals from creating multiple sites en masse. A mandatory waiting period before the domain is provisioned also increases the chances that a malicious registration will be detected before it can be used, wasting the attacker's time and resources.
Additionally, registrars should make it easy for businesses and consumers to report suspected malicious domains. Registrars also need to ensure that they can react quickly when a domain withdrawal request is issued.
Companies must defend their identity
Businesses should also take a more proactive approach to protecting their trusted brand online. One of the most effective approaches is to use tools that monitor domain registrations that appear to mimic the identity of the company. There are many such tools available, often at a price affordable for small businesses. One of the most useful is DN Pedia, which detects domain registrations that incorporate a specified brand name, allowing the company to find both its own name and likely typosquatting variants. Another tool, dnstwister, specifically identifies domains that appear to use typosquatting methods.
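To make the typosquatting definition above and the monitoring approach concrete, here is an added example of a small brand-monitoring check in the spirit of tools like dnstwister. It is not code from the article or from Skurio, DN Pedia or dnstwister. It generates the typo permutations a monitoring tool looks for (omission, transposition, repetition, hyphenation, look-alike characters), folds confusable characters back to the letters they imitate, and classifies each domain in a constructed feed of new registrations against the brand label. The brand name `examplebank`, the feed entries and the homoglyph table are all constructed for illustration; the label-splitting rule is a stated simplification (a production tool would use the public suffix list).

```python
"""Added example (not from the article): a minimal typosquat monitor.
Given a brand label, generate look-alike candidates and classify observed
domains. All domain names below are constructed for illustration."""
from __future__ import annotations

import unicodedata

# Constructed homoglyph table: a brand letter -> strings an eye confuses with it.
HOMOGLYPHS = {
    "o": ["0"],
    "l": ["1"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
    "w": ["vv"],
}


def generate_lookalikes(brand: str) -> set[str]:
    """Typo permutations of a brand label (no TLD), as a monitoring tool would enumerate."""
    cands = set()
    for i in range(len(brand)):                       # character omission
        cands.add(brand[:i] + brand[i + 1:])
    for i in range(len(brand) - 1):                   # adjacent transposition
        cands.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for i in range(len(brand)):                       # character repetition
        cands.add(brand[:i] + brand[i] + brand[i:])
    for i in range(1, len(brand)):                    # hyphenation
        cands.add(brand[:i] + "-" + brand[i:])
    for i, ch in enumerate(brand):                    # single homoglyph substitution
        for sub in HOMOGLYPHS.get(ch, []):
            cands.add(brand[:i] + sub + brand[i + 1:])
    cands.discard(brand)
    return cands


def normalise(label: str) -> str:
    """Fold accents, compatibility forms and confusable characters back to plain letters."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    for canon, subs in HOMOGLYPHS.items():
        for s in subs:
            label = label.replace(s, canon)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used as a catch-all for typos not in the permutation set."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Assumption for this example: the label after an optional 'www.' is what the
    victim reads; a real tool would consult the public suffix list."""
    host = domain.lower().strip().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def assess(brand: str, observed: str) -> tuple[str, str]:
    """Classify one observed domain against the brand label: (verdict, reason)."""
    label = registrable_label(observed)
    if label == brand:
        return "exact", "brand label registered; confirm this TLD is yours"
    folded = normalise(label)
    if folded == brand:
        return "lookalike", "homoglyph or hyphen variant"
    if label in generate_lookalikes(brand):
        return "lookalike", "known typo permutation"
    if brand in folded:
        return "suspicious", "contains brand name"
    d = levenshtein(folded, brand)
    if d <= max(1, len(brand) // 5):
        return "suspicious", f"edit distance {d}"
    return "unrelated", f"edit distance {d}"


# Constructed sample feed of newly registered domains (not real data).
NEW_REGISTRATIONS = [
    "examplebank.com",
    "exarnplebank.com",
    "www.example-bank.com",
    "examplebnak.co.uk",
    "examplebank-secure-login.net",
    "exampelbank.com",
    "weatherreport.org",
]


def monitor(brand: str, feed: list[str]) -> list[tuple[str, str, str]]:
    """Return (domain, verdict, reason) for every feed entry worth a human look."""
    results = []
    for domain in feed:
        verdict, reason = assess(brand, domain)
        if verdict != "unrelated":
            results.append((domain, verdict, reason))
    return results


if __name__ == "__main__":
    for domain, verdict, reason in monitor("examplebank", NEW_REGISTRATIONS):
        print(f"{verdict:10} {domain:32} {reason}")
```

The "exact" verdict is kept in the report deliberately: the brand label appearing under a TLD the company never registered is itself a common lookalike pattern. The edit-distance fallback catches single-character substitutions that the explicit permutation list misses, at the cost of some false positives on short brand names, which is why the threshold scales with label length.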
It is important to note that a malicious domain is not always used to create an actual website and the scammer can simply use it to launch phishing emails. With that in mind, organizations should consider tools that can enable the business to notify its customers that a phishing campaign using the domain is likely around the corner.
Smishing is also on the rise, with spammers sending SMS messages that contain links to fake URLs, another area outside the scope of the online security bill. In addition to monitoring typosquatting, businesses should have a clear policy covering SMS contacts – some banks have stopped sending links in text messages and HSBC is running an in-app campaign to raise awareness.
While increased legislative support, along with direct action from bodies like the NCSC, would help registrars deal with ever-changing scam artists, in the meantime companies themselves can do more to mitigate the threat. Criminals have fully embraced the speed and flexibility offered by the latest online tools, and legitimate businesses must do the same, taking a more automated approach to identifying and eliminating fraudsters before they can exploit trusted identities for attacks.
Jérémy Hendy, CEO, Skurio