Monday, 25 April 2022

Breaking the rules on counterfeit sales: the use of hidden links

Counterfeiting is big business. A 2021 study by the Organisation for Economic Co-operation and Development (OECD) estimated that the international trade in counterfeit and pirated products was worth up to $464 billion in 2019, or around 2.5% of all world trade[1]. A significant proportion of this trade occurs via digital channels, where global annual expenditure on e-commerce is more than $4 trillion[2]. A 2018 study by the US Government Accountability Office found that two in five branded products purchased online are counterfeits[3]. Europol's 2017 Situation Report on Counterfeiting and Piracy noted that counterfeit goods are increasingly distributed via online marketplaces, with many of the items originating from manufacturing centres in China and the Far East[4]. Its updated 2022 study found that other online channels, including social media and instant messaging services, are also becoming more significant[5]. Similar trends have also been noted by other recent studies[6,7], with the COVID-19 pandemic having further driven an increased online trade in counterfeits[8,9].

In response to the increasing size of this problem, several pieces of legislation have been developed or proposed to drive increased online safety. The US Shop Safe Act aims to place increased pressure on marketplaces to prevent infringing listings, by including requirements to ensure verified seller identities, proactive screening of items for counterfeit indicators, and the suspension of repeat infringers. Furthermore, the INFORM Consumers Act (an extension of the SANTA Act) requires regular marketplace verification and disclosure of details (where available) for high-volume sellers[10]. This change in landscape is pushing many online marketplaces to develop more proactive programs to identify and remove listings offering infringing products.

Despite the safety and quality implications associated with counterfeit items, there remains a consumer appetite for replica products, particularly where the original branded products sell at a high price point. This demand has resulted in the emerging tactic of using hidden links to sell infringing items.

What are hidden links?

Hidden links are used to circumvent marketplace restrictions on the sale of counterfeit products. They involve an online seller creating an external listing for a counterfeit item (e.g. on a standalone e-commerce site) that links to a decoy marketplace listing. The item displayed on the marketplace is usually an unrelated generic product, and the referring site incorporates instructions for buying the counterfeit item via the marketplace listing. This may involve the buyer selecting a particular colour and size combination (Figure 1).

Figure 1: Example of a marketplace listing reached via a hidden link, which is in fact associated with the sale of counterfeit luxury watches

From a brand protection point of view, it is difficult to monitor explicitly for and detect hidden-link listings in isolation, since the only visible characteristics are a standalone e-commerce listing for a branded product that links to a marketplace listing for an unrelated product. Even searching the referring listing for an embedded link to the marketplace site is not always straightforward, because the links often proceed via affiliate redirection URLs - meaning the marketplace domain name may not appear anywhere in the HTML of the referring page.

That said, the counterfeiters often construct sites explicitly to promote the hidden links and give instructions on their use (Figure 2). In some cases, the referring sites may also infringe on the names of the brands or marketplaces being abused, by using official brand terms in the domain name or official branding on the page. Therefore, detection is usually based on a combination of monitoring for brand terms in conjunction with keywords relating to hidden links and other keywords, such as 'replica' (Figure 3). Similar content is typically also found on other channels like social media (Figure 4).
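
The following is an added example (not CSC's detection tooling) of how the two signals described above can be combined when triaging a referring page: brand terms co-occurring with hidden-link and 'replica' keywords, and outbound links that reach a marketplace either directly or through an affiliate redirector whose query string carries the URL-encoded marketplace address. The marketplace and redirector hostnames, the keyword list and the sample page are all constructed for the example.

```python
"""Triage of a referring page for hidden-link indicators.

Added example; not CSC's code. It combines the two signals described above:
brand terms co-occurring with hidden-link / replica keywords, and outbound
links that reach a marketplace either directly or via an affiliate
redirector whose query string carries the (URL-encoded) marketplace URL.
Every hostname below is a constructed placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

MARKETPLACE_HOSTS = {"marketplace.example"}  # constructed: the platforms being monitored
HIDDEN_LINK_TERMS = ("hidden link", "replica", "choose the colour", "choose the color")


class _LinksAndText(HTMLParser):
    """Collect every href and all visible text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def marketplace_targets(url, depth=0):
    """Marketplace hosts reachable from url, following URLs embedded in
    query parameters (the affiliate-redirect pattern) up to three levels."""
    found = set()
    host = (urlparse(url).hostname or "").lower()
    if any(host == m or host.endswith("." + m) for m in MARKETPLACE_HOSTS):
        found.add(host)
    if depth < 3:
        for values in parse_qs(urlparse(url).query).values():
            for value in values:            # parse_qs has already percent-decoded
                if "://" in value:
                    found |= marketplace_targets(value, depth + 1)
    return found


def triage(html, brand_terms):
    """Score a page: 2 for a brand term, 1 per hidden-link keyword,
    3 if any link ultimately lands on a monitored marketplace."""
    parser = _LinksAndText()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    brand_hits = [b for b in brand_terms if b.lower() in text]
    term_hits = [t for t in HIDDEN_LINK_TERMS if t in text]
    targets = set()
    for href in parser.hrefs:
        targets |= marketplace_targets(href)
    score = (2 if brand_hits else 0) + len(term_hits) + (3 if targets else 0)
    return {"brand_terms": brand_hits, "hidden_link_terms": term_hits,
            "marketplace_targets": sorted(targets), "score": score}


# Constructed referring page: instruction text plus a link that reaches the
# marketplace only through an affiliate redirector.
SAMPLE_PAGE = """<html><body>
<h1>Replica Examplewatch Chronograph</h1>
<p>Order via hidden link: open the listing, then choose the colour "Red"
and size "M" to receive this model.</p>
<a href="https://go.affiliate-redirect.example/click?id=42&amp;u=https%3A%2F%2Fmarketplace.example%2Fitem%2F12345">Buy</a>
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE, ["Examplewatch"]))
```

The redirect-following step is what makes the difference in practice: a plain search of the page source for the marketplace domain would miss the sample page, because the only reference to it is percent-encoded inside the redirector's query string.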

Figure 2: Example set of instructions on a site promoting hidden links

Figure 3: Examples of websites featuring hidden-link listings

Figure 4: Examples of a social media group and profile promoting hidden links

Insights for businesses

As a brand owner, monitoring for content relating to hidden links can form part of an online brand protection strategy that deals with counterfeit activity. It can help brands reveal instances where the sale of infringing items on the marketplaces themselves is not apparent from the content of these listings, and therefore may sit outside the platforms’ IP protection programmes.

From an enforcement perspective, taking down the marketplace listing is typically reliant on having the appropriate IP protection in place, and on proof of infringement. The exact requirements vary between marketplace platforms, but generally involve test purchases to verify the actual nature of the goods being shipped. An alternative option might be to carry out enforcement against the referring site, dependent on the presence of any IP infringements, since removal of the hidden-link instructions can essentially render the marketplace listing unusable.

References

[1] https://www.oecd.org/gov/global-trade-in-fakes-74c81154-en.htm

[2] https://business.adobe.com/resources/digital-economy-index.html

[3] https://www.gao.gov/products/gao-18-216

[4] https://www.europol.europa.eu/media-press/newsroom/news/europol-%e2%80%93-euipo-2017-situation-report-counterfeiting-and-piracy-in-eu

[5] https://www.europol.europa.eu/media-press/newsroom/news/counterfeit-and-pirated-goods-get-boost-pandemic-new-report-confirms

[6] https://ustr.gov/sites/default/files/IssueAreas/IP/2021%20Notorious%20Markets%20List.pdf

[7] https://www.retaildetail.eu/en/news/general/meta-platforms-centres-counterfeit-trade

[8] https://euipo.europa.eu/ohimportal/en/news/-/action/view/9231590

[9] https://www.infosecurity-magazine.com/news/counterfeit-pirated-imports-surge/

[10] https://www.buysafeamerica.org/informed-consumers-act

This article was first published on 25 April 2022 at:

https://www.cscdbs.com/blog/breaking-the-rules-on-counterfeit-sales-the-use-of-hidden-links/

Also published at:

https://circleid.com/posts/20220510-breaking-the-rules-on-counterfeit-sales-the-use-of-hidden-links

Tuesday, 19 April 2022

Creating a cost-effective domain name watching programme

Introduction

The management and monitoring of domain names are central components of the business administration and brand protection activities of any organisation with an online presence. Companies typically maintain a portfolio of official domains, which include:

  • core domains used in the day-to-day execution of their business, such as those used to host the official company websites and email infrastructure; and
  • a wider group of tactical domains, including defensive registrations (i.e. those held to avoid them being used by third parties) and others intended for potential future use, such as those relating to planned brand or product launches.

Careful management of these official domains - ideally using an enterprise-class service provider - is key to keeping them secure, maintaining business continuity and mitigating the threat vectors that can lead to phishing, DNS (domain name system) or DDoS (distributed denial of service) attacks, among other things. A range of industry solutions can provide protection, including registry lock; DNSSEC (domain name system security extensions); enterprise-grade DNS hosting; and DMARC (domain-based message authentication, reporting and conformance).

However, no organisation can defensively register domains that contain every possible permutation of its brand name and associated keywords that could potentially be used by an infringer; it is neither sustainable nor cost-effective to do so. Accordingly, a brand protection programme - incorporating domain name monitoring - that tracks third-party activity outside the firewall (i.e. on the open Internet) is essential for any organisation looking to defend its brand online.

Third-party brand-related activity can comprise several threat types:

  • lower threat brand abuse categories, such as negative comments or non-compliance with brand guidelines;
  • instances of brand infringement, comprising contravention of IP protection; and
  • actively criminal brand fraud activity, such as phishing or counterfeit sales.

A brand protection programme identifies these threats via Internet monitoring and, where possible or appropriate, takes down infringements using a toolkit of enforcement approaches. This not only directly defends revenue and reputation but also makes the brand less attractive for potential infringers to target.

All brand threats can occur across a range of online channels, although arguably the most significant are those occurring on websites hosted on brand-specific domain names. This is true for several reasons:

  • branded domains typically rank higher in search engines, creating greater visibility to potential customers; and
  • branded domains constitute a more explicit abuse of IP rights, which also means more enforcement options are available.

Consequently, a domain monitoring component is vital to any comprehensive brand protection solution. There is a wide universe of domain names to consider. Verisign's Domain Name Industry Brief[1] reported that, as of the end of Q3 2021, there were a total of 364.6 million registered domains.

Domain monitoring and brand protection

Domain name monitoring identifies the registration of third-party domains containing a brand name of interest (or variations) in as close to real time as possible. This allows content to be analysed and tracked, and - where found to be infringing - for enforcement actions, such as website or content takedowns, or domain disputes to be launched to minimise brand damage and revenue loss.

Domain detection can be key even when the domain has no active website content. In some cases, domains are registered purely for their e-mail functionality. This allows bad actors to construct e-mail addresses that appear confusingly similar to that of the official organisation being targeted.

The presence of an active mail exchanger (MX) record indicates that the domain is configured to send and/or receive e-mails. This can be an early indicator that the domain is intended for use in phishing or business e-mail compromise (BEC) scams. In other cases, pay-per-click links may be included on a domain parking page, which can be a source of revenue for the domain owner - hijacking web traffic that is arguably intended for the brand owner's organisation.

Domains containing a range of brand variants or keyword variations are often registered for short periods to determine which attract the greatest number of visitors, either through search engine queries or mistyped browser requests.

Methodology

A primary data source for domain name monitoring is the set of zone files, published by registry organisations on a regular, often daily, basis. These include lists of all registered domains across a particular domain name extension, or top-level domain (TLD). A wildcard search will identify all domains containing a brand term of interest. Comparing each version of a zone file with that from the previous day makes it possible to identify both new registrations and lapsed domains.

Zone files are typically available across a range of TLDs, particularly global or generic TLDs (gTLDs), such as .com and .net, and the range of new gTLDs[2] launched since 2012. They are less readily available, and may be less comprehensive, across other extensions such as country-specific TLDs.

For this reason, an effective domain monitoring solution usually requires additional data sources to identify as many relevant domains as possible; however, completely comprehensive coverage is never possible. The additional techniques include:

  • Parallel look-ups - this method involves performing queries based on the domains identified via zone file analysis to determine whether equivalently named domains (i.e. those with the same second-level label, the part of the domain name before the TLD) exist across other extensions.
  • Exact-match/direct queries - this approach is used when one or more search strings of high relevance exist (e.g. the brand name in isolation). It involves querying every possible domain name comprising just the string itself and any TLD to check whether the domain is registered.
  • Internet meta-searching - this is the same method used to find general Internet content in a basic brand monitoring service. It involves submitting brand-related queries to search engines and, optionally, further crawling of relevant links on the pages identified.
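
As an added example (not CSC's tooling), the following code works through the zone-file steps just described: a wildcard search for a brand term, the day-on-day comparison that yields new and lapsed registrations, and parallel look-ups of the same label under other TLDs. The two zone snapshots are constructed and follow the 'name ttl IN NS target' layout of a real zone file; the is_registered callback stands in for a live WHOIS or DNS check and is backed here by a constructed set.

```python
"""Zone-file differencing and parallel look-ups for a brand term.

Added example, not CSC's tooling. Two daily snapshots of a simplified .com
zone are constructed inline (real zone files carry one NS line per
delegated name, in the same 'name ttl IN NS target' layout). The code
shows a wildcard search for the brand term, new versus lapsed domains
between successive snapshots, and parallel look-ups of the same label
under other TLDs. The is_registered callback stands in for a live
WHOIS/DNS check and is backed here by a constructed set.
"""
from collections import namedtuple

ZoneDelta = namedtuple("ZoneDelta", "new lapsed")


def parse_zone(text):
    """Return the set of delegated names from a zone dump."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and "NS" in (p.upper() for p in parts[1:4]):
            names.add(parts[0].rstrip(".").lower())
    return names


def brand_matches(names, brand):
    """Wildcard-style search: names whose second-level label contains the brand term."""
    brand = brand.lower()
    return {n for n in names if brand in n.split(".")[0]}


def diff_zones(previous, current, brand):
    """New and lapsed brand-matching domains between two snapshots."""
    before, after = brand_matches(previous, brand), brand_matches(current, brand)
    return ZoneDelta(new=sorted(after - before), lapsed=sorted(before - after))


def parallel_lookups(domains, other_tlds, is_registered):
    """Check whether each detected label also exists under other extensions."""
    hits = set()
    for domain in domains:
        label = domain.split(".")[0]
        for tld in other_tlds:
            candidate = f"{label}.{tld}"
            if candidate != domain and is_registered(candidate):
                hits.add(candidate)
    return sorted(hits)


# Constructed snapshots: examplebank-login.com lapses, examplebank-secure.com appears.
ZONE_DAY1 = """\
examplebank.com.        172800 IN NS ns1.registrar-dns.example.
examplebank-login.com.  172800 IN NS ns1.cheap-hosting.example.
shop.com.               172800 IN NS ns1.other.example.
"""
ZONE_DAY2 = """\
examplebank.com.        172800 IN NS ns1.registrar-dns.example.
examplebank-secure.com. 172800 IN NS ns1.cheap-hosting.example.
shop.com.               172800 IN NS ns1.other.example.
"""
# Constructed stand-in for registrations that live look-ups would find.
REGISTERED_ELSEWHERE = {"examplebank-secure.net", "examplebank-secure.info"}


def run_example(brand="examplebank"):
    delta = diff_zones(parse_zone(ZONE_DAY1), parse_zone(ZONE_DAY2), brand)
    siblings = parallel_lookups(delta.new, ["net", "info", "co"],
                                lambda d: d in REGISTERED_ELSEWHERE)
    return delta, siblings


if __name__ == "__main__":
    delta, siblings = run_example()
    print("new:", delta.new, "lapsed:", delta.lapsed, "parallel:", siblings)
```

Lapsed names are worth keeping in the output: a brand-matching domain dropping out of the zone is the point at which it may be re-registered by someone else, so it is a candidate for defensive registration.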

A recent study[3] by CSC highlighted that, following the launch of a new TLD, the registration of new domains by potential infringers is usually extremely rapid. This highlights the importance of having a brand monitoring programme that can cover new extensions as soon as they launch.

Furthermore, the most effective domain monitoring services cover not just the brand name itself but variations, such as misspellings. Infringers use domain names incorporating brand variants in numerous ways. These include constructing web addresses (URLs) or e-mail addresses that appear deceptively similar to those used by the genuine brand and the misdirection of web traffic through mistyped addresses or corrupted DNS requests (e.g. bit-squatted domains[4]). The domain name variants typically covered by a sophisticated monitoring programme might include:

  • instances where any character in the monitored string (i.e. the brand name) is missing or has been replaced by another;
  • instances where an additional character has been inserted; and
  • other types of fuzzy match, such as Soundex (homophonic or metaphonic) variations.

The most effective monitoring solutions also cover domains featuring non-Latin characters (internationalised domain names), which might include the use of homoglyphs (a non-Latin character visually similar to a Latin one). These can be highly convincing in creating a deceptive domain name.

Similarly, the replacement of one standard Latin or other ASCII character with another (or a combination thereof) is frequently used to construct lookalike domain names.
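
The following added example (not CSC's code) implements the variant classes listed above for a monitoring feed: a character missing, replaced or inserted, plus adjacent-character transposition, which goes slightly beyond the list. It also folds internationalised domain names (punycode 'xn--' labels) and a small, constructed table of homoglyphs and ASCII look-alikes back to plain Latin, so that both IDN homoglyph domains and character-substitution domains match the brand term. The confusable table is illustrative only; a production matcher would draw on the Unicode confusables data and tune digit mappings to the brand. The candidate domains are constructed.

```python
"""Brand-variant generation and look-alike normalisation for domain monitoring.

Added example, not CSC's code. variants() produces the classes listed above
(a character missing, replaced or inserted), plus adjacent-character
transposition. normalise() decodes punycode (xn--) labels and maps a small,
constructed table of homoglyphs and ASCII look-alikes back to plain Latin
so that IDN and substitution look-alikes can be matched against the brand
term. The table is illustrative only.
"""
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"

# Constructed confusables: Cyrillic homoglyphs (given as code points for
# clarity) and common ASCII substitutions. Multi-character keys are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "5": "s",
}


def variants(brand):
    """All single-edit variants of the brand term."""
    brand = brand.lower()
    out = set()
    for i in range(len(brand)):
        out.add(brand[:i] + brand[i + 1:])                     # character missing
        for c in ALPHABET:
            if c != brand[i]:
                out.add(brand[:i] + c + brand[i + 1:])         # character replaced
    for i in range(len(brand) + 1):
        for c in ALPHABET:
            out.add(brand[:i] + c + brand[i:])                 # character inserted
    for i in range(len(brand) - 1):
        out.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])  # transposition
    out.discard(brand)
    return out


def normalise(domain):
    """Decode IDN labels and fold look-alike characters to plain Latin."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                                           # leave undecodable labels as-is
        for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
            label = label.replace(seq, rep)
        labels.append(label)
    return ".".join(labels)


def classify(domain, brand):
    """How the second-level label of a candidate domain relates to the brand."""
    raw = domain.lower().split(".")[0]
    folded = normalise(domain).split(".")[0]
    brand = brand.lower()
    if raw == brand:
        return "exact"
    if folded != raw and brand in folded:
        return "lookalike"          # homoglyph or character substitution
    if brand in raw:
        return "contains-brand"
    if raw in variants(brand):
        return "typo-variant"
    return None


def sample_idn():
    """Constructed IDN candidate: Latin 'examplebank' with one Cyrillic 'a' (U+0430)."""
    return "ex\u0430mplebank.com".encode("idna").decode("ascii")


if __name__ == "__main__":
    for d in ["examplebank.com", "examp1ebank.com", sample_idn(),
              "examplebnak.com", "examplebank-login.com", "shop.com"]:
        print(d, "->", classify(d, "examplebank"))
```

In a monitoring pipeline the variant set is generated once per brand and intersected with the daily zone-file output, while normalise() runs over every name in the output, since an IDN homoglyph domain will never match a Latin variant list directly.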

The table below shows the most common character substitutions observed in phishing domains, as identified by CSC's 2021 Domain Security Report[5].

The use of homoglyphs by infringers is a well-established and widely used technique. CSC's 2021 study found that 70% of homoglyph variants of official corporate domain names are owned by third parties, with 43% having active MX records and 6% actively resolving to impersonation sites or sites distributing malicious content.

Even covering all the above approaches, there may still be instances of threatening domains that cannot be detected easily. Examples might include phishing sites hosted on TLDs without zone file coverage, or with obscure or no brand variants in the domain name, and where most of the traffic is driven to the site via associated spam e-mails.

For this reason, it may be appropriate to augment the domain monitoring techniques discussed thus far with additional data sources specifically designed to detect fraudulent activity. This includes the use of spam traps and honeypots, as well as information derived from the brand owner's web server logs to detect instances of phishing sites drawing content from, or re-directing to, official corporate websites.

Creating a cost-effective solution

Detecting potentially infringing domain names is only part of the process of creating an effective brand protection solution. An enforcement programme for infringing domain names is also necessary to defend the brand and protect revenue.

Some enforcement approaches, particularly those involving domain disputes or acquisitions, can be time consuming and costly. They may also only be appropriate when the organisation or brand owner wishes to reclaim the domain for its own use.

It is therefore important to have a toolkit of enforcement approaches, including cease-and-desist notices, host-level content removal, registrar- or registry-level suspensions, etc., that allows the most effective approach to be selected in any given case while reserving other options for escalation.

The use of appropriate technology can help to automate the analysis and enforcement processes, making them more efficient. Technology-based analysis of site content, as offered by several brand protection service providers, can be an important element of the brand protection process for the following reasons:

  • Detailed content analysis and automated categorisation of results by infringement type and severity can help identify the findings that require prioritised follow-up action. This is particularly important for brands where large numbers of results have been identified.
  • A domain name of potential concern may not feature any significant content at the point of detection but have the potential for more egregious use in the future. In those cases, the enforcement options are limited, except where there is proof of fraudulent use. It may therefore be more appropriate to monitor the site on an ongoing basis, with a view to detecting the potential appearance of infringing content. Sophisticated brand monitoring tools include 'revisitor' technology to determine and quantify the extent of the change to the site content between successive visits. Such tools can also monitor explicitly for the appearance of specific content types.
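
As an added illustration of the revisitor idea (this is not CSC's revisitor technology), the code below quantifies how much the visible text of a monitored domain changed between two captured visits and reports which content types appear in the new visit but not the previous one, so that a parked domain turning into a credential-capture or e-commerce page can be prioritised. The content-type signatures and both page snapshots are constructed.

```python
"""'Revisitor'-style comparison of two visits to a monitored domain.

Added example; not CSC's revisitor technology. Quantifies the change in
visible text between two snapshots and reports content types (from a small
constructed signature table) that newly appear. Both snapshots are constructed.
"""
import difflib
import re

# Constructed signatures for content types a brand owner might watch for.
CONTENT_SIGNATURES = {
    "e-commerce": ("add to cart", "checkout", "buy now"),
    "credential-capture": ("password", "log in", "sign in"),
    "parking": ("this domain is for sale", "related searches"),
}


def visible_text(html):
    """Crude tag strip, sufficient for the captured pages used here."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()


def change_ratio(previous_html, current_html):
    """0.0 = identical visible text, 1.0 = nothing in common (token level)."""
    before = visible_text(previous_html).split()
    after = visible_text(current_html).split()
    return 1.0 - difflib.SequenceMatcher(None, before, after).ratio()


def newly_appearing_types(previous_html, current_html):
    """Content types whose signatures appear in the new visit but not the old."""
    before, after = visible_text(previous_html), visible_text(current_html)
    return sorted(t for t, sigs in CONTENT_SIGNATURES.items()
                  if any(s in after for s in sigs) and not any(s in before for s in sigs))


# Constructed snapshots: a parking page, then a page imitating a bank login.
VISIT_1 = ("<html><body><h2>This domain is for sale</h2>"
           "<p>Related searches: loans, banking</p></body></html>")
VISIT_2 = ("<html><body><h1>Examplebank online banking</h1><form><label>Username</label>"
           "<label>Password</label><button>Log in</button></form></body></html>")

if __name__ == "__main__":
    print(round(change_ratio(VISIT_1, VISIT_2), 3), newly_appearing_types(VISIT_1, VISIT_2))
```

A threshold on change_ratio decides whether a revisit warrants analyst attention at all; the newly appearing content types decide how urgently.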

Clustering technology and artificial intelligence (AI) can establish links between otherwise apparently unrelated infringements, based on shared characteristics such as registrant contact details and hosting information. This can help build compelling cases of bad faith (e.g. where a domain owner can be determined to be a serial infringer) and can also provide the potential for bulk takedown actions, where several linked infringements can be taken down via a single action, increasing the efficiency of the enforcement process.

Quantifying the value of a brand protection programme that comprises both monitoring and enforcement can be the final part of the picture. There are a range of ways to calculate return on investment[6], which may incorporate some or all of the following ideas:

  • Calculating the value of a domain that has been reclaimed by an organisation or brand owner into its official portfolio via a dispute process. This is determined using the amount of web traffic (number of visitors) to the site and is based on the principle that any traffic from the reclaimed site can be redirected to the organisation or brand owner's main corporate transactional website.
  • Calculating the value of goods sold through an infringing site featuring e-commerce content and determining the proportion of the revenue that is reclaimable. This calculation assumes that, following enforcement, a certain proportion of the users who would have bought an infringing item will instead buy a legitimate item from an approved source.
  • Determining the amount of reclaimable revenue following the removal of infringing content that previously resulted in traffic misdirection. This calculation is based on factors such as the traffic received by the infringing site and the mix of different brands or content types featured on the site.

It may also be appropriate to consider other less defined concepts, such as the impact of pre-existing infringements[7] on brand equity and value.

Conclusion

Consideration of domain names should be a core activity for any brand owner. As part of their business-as-usual activities, organisations typically own and operate a portfolio of domains that should be protected by a range of security products and services, defending them against threat vectors and protecting business operations and corporate revenue and reputation.

However, third-party branded domain names can be associated with a range of brand infringements and other threats. A domain name monitoring programme - generally as part of a wider brand protection initiative - is key to detecting infringements outside the firewall and enabling enforcement actions to take down damaging content.

For this programme to be efficient, comprehensive and cost-effective, the following points are relevant:

  • Using an automated monitoring technology product yields numerous benefits:
    • it encompasses a range of data sources and monitoring techniques to allow the monitoring coverage, across both brand name variants and TLDs, to be as comprehensive as possible;
    • it can enable automatic analysis and prioritisation of concerning domains according to site content, resulting in more efficient and timely identification of the most threatening examples for enforcement action;
    • a product incorporating AI and clustering technology can establish links between infringements, resulting in the determination of bad-faith activity by serial infringers and the ability for bulk takedowns; and
    • revisitor technology can be used to monitor domains that do not currently feature significant live content, to identify infringing content that appears in the future.
  • Infringements should be tackled with a timely enforcement process. This should incorporate a toolkit of possible approaches so that the most appropriate methodology can be selected for each individual case. This helps to avoid the unnecessary use of highly complex, costly techniques while retaining options for escalation if an initial enforcement action is unsuccessful.
  • Automated technology should be complemented by a team of expert analysts, who can both prioritise the raw data, identifying the key targets for follow-up action, and establish and implement the most appropriate takedown routes.

The above ideas highlight the importance for organisations to partner with an enterprise-class service provider that can provide both the necessary products and services and the analyst insight to ensure the smooth running of domain management and brand protection services. Enterprise-class providers can also work with the brand owner to establish the most appropriate methodologies for quantifying the return on investment of these programmes and carry out the associated analysis.

References

[1] https://www.verisign.com/en_US/domain-names/dnib/index.xhtml

[2] https://newgtlds.icann.org/en/about/program

[3] https://www.cscdbs.com/blog/domain-registrations-associated-with-new-tld-launches/

[4] https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/

[5] https://www.cscdbs.com/en/resources-news/domain-security-report/

[6] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2021/article/return-investment-proving-protection-pays

[7] https://www.cscdbs.com/blog/brand-abuse-and-ip-infringements/

This article was first published on 15 April 2022 at:

https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

as part of the 'Anti-counterfeiting and Online Brand Enforcement: Global Guide 2022':

https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022

Also published at:

https://www.lexology.com/library/detail.aspx?g=be587323-dc0f-4bff-a16a-043015d4db03

Thursday, 14 April 2022

The world of the subdomain

A web domain name is the foundational piece of Internet property allowing its owner (registrant) to construct and host an associated website. On a domain, the owner is also able to construct whatever subdomains they wish - a process that is technically achieved via the configuration of records on the authoritative DNS (domain name system) server. A subdomain name is the part of the URL before the domain name, and separated by a dot (e.g. 'blog' in the URL https://blog.cscglobal.com/). Subdomains can be used in the construction of web addresses for a number of different purposes, such as the creation of individual microsites for sub-brands or campaigns, or the production of region- or subject-specific subsites. Some Internet service providers (ISPs), known as private subdomain registries, also offer the sale of specific commoditised subdomains of their site, allowing users to create their own sites (e.g. 'second-level' domains such as blogspot.com, which allows users to register URLs in the form username.blogspot.com, for the creation of a personalised blog in this case).

Subdomain name abuse in general Internet content

From a brand monitoring point of view, the appearance of a brand name or other relevant keyword(s) in the subdomain name of a third-party URL can be associated with a variety of brand infringement types. Some areas of potential concern include:

  • As a means of driving traffic to third-party content via misdirected search-engine queries
  • Creating sites featuring claims of affiliation with the brand in question
  • Reputation issues - e.g. creating sites containing information, customer comments, or activism-related material pertaining to a particular brand
  • As a means of creating a URL appearing deceptively similar to that of an official brand site (e.g. for fraudulent activity, phishing, or the distribution of malware)

Brand-specific subdomains can be a source of confusion for Internet users - and thus an effective threat vector - because of their similarity to familiar, legitimate URLs. For example, the hypothetical and unofficial domain cscglobal.blog.com could be used to create a convincing fake version of the official blog.cscglobal.com.

In recent months, a number of (often SMS-based) phishing attacks have been observed to make use of a brand name in the subdomain name to create a highly convincing, deceptive URL in a particular way[1,2], as shown in the example in Figure 1.

Figure 1: Example of a 2021 SMS-based phishing attack targeting HSBC customers

In this example, targeting UK customers of the bank, the phishing URL makes use of a reference to HSBC in the subdomain name, together with a domain name beginning with 'uk-' (uk-account[.]help), as a means of producing a URL that appears visually very similar to the real 'hsbc[.]co[.]uk/account-help'. The phishing site link also uses the HTTPS protocol, historically an indicator of trust, but now a characteristic shared by over 80% of phishing sites[3] in response to the easy availability of SSL (secure sockets layer) certificates from free providers. This approach is particularly effective for a number of reasons, including the fact that it uses a new generic top-level domain (gTLD) extension that may be unfamiliar to some users, and the tendency for the displays in mobile devices to insert line-breaks after hyphens. Zone file analysis shows there are at least several hundred registered new gTLD domains with names of a similar format that have the potential to be used fraudulently. Identified examples include uk-authorization-online[.]support, uk-gov[.]tax, uk-insurance[.]claims, uk-border[.]agency, and uk-lottery[.]win.

Other recent identified examples of branded subdomains in phishing scams include hermes[.]online-parcel-reschedule[.]com (for logistics company Hermes); and o2[.]billing9k7j[.]com (for telecommunications organisation O2). This type of attack circumvents the requirement for the fraudster to register a brand-specific domain name (which is potentially easier to detect by a brand owner employing a basic domain monitoring service). In many cases, the whois records for the parent domains are anonymised, making it difficult to establish links between cases. These domains are also often registered immediately prior to the attack and are used for a short period, in an effort to circumvent detection and takedown efforts.

In general, brand-related subdomains on third-party sites are more difficult to detect than domain names themselves, which can much more easily be identified through wildcard searches of registry zone files. The most straightforward method for identifying subdomains is through search engine metasearching, providing the subdomains in question are linked from other sites and have been indexed by the search engines. Beyond this, the issue can partially be addressed through the use of other techniques, such as a detailed analysis of domain-name zone configuration information (e.g. passive DNS analysis), certificate transparency (CT) analysis, or via the use of explicit queries on particular domains for the existence of specific subdomain names.

Private subdomain registries pose a further problem: they are not necessarily regulated by ICANN (the Internet Corporation for Assigned Names and Numbers), and thus may lack dispute resolution procedures, abuse reporting processes, or any sort of whois records.

When considering enforcement against infringing subdomains, options can be relatively limited - particularly in comparison with the range of approaches available for domain names. It is sometimes possible to achieve engagement with the registry, registrar, hosting provider or DNS provider, but they may not be obligated to comply. Furthermore, many established dispute processes, such as UDRP (the Uniform Domain-Name Dispute-Resolution Policy), do not necessarily apply to subdomains. However, exceptions do exist in some cases, such as certain new gTLDs, instances where the host domain name corresponds to a country code (e.g. jp.com), or other limited circumstances (e.g. those covered by the Dispute Resolution Service (DRS) for .nz). Failing this, court litigation is often a last resort[4].

Finally, the use of fraudulent domains in conjunction with wildcard MX records (which allow the domain owner to receive emails sent to any subdomain on the domain name) can also be a highly efficient way for criminals to intercept mail intended for trusted organisations, and thereby harvest sensitive information. This can be successful in cases where the recipient e-mail address has been mistyped (i.e. with an extra '.' inserted). If the domain name is carefully selected, it can enable attacks against a range of different organisations (e.g. *.bank.[tld] can be used to harvest mis-addressed e-mails intended for any organisation with an official domain name of the form [brand]bank.[tld]).
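
The following added example (not CSC's code) covers two of the checks discussed in this section. brand_position() separates the registrable domain of a hostname from its subdomain part and reports where a brand term sits, which is the distinction behind the 'brand.uk-something.tld' URLs and the private-subdomain-registry cases above; it uses a constructed fragment of the public suffix list (private-registry suffixes are deliberately left out so that a brand on such a service shows as 'subdomain'). misdelivery_risks() enumerates the addresses a user produces by typing one extra '.' inside an official domain's label and names the third-party registrable domain whose wildcard MX would receive that mail, so a brand owner can see which domains are worth defensive registration. The hostnames, brand and CT-log-style sample list are constructed.

```python
"""Brand position in a hostname, and mis-addressed-mail exposure.

Added example; not CSC's code. Uses a constructed stand-in for the public
suffix list; all hostnames and the CT-log-style sample are constructed.
"""

# Constructed fragment of a public suffix list; a real check uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "help", "online", "co.uk"}


def registrable_domain(host):
    """Registrable domain (public suffix plus one label), or None for a bare suffix."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])            # unknown suffix: assume a single-label TLD


def brand_position(host, brands):
    """(brand, 'registrable' | 'subdomain') for the first brand found, else None."""
    reg = registrable_domain(host)
    if reg is None:
        return None
    sub = host.lower().strip(".")[: -len(reg)].rstrip(".")
    for brand in brands:
        brand = brand.lower()
        if brand in reg.split(".")[0]:
            return (brand, "registrable")
        if brand in sub:
            return (brand, "subdomain")
    return None


def subdomain_hits(hosts, brands):
    """Hosts where the brand appears only in the subdomain part."""
    return sorted(h for h in hosts
                  if (brand_position(h, brands) or (None, None))[1] == "subdomain")


def misdelivery_risks(address, owned_domains):
    """Mistyped addresses (one extra '.' in the domain's first label) that
    would be delivered to a registrable domain outside the owned portfolio."""
    local, _, domain = address.rpartition("@")
    label, _, rest = domain.lower().partition(".")
    owned = {d.lower() for d in owned_domains}
    risks = []
    for i in range(1, len(label)):
        typo = f"{label[:i]}.{label[i:]}.{rest}"
        reg = registrable_domain(typo)
        if reg and reg not in owned:
            risks.append((f"{local}@{typo}", reg))
    return risks


# Constructed hostnames, as might be extracted from certificate transparency logs.
CT_SAMPLE = ["examplebank.uk-account.help", "www.examplebank.com",
             "examplebank-secure.net", "examplebank.blogspot.com", "mail.unrelated.net"]

if __name__ == "__main__":
    print(subdomain_hits(CT_SAMPLE, ["examplebank"]))
    for typo, catcher in misdelivery_risks("alice@examplebank.com", ["examplebank.com"]):
        print(typo, "->", catcher)
```

For 'alice@examplebank.com' the function reports ten mistyped forms, one of which, 'alice@example.bank.com', would be caught by a wildcard MX on bank.com; adding that domain to the owned portfolio removes it from the list.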

Subdomains of official domains within the brand owner’s own portfolio

Considering the domain security landscape, an area of primary concern for a brand owner is the existence of subdomains on domains under their own ownership.

Subdomain hijacking

Brand owners may use subdomains of official sites for a number of different purposes, as discussed previously. However, when they register a lot of subdomains - IBM has around 60,000 and Microsoft over 120,000 - subdomain management can become a significant endeavour, and bad actors can take over subdomains through the exploitation of expired hosting services (an issue known as 'dangling DNS records'), DNS misconfigurations, or untrustworthy legitimate users. Compromise can also be achieved using pharming (DNS poisoning) attacks, where subdomain records are modified to re-direct traffic to a fraudulent IP address. This can give fraudsters the ability to create fake sites, upload content, monitor traffic, or hack official corporate systems[5]. A 2021 study identified over 1,500 vulnerable subdomains across 50,000 of the world's most important websites[6].

A number of news stories have emerged in recent years of corporations being attacked in this way, including instances of official corporate subdomains being hijacked to re-direct to content including malware, pornography, and gambling-related material. Subdomains of the Xerox website, for example, were used in 2020 to drive traffic to sites selling fake goods, taking advantage of the trusted reputation of the official corporate domain to boost the search-engine ranking of the malicious content[7]. In another case in 2019, GoDaddy shut down 15,000 abused subdomains that drove a massive spam campaign geared towards the sale of counterfeits[8].

Brand owners can mitigate these threats by analysing their own domain portfolio and being mindful of any subdomains pointing to external IP addresses.

Domain shadowing

Another risk is the possibility for criminals to create new, unofficial subdomains of official sites via DNS compromise through a method such as phishing or dictionary attacks - a practice known as 'domain shadowing'. This approach can also be used to drive users to threatening content, while taking advantage of the protections associated with being hosted on a trusted website (e.g. to circumvent site block-listing). In one reported example of this practice, a number of domains (primarily registered through GoDaddy) were compromised to create over 40,000 subdomains pointing to Russian IP addresses hosting a range of malware variants[9,10].

This type of attack can be difficult to detect, both because it avoids the requirement to make changes on the official corporate webserver, and because the infringing content is typically hosted externally. The damage may only become apparent following complaints by users, or in response to the official domain being added to a block-list due to the malicious activity. Rigorous security measures are the primary preventative approach, including the use of strong passwords and two-factor authentication[11].

A related attack vector is the use of wildcard DNS records, which can result in any arbitrary subdomain name being set to re-direct to a malicious external IP address. Bad actors can use randomised, changing subdomains to circumvent hostname-based block-listing (e.g. in coordinated phishing campaigns). This type of attack can be applied both to official (compromised) or third-party (standalone) domains[12].
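
The following added example (not CSC's tooling) shows the portfolio review recommended in the subdomain hijacking section together with the detection side of the domain shadowing and wildcard DNS discussion. It audits a constructed BIND-style export of an official domain's zone and flags A/AAAA records pointing outside the organisation's own address ranges, CNAME records pointing at external hosts (and, where the target is on a constructed list of decommissioned services, a dangling record), names present in the zone but absent from the approved subdomain inventory (a candidate shadowed subdomain), and wildcard records. The owned networks, inventory and decommissioned list are all constructed.

```python
"""Audit of an exported DNS zone for subdomain-takeover and shadowing signals.

Added example, not CSC's tooling. Input is a constructed BIND-style export of
an official domain's zone; owned networks, inventory and the decommissioned
list are constructed too.
"""
import ipaddress


def parse_zone(text):
    """Return (name, type, value) tuples from 'name [ttl] [IN] type value' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        fields = [p for p in parts[1:] if p.upper() != "IN" and not p.isdigit()]
        name = parts[0].rstrip(".").lower()
        records.append((name, fields[0].upper(), " ".join(fields[1:]).rstrip(".").lower()))
    return records


def in_owned_domains(host, owned_domains):
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def audit(records, owned_domains, owned_networks, inventory, decommissioned):
    """Return (name, finding) pairs for records that need review."""
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for name, rtype, value in records:
        wildcard = name.startswith("*.")
        if wildcard:
            findings.append((name, "wildcard-record"))
        if rtype in ("A", "AAAA"):
            if not any(ipaddress.ip_address(value) in n for n in nets):
                findings.append((name, "external-ip"))
        elif rtype == "CNAME":
            if value in decommissioned:
                findings.append((name, "dangling-cname"))
            elif not in_owned_domains(value, owned_domains):
                findings.append((name, "external-cname"))
        if rtype in ("A", "AAAA", "CNAME") and not wildcard and name not in inventory:
            findings.append((name, "not-in-inventory"))
    return findings


# Constructed export; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
ZONE_EXPORT = """\
; constructed export for examplebank.com
www.examplebank.com.          3600 IN A     198.51.100.10
mail.examplebank.com.         3600 IN A     198.51.100.25
shop.examplebank.com.         3600 IN CNAME shop-prod.examplebank.com.
shop-prod.examplebank.com.    3600 IN A     198.51.100.11
promo2019.examplebank.com.    3600 IN CNAME old-campaign.hosting-provider.example.
secure-login.examplebank.com.  300 IN A     203.0.113.77
*.examplebank.com.            3600 IN A     203.0.113.99
"""
OWNED_DOMAINS = {"examplebank.com"}
OWNED_NETWORKS = ["198.51.100.0/24"]
INVENTORY = {"www.examplebank.com", "mail.examplebank.com", "shop.examplebank.com",
             "shop-prod.examplebank.com", "promo2019.examplebank.com"}
DECOMMISSIONED = {"old-campaign.hosting-provider.example"}   # service no longer provisioned


def run_example():
    return audit(parse_zone(ZONE_EXPORT), OWNED_DOMAINS, OWNED_NETWORKS,
                 INVENTORY, DECOMMISSIONED)


if __name__ == "__main__":
    for name, finding in run_example():
        print(f"{finding:16} {name}")
```

Run against the sample, the audit reports the dangling campaign CNAME, the 'secure-login' name that nobody approved and that resolves outside the owned ranges, and the wildcard record that would make any arbitrary subdomain resolve externally; the approved, internally hosted names produce no findings.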

Overall, to mitigate these threats, brand owners should employ a robust domain security posture combined with a comprehensive programme of brand monitoring and enforcement.

References

[1] https://www.cscdbs.com/blog/phishing-scams-how-to-spot-them/

[2] https://thewebisround.xyz/2021/06/28/the-reality-behind-the-smishers/

[3] https://docs.apwg.org/reports/apwg_trends_report_q2_2021.pdf

[4] https://www.worldtrademarkreview.com/enforcement-and-litigation/subdomains-and-online-brand-protection-what-you-need-know-long-read

[5] https://www.networkworld.com/article/3623949/don-t-let-subdomains-sink-your-security.html

[6] https://www.eurekalert.org/news-releases/698257

[7] https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

[8] https://www.techradar.com/news/godaddy-shuts-down-15k-subdomains-used-in-massive-spam-campaign

[9] https://www.domaintools.com/resources/blog/domaintools-101-dns-shadow-hack-attacked

[10] https://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/126072/

[11] https://encyclopedia.kaspersky.com/glossary/domain-shadowing/

[12] https://www.phishlabs.com/blog/phishing-with-wildcard-dns-attacks-and-pharming/

This article was first published on 14 April 2022 at:

https://www.cscdbs.com/blog/the-world-of-the-subdomain/

Also published at:

https://circleid.com/posts/20220504-the-world-of-the-subdomain
