Tuesday, 31 January 2023

Four new case studies of domain registration activity spikes driven by real-world events

Introduction

A variety of previous studies have demonstrated how real-world events can trigger subsequent spikes in domain registrations and infringement activity. Previous CSC articles and reports have focused on issues as diverse as the COVID pandemic[1], the war in Ukraine[2], supply-chain issues affecting the baby-milk and semiconductor industries[3], the Euro 2020 competition[4], the Black Friday and Cyber Monday holiday shopping events[5], and the Reddit stock manipulation campaign targeting the GameStop organisation[6].

When a high-impact event or news story takes place, there is typically a resulting burst of public interest and online searches for associated content, and bad actors can take advantage of this 'buzz' for their own gain. There are a number of ways in which this can be implemented, including: the production of content (which can include areas such as the sale of goods via e-commerce sites) relating to the issue at hand; misdirection of users to infringing, unofficial or potentially malicious websites; phishing activity utilising branded domain names to host fraudulent websites or for their e-mail functionality; or monetisation of dormant high-traffic domains through the emplacement of pay-per-click (PPC) links. In some cases, potentially desirable names may also be seized with the intention of subsequent sale to the infringed brand owner (i.e. cybersquatting) or any other interested party. 

In this article, I look at four recent events or news stories, and focus on the manifestation of associated spikes in potential infringements, by considering patterns in domain registration activity. The analysis includes consideration of new registrations ('N'), re-registrations ('R') and domain drops (lapses) ('D').

Findings

Study 1: Changes of UK Prime Minister (Summer 2022)

Summer 2022 was a time of rapid political change in the UK, resulting in two changes of Prime Minister. The associated analysis considers registration activity of domains containing the names of the three leaders, specifically: (i) 'liz' plus 'truss'; (ii) 'rishi' plus 'sunak'; and (iii) 'borisjohnson' (or typos / variations). The findings are shown in Figure 1, where peaks in registration activity can be seen to correspond to associated key news events.

Figure 1: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and dropped ('D') domains, with names relating to the three 2022 UK Prime Ministers (Boris Johnson (top), Liz Truss (middle), Rishi Sunak (bottom)). Key events in the news timeline[7,8] are denoted according to the key shown below.

A: Boris Johnson announces resignation (07-Jul-2022)
B: Liz Truss enters leadership contest (10-Jul-2022)
C: Rishi Sunak frontrunner in leadership contest following second round of voting (13-Jul-2022)
D: Liz Truss confirmed as new Conservative leader and PM following party-member vote (05-Sep-2022)
E: Boris Johnson tenders resignation (06-Sep-2022)
F: Liz Truss faces political rebellion following economic turmoil (04-Oct-2022)
G: Liz Truss announces resignation following appointment of new Chancellor and reversal of 'mini-budget' policies (20-Oct-2022)
H: Rishi Sunak confirmed as new Conservative leader and PM (24-Oct-2022)

In this case, many of the registrations were associated with websites featuring satirical or commentary-related content (Figure 2), though some were of greater concern (misdirection to third-party content or potential phishing activity) (Figure 3). In general, political content can also be of particular concern in cases where it is found to be associated with the spread of misinformation, or be attempting to manipulate voting patterns[9].

Figure 2: Examples of satirical websites identified in the registration dataset - second-level domain names (SLDs) (i.e. the part of the domain name to the left of the dot) are: borisjonson (registered 07-Sep-2022) (top); liztrussgame (registered 23-Oct-2022) (middle); hasrishisunakresignedyet (registered 15-Oct-2022) (bottom)

Figure 3: Examples of other websites identified in the registration dataset - SLDs are: trussliz and wetruzzliz (but displaying content relating to the UK opposition party) (registered 02-Jun-2022) (top); rishisunakforpm (registered 25-Oct-2022) (bottom)

Study 2: FIFA World Cup Qatar 2022

In this study, I consider domain registration activity relating to the 2022 FIFA World Cup competition which took place in Qatar between 20-Nov and 18-Dec 2022. The initial searches focused on all domains containing the keywords 'qatar' or 'world(-)cup', for which over 10,000 registration activity events were identified (comprising 8,690 unique domain names) during a one-year analysis period from December 2021 to December 2022. Continuous activity was identified throughout the year, though unsurprisingly with a ramp-up in new registrations towards the time of the event itself (Figure 4).

Figure 4: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R'), and dropped ('D') domains with names containing 'qatar' or 'world(-)cup'

In order to take a deeper dive into the highest-relevance domain names, I then focus on searches utilising keywords indicating that the domains under consideration are likely to pertain specifically to the event, rather than just referencing the more generic terms 'Qatar' or 'World Cup'. Specifically, this considers domains with names containing:

  • 'world(-)cup' AND 'qatar'

        OR

  • ['world(-)cup' OR 'qatar'] AND ['football' OR 'futbol' OR 'soccer' OR '2022' OR 'fi(-)fa']

The methodology also considers only those domains which were still active as of the time of analysis (02-Dec-2022) (i.e. those for which the most recent activity event was not a domain drop ('D')). 
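The keyword logic and the 'still active' rule described above can be expressed as follows. This is an added example, not code from the study: the event-feed layout (date, event type, domain) and all sample domains are constructed, and the function names are illustrative.

```python
import re
from datetime import date

# Keyword patterns from the article; "(-)" is an optional hyphen.
WORLD_CUP = re.compile(r"world-?cup")
QATAR = re.compile(r"qatar")
CONTEXT = re.compile(r"football|futbol|soccer|2022|fi-?fa")

ANALYSIS_DATE = date(2022, 12, 2)  # analysis date stated in the article


def sld(domain):
    """Label left of the first dot (assumes registrable names, no subdomains)."""
    return domain.lower().split(".", 1)[0]


def is_high_relevance(domain):
    """('world(-)cup' AND 'qatar') OR (['world(-)cup' OR 'qatar'] AND context)."""
    name = sld(domain)
    world_cup = bool(WORLD_CUP.search(name))
    qatar = bool(QATAR.search(name))
    context = bool(CONTEXT.search(name))
    return (world_cup and qatar) or ((world_cup or qatar) and context)


def latest_event(events, as_of):
    """Most recent (day, kind) per domain, ignoring events after as_of.

    Ties on the same day are resolved in favour of the later row in the feed.
    """
    latest = {}
    for day, kind, domain in events:
        if day > as_of:
            continue
        key = domain.lower()
        if key not in latest or day >= latest[key][0]:
            latest[key] = (day, kind)
    return latest


def active_high_relevance(events, as_of=ANALYSIS_DATE):
    """High-relevance domains whose most recent event is not a drop ('D')."""
    return sorted(
        domain
        for domain, (_, kind) in latest_event(events, as_of).items()
        if kind != "D" and is_high_relevance(domain)
    )


# Constructed sample feed (not data from the study): (date, event type, domain).
SAMPLE_EVENTS = [
    (date(2021, 12, 15), "N", "worldcupqatar.example"),   # dropped, then re-registered
    (date(2022, 2, 1), "D", "worldcupqatar.example"),
    (date(2022, 3, 1), "N", "visit-qatar.example"),       # generic 'qatar' only
    (date(2022, 4, 5), "N", "qatar-2022-i7.example"),
    (date(2022, 6, 10), "N", "world-cup-fi-fa.example"),  # relevant but dropped
    (date(2022, 10, 20), "R", "worldcupqatar.example"),
    (date(2022, 11, 30), "D", "world-cup-fi-fa.example"),
    (date(2022, 12, 5), "N", "soccerworldcup.example"),   # after the analysis date
]

if __name__ == "__main__":
    for name in active_high_relevance(SAMPLE_EVENTS):
        print(name)
```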

This focused analysis yields a dataset of 977 domains, for which the pattern of registration activity (considering only the most recent activity event for each unique domain name) is shown in Figure 5.

Figure 5: Daily (top) and monthly (bottom) numbers of new registrations ('N') and re-registrations ('R') combined, for high-relevance domain names relating to the Qatar World Cup (considering the most recent activity event for each unique domain name)

In this more focused dataset, the overall activity pattern is broadly similar, though an additional peak in registrations is also apparent in early April 2022. This relates to what appears to be one or two specific, short-lived, coordinated registration campaigns of domains with names of the form 'qatar-2022-iX.xyz' and 'worldcup2022-jYYX.buzz' (where 'X' is an additional digit and 'Y' is an additional character). Although none of these domains was found to resolve to any live site at the time of analysis, the .xyz and .buzz new-gTLD domain extensions have been noted as previously being frequently associated with malicious or infringing content[10,11].

Of the 977 high-relevance domains overall, 633 were found to yield an active website response (i.e. an HTTP status code of 200) at the time of analysis. Within this set, a range of (where non-official) potentially infringing or high-threat content types were observed (Figure 6).

Figure 6: Examples of live websites relating to the Qatar World Cup, representing a range of content types of potential concern (with the SLD shown in each case in square brackets) - top to bottom: potential phishing [qatar2022]; piracy [worldcuplivefifa]; gambling [worldcupbet]; ticket sales [qatar-worldcup]; other e-commerce [qatarfootballcup]; cryptocurrency-related [qatarfifaworldcup]; NFT-related [worldcupnft2022]

Study 3: New Year 2023

The new year can be a prime time for brand owners to launch new products, campaigns and marketing activity, and one way in which this can be promoted in a topical fashion is through the registration of new domains making explicit reference to the year. However, similar tactics can also be employed by bad actors, through the registration of desirable domain names. In some cases, these domains may be registered well in advance of the start of the new year itself, as a way of 'getting ahead of the curve'. Accordingly, this study considers activity associated with the registration of domains with names beginning or ending with the string '2023' (i.e. 'left- or right-matches') throughout the calendar year 2022.

Over the course of 2022, 6,730 domain activity events (representing 6,458 unique domain names) were identified for '2023-specific' domains, as shown in Figure 7. 

Figure 7: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names beginning or ending with '2023'

Figure 8 shows the growth across 2022 of the cumulative total number of registered domains with names beginning or ending with '2023'.

Figure 8: Daily cumulative total number of registered domains with names beginning or ending with '2023'

Unsurprisingly, the greatest levels of activity (dominated by new registrations) occurred during the latter parts of 2022 (particularly in December), but it is significant that registrations were taking place throughout the year, with a continual growth in the number of registered '2023' domains. It is also worth noting that there were already 2,380 such domains registered at the start of 2022 (compared with 7,524 at the end).

Considering the unique domains represented in the 2022 activity dataset, a range of TLDs (domain extensions) were represented (Figure 9), including significant numbers of new-gTLDs, many of which are of concern due to the previously-noted frequency of their association with infringing activity[12].

Figure 9: Top TLDs amongst the unique '2023' domains represented in the 2022 activity dataset

Significant numbers of these domains were found to be associated with potentially infringing websites, including several with names including top brand names (Figure 10). 

Figure 10: Examples of potentially infringing websites with domain names including references to both '2023' and a brand name from the Interbrand top 20 list of 'best global brands'[13] (SLDs shown in square brackets): (top) potentially fraudulent cryptocurrency-related site [2023-tesla] (registered 27-Dec-2022); (bottom) traffic misdirection / re-direction to a site offering potentially unauthorised or unofficial informational content [2023bmw] and [2023-toyota] (both registered 07-Oct-2022)

A variety of other sites of potential concern were also identified in the dataset, including a range of examples where no brand name was present in the domain name itself. Some of these were, however, found to feature website content which appears to be infringing against specific brands (Figure 11).

Figure 11: Examples of websites offering the sale of potentially counterfeit products and with domain names including a reference to '2023' (SLDs are replicascamisetanba2023 and 2023freerunshoesshop)

Many of the domain names incorporate popular keywords, in apparent attempts to attract traffic in response to common web searches. These included examples such as 'nft' (present in 7 domains) and 'blackfriday' (present in 5 examples, despite Black Friday 2023 being 11 months away). Significantly, 'covid' and 'corona' both appeared in only one example each, perhaps indicating that the online buzz associated with the pandemic is subsiding. The dataset also included some more surprising examples, such as 'keto' (present in 522 domains in the dataset, in addition to several others featuring misspellings such as 'keeto'), perhaps reflective of the continuing popularity of keto diets. Many of these 'keto' domains appear to be part of one or more coordinated registration campaigns, with large numbers of examples with SLDs beginning '2023keto' followed by strings of random characters, across new-gTLDs such as .cyou, .click and .buzz. Even amongst groups of such domains registered on the same day and TLD, a range of content types were observed, including nutrition-related sites, sites advertising a business promotion service provider, and even adult content.

Study 4: Southwest Airlines’ logistics crisis

In December 2022, US air operator Southwest Airlines experienced a 'travel meltdown' in which a series of logistical failures resulted in the cancellation of more than 16,000 flights between 21-Dec and 31-Dec, resulting in tens of thousands of customer refund claims per day, and overall losses to the organisation of between $725 million and $825 million[14].

In this case, I considered domains with names containing 'southwest' (or variants), over a one-month period between 12-Dec-2022 and 11-Jan-2023, to determine whether the story generated activity in response to the increased interest in the company and the desire by customers to claim refunds.

Overall, 708 domain activity events, representing 674 unique domain names, were identified during the monitoring period, including a general spike in overall registration activity around the 11-day period in which the incident took place (Figure 12).

Figure 12: Daily numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names containing 'southwest' (or variants)

Since the term 'southwest' is relatively generic, I then focused on the subset of ('high-relevance') domains which appear to relate specifically to Southwest Airlines and the associated events of the story. This was done by considering those domain names which also feature relevant keywords (such as 'air' (but excluding false positives such as 'repairs', 'fairs', etc.), 'aviation', 'aerospace', 'bookings', 'claim' or 'classaction'), or where the domain name itself is a misspelling of Southwest's official website (southwest.com). This yielded a dataset of 46 domain activity events, comprising 43 unique domain names. Within this reduced dataset, the spike in activity around the time of interest can be seen to be much more pronounced (Figure 13).

Figure 13: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and drops ('D'), for high-relevance domains with names containing 'southwest' (or variants)

Of the 36 registration or re-registration events within the dataset of high-relevance domains, 30 (83%) occurred in the four-day period between 27-Dec and 31-Dec.

Of the 43 unique high-relevance domain names in total, 10 were inactive as of the date of analysis (12-Jan-2023). Of the remainder, 27 (68% of the total) resolved to parking pages featuring pay-per-click (PPC) links, indicating an effort by the site owners to monetise the traffic received by the sites. One domain resolved to a site which may be associated with a recruitment scam (Figure 14), one re-directed to the website of a legal-service provider (apparently abusing the Southwest brand name in order to attempt to take advantage of the potential customer desire to take legal action against the company), and one generated a browser warning indicating that dangerous content was formerly present, in addition to other content types.

Figure 14: Example of a website associated with a possible recruitment scam, hosted on a high-relevance, brand-specific domain name

Four (9%) of the high-relevance domain names are configured with MX records, indicating the ability to send and receive e-mails, and suggesting that the domains may be associated with phishing or brand-impersonation activity.

Within the dataset, two instances of domain 'tasting'[15] were identified, comprising domains (with SLDs of southwest-air-line and southwest-bookings) being registered and then dropped the following day, and possibly indicating efforts by the owners to determine the levels of traffic received by the sites, or to launch short-lived (and thereby difficult to detect) phishing attacks.

31 of the high-relevance domains had registration (whois) information available, all of which used privacy-protection providers or had redacted contact information, possibly indicating efforts by the owners to maintain anonymity and potentially nefarious intentions.

Additionally, several individual 'clusters' of domains, potentially representing coordinated registration campaigns by specific entities, were identified. These included:

  • One group of 12 domains all registered on 28-Dec-2022, comprising misspellings of 'southwest.com' and hosted on a group of four consecutive IP addresses
  • One group of five domains all registered on 30-Dec or 31-Dec and all hosted at the same IP address, with names comprising references to 'southwestairlinesclassaction' (or variants)
  • One group of eight domains all registered on 29-Dec or 30-Dec and all hosted at the same IP address

All of the above domains resolved to parking pages featuring PPC links at the time of analysis.
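One way to surface clusters of this kind from monitoring data is to group domains by hosting address, merge numerically consecutive addresses, and keep groups registered within a short window. This is an added example, not the method used in the study: the record layout, thresholds and function name are assumptions, and the sample uses a fictitious brand with documentation-range IP addresses.

```python
import ipaddress
from collections import defaultdict
from datetime import date


def hosting_clusters(records, min_size=3, max_span_days=1):
    """Group (domain, registered, ipv4) records into candidate campaigns.

    A cluster is a run of identical or numerically consecutive IPv4 addresses
    hosting at least min_size domains whose registration dates fall within
    max_span_days of each other. A run whose dates are too spread out is
    dropped as a whole; it is not split into sub-clusters.
    """
    by_ip = defaultdict(list)
    for domain, registered, ip in records:
        by_ip[int(ipaddress.IPv4Address(ip))].append((domain.lower(), registered))

    # Merge consecutive addresses (e.g. .10, .11, .12, .13) into a single run.
    runs = []
    for ip in sorted(by_ip):
        if runs and ip == runs[-1][-1] + 1:
            runs[-1].append(ip)
        else:
            runs.append([ip])

    clusters = []
    for run in runs:
        members = sorted(m for ip in run for m in by_ip[ip])
        dates = [registered for _, registered in members]
        span = (max(dates) - min(dates)).days
        if len(members) < min_size or span > max_span_days:
            continue
        clusters.append({
            "ips": [str(ipaddress.IPv4Address(ip)) for ip in run],
            "domains": [d for d, _ in members],
            "first_registered": min(dates),
            "last_registered": max(dates),
        })
    return clusters


# Constructed records for a fictitious brand (not data from the study).
SAMPLE_RECORDS = [
    # Typo variants registered the same day on four consecutive addresses.
    ("exampelbrand.example", date(2022, 12, 28), "192.0.2.10"),
    ("examplebrnad.example", date(2022, 12, 28), "192.0.2.11"),
    ("exmaplebrand.example", date(2022, 12, 28), "192.0.2.12"),
    ("examplebrandd.example", date(2022, 12, 28), "192.0.2.13"),
    # Keyword variants registered over two days on one address.
    ("examplebrandclassaction.example", date(2022, 12, 30), "198.51.100.7"),
    ("examplebrand-classaction.example", date(2022, 12, 31), "198.51.100.7"),
    ("examplebrandclassactions.example", date(2022, 12, 31), "198.51.100.7"),
    # Isolated registration: too small to be a cluster.
    ("examplebrand-fans.example", date(2022, 3, 2), "203.0.113.5"),
    # Shared hosting, but registered far apart: not a coordinated burst.
    ("examplebrand-blog.example", date(2021, 1, 5), "203.0.113.80"),
    ("examplebrand-jobs.example", date(2022, 6, 1), "203.0.113.80"),
    ("examplebrand-news.example", date(2022, 12, 29), "203.0.113.80"),
]

if __name__ == "__main__":
    for cluster in hosting_clusters(SAMPLE_RECORDS):
        print(cluster["first_registered"], cluster["ips"], cluster["domains"])
```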

Conclusion

The above news stories or events are all of different types, including examples which are regional or global in scope, and those which may be relevant mainly to specific corporations or industry areas. However, in all cases, resulting spikes in associated domain registration activity were observed. In general, this activity incorporates a mixture of both legitimate and non-legitimate (potentially threatening) registrations, comprising responses both by the official organisations concerned, and by nefarious bad actors.

The findings highlight that, in addition to the construction and maintenance of official domain portfolios by brand owners - and the protection of critical domains using appropriate domain security measures[16,17] - monitoring for third-party activity remains of crucial importance. Particular additional focus must be taken when external events drive increased public interest in associated content, which can result from industry-relevant events, news stories, marketing activity or product releases, corporate changes, and a range of other factors. Accordingly, the monitoring strategy needs to be flexible enough to evolve in response to emerging issues as they develop. Also key to the protection of the brand is a robust enforcement programme incorporating a wide range of approaches, to ensure the swift takedown of damaging infringing content.

It is also striking that so much of the observed activity is carried out so far in advance of the date of the events themselves, showing the significance of proactivity and timeliness in brand protection initiatives, combined with a robust strategy of defensive registrations, to obtain required domains in advance of their registration by wily third parties.

References

[1] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/ 

[2] https://www.cscdbs.com/blog/how-to-manage-the-online-effects-of-the-ukraine-war/

[3] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[4] https://www.cscdbs.com/blog/euro-2020-part-3-domains-revisited-and-other-channels/

[5] https://www.cscdbs.com/blog/holiday-shopping-events-part-2/

[6] 'The GameStop saga - how online activity and news stories can create feedback loops', Brand Journal, issue no. 21 (April 2021) (internal CSC publication)

[7] https://www.euronews.com/2022/10/14/truss-timeline-key-events-in-three-months-of-political-chaos-in-british-politics

[8] https://www.cnn.com/uk/live-news/uk-prime-minister-announcement-monday-gbr-intl/index.html

[9] https://www.ox.ac.uk/news/2021-01-13-social-media-manipulation-political-actors-industrial-scale-problem-oxford-report

[10] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[11] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[12] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[13] https://interbrand.com/best-global-brands-2022-download-form/

[14] https://www.cnn.com/travel/article/southwest-airlines-dot-complaints/index.html

[15] https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

[16] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[17] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 31 January 2023 at:

https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/

Tuesday, 24 January 2023

Patterns and trends in domain tasting of the top ten global brands - Part 2: Trends over time (18-month study)

by David Barnett, Jason Hayden and Elliott Champion

Introduction

In the first article of this series[1], we considered short-lived domains with names including the top ten global brand names (or variants), based on a one-month monitoring period. In this second article, we extend the study to consider trends over time, again using the domain monitoring component of CSC's 3D Domain Security and Enforcement[2] technology, based on an 18-month period from 01-May-2021 to 01-Nov-2022 - a time period that is long enough to capture any annual cycles (if present).

This new study considers only those domain names where the brand name appears at the start (so-called 'left-match' domains), as a way of focusing on the results with the highest relevance, and through the exclusion of fuzzy matches, reducing any false positives that may arise in cases where the brand name is relatively short or generic (e.g. 'visa').

In this follow-up, we also consider only those domains that are active for five days or less, with the aim of focusing specifically on 'true' domain tasting events (i.e. where the domain is dropped within the ICANN grace period), in addition to other short-lived domains, such as those that are rapidly taken down following the identification of infringing content. The previous article showed that a lifespan of five days or less actually accounts for the vast majority (1,469 out of 1,753 considered instances, or 84%) of short-lived domains. Furthermore, focusing only on these shortest-lived domains has the effect of localising each result within a short window, so trends over time can be seen more easily. Finally, this methodology allows us to neglect domains that are dropped according to normal registration and lapse processes (such as domains that expire at the end of a standard one-year registration period).
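The selection rule described above (left-match brand names, registration followed by a drop within five days) can be sketched as follows. This is an added example, not CSC's implementation: the event-feed layout, the brand subset, the function names and every sample domain are constructed for illustration.

```python
from collections import Counter
from datetime import date

MAX_LIFESPAN_DAYS = 5                    # "active for five days or less"
BRANDS = ("amazon", "apple", "google")   # illustrative subset of brand strings


def tasting_events(events, brands=BRANDS, max_days=MAX_LIFESPAN_DAYS):
    """Pair each registration ('N' or 'R') with the next drop ('D') of the same
    left-match domain and keep pairs with a lifespan of max_days or less."""
    open_registrations = {}
    found = []
    for day, kind, domain in sorted(events, key=lambda e: e[0]):
        name = domain.lower()
        brand = next((b for b in brands if name.startswith(b)), None)
        if brand is None:
            continue  # brand is absent or not at the start of the name
        if kind in ("N", "R"):
            open_registrations[name] = day
        elif kind == "D" and name in open_registrations:
            registered = open_registrations.pop(name)
            lifespan = (day - registered).days
            if lifespan <= max_days:
                found.append({
                    "domain": name,
                    "brand": brand,
                    "registered": registered,
                    "dropped": day,
                    "lifespan_days": lifespan,
                })
    return found


def summarise(found):
    """Counts by brand and by lifespan, plus the mean lifespan in days."""
    lifespans = [e["lifespan_days"] for e in found]
    return {
        "events": len(found),
        "by_brand": Counter(e["brand"] for e in found),
        "by_lifespan": Counter(lifespans),
        "mean_lifespan": sum(lifespans) / len(lifespans) if lifespans else 0.0,
    }


# Constructed sample feed (not data from the study): (date, event type, domain).
SAMPLE_EVENTS = [
    (date(2021, 5, 1), "N", "google-shop.example"),        # normal one-year lapse
    (date(2022, 5, 1), "D", "google-shop.example"),
    (date(2021, 6, 1), "N", "myamazon-deals.example"),     # not a left-match
    (date(2021, 6, 2), "D", "myamazon-deals.example"),
    (date(2021, 6, 5), "D", "apple-support.example"),      # drop with no observed registration
    (date(2021, 7, 20), "N", "amazon-jpab12cd.example"),
    (date(2021, 7, 20), "N", "amazon-jpzz99qq.example"),
    (date(2021, 7, 21), "D", "amazon-jpab12cd.example"),
    (date(2021, 7, 22), "D", "amazon-jpzz99qq.example"),
    (date(2021, 8, 1), "R", "amazon-jpab12cd.example"),    # same name tasted again
    (date(2021, 8, 4), "D", "amazon-jpab12cd.example"),
    (date(2021, 12, 14), "N", "apple-caseid0001.example"),
    (date(2021, 12, 19), "D", "apple-caseid0001.example"),
]

if __name__ == "__main__":
    events = tasting_events(SAMPLE_EVENTS)
    for e in events:
        print(e["domain"], e["registered"], e["dropped"], e["lifespan_days"])
    print(summarise(events))
```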

Findings

Overview

Across the top 10 global brands, 9,284 domain tasting events - where the domains were active for five days or less - were identified across the 18-month period. Figure 1 shows the total numbers of events for each brand.

Figure 1: Total numbers of domain tasting events (delay ≤ 5 days; 'left-match' domains only) in an 18-month period, by targeted brand

This analysis broadly shows the same pattern as the previous study, with the rankings of the brands also unchanged (apart from a swap in the positions of 'vuitton' and 'tencent', at the bottom of the list).

Figures 2 and 3 show the trends over time for the top five brands, by numbers of identified tasting events.

Figure 2: Daily total numbers of domain tasting events, by targeted brand

Figure 3: Monthly total numbers of domain tasting events, by targeted brand

Figures 4 and 5 show the total numbers of events, categorised by the delay between registration and drop for the domains in question. The statistics show that for most domain tasting events, the domains are active only for a very short time - with lifespans of one or two days accounting for 62% of all cases - a trend that is consistent across all brands. Across the whole domain tasting dataset, the average domain lifetime was 2.35 days. This figure is, unsurprisingly, somewhat smaller than in our previous study, where tasted domains that were active for longer periods were also included in the analysis.

Figure 4: Total numbers of domain tasting events in an 18-month period, by delay between registration and drop

Figure 5: Total numbers of domain tasting events in an 18-month period, by delay between registration and drop, and by targeted brand

Table 1 shows the top-level domains (TLDs) represented within the dataset. Again, the patterns are similar to those observed in the previous study, with the list dominated by a mixture of legacy gTLDs (generic TLDs) and new gTLDs.

  TLD        No. domains    % domains
  .com       4,642          50.00%
  .shop      968            10.43%
  .xyz       494            5.32%
  .online    432            4.65%
  .net       247            2.66%
  .store     229            2.47%
  .site      225            2.42%
  .co.uk     223            2.40%
  .buzz      209            2.25%
  .club      168            1.81%
  .org       149            1.60%
  .info      148            1.59%
  .live      129            1.39%
  .pro       120            1.29%
  .top       107            1.15%

Table 1: Top TLDs within the dataset of tasted domains

Also as seen previously, the dataset incorporates a number of domains with keywords of interest. Of particular concern are those that are frequently associated with phishing activity, with popular keywords including 'verif-' (for 'verify' or 'verification'), appearing in 182 domains, 'secur-' (for 'secure' or 'security'), appearing in 180 domains, and 'login', appearing in 99 domains.

Four stories from the dataset

1. Amazon Japan domains

Overall, the dataset shows a broad decrease in the monthly total numbers of domain tasting events for the ten brands over the 18-month period (Figure 3). However, this overall pattern is dominated by the activity seen for the Amazon brand, with these two trend lines tracking each other fairly closely.

Within the Amazon activity dataset, the dominant feature is what appears to be a single coordinated campaign of tasting events (1,091 over the 18 months) relating to domains containing the brand name 'amazon' together with 'japan' or 'jp' (Figure 6). The number of such events is sufficiently large that it comprises the main driver for the overall pattern of activity for the brand as a whole (as shown by the similarity between Figure 6 and the trend-line for Amazon in Figure 3 - particularly the large peaks in the early part of the dataset).

Figure 6: Monthly total numbers of tasting events for domains containing 'amazon' at the start, together with 'japan' or 'jp'

Within this dataset, numerous sub-groups of closely related domain names can be observed, including:

  • 562 domains with names of the form 'amazon-jpAAAAAA.shop', where 'AAAAAA' is a six-character string (75 domains between 06-May-2021 and 21-May-2021; 94 between 11-Jun-2021 and 18-Jun-2021; 393 between 20-Jul-2021 and 04-Aug-2021)
  • 84 domains with names of the form 'amazon-jpAAAA.pro' or 'amazon-AAAAjp.pro', where 'AAAA' is a 1-4 character string (between 21-May-2021 and 19-Jun-2021)

2. Probable phishing domains

Among the wider dataset, we also see other groups of related domains whose name structure or associated keywords suggest they are intended for use in phishing activity. Some examples include:

  • Several domains with names of the form 'google-site-verificationAAAAAAAA.com', where 'AAAAAAAA' is a long string of apparently random characters. These domains are likely to be spoofing the format of the configuration text used in Google's site verification process[3]. Actually, only three such domains were included in the 'formal' domain-tasting dataset, but we see larger numbers if we also include domains active for longer than five days. Across the 18-month period, 16 domains with names in the above format (including one on the .app TLD) were observed, active for between 1 and 395 days.
  • 16 domains with names of the form 'apple-idXXXX-secure.com' between 16-Jun-2022 and 28-Jun-2022, 66 'apple-supportidXXXX.com' between 10-Mar-2022 and 18-Mar-2022, 295 'apple-caseidXXXX.com' between 14-Dec-2021 and 18-Mar-2022, and 55 'apple-ticketidXXXX.com' between 07-Dec-2021 and 07-Dec-2021, where 'XXXX' is a four-digit string in each case.
  • Numerous Amazon domains with names containing keywords such as 'verify', 'billing', 'serv' and 'ticket', and ending with an apparently random alphanumeric string.

By definition, all domains determined as being associated with tasting events will be inactive at the point of identification; however, significant numbers of the above examples display browser warnings indicating that deceptive content was formerly present.

In general, active domain monitoring combined with timely analysis allows for the identification of active infringements (Figure 7), which is the basis of domain and brand monitoring. Accordingly, by combining analysis of tasted domains with ongoing domain monitoring, it is possible to identify similar examples while still live, and thereby confirm the nature of their use. This methodology is key to identifying trends in the name structures of malicious domains, which can help to drive brand protection and defensive domain registration initiatives.

Figure 7: Examples of potential fraudulent or malicious sites with names incorporating the Visa (top) and Amazon (bottom) brands, registered (respectively) four and one days prior to analysis

3. Google SEO domains

A spike of tasting activity for the Google brand was identified on 23-Feb-2022, comprising 51 domains with names beginning 'googleseo', across the UK extensions .uk, .co.uk, and .org.uk. This batch of domains may be associated with a search engine optimisation project, possibly with the intention of determining which domains attract high volumes of traffic. Such analysis has been noted as one of the 'classic' goals of domain tasting[4].

4. Facebook .top domains

The domain tasting dataset includes 18 domains of the format 'facebookcomXXXXXX.top', where 'XXXXXX' is a long numeric string, covering the period from October 2021 to June 2022 (plus an additional 16 such domains that were active for longer periods, of between 7 and 22 days). Additionally, the start of what may be a new pattern was also observed on 31-Aug-2022, with the drop of a tasted domain of the form 'facebookdomainverificationYYYY.top', where 'YYYY' is an alphanumeric string. The nature of the intended use of these domains is unclear, but .top is one of the domain extensions previously identified as being most frequently associated with malicious activity (at position 18 in our overall list[5]).

Discussion

This deeper-dive analysis has shown that domain tasting continues to be a popular tactic for registrants and is used for much wider purposes than simply cybersquatting and monetising domain names (e.g. using pay-per-click links), and determination of levels of web traffic.

Of particular concern are those domains actively used for fraudulent purposes, and the analysis shows that at least a significant proportion of tasted domains are likely to be used for phishing and other brand infringements.

It is also clear, through the identification of coordinated groups of similar domain names, that certain types of domain use are closely associated with domain tasting specifically, rather than more traditional cycles of domain registration and lapse, making study of domain tasting a key component of a wider brand protection initiative in its own right.

CSC's Domain Security and Enforcement technology incorporates functionality to make this type of analysis possible, through the identification of a range of domain registration activity events (registrations, re-registrations and drops), and the ability to monitor a range of different brand variants and association with relevant keywords.

References

[1] https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

[2] https://www.cscdbs.com/en/brand-protection/brand-monitoring-services/domain-name-monitoring/

[3] https://developers.google.com/site-verification/v1/getting_started

[4] https://www.techopedia.com/definition/15657/domain-tasting

[5] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

This article was first published on 24 January 2023 at:

https://www.cscdbs.com/blog/trends-over-time-in-domain-tasting-of-the-top-10-brands/

Re-published on 1 February 2023 at:

https://www.linkedin.com/pulse/patterns-trends-domain-tasting-top-ten-global-brands-david-barnett/

Wednesday, 18 January 2023

Patterns and trends in domain tasting of the top ten global brands - Part 1: One-month study

by David Barnett, Jason Hayden and Elliott Champion

Introduction

Domain tasting is a long-established practice involving the short-lived existence of a domain, which is allowed to lapse a few days after its initial registration. The practice arose in response to an ICANN (Internet Corporation for Assigned Names and Numbers) policy allowing a domain to be cancelled - with all fees refunded - within a five-day grace period, intended to address the issue of accidental registrations[1]. However, the practice is open to abuse by infringers.

Historically, domain tasting was frequently used for determining the amount of web traffic received[2]. Large numbers of domains could be speculatively registered and monetised through the placement of pay-per-click (PPC) links. The domains could also be used for sending spam e-mails, for example. At the end of the grace period, those receiving significant amounts of web traffic could be retained for further use, or sold at a profit, with the others being allowed to drop.

However, numerous previous studies have also established that many domains used for phishing are also only active for a short period of time - potentially as part of a means of evading detection and takedown[3] - whether being dropped inside the formal five-day grace period or after it.

In this study, we consider short-lived domains with names targeting any of the top ten most valuable brands in 2022[4,5], and look at patterns and trends in these registrations. This analysis follows on from CSC's general observation that the threats posed by branded domain names are of central importance in cybersecurity initiatives[6].

Methodology and findings

CSC used the domain monitoring component of its 3D Domain Security and Enforcement technology to consider registration activity events (new registrations ('N'), re-registrations ('R') or domain drops (lapses) ('D')) for domains with names containing any of the top ten global brand names - including variants such as fuzzy matches and homoglyph matches - over a one-month period across September and October 2022.

In this study, we define a domain tasting event as an instance of a specific domain name being both registered ('N' or 'R') and then subsequently dropped ('D') within that one-month period. It is important to note that this will include both true tasting events (where the domain is allowed to lapse within the five-day ICANN grace period) and other instances of short-lived domains. These might include examples where a domain is dropped by its owner - potentially outside the grace period - after a period of use (say, for launching a phishing attack) or taken down by a brand owner or service provider following identification of an infringement.

Across the ten brands, 1,753 domain tasting events were identified within the one-month period, with the breakdown by brand shown in Figure 1. Within the dataset, six individual domain names were tasted twice within the monitoring period.

Figure 1: Total numbers of domain tasting events in a one-month period, by targeted brand

Figure 2 shows the daily total numbers of observed tasting events for each brand.

Figure 2: Daily total numbers of domain tasting events, by targeted brand

Figure 3 shows the total numbers of domain tasting events, categorised by the delay between registration and drop. The vast majority of the tasted domains (1,469 out of the 1,753, or 83.8%) were live for five days or less, consistent with the ICANN grace period, although several were active for somewhat longer, with the longest observed delay between registration and drop in the dataset being 28 days (for one example). Across all observed tasting events, the average (mean) delay was 3.70 days.

Figure 3: Total numbers of domain tasting events in a one-month period, by delay between registration and drop
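The pairing rule defined above can be expressed directly over a feed of 'N' / 'R' / 'D' events. The following is an added example, not CSC's implementation: the feed, the hypothetical brand 'examplebrand' and the function names are constructed for illustration, and the five-day threshold is the grace-period figure quoted in the article.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

GRACE_DAYS = 5  # "live for five days or less" threshold used in the article

# Constructed monitoring feed (not real data): (event date, domain, event type).
# 'N' = new registration, 'R' = re-registration, 'D' = drop (lapse).
EVENTS = [
    (date(2022, 9, 12), "examplebrand-login.com", "N"),
    (date(2022, 9, 15), "examplebrand-login.com", "D"),
    (date(2022, 9, 20), "examplebrand-login.com", "R"),
    (date(2022, 9, 24), "examplebrand-login.com", "D"),       # same name tasted twice
    (date(2022, 9, 14), "examplebrand-support.online", "N"),
    (date(2022, 10, 12), "examplebrand-support.online", "D"),  # short-lived, outside grace
    (date(2022, 9, 30), "examplebrand-shop.store", "N"),      # still registered: no event
    (date(2022, 9, 13), "my-examplebrand.info", "D"),         # lapse of an older domain
    (date(2022, 10, 2), "my-examplebrand.info", "R"),
    (date(2022, 10, 8), "my-examplebrand.info", "D"),
    (date(2022, 9, 18), "examplebrand-verify.top", "N"),
    (date(2022, 9, 19), "examplebrand-verify.top", "D"),
]


def find_tasting_events(events):
    """Pair each registration ('N' or 'R') with the next drop ('D') of the same domain."""
    history = defaultdict(list)
    for when, domain, kind in events:
        history[domain.lower()].append((when, kind))

    tastings = []
    for domain, items in history.items():
        items.sort(key=lambda item: item[0])  # stable: same-day events keep feed order
        registered = None
        for when, kind in items:
            if kind in ("N", "R"):
                registered = (when, kind)  # a later registration supersedes an unmatched one
            elif kind == "D" and registered is not None:
                delay = (when - registered[0]).days
                tastings.append({
                    "domain": domain,
                    "kind": registered[1],
                    "registered": registered[0],
                    "dropped": when,
                    "delay_days": delay,
                    "within_grace": delay <= GRACE_DAYS,
                })
                registered = None
            # A 'D' with no registration inside the window is not a tasting event.
    return sorted(tastings, key=lambda t: (t["registered"], t["domain"]))


def summarise(tastings):
    """Aggregate the figures reported in the study: totals, grace-period share, mean delay."""
    delays = [t["delay_days"] for t in tastings]
    per_domain = Counter(t["domain"] for t in tastings)
    in_grace = sum(t["within_grace"] for t in tastings)
    return {
        "events": len(tastings),
        "within_grace": in_grace,
        "within_grace_pct": round(100 * in_grace / len(tastings), 1) if tastings else 0.0,
        "mean_delay_days": round(mean(delays), 2) if delays else 0.0,
        "delay_histogram": dict(sorted(Counter(delays).items())),
        "tasted_more_than_once": sorted(d for d, n in per_domain.items() if n > 1),
    }


if __name__ == "__main__":
    found = find_tasting_events(EVENTS)
    for t in found:
        print(t["domain"], t["kind"], t["registered"], "->", t["dropped"],
              f"{t['delay_days']} days")
    print(summarise(found))
```

Events with a delay above the threshold are kept rather than discarded, since the study's definition deliberately includes short-lived domains dropped or taken down outside the grace period.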

Table 1 shows the top-level domains (TLDs) or top domain extensions represented in the dataset. The most popular extension was .com by a significant margin, though a number of new generic TLDs (gTLDs) were also popular. These extensions have been previously noted as being popular with infringers[7,8,9].

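| TLD      | No. domains | % domains |
|----------|-------------|-----------|
| .com     | 1,301       | 74.22%    |
| .online  | 61          | 3.48%     |
| .info    | 40          | 2.28%     |
| .shop    | 38          | 2.17%     |
| .org     | 36          | 2.05%     |
| .xyz     | 23          | 1.31%     |
| .co.uk   | 22          | 1.25%     |
| .top     | 21          | 1.20%     |
| .site    | 21          | 1.20%     |
| .store   | 18          | 1.03%     |
| .net     | 16          | 0.91%     |
| .link    | 15          | 0.86%     |
| .vip     | 15          | 0.86%     |
| .support | 12          | 0.68%     |
| .website | 11          | 0.63%     |
| .live    | 11          | 0.63%     |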

Table 1: Top TLDs within the dataset of tasted domains

It is also informative to consider the frequently-occurring keywords present in the tasted domains alongside the targeted brand names. Figure 4 shows a selection of the most popular keywords, and indicates that many of these are either: (i) keywords frequently associated with phishing-related content (e.g. 'verif-', 'account', 'login' or 'secur-'); or (ii) generic popular keywords that might be expected to attract significant volumes of search-based web traffic (such as 'support', 'online', 'service', 'help', 'apps', 'shop' and 'store').

Figure 4: Frequency of occurrence of popular keywords within the dataset of tasted domains, by targeted brand

From this analysis, a variety of specific patterns can be identified. For example, keywords such as 'service' and 'help' appear commonly in tasted domains in conjunction with the brands Apple, Amazon and Visa, while phishing-related keywords are frequently associated with Apple, Amazon, Microsoft, and Facebook. Other observed trends were less predictable, such as the large numbers of Amazon-related 'apps' domains. The majority of these are domains of the form apps-amazon-XXXYYY.com or apps-XXX-amazonYYY.com, where XXX is an additional keyword (such as 'billing', 'payment', 'service' or 'support') and YYY is a string of digits. Domains with consistent name structures of this type can be used for a variety of purposes - either infringing or legitimate - including phishing activity, as part of the build process for new websites, or for security or penetration-testing audits.
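Consistent name structures of the kind described above can be surfaced by reducing each tasted domain to a template and grouping on it. This is an added example rather than part of the original study: the brand 'examplebrand' and the sample names are constructed, the keyword list is the set of 'XXX' values quoted in the paragraph, and the two-label suffix set is a stand-in for a full Public Suffix List lookup.

```python
import re
from collections import defaultdict

BRANDS = ["examplebrand"]                                # hypothetical monitored brand term
KEYWORDS = ["billing", "payment", "service", "support"]  # 'XXX' keywords named in the article
TWO_LABEL_SUFFIXES = {"co.uk"}                           # assumption: stand-in for the PSL

# One alternation with named groups, so each match reports which kind of token it was.
_TOKEN = re.compile(
    "(?P<brand>" + "|".join(map(re.escape, BRANDS)) + ")"
    + "|(?P<kw>" + "|".join(map(re.escape, sorted(KEYWORDS, key=len, reverse=True))) + ")"
    + r"|(?P<digits>\d+)"
)

# Constructed sample of tasted domain names (not real observations).
SAMPLE = [
    "apps-examplebrand-billing10234.com",
    "apps-examplebrand-payment5521.com",
    "apps-examplebrand-support77.com",
    "Apps-ExampleBrand-Billing10234.com",   # case variant of the first entry
    "apps-service-examplebrand301.com",
    "apps-billing-examplebrand9.com",
    "examplebrandcom4471920335.top",
    "examplebrandcom9920014478.top",
    "examplebrandcom1203345566.top",
    "examplebrand-login.co.uk",
    "my-examplebrand-store.shop",
]


def split_domain(domain):
    """Return (name, suffix), treating listed two-label suffixes as one extension."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    return ".".join(labels[:-1]), labels[-1]


def template_of(domain):
    """Replace brand terms, known keywords and digit runs with placeholders."""
    name, suffix = split_domain(domain)
    shape = _TOKEN.sub(lambda m: "{" + m.lastgroup + "}", name)
    return f"{shape}.{suffix}"


def coordinated_groups(domains, min_size=3):
    """Group domains by template; keep templates shared by at least min_size names."""
    members = defaultdict(set)
    keywords = defaultdict(set)
    for domain in domains:
        key = template_of(domain)
        members[key].add(domain.lower())
        name, _ = split_domain(domain)
        keywords[key].update(m.group() for m in _TOKEN.finditer(name)
                             if m.lastgroup == "kw")
    groups = [
        {"template": key, "size": len(names), "keywords": sorted(keywords[key]),
         "members": sorted(names)}
        for key, names in members.items() if len(names) >= min_size
    ]
    return sorted(groups, key=lambda g: (-g["size"], g["template"]))


if __name__ == "__main__":
    for group in coordinated_groups(SAMPLE):
        print(group["size"], group["template"], group["keywords"])
```

Only digit runs are collapsed here, so a suffix made of mixed letters and digits would need an additional token class before it grouped in the same way.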

Discussion

One aspect of domain tasting which may be particularly attractive to fraudsters is the ability to register large numbers of similar domain names, at low (or no) cost. This strategy provides the potential to effectively 'hide' the much smaller subset of domain names that may be intended to be 'weaponised' for (say) phishing activity. Additionally, the observation of the drop activity for those domain names that are not used can also provide a false sense of security to the brand owner. Furthermore, other attack types such as spam and malware distribution, and the construction of botnets for attacking infrastructure, can also benefit from bulk registration of domains[10].

Overall, these observations highlight the importance of brand owners proactively monitoring domain registration activity by third parties. CSC's 3D Domain Security and Enforcement technology provides an effective overview of such activity, including the ability to look at brand variations, generate data on the time interval between domain registrations, drops, and re-registrations (thereby giving insight into tasting events), and provide details on the associated keywords used in the domain registrations. This information can yield valuable guidance on the highest-risk domain-name structures, keywords and TLDs, which can help drive an informed policy on defensive registrations. A defensive strategy will, however, only take a brand owner so far, because of the infinite permutations of brand terms and keywords that can be used by bad actors[11]. It is for this reason that a defensive domain registration programme should always be accompanied by a domain and brand monitoring programme to track ongoing activity by third parties 'outside the firewall'.

References

[1] https://en.wikipedia.org/wiki/Domain_tasting

[2] https://www.techopedia.com/definition/15657/domain-tasting

[3] https://www.worldtrademarkreview.com/article/energy-crisis-related-scams-highlight-how-bad-actors-seek-capitalise-global-events 

[4] https://en.wikipedia.org/wiki/List_of_most_valuable_brands

[5] https://www.kantar.com/inspiration/brands/what-are-the-most-valuable-global-brands-in-2022; the brand terms used in our analysis are: apple; google; amazon; microsoft; tencent; mcdonalds; visa; facebook; alibaba; vuitton.

[6] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[7] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[8] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[9] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[10] https://interisle.net/sub/CriminalDomainAbuse.pdf

[11] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

This article was first published on 18 January 2023 at:

https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

Also published at:

https://circleid.com/posts/20230215-patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands

Tuesday, 17 January 2023

Holistic brand, fraud and cyber protection using domain threat intelligence

Synopsis of a presentation for the CSC Cybersecurity and Brand Forums (Copenhagen and London) 2022

Introduction

As of July 2022, the global number of Internet users was estimated at 5.03 billion (over 63% of the total population)[1], each spending an average of nearly 7 hours per day online. The Internet is accessible through a range of devices (including mobile phones, which now account for 56% of Internet usage). There are also 4.7 billion users of social media, with the list of most popular platforms topped by Facebook, YouTube and WhatsApp[2]. Overall, the Internet generates an economy of around 15%[3] of global GDP - equivalent to around $15 trillion[4], and a figure which is growing two-and-a-half times faster than GDP itself.

This ubiquitous engagement with the online world means that the Internet is not only used by brand owners and their customers in the execution of their business, but also by infringers looking to abuse trusted brands to their own advantage. The Internet makes it very easy for criminals to gain an online presence, with the ability to create low-cost content in a context where relative anonymity is easily achievable.

Moreover, consumers are increasingly of the opinion that it is the responsibility of brand owners to protect them from - and compensate them for - online harms[5], viewing with distrust those companies which are repeatedly subject to infringement and abuse[6]. These factors further strengthen the importance of organisations proactively protecting their brands online.

A number of key areas of threat are particularly relevant, as outlined below.

  • Cybersecurity - 9.7 million distributed denial-of-service (DDoS) attacks were reported in 2021, a year-on-year drop of 3%, but a 14% increase over 2019[7], and with H1 2021 seeing a doubling of cases using multiple attack vectors. There was also a 30% year-on-year increase in the size of the largest DDoS attacks, with the largest attacks (to the end of 2021) reaching sizes of 2.4 Tbps and 2.3 Tbps (1 Tbps = 1 Terabit (10^12 bits) per second) (against Microsoft and Amazon, respectively). A trend towards larger numbers of smaller, short attacks was also observed, with Neustar reporting a 76% increase in the number of attacks mitigated between Q1 2020 and Q1 2021[8]. The emergence of ‘ransom DDoS’ – where payment is demanded, usually after an initial ‘demonstration’ attack, in return for not launching a full DDoS – has also been observed[9,10]. 88% of organisations were reported as having suffered at least one DNS attack (mostly DNS phishing, DNS-based malware or DDoS) in 2021, with each attack costing the enterprise an average of $942,000[11]. Other types of attack, including DNS tunnelling and cache poisoning, were also noted in over one-third of cases. 61% of companies experienced multiple attacks within the previous 12 months, with 14% experiencing multiple hours of downtime[12].

Furthermore, 28% of security incidents were attributed to the use of malware in 2021[13], with ransomware showing a 69% growth in volume between Q3 and Q4 2020[14]. 48% of businesses were subject to ransomware attacks in 2021, with an average period of downtime for those affected of 23 days. Overall, phishing is increasingly recognised as the most common attack vector for malware distribution[15].

Finally, a 2021 study showed that 39 million pieces of information had been compromised from FTSE 100 companies, via more than 9,000 separate data breaches resulting from the use of re-used log-in details, weak passwords and data collected using keyloggers[16].

  • Phishing - Figures from the Anti-Phishing Working Group show that more than 1 million distinct phishing attacks have been recorded in each of Q1 and Q2 2022, with both quarters experiencing the highest totals ever recorded, and over 600 distinct brands targeted each month[17,18]. Overall, two-thirds of phishing campaigns are still geared towards credential theft[19]. Even more concerningly, 82% of phishing sites employ SSL / TLS certificates (allowing use of HTTPS), up from 5% at the end of 2016, and with 90% of certificates issued by free providers such as cPanel and Let’s Encrypt. 69% of phishing sites are registered through just the top ten registrars[20], and 57% of phishing domains are utilised within 14 days of registration (with more than half of these going active within 48 hours). For a large organisation, annual losses due to phishing activity are estimated at $15 million[21].

Additionally, 71% of companies experienced a BEC (business e-mail compromise) attack utilising a spoofed e-mail account or website in 2021[22], with the total loss to businesses (for 2020) estimated at $1.8 billion[23]. The average amount requested in wire-transfer attacks was $109,000 in Q2 2022, up from $91,000 the previous quarter. 

  • Brand threats - Other types of brand-related infringements also continue to pose significant threats. Some of the main areas include: counterfeiting and e-commerce infringements – with a global trade in counterfeit goods valued at $464 billion in 2019 (2.5% of the total global economy)[24], as part of an overall annual spend on e-commerce of $4 trillion[25]; and digital piracy – with more than 130 billion visits to piracy websites recorded in 2020 and one-quarter of Internet bandwidth used for the unauthorised sharing of copyrighted content[26].

However, other types of brand-related content can also be of concern. Instances of traffic misdirection, false affiliation, potential brand confusion, activism, and so on can also have significant impacts on corporate revenue, customer experience, and brand value, reputation and trust.

Damaging brand-related content can take a variety of forms, and can be thought of as existing within a spectrum of severity classifications, from lower-threat 'brand abuse' (covering instances where the brand is being used in a way which is perhaps inconsistent with corporate guidelines, or incorporating negative comment or corporate disparagement, but where enforcement action may be neither necessary nor appropriate), through 'brand infringement' (where the content constitutes a contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal in intent, such as phishing or the sale of counterfeit goods) (Figure 1).

| Threat type | Typical risks |
|---|---|
| Phishing | Compromise of customer details; financial losses; reputational damage |
| Other fraud issues (sites associated with advance-fee fraud, 'carder' sites, etc.) | (as above) |
| Duplicated site content | Fraudulent activity; unauthorised use of branded content; visibility of 'test' sites not intended to be in the public domain |
| Site framing | Potential for framed site to be non-legitimate; imposition of third-party content around framed site |
| Employee activity / postings | Leakage of sensitive information; risk of social engineering; undesirable brand association |
| Traffic diversion / brand 'seeding' | Loss of revenue; undesirable brand association; distribution of malicious content |
| Activism / negative comment | Brand / reputational damage; 'real-world' threats |
| Misuse of unofficial logo | False claims of affiliation; unauthorised use of IP; logos made available for potential creation of fake sites |
| Potential brand confusion | Customer confusion; loss of revenue |
| Claimed affiliation | Brand damage; loss of revenue; breaches of brand-usage standards |

Figure 1: Examples of typical threat types identified through a brand monitoring service (for general Internet content), and the associated risks. (Increasing potential threat level from bottom to top.)

Connectedness of brand, fraud and cybersecurity issues

The areas of brand, fraud and cybersecurity issues are all linked, and this connectedness can manifest itself in a number of different ways. 

Firstly, there is very often a correlation between real-world events and a resulting spike in associated cybersecurity issues and brand infringements. This has been highlighted in a variety of previous CSC studies, including the observations that specific events during the COVID pandemic were followed by peaks in COVID-related domain registration activity[27], and that supply-chain issues such as those seen with the baby-formula shortage of 2021-2[28] resulted in the appearance of infringing websites utilising industry-related keywords[29]. In both of these cases, real-world issues presented an opportunity to the fraudsters to take advantage of, and monetise, the difficulties being experienced by consumers. 

More generally, the intrinsically connected nature of domain names and DNS, and the increasing use by many organisations of extensive networks of suppliers, vendors and customers, provides opportunities to bad actors to launch cyber-attacks targeting the weakest point in the supply chain[30].

Finally, it is increasingly recognised that the choice by corporations of an appropriate domain registrar with whom to partner for their domain management - and the associated adoption of appropriate domain security policies - comprises a significant input into their overall security posture. Specifically, a study by SecurityScorecard shows that the use of an enterprise-class registrar results in a security rating increase of between 0.5 and 1 grade[31]. These factors also have significant other consequences, such as impacts on the levels of access to - and cost of - cyberinsurance[32].

The above points highlight the importance of a holistic security programme, consisting of elements of both domain security (as part of a domain-management service) and brand protection (incorporating both monitoring and enforcement). This is illustrated by Figure 2, showing a schematic of how a robust security posture incorporates these multiple elements:

  • Domain management is concerned with domains under official ownership (the 'core' domains used in the day-to-day execution of business, such as providing hosting for websites and e-mails; and 'tactical' or defensive registrations, held in order to prevent third-party use and registered for potential future use regarding planned brand or product launches or geographical expansion)

  • Brand protection addresses third-party activity external to this corporate technical infrastructure ('outside the firewall') - part of the reason this is necessary is because it is neither sustainable nor cost-effective to register domains containing every possible permutation of brand variants and keywords[33]. However, a truly effective brand-protection programme needs to consist of holistic monitoring covering a range of content types (such as general Internet content, domain names, social media, e-commerce marketplaces, mobile apps, etc.), as there is increasing inter-connection between these areas, which essentially just comprise different channels in which the same types of infringement can appear.

Figure 2: Schematic of how a robust security posture is composed of elements of domain management and brand protection

In these areas, branded domain names sit in a position of central importance (when considering both official corporate and third-party content). A domain name incorporating a brand name will generally have high visibility (in terms of its search-engine ranking in response to brand-specific search terms), will constitute a more explicit use (or abuse) of IP rights - and thereby yield greater enforcement options - and will provide the greatest potential for customer confusion or fraudulent use (e.g. in the construction of a convincing phishing site[34]). Threat analysis and threat remediation for domains is therefore a key element of all cybersecurity initiatives.

Remediation

A range of security products and services can be deployed to address the threats described above. From a domain security point of view, a range of products offered by enterprise-class registrars can help to mediate the risks of an attack (Figure 3).

| Domain security measure | Purpose |
|---|---|
| DNS hosting redundancy | Mediates against downtime and DDoS attacks |
| DNSSEC (Domain Name System Security Extensions) | Prevents hackers from taking control of an Internet browsing session with the goal of re-directing users to deceptive websites |
| SPF (Sender Policy Framework) | E-mail authentication standards which mitigate spam, spoofing, and phishing |
| DMARC (Domain-based Message Authentication, Reporting and Conformance) | E-mail authentication standards which mitigate spam, spoofing, and phishing |
| DKIM (Domain Keys Identified Mail) | E-mail authentication standards which mitigate spam, spoofing, and phishing |
| MultiLock | Combines registry- and registrar-level locks and a whois lock to prevent unauthorised changes of DNS records and domain hijacking |
| CAA (Certification Authority Authorisation) records | Ensures that only authorised certification authorities can issue a certificate |
| Use of an enterprise-class registrar | Specialises in working with enterprises that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance and cybersecurity |

Figure 3: Domain security measures used to mediate attacks

Considering the brand protection component of a security programme, most services will consist of an iterative four-part process, incorporating detection (monitoring), prioritisation of results, investigation and countermeasures, and action and reporting. Of these, enforcement (part of the 'action' stage) – i.e. the removal of infringing content – is of key importance, for a number of reasons:

  • It protects brand, revenue, reputation, and customers from the harmful effects of infringements
  • It provides a deterrent effect to infringers - essentially, making the brand a 'harder' target
  • Enforcement is often a pre-requisite for keeping IP protection in place, or may be a regulatory requirement
  • Having a 'toolkit' of enforcement approaches of varying complexity and cost allows the most efficient and cost-effective approach to be taken in any given case, while reserving options for escalation[35].

The technology offered by enterprise-class brand protection service providers may incorporate clustering technology, allowing insights into links between infringements to be established. This has a number of benefits:

  • It enables identification of key or serial infringers, allowing prioritised enforcement action
  • It reveals instances of bad-faith activity (e.g. cases where multiple brands are targeted by the same infringer), yielding a more compelling case for enforcement
  • It can identify instances of linked infringements, raising the possibility for efficient bulk takedowns (e.g. where multiple sites are registered through the same registrar and can be enforced in a single action)

As part of this security initiative, determining the level of threat associated with a particular domain allows the brand owner to take focused action where most required.

Quantifying threat

A key feature of an effective domain-management programme is the ability to determine which portfolio domains are 'critical' and require the highest level of security protection. More generally, the extent of adoption by corporations of relevant security measures (as listed in Figure 3) for their official domains can provide a good general metric for their security risk exposure. 
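As an added illustration (not CSC's scoring method), the adoption of the DNS-visible measures from Figure 3 can be audited from a domain's published records. The record snapshots, domain names, the three status labels and the name-server 'provider' heuristic below are all assumptions made for this example; DKIM and registry locks are left out because they cannot be read from these records alone.

```python
# Constructed DNS snapshots for two hypothetical portfolio domains (not real lookups).
ZONES = {
    "corp.example": {
        "TXT": {
            "corp.example": ["v=spf1 include:_spf.mail.example -all"],
            "_dmarc.corp.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"],
        },
        "CAA": [(0, "issue", "ca.example")],
        "DS": ["<DS record placeholder>"],
        "NS": ["ns1.dns-a.example", "ns2.dns-b.example"],
    },
    "legacy.example": {
        "TXT": {
            "legacy.example": ["site-verification=constructed", "v=spf1 a mx ~all"],
            "_dmarc.legacy.example": ["v=DMARC1; p=none"],
        },
        "CAA": [],
        "DS": [],
        "NS": ["ns1.dns-a.example", "ns2.dns-a.example"],
    },
}


def check_spf(apex_txt):
    records = [t for t in apex_txt if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return ("missing", "no v=spf1 record")
    if len(records) > 1:
        return ("partial", "multiple SPF records cause a permanent error")
    for term in records[0].split()[1:]:
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism.lower() == "all":
            if qualifier == "-":
                return ("enforced", "-all")
            return ("partial", f"{qualifier}all does not fail unauthorised senders")
    return ("partial", "no 'all' mechanism")


def check_dmarc(dmarc_txt):
    records = [t for t in dmarc_txt if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return ("missing", "no single v=DMARC1 record at _dmarc")
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return ("enforced", f"p={policy}")
    return ("partial", f"p={policy or 'absent'} is monitoring only")


def check_caa(caa):
    issuers = sorted(value for _flags, tag, value in caa if tag in ("issue", "issuewild"))
    return ("enforced", ", ".join(issuers)) if issuers else ("missing", "any CA may issue")


def check_dnssec(ds):
    return ("enforced", "DS present at parent") if ds else ("missing", "unsigned delegation")


def check_ns(ns):
    # Heuristic (assumption): the last two labels of each name server identify its provider.
    providers = {".".join(host.rstrip(".").lower().split(".")[-2:]) for host in ns}
    if len(providers) >= 2:
        return ("enforced", f"{len(providers)} providers")
    if len(ns) >= 2:
        return ("partial", "several name servers, one provider")
    return ("missing", "single name server")


def audit(domain, zone):
    """Return {measure: (status, detail)} for the measures visible in DNS."""
    txt = zone.get("TXT", {})
    return {
        "DNS hosting redundancy": check_ns(zone.get("NS", [])),
        "DNSSEC": check_dnssec(zone.get("DS", [])),
        "SPF": check_spf(txt.get(domain, [])),
        "DMARC": check_dmarc(txt.get("_dmarc." + domain, [])),
        "CAA": check_caa(zone.get("CAA", [])),
    }


def adoption(report):
    """Number of measures fully enforced, as a simple adoption metric."""
    return sum(1 for status, _detail in report.values() if status == "enforced")


if __name__ == "__main__":
    for name, zone in ZONES.items():
        result = audit(name, zone)
        print(name, f"{adoption(result)}/{len(result)}")
        for measure, (status, detail) in result.items():
            print(f"  {measure:24} {status:9} {detail}")
```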

For brand protection, quantifying the level of potential threat posed by third-party content (e.g. a new domain registration) is (even) more complex. Numerous elements, such as the presence of a brand name (or variations) or keywords in the domain name, features relating to the content and technical configuration of any associated website, and registrant and registrar characteristics, can all be relevant. However, the ability to quantify threat is important for a number of reasons:

  • It provides a methodology to prioritise identified results, allowing determination of:
    • Which results should be considered primary targets for further analysis
    • Which results should be tracked in order to identify changes in content or configuration
    • Which results should be considered priority targets for enforcement
  • It provides insights into brand and keyword patterns and TLDs (domain extensions) which should be considered for defensive domain registrations

A number of previous studies have looked at features which may be relevant for determining the overall level of threat posed by a domain. Two examples include:

  • A study looking at the TLDs which are most frequently associated with malicious domains (phishing, spam or malware)[36]. The analysis shows that the highest-threat TLDs tend to be those associated with the Africa, Asia, or Caribbean regions, and new-gTLDs. The TLDs most popular with infringers tend to be those which:
    • Offer free or low-cost registration, or have lax registration security policies
    • Are associated with regions with poorly defined or low reliability enforcement routes
    • Are associated with low-wealth countries, where ISPs may lack technical expertise, leaving the domains more prone to compromise
  • A study looking at domains with names similar to any of the top ten most valuable company brands, focusing on 'cousin domains', fuzzy matches (typos), and homoglyph character replacements, and considering the types of content present on these 'typo' domain names[37]. The analysis is based on the assumption that a confusingly similar domain name is likely to have been registered for fraudulent use, and that the degree of similarity to the official corporate domain name may therefore be a key factor in determining the level of threat. The study identified almost 8,500 unique domain names over the course of one year, almost all of which were registered to third parties, and found that a range of types of infringing content were indeed present on the associated websites. Furthermore, around one-third of the active domains at the time of analysis were configured with active MX records, indicating that they may be being utilised for their e-mail functionality (e.g. in phishing or BEC attacks).

Key take-aways and discussion

The Internet landscape offers multiple opportunities for bad actors to launch cyber- and brand attacks, which can take a number of different forms. These can include direct attacks against domain or corporate infrastructure (such as DDoS, DNS attacks, and domain hijacking), other types of attacks (such as phishing, BEC, and malware attacks) and other brand infringements (including familiar areas such as counterfeiting and piracy). 

Brand, fraud and cybersecurity issues are fundamentally interconnected, providing a push towards the introduction of digital governance teams within organisations, composed of representatives from marketing, IP / legal, security and domain operations, working together to mediate the threats. 

Fundamentally, domain names are central to cybersecurity considerations, with an effective security programme requiring a combination of domain security measures and brand protection (composed of monitoring and enforcement). The ability to quantify threat is central to this endeavour, ensuring that mediating action can be applied where it is most needed. Unfortunately, however, many of the top global companies have significant shortcomings in their security postures, with CSC's Domain Security Reports 2021 and 2022 showing that many of the Global Forbes 2000 exhibit only limited adoption of significant domain security measures[38,39].

References

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/ 

[2] https://datareportal.com/reports/digital-2021-global-overview-report

[3] https://www.worldbank.org/en/topic/digitaldevelopment/overview 

[4] https://data.worldbank.org/indicator/NY.GDP.MKTP.CD

[5] https://www.globalsecuritymag.com/British-consumers-expect-brands-to,20211004,116709.html

[6] https://www.mimecast.com/blog/brand-impersonation-one-cyberattack-is-enough-to-lose-consumer-trust-and-custom/

[7] https://www.netscout.com/threatreport

[8] "Cyber Threats and Trends", Neustar (direct communication to CSC)

[9] https://www.home.neustar/blog/wave-of-ddos-ransom-attacks-target-voip-services

[10] https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip

[11] https://www.efficientip.com/wp-content/uploads/2022/05/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

[12] https://www.helpnetsecurity.com/2021/10/26/organizations-dns-attacks/

[13] https://www.raconteur.net/report/fighting-fraud-2021/

[14] https://www.mcafee.com/enterprise/en-us/lp/threats-reports/apr-2021.html

[15] https://www.cisa.gov/stopransomware/general-information

[16] https://spycloud.com/resource/2021-ftse-100-breach-exposure/

[17] https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf

[18] https://docs.apwg.org/reports/apwg_trends_report_q2_2022.pdf

[19] https://cofense.com/annualreport

[20] https://interisle.net/PhishingLandscape2021.pdf

[21] https://www.proofpoint.com/uk/resources/analyst-reports/ponemon-cost-of-phishing-study

[22] https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

[23] https://securityboulevard.com/2021/03/64-times-worse-than-ransomware-fbi-statistics-underline-the-horrific-cost-of-business-email-compromise/

[24] https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/reports/2021_EUIPO_OECD_Report_Fakes/2021_EUIPO_OECD_Trate_Fakes_Study_FullR_en.pdf

[25] https://business.adobe.com/resources/digital-economy-index.html

[26] https://www.go-gulf.com/online-piracy/

[27] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[28] https://www.cnbc.com/2022/08/02/what-you-need-to-know-about-the-us-baby-formula-shortage.html

[29] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[30] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

[31] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[32] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[33] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[34] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[35] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[36] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[37] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[38] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[39] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 17 January 2023 at:

https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/
