Tuesday, 17 January 2023

Holistic brand, fraud and cyber protection using domain threat intelligence

Synopsis of a presentation for the CSC Cybersecurity and Brand Forums (Copenhagen and London) 2022

Introduction

As of July 2022, the global number of Internet users was estimated at 5.03 billion (over 63% of the total population)[1], each spending an average of nearly 7 hours per day online. The Internet is accessible through a range of devices (including mobile phones, which now account for 56% of Internet usage). There are also 4.7 billion users of social media, with the list of most popular platforms topped by Facebook, YouTube and WhatsApp[2]. Overall, the Internet generates an economy of around 15%[3] of global GDP - equivalent to around $15 trillion[4], and a figure which is growing two-and-a-half times faster than GDP itself.

This ubiquitous engagement with the online world means that the Internet is not only used by brand owners and their customers in the execution of their business, but also by infringers looking to abuse trusted brands to their own advantage. The Internet makes it very easy for criminals to gain an online presence, with the ability to create low-cost content in a context where relative anonymity is easily achievable.

Moreover, consumers are increasingly of the opinion that it is the responsibility of brand owners to protect them from - and compensate them for - online harms[5], viewing with distrust those companies which are repeatedly subject to infringement and abuse[6]. These factors further strengthen the importance of organisations proactively protecting their brands online.

A number of key areas of threat are particularly relevant, as outlined below.

  • Cybersecurity - 9.7 million distributed denial-of-service (DDoS) attacks were reported in 2021, a year-on-year drop of 3%, but a 14% increase over 2019[7], and with H1 2021 seeing a doubling of cases using multiple attack vectors. There was also a 30% year-on-year increase in the size of the largest DDoS attacks, with the largest attacks (to the end of 2021) reaching sizes of 2.4 Tbps and 2.3 Tbps (1 Tbps = 1 Terabit (10^12 bits) per second) (against Microsoft and Amazon, respectively). A trend towards larger numbers of smaller, short attacks was also observed, with Neustar reporting a 76% increase in the number of attacks mitigated between Q1 2020 and Q1 2021[8]. The emergence of 'ransom DDoS' - where payment is demanded, usually after an initial 'demonstration' attack, in return for not launching a full DDoS - has also been observed[9,10]. 88% of organisations were reported as having suffered at least one DNS attack (mostly DNS phishing, DNS-based malware or DDoS) in 2021, with each attack costing the enterprise an average of $942,000[11]. Other types of attack, including DNS tunnelling and cache poisoning, were also noted in over one-third of cases. 61% of companies experienced multiple attacks within the previous 12 months, with 14% experiencing multiple hours of downtime[12].

Furthermore, 28% of security incidents were attributed to the use of malware in 2021[13], with ransomware showing a 69% growth in volume between Q3 and Q4 2020[14]. 48% of businesses were subject to ransomware attacks in 2021, with an average period of downtime for those affected of 23 days. Overall, phishing is increasingly recognised as the most common attack vector for malware distribution[15].

Finally, a 2021 study showed that 39 million pieces of information had been compromised from FTSE 100 companies, via more than 9,000 separate data breaches resulting from the use of re-used log-in details, weak passwords and data collected using keyloggers[16].

  • Phishing - Figures from the Anti-Phishing Working Group show that more than 1 million distinct phishing attacks were recorded in each of Q1 and Q2 2022, with both quarters experiencing the highest totals ever recorded, and over 600 distinct brands targeted each month[17,18]. Overall, two-thirds of phishing campaigns are still geared towards credential theft[19]. Even more concerningly, 82% of phishing sites employ SSL / TLS certificates (allowing use of HTTPS), up from 5% at the end of 2016, with 90% of certificates issued by free providers such as cPanel and Let's Encrypt. 69% of phishing sites are registered through just the top ten registrars[20], and 57% of phishing domains are utilised within 14 days of registration (with more than half of these going active within 48 hours). For a large organisation, annual losses due to phishing activity are estimated at $15 million[21].

Additionally, 71% of companies experienced a BEC (business e-mail compromise) attack utilising a spoofed e-mail account or website in 2021[22], with the total loss to businesses (for 2020) estimated at $1.8 billion[23]. The average amount requested in wire-transfer attacks was $109,000 in Q2 2022, up from $91,000 the previous quarter. 

  • Brand threats - Other types of brand-related infringements also continue to pose significant threats. Some of the main areas include: counterfeiting and e-commerce infringements - with a global trade in counterfeit goods valued at $464 billion in 2019 (2.5% of the total global economy)[24], as part of an overall annual spend on e-commerce of $4 trillion[25]; and digital piracy - with more than 130 billion visits to piracy websites recorded in 2020 and one-quarter of Internet bandwidth used for the unauthorised sharing of copyrighted content[26].

However, other types of brand-related content can also be of concern. Instances of traffic misdirection, false affiliation, potential brand confusion, activism, and so on can also have significant impacts on corporate revenue, customer experience, and brand value, reputation and trust.

Damaging brand-related content can take a variety of forms, and can be thought of as existing within a spectrum of severity classifications, from lower-threat 'brand abuse' (covering instances where the brand is being used in a way which is perhaps inconsistent with corporate guidelines, or incorporating negative comment or corporate disparagement, but where enforcement action may be neither necessary nor appropriate), through 'brand infringement' (where the content constitutes a contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal in intent, such as phishing or the sale of counterfeit goods) (Figure 1).

Threat type: Typical risks

  • Phishing: Compromise of customer details; financial losses; reputational damage
  • Other fraud issues (sites associated with advance-fee fraud, 'carder' sites, etc.): (as above)
  • Duplicated site content: Fraudulent activity; unauthorised use of branded content; visibility of 'test' sites not intended to be in the public domain
  • Site framing: Potential for framed site to be non-legitimate; imposition of third-party content around framed site
  • Employee activity / postings: Leakage of sensitive information; risk of social engineering; undesirable brand association
  • Traffic diversion / brand 'seeding': Loss of revenue; undesirable brand association; distribution of malicious content
  • Activism / negative comment: Brand / reputational damage; 'real-world' threats
  • Misuse of unofficial logo: False claims of affiliation; unauthorised use of IP; logos made available for potential creation of fake sites
  • Potential brand confusion: Customer confusion; loss of revenue
  • Claimed affiliation: Brand damage; loss of revenue; breaches of brand-usage standards

Figure 1: Examples of typical threat types identified through a brand monitoring service (for general Internet content), and the associated risks. (Increasing potential threat level from bottom to top.)

Connectedness of brand, fraud and cybersecurity issues

The areas of brand, fraud and cybersecurity issues are all linked, and this connectedness can manifest itself in a number of different ways. 

Firstly, there is very often a correlation between real-world events and a resulting spike in associated cybersecurity issues and brand infringements. This has been highlighted in a variety of previous CSC studies, including the observations that specific events during the COVID pandemic were followed by peaks in COVID-related domain registration activity[27], and that supply-chain issues such as those seen with the baby-formula shortage of 2021-2[28] resulted in the appearance of infringing websites utilising industry-related keywords[29]. In both of these cases, real-world issues presented an opportunity to the fraudsters to take advantage of, and monetise, the difficulties being experienced by consumers. 

More generally, the intrinsically connected nature of domain names and DNS, and the increasing use by many organisations of extensive networks of suppliers, vendors and customers, provides opportunities to bad actors to launch cyber-attacks targeting the weakest point in the supply chain[30].

Finally, it is increasingly recognised that the choice by corporations of an appropriate domain registrar with whom to partner for their domain management - and the associated adoption of appropriate domain security policies - comprises a significant input into their overall security posture. Specifically, a study by SecurityScorecard shows that the use of an enterprise-class registrar results in a security rating increase of between 0.5 and 1 grade[31]. These factors also have other significant consequences, such as impacts on the levels of access to - and cost of - cyberinsurance[32].

The above points highlight the importance of a holistic security programme, consisting of elements of both domain security (as part of a domain-management service) and brand protection (incorporating both monitoring and enforcement). This is illustrated by Figure 2, showing a schematic of how a robust security posture incorporates these multiple elements:

  • Domain management is concerned with domains under official ownership (the 'core' domains used in the day-to-day execution of business, such as providing hosting for websites and e-mails; and 'tactical' or defensive registrations, held in order to prevent third-party use and registered for potential future use regarding planned brand or product launches or geographical expansion).

  • Brand protection addresses third-party activity external to this corporate technical infrastructure ('outside the firewall') - part of the reason this is necessary is because it is neither sustainable nor cost-effective to register domains containing every possible permutation of brand variants and keywords[33]. However, a truly effective brand-protection programme needs to consist of holistic monitoring covering a range of content types (such as general Internet content, domain names, social media, e-commerce marketplaces, mobile apps, etc.), as there is increasing inter-connection between these areas, which essentially just comprise different channels in which the same types of infringement can appear.

Figure 2: Schematic of how a robust security posture is composed of elements of domain management and brand protection

In these areas, branded domain names sit in a position of central importance (when considering both official corporate and third-party content). A domain name incorporating a brand name will generally have high visibility (in terms of its search-engine ranking in response to brand-specific search terms), will constitute a more explicit use (or abuse) of IP rights - and thereby yield greater enforcement options, and provides greatest potential for customer confusion or fraudulent use (e.g. in the construction of a convincing phishing site[34]). Threat analysis and threat remediation for domains is therefore a key element of all cybersecurity initiatives.

Remediation

A range of security products and services can be deployed to address the threats described above. From a domain security point of view, a range of products offered by enterprise-class registrars can help to mediate the risks of an attack (Figure 3).

Domain security measure: Purpose

  • DNS hosting redundancy: Mediates against downtime and DDoS attacks
  • DNSSEC (Domain Name System Security Extensions): Prevents hackers from taking control of an Internet browsing session with the goal of re-directing users to deceptive websites
  • SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance) and DKIM (DomainKeys Identified Mail): E-mail authentication standards which mitigate spam, spoofing, and phishing
  • MultiLock: Combines registry- and registrar-level locks and a whois lock to prevent unauthorised changes of DNS records and domain hijacking
  • CAA (Certification Authority Authorisation) records: Ensures that only authorised certification authorities can issue a certificate
  • Use of an enterprise-class registrar: Specialises in working with enterprises that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance and cybersecurity

Figure 3: Domain security measures used to mediate attacks
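As an added example (not code from the article or from CSC), the following Python checks the SPF, DMARC, CAA and DNSSEC items of Figure 3 against a domain's published DNS records, here supplied as constructed strings so that it runs offline; the record layout, the fictional domain acmebank.example and the four-control count are assumptions of the example.

```python
def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txt_records: list) -> list:
    """Findings for the SPF record(s) among a domain's apex TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so receivers cannot reject forged envelope senders"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as a permanent error"]
    terms = spf[0].lower().split()
    if any(t in ("+all", "all", "?all") for t in terms):
        return ["SPF: permissive 'all' mechanism lets any host pass"]
    if "~all" in terms:
        return ["SPF: softfail (~all) only; move to -all once all legitimate senders are listed"]
    return []

def check_dmarc(dmarc_records: list) -> list:
    """Findings for the record published at _dmarc.<domain>."""
    recs = [r for r in dmarc_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record, so SPF/DKIM failures carry no policy"]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["DMARC: p=none is monitoring only; spoofed mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if tags.get("pct", "100") != "100":
        return [f"DMARC: policy applied to only {tags['pct']}% of failing mail"]
    return []

def posture(zone: dict) -> dict:
    """Findings plus the number of the four checked controls that raised none."""
    findings = check_spf(zone.get("TXT", [])) + check_dmarc(zone.get("_dmarc", []))
    if not zone.get("CAA"):
        findings.append("CAA: no record, so any public CA may issue certificates for the name")
    if not zone.get("DNSSEC"):  # signed-zone flag as reported by a validating resolver
        findings.append("DNSSEC: zone not signed; responses can be forged in transit")
    in_place = 4 - len({f.split(":")[0] for f in findings})
    return {"findings": findings, "controls_in_place": in_place}

# Constructed sample zones for a fictional brand domain; values are not real.
WEAK_ZONE = {"TXT": ["v=spf1 include:_spf.mail.example ?all"],
             "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@acmebank.example"],
             "CAA": [], "DNSSEC": False}
HARDENED_ZONE = {"TXT": ["v=spf1 include:_spf.mail.example -all"],
                 "_dmarc": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@acmebank.example"],
                 "CAA": ['0 issue "ca.example"'], "DNSSEC": True}

if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, posture(zone))
```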

Considering the brand protection component of a security programme, most services will consist of an iterative four-part process, incorporating detection (monitoring), prioritisation of results, investigation and countermeasures, and action and reporting. Of these, enforcement (part of the 'action' stage) – i.e. the removal of infringing content – is of key importance, for a number of reasons:

  • It protects brand, revenue, reputation, and customers from the harmful effects of infringements
  • It provides a deterrent effect to infringers - essentially, making the brand a 'harder' target
  • Enforcement is often a pre-requisite for keeping IP protection in place, or may be a regulatory requirement
  • Having a 'toolkit' of enforcement approaches of varying complexity and cost allows the most efficient and cost-effective approach to be taken in any given case, while reserving options for escalation[35].

The technology offered by enterprise-class brand protection service providers may incorporate clustering technology, allowing insights into links between infringements to be established. This has a number of benefits:

  • It enables identification of key or serial infringers, allowing prioritised enforcement action
  • It reveals instances of bad-faith activity (e.g. cases where multiple brands are targeted by the same infringer), yielding a more compelling case for enforcement
  • It can identify instances of linked infringements, raising the possibility for efficient bulk takedowns (e.g. where multiple sites are registered through the same registrar and can be enforced in a single action)

As part of this security initiative, determining the level of threat associated with a particular domain allows the brand owner to take focused action where most required.

Quantifying threat

A key feature of an effective domain-management programme is the ability to determine which portfolio domains are 'critical' and require the highest level of security protection. More generally, the extent of adoption by corporations of relevant security measures (as listed in Figure 3) for their official domains can provide a good general metric for their security risk exposure. 

For brand protection, quantifying the level of potential threat posed by third-party content (e.g. a new domain registration) is (even) more complex. Numerous elements, such as the presence of a brand name (or variations) or keywords in the domain name, features relating to the content and technical configuration of any associated website, and registrant and registrar characteristics, can all be relevant. However, the ability to quantify threat is important for a number of reasons:

  • It provides a methodology to prioritise identified results, allowing determination of:
    • Which results should be considered primary targets for further analysis
    • Which results should be tracked in order to identify changes in content or configuration
    • Which results should be considered priority targets for enforcement
  • It provides insights into brand and keyword patterns and TLDs (domain extensions) which should be considered for defensive domain registrations

A number of previous studies have looked at features which may be relevant for determining the overall level of threat posed by a domain. Two examples include:

  • A study looking at the TLDs which are most frequently associated with malicious domains (phishing, spam or malware)[36]. The analysis shows that the highest-threat TLDs tend to be those associated with the Africa, Asia, or Caribbean regions, and new-gTLDs. The TLDs most popular with infringers tend to be those which:
    • Offer free or low-cost registration, or have lax registration security policies
    • Are associated with regions with poorly defined or low reliability enforcement routes
    • Are associated with low-wealth countries, where ISPs may lack technical expertise, leaving the domains more prone to compromise
  • A study looking at domains with names similar to any of the top ten most valuable company brands, focusing on 'cousin domains', fuzzy matches (typos), and homoglyph character replacements, and considering the types of content present on these 'typo' domain names[37]. The analysis is based on the assumption that a confusingly similar domain name is likely to have been registered for fraudulent use, and that the degree of similarity to the official corporate domain name may therefore be a key factor in determining the level of threat. The study identified almost 8,500 unique domain names over the course of one year, almost all of which were registered to third parties, and found that a range of types of infringing content were indeed present on the associated websites. Furthermore, around one-third of the active domains at the time of analysis were configured with active MX records, indicating that they may be being utilised for their e-mail functionality (e.g. in phishing or BEC attacks).
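An added example (not from the article or either cited study) of turning the features discussed above into a threat score for a candidate domain: brand string or typo variant in the second-level label, homoglyph substitution, TLD risk and the presence of an MX record, mapped onto the three prioritisation outcomes listed earlier. The weights, the high-risk TLD list and the fictional brand 'acmebank' are assumptions of the example.

```python
from dataclasses import dataclass, field

# Confusable characters mapped to the Latin letter they imitate (illustrative
# subset: digits, a letter pair and Cyrillic look-alikes).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
# Assumed high-risk TLDs for this example only; a real programme would derive
# the list from observed abuse rates, as the TLD study cited above does.
HIGH_RISK_TLDS = {"tk", "ml", "ga", "cf", "xyz", "top"}

def normalise(label: str) -> str:
    """Fold confusables to plain Latin so 'acmeb4nk'-style labels compare as intended."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the 'fuzzy match' measure for typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Assessment:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

def assess(domain: str, brand: str, has_mx: bool) -> Assessment:
    """Score one candidate domain against one brand; higher means more threatening.
    Weights are illustrative. The TLD is taken as the final label, so two-level
    public suffixes such as .co.uk would need a public-suffix list in practice."""
    a = Assessment(domain)
    labels, _, tld = domain.lower().rpartition(".")
    sld = labels.split(".")[-1]            # registrable second-level label
    norm = normalise(sld)
    if brand in norm:
        a.add(4, "brand string present")
    elif edit_distance(norm, brand) <= 2:
        a.add(3, "typo variant of brand")
    else:
        return a                           # not brand-related: score stays 0
    if norm != sld:
        a.add(2, "homoglyph substitution")
    if tld in HIGH_RISK_TLDS:
        a.add(2, f"high-risk TLD .{tld}")
    if has_mx:
        a.add(1, "active MX record (mail-capable: phishing/BEC risk)")
    return a

def triage(a: Assessment) -> str:
    """Map a score onto the prioritisation outcomes listed in the text."""
    if a.score >= 7:
        return "priority target for enforcement"
    if a.score >= 4:
        return "track for changes in content or configuration"
    return "primary target for further analysis" if a.score else "not brand-related"

if __name__ == "__main__":  # constructed inputs; 'acmebank' is a fictional brand
    for dom, mx in [("acmebank-secure.xyz", True), ("acmebnak.com", False)]:
        a = assess(dom, "acmebank", has_mx=mx); print(dom, a.score, triage(a), a.reasons)
```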

Key take-aways and discussion

The Internet landscape offers multiple opportunities for bad actors to launch cyber- and brand attacks, which can take a number of different forms. These can include direct attacks against domain or corporate infrastructure (such as DDoS, DNS attacks, and domain hijacking), other types of attacks (such as phishing, BEC, and malware attacks) and other brand infringements (including familiar areas such as counterfeiting and piracy). 

Brand, fraud and cybersecurity issues are fundamentally interconnected, providing a push towards the introduction of digital governance teams within organisations, composed of representatives from marketing, IP / legal, security and domain operations, working together to mediate the threats. 

Fundamentally, domain names are central to cybersecurity considerations, with an effective security programme requiring a combination of domain security measures and brand protection (composed of monitoring and enforcement). The ability to quantify threat is central to this endeavour, ensuring that mediating action can be applied where it is most needed. Unfortunately, however, many of the top global companies have significant shortcomings in their security postures, with CSC's Domain Security Reports 2021 and 2022 showing that many of the Global Forbes 2000 exhibit only limited adoption of significant domain security measures[38,39].

References

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/ 

[2] https://datareportal.com/reports/digital-2021-global-overview-report

[3] https://www.worldbank.org/en/topic/digitaldevelopment/overview 

[4] https://data.worldbank.org/indicator/NY.GDP.MKTP.CD

[5] https://www.globalsecuritymag.com/British-consumers-expect-brands-to,20211004,116709.html

[6] https://www.mimecast.com/blog/brand-impersonation-one-cyberattack-is-enough-to-lose-consumer-trust-and-custom/

[7] https://www.netscout.com/threatreport

[8] "Cyber Threats and Trends", Neustar (direct communication to CSC)

[9] https://www.home.neustar/blog/wave-of-ddos-ransom-attacks-target-voip-services

[10] https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip

[11] https://www.efficientip.com/wp-content/uploads/2022/05/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

[12] https://www.helpnetsecurity.com/2021/10/26/organizations-dns-attacks/

[13] https://www.raconteur.net/report/fighting-fraud-2021/

[14] https://www.mcafee.com/enterprise/en-us/lp/threats-reports/apr-2021.html

[15] https://www.cisa.gov/stopransomware/general-information

[16] https://spycloud.com/resource/2021-ftse-100-breach-exposure/

[17] https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf

[18] https://docs.apwg.org/reports/apwg_trends_report_q2_2022.pdf

[19] https://cofense.com/annualreport

[20] https://interisle.net/PhishingLandscape2021.pdf

[21] https://www.proofpoint.com/uk/resources/analyst-reports/ponemon-cost-of-phishing-study

[22] https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

[23] https://securityboulevard.com/2021/03/64-times-worse-than-ransomware-fbi-statistics-underline-the-horrific-cost-of-business-email-compromise/

[24] https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/reports/2021_EUIPO_OECD_Report_Fakes/2021_EUIPO_OECD_Trate_Fakes_Study_FullR_en.pdf

[25] https://business.adobe.com/resources/digital-economy-index.html

[26] https://www.go-gulf.com/online-piracy/

[27] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[28] https://www.cnbc.com/2022/08/02/what-you-need-to-know-about-the-us-baby-formula-shortage.html

[29] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[30] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

[31] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[32] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[33] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[34] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[35] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[36] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[37] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[38] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[39] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 17 January 2023 at:

https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/
