
Thursday, 25 May 2023

The 'Millennium Problems' in Brand Protection

As the brand protection industry approaches a quarter of a century in age, following the founding of pioneers Envisional[1] and MarkMonitor[2] in 1999, I present an overview of some of the main outstanding issues which are frequently unaddressed or are generally only partially solved by brand protection service providers. I term these the 'Millennium Problems' in reference to the set of unsolved mathematical problems published in 2000 by the Clay Mathematics Institute[3], and for which significant prizes were offered for solutions. Like their mathematical counterparts, the unsolved problems in brand protection will present significant benefits for any service providers able to develop and offer comprehensive solutions.

Brand protection basics

In their most basic sense, brand protection solutions generally consist of two components: monitoring (or, strictly, detection) of brand-related content on the Internet, and enforcement action to achieve the removal of infringing material. Monitoring is most usually carried out using technological solutions intended to identify relevant material on the Internet, across a range of relevant channels, typically using a combination of methodologies, namely: (i) Internet metasearching (i.e. the submission of relevant query terms to search engines) and web crawling; (ii) analysis of domain-name zone files (see Problem 2), to identify domains with names including brand-related terms (or variants); (iii) direct monitoring / searching on known sites of interest (see Problem 1); and (iv) other techniques, such as the use of spam traps and webserver logs, as used in phishing detection technologies[4]. Many service providers will also make use of automated analysis tools, which can inspect the content of the identified webpages, and categorise and prioritise these results accordingly.

The 'Millennium Problems'

1. Social media monitoring

Whilst monitoring of content across social media platforms is a well-established element of many brand-protection service providers' product suites, it frequently remains extremely difficult to achieve anything approaching a comprehensive level of coverage. There are a number of reasons why this is the case. In general, social media content is most usually addressed using the 'direct site searching' approach (that is, using the search functionality typically in-built to the platforms themselves as a means of returning results), though some providers also have access to direct data feeds from the platforms (e.g. through an API). In general, a variety of types of content may be of interest, including brand references in usernames (e.g. associated with fake profiles), and the content of postings (e.g. associated with fraud, the sale of counterfeits, the spread of malware, brand disparagement, etc.) and elsewhere (including imagery, sponsored advertisements, and so on).

The main difficulty with the 'direct search' approach is that results presented to a user are often limited (sometimes significantly) unless the user is logged in to the social media platform. This can be circumvented by configuring a brand-protection monitoring tool to present itself to the platform as if it is a real user (with a registered account, handle (username) and password), or simply through the use of manual searches. Both of these approaches typically require the use of 'dummy' accounts and may be in contravention of the terms and conditions of the platforms themselves.

Other technological issues may also be problematic. Many social media platforms return results on an 'infinite scroll' basis (where additional results are continually added to the webpage as the user continues to scroll down through them), often with no indication of the total numbers of results which may be present, and many platforms also have specific access requirements, such as functionality only to be accessed via a mobile app (see Problem 7). Similarly, monitoring can be further complicated by sites where content is protected via the requirement to enter a CAPTCHA code, for example. It is also typically the case that the exact results returned to a user will be highly personalised, and dependent on their browsing history, interests, location, and personal demographic.

Some of these issues can be addressed through the development of partner relationships by brand-protection service providers with the platforms themselves. However, even in cases where the platforms are amenable to this approach, some of the above technological issues may remain difficult to address.

2. Comprehensive ccTLD monitoring

Another of the core elements of many brand protection service offerings is often a domain monitoring capability; that is, the ability to identify domains whose names include the name of the brand being infringed (and/or other relevant keywords). As a special subset of general Internet content, branded domain names are often of particular interest by virtue of their greater visibility (e.g. higher ranking in search-engine results) and the more explicit nature of the IP abuse (and an associated greater range of enforcement options)[5]. Branded domain names have been noted in many previous studies as being popular with bad actors in the creation of infringing content of a variety of types, including phishing sites[6], sites offering the sale of counterfeits, and sites claiming false affiliation or including disparaging content.

The primary source of data for domain monitoring is usually the analysis of zone files, which are data files published by the registry organisations responsible for overseeing the infrastructure of each individual TLD (top-level domain, or domain extension - such as .com), and which list every domain delegated in that extension (strictly, every domain with nameserver records in the zone; this covers almost all registered domains, but not those which are registered and then left undelegated or placed on hold). By comparing the content of a zone file with that from the previous day, it is possible to identify new domain registrations (as well as dropped, or lapsed, domains) and filter this list for those examples containing a brand name or keyword of interest. Domain monitoring solutions can (and, in general, should) also make use of zone-file analysis to allow identification of the full pre-existing 'landscape' of registered domain names of interest, across the TLDs in question, at the commencement of monitoring (so-called 'baseline' analysis). The most sophisticated domain monitoring solutions can also automatically check for variations of the brand strings (such as typos), which are frequently used by infringers to construct deliberately deceptive domain names[7,8].

Zone files are generally available for most gTLDs (generic, or global, TLDs such as .com, .net, etc.), plus the new gTLDs launched under the ICANN programme whose application round opened in 2012[9] (for which ICANN's Centralized Zone Data Service, CZDS, provides a single point of access), but are often not published (or may not be comprehensive) by the registry organisations responsible for other TLDs, particularly the country-specific examples (ccTLDs). For this reason, detection of relevant domains across ccTLD extensions is typically incomplete, and a number of techniques may be used in order to fill in the gaps. These might include parallel look-ups (checks for domains with the same second-level domain name - i.e. the part of the domain name to the left of the dot - as examples identified through zone-file analysis), exact-match queries (regular searches for the existence of domains with second-level domain name strings of particular relevance, such as a brand name), and Internet metasearching. However, each of these approaches has its own limitations and, even when all taken together, there can always be domain names of potential concern which are not detected through any of these methods. The next generation of domain monitoring solutions will need to better address these shortcomings, potentially involving factors such as the use of improved algorithms to 'guess' candidate domain names for checking, and/or the use of more comprehensive indexes of Internet content. Additionally, the building of specific relationships with country registries - potentially combined with regulatory changes regarding the availability of zone files - may also be relevant.
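As an added example (not code from the original article or from any service provider's product), the following Python sketch works through the zone-file process described under Problem 2: it parses two constructed daily snapshots of a miniature .com zone, generates a small set of deceptive variants of a brand string, and reports the delegations that were added, dropped, or already present at baseline whose labels contain the brand or a variant. The zone text, the brand 'acmebank' and the homoglyph table are illustrative assumptions; real zone files and variant lists are vastly larger.

```python
"""Zone-file diffing for brand-keyword domain monitoring.

Added example, not from the original article. The zone snapshots below are
constructed miniatures in standard presentation format; real gTLD zone files
(e.g. as distributed through ICANN's CZDS) run to millions of records.
"""

# Constructed: yesterday's and today's snapshots of a miniature .com zone.
ZONE_YESTERDAY = """\
$ORIGIN com.
acmebank         IN  NS  ns1.acmebank.com.
acmebank         IN  NS  ns2.acmebank.com.
acme-bank-login  IN  NS  ns1.parkinghost.invalid.
example          IN  NS  a.iana-servers.net.
shoesoutlet      IN  NS  dns1.registrar.invalid.
"""

ZONE_TODAY = """\
$ORIGIN com.
acmebank         IN  NS  ns1.acmebank.com.
acmebank         IN  NS  ns2.acmebank.com.
acrnebank-secure IN  NS  ns1.freehost.invalid.
acmebnak         IN  NS  ns1.freehost.invalid.
example          IN  NS  a.iana-servers.net.
shoesoutlet      IN  NS  dns1.registrar.invalid.
"""

# Assumed homoglyph table; production lists are far larger.
HOMOGLYPHS = {"o": ["0"], "l": ["1"], "i": ["1", "l"], "m": ["rn"], "e": ["3"]}


def parse_zone(text: str, tld: str) -> set[str]:
    """Return the set of second-level labels delegated in a zone snapshot.

    Accepts relative owner names (under a $ORIGIN line) or fully qualified
    ones ('ACMEBANK.COM.'). Only NS records are considered: a registered but
    undelegated domain never appears, which is an inherent limit of
    zone-file monitoring.
    """
    tld = tld.lower().strip(".")
    slds: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):
            continue
        fields = line.split()
        if "NS" not in fields[1:4]:
            continue
        owner = fields[0].lower().rstrip(".")
        if owner.endswith("." + tld):
            owner = owner[: -(len(tld) + 1)]
        if owner in ("", "@", tld):
            continue  # zone apex
        slds.add(owner)
    return slds


def brand_variants(brand: str) -> set[str]:
    """Generate common deceptive variants of a brand string: the brand itself,
    single-character omissions, adjacent transpositions, doubled characters,
    single homoglyph substitutions and single hyphen insertions."""
    brand = brand.lower()
    variants = {brand}
    for i, ch in enumerate(brand):
        variants.add(brand[:i] + brand[i + 1:])            # omission
        variants.add(brand[:i] + ch + ch + brand[i + 1:])  # doubling
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(brand[:i] + sub + brand[i + 1:])  # homoglyph
        if i + 1 < len(brand):
            variants.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])  # transposition
            variants.add(brand[:i + 1] + "-" + brand[i + 1:])            # hyphenation
    variants.discard("")
    return variants


def diff_zones(old: set[str], new: set[str], brand: str) -> dict[str, list[str]]:
    """Compare two daily snapshots; report added, dropped and pre-existing
    ('baseline') delegations whose label contains the brand or a variant."""
    variants = brand_variants(brand)

    def relevant(sld: str) -> bool:
        return any(v in sld for v in variants)

    return {
        "added": sorted(s for s in new - old if relevant(s)),
        "dropped": sorted(s for s in old - new if relevant(s)),
        "baseline": sorted(s for s in old & new if relevant(s)),
    }


if __name__ == "__main__":
    report = diff_zones(parse_zone(ZONE_YESTERDAY, "com"),
                        parse_zone(ZONE_TODAY, "com"), "acmebank")
    for kind, names in report.items():
        print(f"{kind:9s} {names}")
```

Only NS records are considered, so a domain that is registered but never delegated does not appear in the diff; that is a limit of the data source rather than of the code, and is one reason the daily deltas and the baseline need to be supplemented by the other techniques listed above.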

3. Third-party subdomain monitoring

The subdomain is the section of a hostname to the left of the registrable domain name, from which it is separated by a dot (e.g. 'translate' in 'translate.google.com'). The owner of a domain name can create whatever subdomains they wish, and can point these hostnames at associated web content (via the domain's DNS records). Accordingly, subdomains can be used to create brand-related URLs, and can be associated with many of the same types of infringements as domain names themselves[10]. Subdomain-based abuse can also be particularly attractive to infringers, both because it avoids the requirement to register a brand-specific domain name[11] (which bad actors know can easily be detected by brand owners employing domain-monitoring services) and because there can be a low cost associated with the creation of the URL, particularly where a service provider allowing the free registration of personalised subdomains (such as blogspot.com) is used.

Consequently, the ability to monitor generally for brand references in the subdomain part of arbitrary hostnames can be of great value. Note that this is distinct from the (relatively much simpler) problem of monitoring the existence and content of subdomains of official domains under the ownership of the brand owner ('internal' subdomain monitoring), since all of the relevant information is contained in the zone data held by the brand owner's own authoritative DNS provider.

Conversely, the identification of brand-related subdomains on third-party ('external') domain names is much more difficult. In many cases, this is achieved purely using Internet metasearching techniques (i.e. finding only content which is indexed by search engines in response to brand-specific query terms). Whilst this does mimic the search techniques used by general Internet users (and thereby identify the 'highest-visibility' content), it will in general not find all potentially threatening content (e.g. URLs to which traffic is driven through other means, such as links in spam e-mails). This problem can be mitigated to some degree through the use of other techniques, such as passive DNS analysis, certificate transparency (CT) log analysis, or explicit queries for the existence of specific subdomain names of interest. However, each has its own blind spot: passive DNS and explicit queries require prior identification of the specific domains (or candidate hostnames) to be checked, and CT analysis only surfaces hostnames for which a publicly logged certificate has been issued. Generalised identification of brand-related subdomains across arbitrary third-party domains therefore remains a much harder problem to solve.
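As an added example (not from the original article), the following Python code makes the internal/external distinction above concrete for a list of constructed hostnames of the kind harvested from CT logs or passive DNS. It splits each hostname into subdomain, registrable domain and public suffix, then decides whether the brand reference sits on the brand owner's own domain, in a branded third-party domain name (which domain monitoring would catch), or in the subdomain labels of an unrelated domain. The suffix tables, the brand 'acmebank' and its official domains are assumptions; real tooling should use the full Public Suffix List.

```python
"""Classifying brand references in hostnames: the brand owner's own subdomains
versus branded domains versus brand strings in the subdomains of third-party
domains.

Added example, not from the original article. Hostnames are constructed, as
they might be harvested from Certificate Transparency (CT) logs or passive
DNS; CT only exposes hostnames for which a publicly logged certificate was
issued. The suffix tables are a tiny hand-made subset of the Public Suffix
List.
"""

# Assumed suffix subsets. 'Private' suffixes belong to platform operators who
# hand out a label beneath them to anyone (the blogspot.com case in the text).
ICANN_SUFFIXES = {"com", "net", "org", "co.uk"}
PRIVATE_SUFFIXES = {"blogspot.com", "github.io"}
PUBLIC_SUFFIXES = ICANN_SUFFIXES | PRIVATE_SUFFIXES

# Assumed brand-owner configuration.
OFFICIAL_DOMAINS = {"acmebank.com", "acmebank.co.uk"}
BRAND_TERMS = ("acmebank", "acme-bank")

# Constructed input, e.g. subjectAltName entries seen in CT log entries.
CT_HOSTNAMES = [
    "www.acmebank.com",
    "acmebank.co.uk",
    "acmebank-login.com",
    "login.acmebank.secure-portal.net",
    "acmebank-verify.blogspot.com",
    "shop.example.org",
]


def split_hostname(host: str) -> tuple[str, str, str]:
    """Return (subdomain, registrable_domain, public_suffix).

    The longest matching suffix wins, so 'x.blogspot.com' is a registrable
    name under blogspot.com rather than a subdomain of it.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES:
            break
    else:
        raise ValueError(f"no known public suffix in {host!r}")
    registrable = ".".join(labels[-(n + 1):])
    subdomain = ".".join(labels[: -(n + 1)])
    return subdomain, registrable, suffix


def has_brand(labels: str) -> bool:
    return any(term in labels for term in BRAND_TERMS)


def classify(host: str) -> str:
    """'internal' (brand owner's own host), 'branded-domain' (caught by domain
    monitoring), 'third-party-subdomain' (the hard case in the text) or
    'unrelated'."""
    subdomain, registrable, suffix = split_hostname(host)
    if registrable in OFFICIAL_DOMAINS:
        return "internal"
    sld_label = registrable[: -(len(suffix) + 1)]
    if suffix in PRIVATE_SUFFIXES:
        # The 'registrable' label is a free subdomain issued by the platform
        # operator, so treat it like any other third-party subdomain label.
        sub_labels = ".".join(part for part in (subdomain, sld_label) if part)
    else:
        if has_brand(sld_label):
            return "branded-domain"
        sub_labels = subdomain
    return "third-party-subdomain" if has_brand(sub_labels) else "unrelated"


def triage(hosts: list[str]) -> dict[str, str]:
    return {host: classify(host) for host in hosts}


if __name__ == "__main__":
    for host, verdict in triage(CT_HOSTNAMES).items():
        print(f"{verdict:22s} {host}")
```

The private-suffix branch is what makes 'acmebank-verify.blogspot.com' come out as a third-party subdomain rather than a registrable domain: under the Public Suffix List, blogspot.com is itself a suffix, so the platform user's label is the part to inspect.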

4. Circumventing site blocking and geoblocking

Site blocking and geoblocking are two long-established problems in brand monitoring. The former arises when a monitored site becomes aware of repeated search queries from a particular source, and restricts access to the site from the IP address in question. A site owner may choose to do this for a number of reasons, including protection of website performance (e.g. rate-limiting automated traffic or mitigating denial-of-service attacks), or for compliance with their own terms and conditions (e.g. where they state that information is not to be collected for commercial purposes, such as by brand-protection service providers). Geoblocking (or geotargeting) is a related issue, whereby the visible content of a website may vary depending on the geographical location of the visitor. Again, this may be implemented by a site owner for a range of reasons, including the tailoring of content to a local audience, search-engine optimisation, security, or legal compliance[12]. However, geoblocking can also be employed by infringers as a means of evading detection, and can also present difficulties in enforcement, where it may be necessary to demonstrate exactly what content is visible from a specific remote location.

The solutions to these issues, from a brand-protection point of view, are relatively simple in principle, generally involving the use of proxies (standalone external machines serving as intermediate 'hops' through which search queries from a brand-protection service provider are routed, so as to 'mask' the originating IP address) in a range of remote locations, and/or (particularly for site blocking) the building of relationships with the sites being monitored, so that the monitoring service provider can gain permission for collecting the data. However, in practice this requires a great deal of investment in building the required infrastructure (such as hosting and maintaining the necessary proxies, and configuring the monitoring software to communicate with them) and establishing the necessary relationships. Furthermore, the construction of appropriate user interfaces to visualise and interpret the relevant information (such as the ability to compare the content of a particular website across a range of different user (i.e. proxy) locations, in cases where geoblocking or geotargeting may be an issue) can also be a complex prospect.

5. Clustering and open-source intelligence analysis

The subject areas of clustering and open-source intelligence (OSINT) are generally of greatest relevance for entity investigations, i.e. the process of using Internet searches to build a portfolio of information relating to an identified individual or website of interest. Such information can be used for a range of purposes, including background for on-the-ground investigations or goods seizures, or for legal cases, but can also be useful background for enforcement actions (e.g. in identifying clusters of related infringements for efficient bulk takedowns in a single action).

A number of technological solutions exist for visualising the links between related entities, on the basis of common shared characteristics (such as e-mail addresses, telephone numbers, web-hosting information such as IP addresses, and so on) - i.e. 'clustering' - but it is often the case that the characteristics themselves require identification through manual analysis processes. A great deal of additional efficiency can be built into the process, however, through the use of monitoring and analysis tools which can identify and extract this information automatically. This is relatively more straightforward in cases where the data can be extracted in a consistent manner (e.g. performing an IP-address look-up for any identified website of interest), and/or where the information is contained in a known location on a webpage with a fixed, pre-defined format (e.g. the 'contact details' section of a social-media profile page), such that a web scraper can be configured to pull out the content. It is a considerably more difficult enterprise to extract such information from general webpages where the structure of each page is not known in advance. In these cases, the approach generally needs to be based on the configuration of monitoring tools which are able to extract text strings matching the general pattern of (say) an e-mail address or telephone number. This then typically requires an element of post-processing to 'clean' and standardise the data. The next generation of clustering tools are likely to make extensive use of artificial intelligence in order to do this, in addition to then drawing out insights between the clusters thus produced.
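As an added example (not from the original article), the following Python code implements the extraction-then-clustering step for the unstructured case: it pulls e-mail addresses and telephone numbers out of constructed page text with pattern matching, normalises them, attaches a (constructed) hosting IP address per site, and groups sites that share any identifier using a union-find. The pages, IP addresses and UK-centric phone normalisation are illustrative assumptions.

```python
"""Extracting contact identifiers from unstructured pages and clustering the
sites that share them.

Added example, not from the original article. The page snippets and hosting
IP addresses are constructed; phone normalisation assumes UK numbers as a
stand-in for proper E.164 handling.
"""
import re
from collections import defaultdict

# Constructed page text, as a crawler might capture it from arbitrary sites.
PAGES = {
    "cheap-acmebank-watches.example": "Contact us: Sales@Watch-Deals.example  |  Tel: +44 (0)7700 900123",
    "acme-bank-outlet.example": "For orders email sales@watch-deals.example or WhatsApp 07700 900123.",
    "unrelated-shop.example": "Support: help@unrelated-shop.example, phone 0800 123 4567",
}
# Constructed; in practice obtained by an A-record look-up for each site.
HOSTING_IPS = {
    "cheap-acmebank-watches.example": "203.0.113.10",
    "acme-bank-outlet.example": "203.0.113.77",
    "unrelated-shop.example": "198.51.100.5",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Loose phone pattern: optional '+', then digits with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def normalise_phone(raw: str) -> str:
    """Digits only, UK trunk prefix removed and country code added (assumed UK;
    real systems should use the page's country context or a library such as
    libphonenumber)."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("440"):        # '+44 (0)7700 ...' style
        return "44" + digits[3:]
    if digits.startswith("0"):          # national format '07700 ...'
        return "44" + digits[1:]
    return digits


def extract_identifiers(site: str, text: str) -> set[str]:
    """Pull out e-mail addresses and phone numbers as tagged, normalised
    strings, and attach the site's hosting IP. IP literals are blanked out
    before phone matching so a dotted quad is not mistaken for a number."""
    ids = {f"email:{m.lower()}" for m in EMAIL_RE.findall(text)}
    text_no_ips = IPV4_RE.sub(" ", text)
    ids |= {f"phone:{normalise_phone(m)}" for m in PHONE_RE.findall(text_no_ips)}
    if site in HOSTING_IPS:
        ids.add(f"ip:{HOSTING_IPS[site]}")
    return ids


def build_identifiers(pages: dict[str, str]) -> dict[str, set[str]]:
    return {site: extract_identifiers(site, text) for site, text in pages.items()}


def cluster(identifiers: dict[str, set[str]]) -> list[set[str]]:
    """Union-find over sites: two sites join one cluster if they share any
    identifier (transitively). Clusters are returned in a stable order."""
    parent = {site: site for site in identifiers}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen: dict[str, str] = {}
    for site, ids in identifiers.items():
        for ident in ids:
            if ident in first_seen:
                parent[find(site)] = find(first_seen[ident])
            else:
                first_seen[ident] = site
    groups: dict[str, set[str]] = defaultdict(set)
    for site in identifiers:
        groups[find(site)].add(site)
    return sorted(groups.values(), key=min)


def shared_identifiers(identifiers: dict[str, set[str]], group: set[str]) -> set[str]:
    """Identifiers present on more than one site of the cluster: the evidence
    an investigator would cite for the link."""
    counts: dict[str, int] = defaultdict(int)
    for site in group:
        for ident in identifiers[site]:
            counts[ident] += 1
    return {ident for ident, n in counts.items() if n > 1}


if __name__ == "__main__":
    ids = build_identifiers(PAGES)
    for group in cluster(ids):
        print(sorted(group), "linked by", sorted(shared_identifiers(ids, group)))
```

The two 'shop' domains are linked by the same e-mail address and the same phone number only once '+44 (0)7700 900123' and '07700 900123' have been normalised to one string; without that clean-up step they would appear unrelated, which is the post-processing point made above.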

6. Dark Web monitoring

Dark Web content is the general name given to online material for which there are special access requirements; however in the context of online brand monitoring, it is usually taken to refer to content which is only accessible via the Tor network (a decentralised network involving the use of encrypted communications, and connections via multiple hops between Tor servers (proxies) - also known as relays or nodes). The Tor network - which is accessed using specially enabled browsers - can be used to view regular ('surface web') Internet content (and is one option open to users for whom anonymity is important), but is more usually used to access websites with the .onion extension, i.e. those which are only accessible from within the network[13].

The Tor network of .onion websites includes a range of different content types, but is notorious for illegal and infringing content and, as such, can be a key area of interest for brand monitoring. However, many brand protection service providers offer only limited capabilities in this area. This is for a number of different reasons. One significant factor is that the Dark Web is essentially unregulated, frequently with no available links to 'real-world' contact details, and extremely limited enforcement options against infringing content. However, even in cases where takedown is not possible, intelligence on the content can be extremely valuable - one example may be on 'carder' websites, on which stolen financial credentials are traded; if (say) a financial services company can determine that the details for a particular credit card or bank account are being offered for sale, this provides the opportunity for the account to be 'locked' or deactivated.

It can also be extremely difficult to configure monitoring software to search the Dark Web. Whilst it is technically relatively straightforward to configure systems to be Tor-enabled (although connections are typically rather slow), there are generally no robust indexes of Dark Web content (such as the search engines and zone files used to search surface-web content), not least because .onion addresses - which, for current (v3) services, are 56-character strings derived from the service's own cryptographic key rather than chosen names - contain nothing for a brand term to match against, and because the sites behind them are frequently short-lived or move to new addresses. A number of Dark Web search engines do exist, together with ad-hoc indexes of Dark Web content posted by users on sites such as Pastebin, but the information on these sources typically becomes out-of-date rather quickly.
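As an added example (not from the original article), the following Python code shows the practical consequence of how .onion addresses are formed: a v3 address is the base32 encoding of the service's ed25519 public key followed by a two-byte SHA3-256 checksum and a version byte, so candidate addresses scraped from pastes and ad-hoc indexes can be validated offline before any slow Tor connection is attempted. The paste text and the sample key are constructed.

```python
"""Extracting and checksum-validating v3 .onion addresses from scraped text.

Added example, not from the original article. The paste text is constructed.
The encoding follows the Tor v3 rendezvous specification: the 56-character
address is base32(PUBKEY || CHECKSUM || VERSION), with VERSION = 0x03 and
CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]. The address
is therefore derived from the service's key, not chosen as a name.
"""
import base64
import hashlib
import re

VERSION = b"\x03"
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(address: str) -> bool:
    """True iff the address decodes to 35 bytes, carries version 3 and its
    embedded checksum matches the embedded key. Typos and truncations fail."""
    host = address.lower().removesuffix(".onion")
    if len(host) != 56:
        return False
    try:
        raw = base64.b32decode(host, casefold=True)
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == _checksum(pubkey)


def extract_onions(text: str) -> list[tuple[str, bool]]:
    """Candidate v3 addresses in document order (de-duplicated) with a validity
    flag, so a monitoring pipeline can discard corrupt candidates before
    spending slow Tor connections on them."""
    results: list[tuple[str, bool]] = []
    seen: set[str] = set()
    for match in ONION_V3_RE.finditer(text):
        address = match.group(1).lower() + ".onion"
        if address not in seen:
            seen.add(address)
            results.append((address, is_valid_onion_v3(address)))
    return results


# Constructed sample: a key stand-in, its derived address, a one-character
# corruption of that address, and a retired 16-character v2 address.
SAMPLE_KEY = bytes(range(32))
GOOD = onion_v3_address(SAMPLE_KEY)
BAD = GOOD[:-7] + ("a" if GOOD[-7] != "a" else "b") + ".onion"
PASTE = f"""hidden service list (constructed)
market mirror: http://{GOOD}/login
old link (typo): {BAD}
v2 (retired): expyuzz4wqqyqhjn.onion
"""

if __name__ == "__main__":
    for address, ok in extract_onions(PASTE):
        print("valid  " if ok else "INVALID", address)
```

Because the checksum covers the key, a single mistyped character is rejected; conversely, nothing in a valid address indicates which service or brand it relates to, which is why brand-term searching of the kind used on the surface web does not transfer to the Dark Web.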

The nature of the content on the Dark Web also means that security concerns can be an issue for brand-protection service providers wishing to build their capabilities in this area.

7. Mobile-based technologies

As Internet engagement has continued to grow over recent years, an increasing proportion of Internet use is conducted over mobile devices[14,15], using a wide ecosystem of mobile apps. Many platforms are now almost exclusively mobile-based, often with little or no corresponding web presence - popular examples might include the WeChat / Weixin platforms, public groups on messaging services such as WhatsApp, and e-commerce platforms such as Pinduoduo. Many brand-protection service providers use legacy monitoring technologies which were designed specifically for analysing HTML content on the regular Internet and are often poorly equipped to address mobile technologies. In some cases, the work-around is to make use of standalone mobile devices or emulators - on which significant proportions of the monitoring is conducted manually - and there typically remains significant work to be done in order to fully integrate the relevant technologies into core monitoring capabilities.

8. Addressing the Web3 landscape

Web3 (also known as 'Web 3.0') is a general term referring to decentralised content on the Internet, with a particular focus on blockchain technologies. Blockchains are publicly accessible digital ledgers in which transactions are recorded, and form the basis of many digital currencies (or 'cryptocurrencies') (such as Bitcoin), in addition to a number of other applications, such as supply-chain control by brand owners. From a brand-protection viewpoint, the main related areas of interest are typically NFTs and blockchain domains[16].

NFTs (non-fungible tokens) are unique tokens recorded on a blockchain, each typically pointing (via a URI in its metadata) to a digital file that is itself usually stored off-chain; it is ownership of the token, not of the file, that the blockchain records. They are most commonly associated with graphics files (such as artworks and branded imagery) or other types of digital content (such as audio or music files). However, brand owners are increasingly incorporating NFTs into their business models, including areas such as the production and trade of virtual branded items (e.g. items to be worn by avatars in virtual-reality environments within the 'metaverse', the name given to a generalised connected environment of 3D virtual worlds). Consequently, unofficial branded NFTs can be a source of concern for brand owners.

Blockchain domains - which are recorded (together with their ownership details) on a blockchain, rather than through the traditional registry and registrar system - have a number of similarities to 'classic' domain names, and can be utilised in a number of ways. The most common uses are the creation of decentralised websites on peer-to-peer (P2P) platforms, to be accessed via specially-enabled browsers, or as addresses for sending and receiving cryptocurrency. However, the blockchain domain ecosystem is essentially unregulated, and nothing analogous to domain-name zone files is available. The system is further complicated by the fact that the infrastructure allows for domain-name 'clashes' - i.e. the same name can exist independently on distinct blockchains or naming services. As with traditional domain names, blockchain domains with brand-specific names can be a threat to brand owners, and a potential source of confusion for customers.

Both NFTs and blockchain domains can be traded on NFT marketplaces (such as OpenSea), and the monitoring of these sites is typically the primary source of intelligence utilised by those brand-protection service providers offering capabilities in this area. For blockchain domains particularly, this approach is less than satisfactory, and offers nothing approaching the sort of comprehensive coverage as is available for regular gTLD domain names via zone-file analysis. Some additional information on the existence of registered blockchain domains is typically available through direct searches within databases provided by blockchain domain registrars and nameserver providers; however, the problem of more comprehensive detection is much more difficult to solve, potentially involving analysis of the content of the individual blockchains directly.

Another difficulty to be overcome in service offerings relating to NFTs and blockchain domains is the issue of enforcement against infringing content. In some cases, enforcement can be carried out through the submission of a DMCA (Digital Millennium Copyright Act) notice, and some NFT marketplaces have specific takedown procedures for content which infringes protected IP. However, in many cases, this simply involves the item being 'delisted' from the marketplace in question; the token itself remains on the blockchain. In the future, we may see a move towards more rigorous enforcement, potentially involving forced transfers of ownership. Part of the problem is that the legal issues surrounding NFTs and blockchain domains are, in many cases, still not well-defined and are rapidly evolving, complicated by factors such as the fact that ownership of an NFT does not necessarily grant ownership of copyright in the embedded or referenced content.

Beyond #8: Other emerging technologies

As new Internet technologies continue to emerge and develop, they will bring with them new risks for brand owners and associated challenges for brand-protection service providers, who will need to continue to observe and innovate in order to stay ahead of the curve.

At any given time, it is unclear where the next area of concern will come from. Currently, there is a great deal of buzz and speculation about artificial intelligence (AI) technologies and chatbots such as ChatGPT, but it is less obvious how these may affect brand-protection considerations. In this context, I am referring to content associated with, or produced by, AI applications. (Conversely, however, it seems highly likely that AI capabilities will be increasingly built into technologies used to facilitate the brand-protection process - i.e. tools to assist with monitoring, prioritisation, clustering and enforcement.)

Users communicate with AI technologies such as ChatGPT in natural language, and the system constructs its responses from the data on which it has been 'trained'. This means that the information available from a chatbot is only as good as its training data (in the case of ChatGPT, essentially large volumes of Internet content[17,18]), and should really be treated with at least as much caution as the old "I'm Feeling Lucky" button on Google, where the user is just presented with a single response (not necessarily the most reliable one!) to any given query. This point is all the more valid given the tendency of chatbots to extrapolate, and to provide confident responses based on incomplete information. What this all means is that chatbots pose the risk of providing information about (say) a company or brand which is misleading or otherwise damaging to corporate reputation. However, since responses are generated dynamically in response to queries (rather than being 'fixed', as in the content of an HTML webpage), it is not clear how these issues might be addressed from a brand-protection point of view. Further complications surround issues such as the ownership of rights to content produced by AI technologies[19].

Where chatbots may be of particular concern from a brand-protection and cybersecurity point of view is in their ability to rapidly create content of a wide variety of types, in a range of different styles - including the ability to write and de-bug computer code. What this may mean is that the entry barrier for infringers wishing to create compelling phishing e-mails[20], or write malicious programs ('malware')[21] may be significantly diminished. The likelihood is - at least in the first generations of AI technologies - that AI will not so much change the types of attack which are possible, but rather the ease with which they can be executed[22].

Another issue surrounds use-cases in which AI systems are 'trained' with confidential corporate information as part of the process of creation of company materials (such as marketing releases). These scenarios raise the possibility for the information to be accessed by third parties, either directly via hacking, or via content included in the responses provided to other users, depending on the ways in which information is 'shared' within the infrastructure of the AI technology itself[23].

References

[1] https://www.cst.cam.ac.uk/ring/halloffame

[2] https://www.markmonitor.com/download/ds/MarkMonitor-Corporate-Overview.pdf

[3] https://www.claymath.org/millennium-problems

[4] https://www.linkedin.com/pulse/assessing-mediating-digital-risk-landscape-brand-david-barnett/

[5] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[6] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[7] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[8] https://www.linkedin.com/pulse/hyphenated-domain-infringements-david-barnett/

[9] https://newgtlds.icann.org/en/about/program

[10] https://www.cscdbs.com/blog/the-world-of-the-subdomain/

[11] https://www.linkedin.com/pulse/exploring-domain-hostname-based-infringements-david-barnett/

[12] https://www.cscdbs.com/blog/do-you-see-what-i-see-geotargeting-in-brand-infringements/

[13] 'Brand Protection in the Online World: A Comprehensive Guide' by David Barnett (2016). Chapter 11: 'Deep' and 'Dark' Web

[14] https://www.statista.com/statistics/617136/digital-population-worldwide/

[15] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[16] https://www.linkedin.com/pulse/rise-nft-david-barnett

[17] https://www.sciencefocus.com/future-technology/gpt-3/

[18] https://techcrunch.com/2023/03/23/openai-connects-chatgpt-to-the-internet/

[19] https://intellectual-property-helpdesk.ec.europa.eu/news-events/news/intellectual-property-chatgpt-2023-02-20_en

[20] https://securityboulevard.com/2023/01/what-does-chat-gpt-imply-for-brand-impersonation-qa-with-dr-salvatore-stolfo/

[21] https://www.digitaltrends.com/computing/chatgpt-created-malware/

[22] https://venturebeat.com/security/security-risks-evolve-with-release-of-gpt-4/

[23] https://blogs.blackberry.com/en/2023/04/is-chatgpt-safe-for-organizations-to-use

This article was first published on 25 May 2023 at:

https://circleid.com/posts/20230525-the-millennium-problems-in-brand-protection

Tuesday, 31 January 2023

Four new case studies of domain registration activity spikes driven by real-world events

Introduction

A variety of previous studies have demonstrated how real-world events can trigger subsequent spikes in domain registrations and infringement activity. Previous CSC articles and reports have focused on issues as diverse as the COVID pandemic[1], the war in Ukraine[2], supply-chain issues affecting the baby-milk and semiconductor industries[3], the Euro 2020 competition[4], the Black Friday and Cyber Monday holiday shopping events[5], and the Reddit stock manipulation campaign targeting the GameStop organisation[6].

When a high-impact event or news story takes place, there is typically a resulting burst of public interest and online searches for associated content, and bad actors can take advantage of this 'buzz' for their own gain. There are a number of ways in which this can be implemented, including: the production of content (which can include areas such as the sale of goods via e-commerce sites) relating to the issue at hand; misdirection of users to infringing, unofficial or potentially malicious websites; phishing activity utilising branded domain names to host fraudulent websites or for their e-mail functionality; or monetisation of dormant high-traffic domains through the emplacement of pay-per-click (PPC) links. In some cases, potentially desirable names may also be seized with the intention of subsequent sale to the infringed brand owner (i.e. cybersquatting) or any other interested party. 

In this article, I look at four recent events or news stories, and focus on the manifestation of associated spikes in potential infringements, by considering patterns in domain registration activity. The analysis includes consideration of new registrations ('N'), re-registrations ('R') and domain drops (lapses) ('D').

Findings

Study 1: Changes of UK Prime Minister (Summer 2022)

Summer 2022 was a time of rapid political change in the UK, resulting in two changes of Prime Minister. The associated analysis considers registration activity of domains containing the names of the three leaders, specifically: (i) 'liz' plus 'truss'; (ii) 'rishi' plus 'sunak'; and (iii) 'borisjohnson' (or typos / variations). The findings are shown in Figure 1, where peaks in registration activity can be seen to correspond to associated key news events.

Figure 1: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and dropped ('D') domains, with names relating to the three 2022 UK Prime Ministers (Boris Johnson (top), Liz Truss (middle), Rishi Sunak (bottom)). Key events in the news timeline[7,8] are denoted according to the key shown below.

A: Boris Johnson announces resignation (07-Jul-2022)
B: Liz Truss enters leadership contest (10-Jul-2022)
C: Rishi Sunak frontrunner in leadership contest following second round of voting (13-Jul-2022)
D: Liz Truss confirmed as new Conservative leader and PM following party-member vote (05-Sep-2022)
E: Boris Johnson tenders resignation (06-Sep-2022)
F: Liz Truss faces political rebellion following economic turmoil (04-Oct-2022)
G: Liz Truss announces resignation following appointment of new Chancellor and reversal of 'mini-budget' policies (20-Oct-2022)
H: Rishi Sunak confirmed as new Conservative leader and PM (24-Oct-2022)

In this case, many of the registrations were associated with websites featuring satirical or commentary-related content (Figure 2), though some were of greater concern (misdirection to third-party content or potential phishing activity) (Figure 3). In general, political content can also be of particular concern in cases where it is found to be associated with the spread of misinformation, or to be attempting to manipulate voting patterns[9].

Figure 2: Examples of satirical websites identified in the registration dataset - second-level domain names (SLDs) (i.e. the part of the domain name to the left of the dot) are: borisjonson (registered 07-Sep-2022) (top); liztrussgame (registered 23-Oct-2022) (middle); hasrishisunakresignedyet (registered 15-Oct-2022) (bottom)

Figure 3: Examples of other websites identified in the registration dataset - SLDs are: trussliz and wetruzzliz (but displaying content relating to the UK opposition party) (registered 02-Jun-2022) (top); rishisunakforpm (registered 25-Oct-2022) (bottom)

Study 2: FIFA World Cup Qatar 2022

In this study, I consider domain registration activity relating to the 2022 FIFA World Cup competition which took place in Qatar between 20-Nov and 18-Dec 2022. The initial searches focused on all domains containing the keywords 'qatar' or 'world(-)cup', for which over 10,000 registration activity events were identified (comprising 8,690 unique domain names) during a one-year analysis period from December 2021 to December 2022. Continuous activity was identified throughout the year, though unsurprisingly with a ramp-up in new registrations towards the time of the event itself (Figure 4).

Figure 4: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R'), and dropped ('D') domains with names containing 'qatar' or 'world(-)cup'

In order to take a deeper dive into the highest-relevance domain names, I then focus on searches utilising keywords indicating that the domains under consideration are likely to pertain specifically to the event, rather than just referencing the more generic terms 'Qatar' or 'World Cup'. Specifically, this considers domains with names containing:

  • 'world(-)cup' AND 'qatar'; OR
  • ['world(-)cup' OR 'qatar'] AND ['football' OR 'futbol' OR 'soccer' OR '2022' OR 'fi(-)fa']

The methodology also considers only those domains which were still active as of the time of analysis (02-Dec-2022) (i.e. those for which the most recent activity event was not a domain drop ('D')). 

This focused analysis yields a dataset of 977 domains, for which the pattern of registration activity (considering only the most recent activity event for each unique domain name) is shown in Figure 5.
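The relevance rule and the 'most recent event is not a drop' filter described above, implemented over a constructed list of activity events as an added example (this is not code from the article or from CSC). The sample domains and dates are made up, and the regular expressions are my reading of the '(-)' notation as an optional hyphen:

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of domain activity events (day, domain, event), where the
# event is 'N' (new registration), 'R' (re-registration) or 'D' (drop). These
# records are illustrative and are not the article's dataset.
EVENTS = [
    (date(2022, 4, 3), "qatar-2022-i1.xyz", "N"),
    (date(2022, 4, 3), "qatar-2022-i2.xyz", "N"),
    (date(2022, 6, 14), "worldcup-tickets-qatar.com", "N"),
    (date(2022, 9, 1), "worldcup-tickets-qatar.com", "D"),
    (date(2022, 10, 20), "worldcup-tickets-qatar.com", "R"),
    (date(2022, 11, 5), "fifa-world-cup-2022.net", "N"),
    (date(2022, 11, 10), "qatarsoccerlive.com", "N"),
    (date(2022, 11, 12), "qatarsoccerlive.com", "D"),
    (date(2022, 11, 15), "qatarairways-deals.com", "N"),   # 'qatar' alone: generic
    (date(2022, 11, 18), "worldcupofcooking.com", "N"),    # 'world cup' alone: generic
]

# The article's keyword groups; '(-)' in the text is read as an optional hyphen.
WORLD_CUP = re.compile(r"world-?cup")
QATAR = re.compile(r"qatar")
EVENT_TERMS = re.compile(r"football|futbol|soccer|2022|fi-?fa")


def sld(domain):
    """Second-level label: the part of the name to the left of the first dot."""
    return domain.lower().split(".", 1)[0]


def is_high_relevance(domain):
    """('world(-)cup' AND 'qatar') OR (['world(-)cup' OR 'qatar'] AND an event term)."""
    name = sld(domain)
    has_wc = WORLD_CUP.search(name) is not None
    has_qatar = QATAR.search(name) is not None
    has_event_term = EVENT_TERMS.search(name) is not None
    return (has_wc and has_qatar) or ((has_wc or has_qatar) and has_event_term)


def latest_events(events):
    """Most recent activity event (day, kind) for each unique domain name.
    The sort is stable, so same-day events keep their recorded order."""
    latest = {}
    for day, domain, kind in sorted(events, key=lambda e: e[0]):
        latest[domain.lower()] = (day, kind)
    return latest


def active_high_relevance(events):
    """High-relevance domains whose most recent event is not a drop ('D')."""
    return {dom: ev for dom, ev in latest_events(events).items()
            if is_high_relevance(dom) and ev[1] != "D"}


def monthly_registration_counts(events):
    """Per-month counts of 'N' and 'R' events, using each domain's latest
    event only (the basis of a Figure 5 style chart)."""
    counts = defaultdict(Counter)
    for dom, (day, kind) in active_high_relevance(events).items():
        counts[(day.year, day.month)][kind] += 1
    return {k: dict(v) for k, v in sorted(counts.items())}


if __name__ == "__main__":
    for dom, (day, kind) in sorted(active_high_relevance(EVENTS).items()):
        print(f"{day}  {kind}  {dom}")
    print(monthly_registration_counts(EVENTS))
```

On the sample data, qatarsoccerlive.com matches the rule but is excluded because its latest event is a drop, and the two 'generic' names never match at all; the monthly counts then come only from the surviving domains.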

Figure 5: Daily (top) and monthly (bottom) numbers of new registrations ('N') and re-registrations ('R') combined, for high-relevance domain names relating to the Qatar World Cup (considering the most recent activity event for each unique domain name)

In this more focused dataset, the overall activity pattern is broadly similar, though an additional peak in registrations is also apparent in early April 2022. This relates to what appears to be one or two specific, short-lived, coordinated registration campaigns of domains with names of the form 'qatar-2022-iX.xyz' and 'worldcup2022-jYYX.buzz' (where 'X' is an additional digit and 'Y' is an additional character). Although none of these domains was found to resolve to any live site at the time of analysis, the .xyz and .buzz new-gTLD domain extensions have been noted as previously being frequently associated with malicious or infringing content[10,11].

Of the 977 high-relevance domains overall, 633 were found to yield an active website response (i.e. an HTTP status code of 200) at the time of analysis. Within this set, a range of potentially infringing or high-threat (i.e. non-official) content types was observed (Figure 6).

Figure 6: Examples of live websites relating to the Qatar World Cup, representing a range of content types of potential concern (with the SLD shown in each case in square brackets) - top to bottom: potential phishing [qatar2022]; piracy [worldcuplivefifa]; gambling [worldcupbet]; ticket sales [qatar-worldcup]; other e-commerce [qatarfootballcup]; cryptocurrency-related [qatarfifaworldcup]; NFT-related [worldcupnft2022]

Study 3: New Year 2023

The new year can be a prime time for brand owners to launch new products, campaigns and marketing activity, and one way in which this can be promoted in a topical fashion is through the registration of new domains making explicit reference to the year. However, similar tactics can also be employed by bad actors, through the registration of desirable domain names. In some cases, these domains may be registered well in advance of the start of the new year itself, as a way of 'getting ahead of the curve'. Accordingly, this study considers activity associated with the registration of domains with names beginning or ending with the string '2023' (i.e. 'left- or right-matches') throughout the calendar year 2022.

Over the course of 2022, 6,730 domain activity events (representing 6,458 unique domain names) were identified for '2023-specific' domains, as shown in Figure 7. 

Figure 7: Daily (top) and monthly (bottom) numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names beginning or ending with '2023'

Figure 8 shows the growth across 2022 of the cumulative total number of registered domains with names beginning or ending with '2023'.

Figure 8: Daily cumulative total number of registered domains with names beginning or ending with '2023'

Unsurprisingly, the greatest levels of activity (dominated by new registrations) occurred during the latter parts of 2022 (particularly in December), but it is significant that registrations were taking place throughout the year, with a continual growth in the number of registered '2023' domains. It is also worth noting that there were already 2,380 such domains registered at the start of 2022 (compared with 7,524 at the end).

Considering the unique domains represented in the 2022 activity dataset, a range of TLDs (domain extensions) were represented (Figure 9), including significant numbers of new-gTLDs, many of which are of concern due to the previously-noted frequency of their association with infringing activity[12].

Figure 9: Top TLDs amongst the unique '2023' domains represented in the 2022 activity dataset

Significant numbers of these domains were found to be associated with potentially infringing websites, including several with names including top brand names (Figure 10). 

Figure 10: Examples of potentially infringing websites with domain names including references to both '2023' and a brand name from the Interbrand top 20 list of 'best global brands'[13] (SLDs shown in square brackets): (top) potentially fraudulent cryptocurrency-related site [2023-tesla] (registered 27-Dec-2022); (bottom) traffic misdirection / re-direction to a site offering potentially unauthorised or unofficial informational content [2023bmw] and [2023-toyota] (both registered 07-Oct-2022)

A variety of other sites of potential concern were also identified in the dataset, including a range of examples where no brand name was present in the domain name itself. Some of these were, however, found to feature website content which appears to be infringing against specific brands (Figure 11).

Figure 11: Examples of websites offering the sale of potentially counterfeit products and with domain names including a reference to '2023' (SLDs are replicascamisetanba2023 and 2023freerunshoesshop)

Many of the domain names incorporate popular keywords, in apparent attempts to attract traffic in response to common web searches. These included examples such as 'nft' (present in 7 domains) and 'blackfriday' (present in 5 examples, despite Black Friday 2023 being 11 months away). Significantly, 'covid' and 'corona' both appeared in only one example each, perhaps indicating that the online buzz associated with the pandemic is subsiding. The dataset also included some more surprising examples, such as 'keto' (present in 522 domains in the dataset, in addition to several others featuring misspellings such as 'keeto'), perhaps reflective of the continuing popularity of keto diets. Many of these 'keto' domains appear to be part of one or more coordinated registration campaigns, with large numbers of examples with SLDs beginning '2023keto' followed by strings of random characters, across new-gTLDs such as .cyou, .click and .buzz. Even amongst groups of such domains registered on the same day and TLD, a range of content types were observed, including nutrition-related sites, sites advertising a business promotion service provider, and even adult content.

Study 4: Southwest Airlines’ logistics crisis

In December 2022, US air operator Southwest Airlines experienced a 'travel meltdown' in which a series of logistical failures resulted in the cancellation of more than 16,000 flights between 21-Dec and 31-Dec, resulting in tens of thousands of customer refund claims per day, and overall losses to the organisation of between $725 million and $825 million[14].

In this case, I considered domains with names containing 'southwest' (or variants), over a one-month period between 12-Dec-2022 and 11-Jan-2023, to determine whether the story generated activity in response to the increased interest in the company and the desire by customers to claim refunds.

Overall, 708 domain activity events, representing 674 unique domain names, were identified during the monitoring period, including a general spike in overall registration activity around the 11-day period in which the incident took place (Figure 12).

Figure 12: Daily numbers of new registrations ('N'), re-registrations ('R') and dropped ('D') domains with names containing 'southwest' (or variants)

Since the term 'southwest' is relatively generic, I then focused on the subset of ('high-relevance') domains which appear to relate specifically to Southwest Airlines and the associated events of the story. This was done by considering those domain names which also feature relevant keywords (such as 'air' (but excluding false positives such as 'repairs', 'fairs', etc.), 'aviation', 'aerospace', 'bookings', 'claim' or 'classaction'), or where the domain name itself is a misspelling of Southwest's official website (southwest.com). This yielded a dataset of 46 domain activity events, comprising 43 unique domain names. Within this reduced dataset, the spike in activity around the time of interest can be seen to be much more pronounced (Figure 13).

Figure 13: Daily numbers of new registrations ('N') and re-registrations ('R') combined, and drops ('D'), for high-relevance domains with names containing 'southwest' (or variants)

Of the 36 registration or re-registration events within the dataset of high-relevance domains, 30 (83%) occurred in the four-day period between 27-Dec and 31-Dec.
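The high-relevance filter used in this study (relevance keywords, the 'repairs' / 'fairs' exclusion for 'air', and misspellings of the official site) as an added example, not the article's or CSC's code. The candidate names are constructed, and the edit-distance threshold of 2 for what counts as a misspelling is my assumption:

```python
import re

# Constructed sample of candidate names containing 'southwest' or a misspelling
# of it; illustrative only, not the article's dataset.
CANDIDATES = [
    "southwest.com",                     # the official site itself
    "southwset.com",                     # transposition typo of the official site
    "souhtwest.com",
    "sothwest.com",
    "southwest-air-line.com",
    "southwestairlinesclassaction.com",
    "southwest-bookings.com",
    "southwestrepairs.com",              # 'air' inside 'repairs': false positive
    "southwestfairs.org",                # 'air' inside 'fairs': false positive
    "southwestplumbing.net",             # generic use of the term
    "southwestaviation.co",
]

BRAND = "southwest"
OFFICIAL = "southwest.com"
RELEVANCE_TERMS = ("aviation", "aerospace", "bookings", "claim", "classaction")
# 'air' counts only when it is not preceded by a letter, so 'repairs' and 'fairs'
# do not match; the brand string is replaced by a space first so that
# 'southwestair...' still does.
AIR_RE = re.compile(r"(?<![a-z])air")


def sld(domain):
    """Second-level label: the part of the name to the left of the first dot."""
    return domain.lower().split(".", 1)[0]


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions and substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """'official', 'typo' (misspelling of the brand string, threshold assumed),
    'keyword' (brand plus an airline / claim term), 'generic' (brand only)
    or 'unrelated'."""
    domain = domain.lower()
    name = sld(domain)
    if domain == OFFICIAL:
        return "official"
    if name != BRAND and edit_distance(name, BRAND) <= 2:
        return "typo"
    if BRAND not in name:
        return "unrelated"
    remainder = name.replace(BRAND, " ")
    if any(term in remainder for term in RELEVANCE_TERMS) or AIR_RE.search(remainder):
        return "keyword"
    return "generic"


def high_relevance(domains):
    """The subset a brand owner would track and review first."""
    return [d for d in domains if classify(d) in ("typo", "keyword")]


if __name__ == "__main__":
    for d in CANDIDATES:
        print(f"{classify(d):10s} {d}")
    print(len(high_relevance(CANDIDATES)), "high-relevance names")
```

The lookbehind in AIR_RE is what separates 'southwest-air-line' and 'southwestairlines' from 'southwestrepairs': after the brand string is blanked out, 'air' in the former is preceded by a hyphen or a space, and in the latter by the letter 'p'.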

Of the 43 unique high-relevance domain names in total, 10 were inactive as of the date of analysis (12-Jan-2023). Of the remainder, 27 (68% of the total) resolved to parking pages featuring pay-per-click (PPC) links, indicating an effort by the site owners to monetise the traffic received by the sites. One domain resolved to a site which may be associated with a recruitment scam (Figure 14), one re-directed to the website of a legal-service provider (apparently abusing the Southwest brand name in an attempt to take advantage of customers' potential desire to take legal action against the company), and one generated a browser warning indicating that dangerous content had formerly been present; the remaining domains hosted a range of other content types.

Figure 14: Example of a website associated with a possible recruitment scam, hosted on a high-relevance, brand-specific domain name

Four (9%) of the high-relevance domain names are configured with MX records, indicating the ability to send and receive e-mails, and suggesting that the domains may be associated with phishing or brand-impersonation activity.

Within the dataset, two instances of domain 'tasting'[15] were identified, comprising domains (with SLDs of southwest-air-line and southwest-bookings) being registered and then dropped the following day, and possibly indicating efforts by the owners to determine the levels of traffic received by the sites, or to launch short-lived (and thereby difficult to detect) phishing attacks.

31 of the high-relevance domains had registration (whois) information available, all of which used privacy-protection providers or had redacted contact information, possibly indicating efforts by the owners to maintain anonymity and potentially nefarious intentions.

Additionally, several individual 'clusters' of domains, potentially representing coordinated registration campaigns by specific entities, were identified. These included:

  • One group of 12 domains all registered on 28-Dec-2022, comprising misspellings of 'southwest.com' and hosted on a group of four consecutive IP addresses
  • One group of five domains all registered on 30-Dec or 31-Dec and all hosted at the same IP address, with names comprising references to 'southwestairlinesclassaction' (or variants)
  • One group of eight domains all registered on 29-Dec or 30-Dec and all hosted at the same IP address

All of the above domains resolved to parking pages featuring PPC links at the time of analysis.
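One way of surfacing the coordinated registration 'clusters' described in this study, and the pattern-based campaigns noted in Studies 2 and 3 ('qatar-2022-iX' and '2023keto' plus random characters), as an added example with constructed records; this is not CSC's clustering technology. Two views are used: names registered on the same day in the same TLD that share a leading string, and names hosted in the same small block of IP addresses within a few days of each other. The prefix length of 8, the /29 block and the two-day window are assumptions, and the IP addresses are from documentation ranges:

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed registration records: domain, registration date and hosting IP
# (None where the name does not resolve). IPs are RFC 5737 documentation
# addresses; none of this is the article's dataset.
RECORDS = [
    {"domain": "qatar-2022-i1.xyz", "registered": date(2022, 4, 5), "ip": None},
    {"domain": "qatar-2022-i2.xyz", "registered": date(2022, 4, 5), "ip": None},
    {"domain": "qatar-2022-i3.xyz", "registered": date(2022, 4, 5), "ip": None},
    {"domain": "qatar-2022-i4.xyz", "registered": date(2022, 4, 5), "ip": None},
    {"domain": "2023ketoa1b2.cyou", "registered": date(2022, 12, 10), "ip": "192.0.2.5"},
    {"domain": "2023ketoc3d4.cyou", "registered": date(2022, 12, 10), "ip": "192.0.2.60"},
    {"domain": "2023ketoe5f6.cyou", "registered": date(2022, 12, 10), "ip": "192.0.2.200"},
    {"domain": "southwset.com", "registered": date(2022, 12, 28), "ip": "203.0.113.10"},
    {"domain": "sothwest.com", "registered": date(2022, 12, 28), "ip": "203.0.113.11"},
    {"domain": "souhtwest.com", "registered": date(2022, 12, 28), "ip": "203.0.113.12"},
    {"domain": "southwestairlinesclassaction.com", "registered": date(2022, 12, 30), "ip": "198.51.100.7"},
    {"domain": "southwestairlineclassaction.com", "registered": date(2022, 12, 30), "ip": "198.51.100.7"},
    {"domain": "southwest-airlines-classaction.com", "registered": date(2022, 12, 31), "ip": "198.51.100.7"},
    {"domain": "southwestplumbing.net", "registered": date(2022, 12, 20), "ip": "192.0.2.9"},
]


def split_domain(domain):
    """(second-level label, remainder of the name after the first dot)."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def name_clusters(records, prefix_len=8, min_size=3):
    """Domains registered on the same day, in the same TLD, whose SLDs share a
    leading string. This catches '2023keto<random>' style campaigns even
    though the random suffix differs from name to name."""
    groups = defaultdict(list)
    for r in records:
        name, tld = split_domain(r["domain"])
        groups[(r["registered"], tld, name[:prefix_len])].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def hosting_clusters(records, prefix=29, min_size=3, max_span_days=2):
    """Domains hosted in the same small IP block (a /29 covers eight consecutive
    addresses) and registered within a few days of each other; prefix=32
    requires the exact same address."""
    groups = defaultdict(list)
    for r in records:
        if r["ip"] is None:
            continue
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        groups[net].append(r)
    out = {}
    for net, rs in groups.items():
        days = [r["registered"] for r in rs]
        if len(rs) >= min_size and (max(days) - min(days)).days <= max_span_days:
            out[str(net)] = sorted(r["domain"] for r in rs)
    return out


if __name__ == "__main__":
    for key, doms in name_clusters(RECORDS).items():
        print("name pattern", key, doms)
    for net, doms in hosting_clusters(RECORDS).items():
        print("hosting", net, doms)
```

The two views are deliberately independent: the 'qatar-2022' names never resolve, so only the name view finds them, while the three misspellings of the airline share no leading string and are found only because they sit on consecutive addresses in one /29.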

Conclusion

The above news stories or events are all of different types, including examples which are regional or global in scope, and those which may be relevant mainly to specific corporations or industry areas. However, in all cases, resulting spikes in associated domain registration activity were observed. In general, this activity incorporates a mixture of both legitimate and non-legitimate (potentially threatening) registrations, comprising responses both by the official organisations concerned, and by nefarious bad actors.

The findings highlight that, in addition to the construction and maintenance of official domain portfolios by brand owners - and the protection of critical domains using appropriate domain security measures[16,17] - monitoring for third-party activity remains of crucial importance. Particular additional focus is required when external events drive increased public interest in associated content, which can result from industry-relevant events, news stories, marketing activity or product releases, corporate changes, and a range of other factors. Accordingly, the monitoring strategy needs to be flexible enough to evolve in response to emerging issues as they develop. Also key to the protection of the brand is a robust enforcement programme incorporating a wide range of approaches, to ensure the swift takedown of damaging infringing content.

It is also striking that so much of the observed activity is carried out so far in advance of the date of the events themselves, showing the significance of proactivity and timeliness in brand protection initiatives, combined with a robust strategy of defensive registrations, to obtain required domains in advance of their registration by wily third parties.

References

[1] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/ 

[2] https://www.cscdbs.com/blog/how-to-manage-the-online-effects-of-the-ukraine-war/

[3] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[4] https://www.cscdbs.com/blog/euro-2020-part-3-domains-revisited-and-other-channels/

[5] https://www.cscdbs.com/blog/holiday-shopping-events-part-2/

[6] 'The GameStop saga - how online activity and news stories can create feedback loops', Brand Journal, issue no. 21 (April 2021) (internal CSC publication)

[7] https://www.euronews.com/2022/10/14/truss-timeline-key-events-in-three-months-of-political-chaos-in-british-politics

[8] https://www.cnn.com/uk/live-news/uk-prime-minister-announcement-monday-gbr-intl/index.html

[9] https://www.ox.ac.uk/news/2021-01-13-social-media-manipulation-political-actors-industrial-scale-problem-oxford-report

[10] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[11] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[12] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[13] https://interbrand.com/best-global-brands-2022-download-form/

[14] https://www.cnn.com/travel/article/southwest-airlines-dot-complaints/index.html

[15] https://www.cscdbs.com/blog/patterns-and-trends-in-domain-tasting-of-the-top-10-global-brands/

[16] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[17] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 31 January 2023 at:

https://www.linkedin.com/pulse/four-new-case-studies-domain-registration-activity-spikes-barnett/

Tuesday, 17 January 2023

Holistic brand, fraud and cyber protection using domain threat intelligence

Synopsis of a presentation for the CSC Cybersecurity and Brand Forums (Copenhagen and London) 2022

Introduction

As of July 2022, the global number of Internet users was estimated at 5.03 billion (over 63% of the total population)[1], each spending an average of nearly 7 hours per day online. The Internet is accessible through a range of devices (including mobile phones, which now account for 56% of Internet usage). There are also 4.7 billion users of social media, with the list of most popular platforms topped by Facebook, YouTube and WhatsApp[2]. Overall, the Internet generates an economy of around 15%[3] of global GDP - equivalent to around $15 trillion[4], and a figure which is growing two-and-a-half times faster than GDP itself.

This ubiquitous engagement with the online world means that the Internet is not only used by brand owners and their customers in the execution of their business, but also by infringers looking to abuse trusted brands to their own advantage. The Internet makes it very easy for criminals to gain an online presence, with the ability to create low-cost content in a context where relative anonymity is easily achievable.

Moreover, consumers are increasingly of the opinion that it is the responsibility of brand owners to protect them from - and compensate them for - online harms[5], viewing with distrust those companies which are repeatedly subject to infringement and abuse[6]. These factors further strengthen the importance of organisations proactively protecting their brands online.

A number of key areas of threat are particularly relevant, as outlined below.

  • Cybersecurity - 9.7 million distributed denial-of-service (DDoS) attacks were reported in 2021, a year-on-year drop of 3%, but a 14% increase over 2019[7], and with H1 2021 seeing a doubling of cases using multiple attack vectors. There was also a 30% year-on-year increase in the size of the largest DDoS attacks, with the largest attacks (to the end of 2021) reaching sizes of 2.4 Tbps and 2.3 Tbps (1 Tbps = 1 Terabit (10^12 bits) per second) (against Microsoft and Amazon, respectively). A trend towards larger numbers of smaller, short attacks was also observed, with Neustar reporting a 76% increase in the number of attacks mitigated between Q1 2020 and Q1 2021[8]. The emergence of ‘ransom DDoS’ – where payment is demanded, usually after an initial ‘demonstration’ attack, in return for not launching a full DDoS – has also been observed[9,10]. 88% of organisations were reported as having suffered at least one DNS attack (mostly DNS phishing, DNS-based malware or DDoS) in 2021, with each attack costing the enterprise an average of $942,000[11]. Other types of attack, including DNS tunnelling and cache poisoning, were also noted in over one-third of cases. 61% of companies experienced multiple attacks within the previous 12 months, with 14% experiencing multiple hours of downtime[12].

Furthermore, 28% of security incidents were attributed to the use of malware in 2021[13], with ransomware showing a 69% growth in volume between Q3 and Q4 2020[14]. 48% of businesses were subject to ransomware attacks in 2021, with an average period of downtime for those affected of 23 days. Overall, phishing is increasingly recognised as the most common attack vector for malware distribution[15].

Finally, a 2021 study showed that 39 million pieces of information had been compromised from FTSE 100 companies, via more than 9,000 separate data breaches resulting from the use of re-used log-in details, weak passwords and data collected using keyloggers[16].

  • Phishing - Figures from the Anti-Phishing Working Group show that more than 1 million distinct phishing attacks have been recorded in each of Q1 and Q2 2022, with both quarters experiencing the highest totals ever recorded, and over 600 distinct brands targeted each month[17,18]. Overall, two-thirds of phishing campaigns are still geared towards credential theft[19]. Even more concerningly, 82% of phishing sites employ SSL / TLS certificates (allowing use of HTTPS), up from 5% at the end of 2016, and with 90% of certificates issued by free providers such as cPanel and Let’s Encrypt. 69% of phishing sites are registered through just the top ten registrars[20], and 57% of phishing domains are utilised within 14 days of registration (with more than half of these going active within 48 hours). For a large organisation, annual losses due to phishing activity are estimated at $15 million[21].

Additionally, 71% of companies experienced a BEC (business e-mail compromise) attack utilising a spoofed e-mail account or website in 2021[22], with the total loss to businesses (for 2020) estimated at $1.8 billion[23]. The average amount requested in wire-transfer attacks was $109,000 in Q2 2022, up from $91,000 the previous quarter. 

  • Brand threats - Other types of brand-related infringements also continue to pose significant threats. Some of the main areas include: counterfeiting and e-commerce infringements – with a global trade in counterfeit goods valued at $464 billion in 2019 (2.5% of the total global economy)[24], as part of an overall annual spend on e-commerce of $4 trillion[25]; and digital piracy – with more than 130 billion visits to piracy websites recorded in 2020 and one-quarter of Internet bandwidth used for the unauthorised sharing of copyrighted content[26].

However, other types of brand-related content can also be of concern. Instances of traffic misdirection, false affiliation, potential brand confusion, activism, and so on can also have significant impacts on corporate revenue, customer experience, and brand value, reputation and trust.

Damaging brand-related content can take a variety of forms, and can be thought of as existing within a spectrum of severity classifications, from lower-threat 'brand abuse' (covering instances where the brand is being used in a way which is perhaps inconsistent with corporate guidelines, or incorporating negative comment or corporate disparagement, but where enforcement action may be neither necessary nor appropriate), through 'brand infringement' (where the content constitutes a contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal in intent, such as phishing or the sale of counterfeit goods) (Figure 1).

Threat type - Typical risks

  • Phishing - Compromise of customer details; financial losses; reputational damage
  • Other fraud issues (sites associated with advance-fee fraud, 'carder' sites, etc.) - (as above)
  • Duplicated site content - Fraudulent activity; unauthorised use of branded content; visibility of 'test' sites not intended to be in the public domain
  • Site framing - Potential for framed site to be non-legitimate; imposition of third-party content around framed site
  • Employee activity / postings - Leakage of sensitive information; risk of social engineering; undesirable brand association
  • Traffic diversion / brand 'seeding' - Loss of revenue; undesirable brand association; distribution of malicious content
  • Activism / negative comment - Brand / reputational damage; 'real-world' threats
  • Misuse of unofficial logo - False claims of affiliation; unauthorised use of IP; logos made available for potential creation of fake sites
  • Potential brand confusion - Customer confusion; loss of revenue
  • Claimed affiliation - Brand damage; loss of revenue; breaches of brand-usage standards

Figure 1: Examples of typical threat types identified through a brand monitoring service (for general Internet content), and the associated risks. (Increasing potential threat level from bottom to top.)

Connectedness of brand, fraud and cybersecurity issues

The areas of brand, fraud and cybersecurity issues are all linked, and this connectedness can manifest itself in a number of different ways. 

Firstly, there is very often a correlation between real-world events and a resulting spike in associated cybersecurity issues and brand infringements. This has been highlighted in a variety of previous CSC studies, including the observations that specific events during the COVID pandemic were followed by peaks in COVID-related domain registration activity[27], and that supply-chain issues such as those seen with the baby-formula shortage of 2021-2[28] resulted in the appearance of infringing websites utilising industry-related keywords[29]. In both of these cases, real-world issues presented an opportunity to the fraudsters to take advantage of, and monetise, the difficulties being experienced by consumers. 

More generally, the intrinsically connected nature of domain names and DNS, and the increasing use by many organisations of extensive networks of suppliers, vendors and customers, provides opportunities to bad actors to launch cyber-attacks targeting the weakest point in the supply chain[30].

Finally, it is increasingly recognised that the choice by corporations of an appropriate domain registrar with whom to partner for their domain management - and the associated adoption of appropriate domain security policies - comprises a significant input into their overall security posture. Specifically, a study by SecurityScorecard shows that the use of an enterprise-class registrar results in a security rating increase of between 0.5 and 1 grade[31]. These factors also have significant other consequences, such as impacts on the levels of access to - and cost of - cyberinsurance[32].

The above points highlight the importance of a holistic security programme, consisting of elements of both domain security (as part of a domain-management service) and brand protection (incorporating both monitoring and enforcement). This is illustrated by Figure 2, showing a schematic of how a robust security posture incorporates these multiple elements:

  • Domain management is concerned with domains under official ownership (the 'core' domains used in the day-to-day execution of business, such as providing hosting for websites and e-mails; and 'tactical' or defensive registrations, held in order to prevent third-party use and registered for potential future use regarding planned brand or product launches or geographical expansion)

  • Brand protection addresses third-party activity external to this corporate technical infrastructure ('outside the firewall') - part of the reason this is necessary is because it is neither sustainable nor cost-effective to register domains containing every possible permutation of brand variants and keywords[33]. However, a truly effective brand-protection programme needs to consist of holistic monitoring covering a range of content types (such as general Internet content, domain names, social media, e-commerce marketplaces, mobile apps, etc.), as there is increasing inter-connection between these areas, which essentially just comprise different channels in which the same types of infringement can appear.

Figure 2: Schematic of how a robust security posture is composed of elements of domain management and brand protection

In these areas, branded domain names sit in a position of central importance (when considering both official corporate and third-party content). A domain name incorporating a brand name will generally have high visibility (in terms of its search-engine ranking in response to brand-specific search terms), will constitute a more explicit use (or abuse) of IP rights (and thereby yield greater enforcement options), and provides the greatest potential for customer confusion or fraudulent use (e.g. in the construction of a convincing phishing site[34]). Threat analysis and threat remediation for domains is therefore a key element of all cybersecurity initiatives.

Remediation

A range of security products and services can be deployed to address the threats described above. From a domain security point of view, a range of products offered by enterprise-class registrars can help to mitigate the risks of an attack (Figure 3).

Domain security measure - Purpose

  • DNS hosting redundancy - Mitigates against downtime and DDoS attacks
  • DNSSEC (Domain Name System Security Extensions) - Cryptographically signs DNS data so that resolvers can detect forged responses intended to re-direct users to deceptive websites
  • SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) - E-mail authentication standards which mitigate spam, spoofing, and phishing
  • MultiLock - Combines registry- and registrar-level locks and a whois lock to prevent unauthorised changes of DNS records and domain hijacking
  • CAA (Certification Authority Authorisation) records - Ensures that only authorised certification authorities can issue a certificate
  • Use of an enterprise-class registrar - Specialises in working with enterprises that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance and cybersecurity

Figure 3: Domain security measures used to mitigate attacks
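Several of the measures in Figure 3 can be checked from a zone's published DNS records. The following added example (not CSC's tooling) evaluates constructed SPF, DMARC and CAA records for a weakly configured zone and a hardened one, and lists the gaps as a reviewer would. DKIM (which needs the selector name to look up), DNSSEC and registry locks are not visible in these text records and are not covered; the zone names and records are made up:

```python
import re

# Constructed DNS data for two illustrative zones (not any real domain's
# records): the TXT records at the apex, the TXT record at _dmarc, and CAA.
ZONES = {
    "weak.example": {
        "TXT": ["v=spf1 include:_spf.example.net +all"],
        "_dmarc.TXT": ["v=DMARC1; p=none"],
        "CAA": [],
    },
    "hardened.example": {
        "TXT": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened.example; adkim=s; aspf=s"],
        "CAA": ['0 issue "letsencrypt.org"', '0 issuewild ";"', '0 iodef "mailto:security@hardened.example"'],
    },
}

# Mechanisms and the redirect modifier that cost a DNS lookup (RFC 7208, s. 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=")


def check_spf(txt_records):
    """Findings for the SPF record: missing, duplicated, permissive 'all', or too many lookups."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record; any host can claim to send mail for the domain"]
    if len(spf) > 1:
        return ["SPF: multiple records; RFC 7208 requires exactly one, receivers treat this as a permanent error"]
    terms = spf[0].split()
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender; use '-all' (fail) or '~all' (softfail)")
    elif last == "~all":
        findings.append("SPF: '~all' softfail only; prefer '-all' once all legitimate senders are listed")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no guidance; use '-all'")
    elif last != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism; the default result is neutral")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(txt_records):
    """Findings for the DMARC record: missing, non-enforcing policy, no reporting address, partial pct."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return ["DMARC: no record; SPF/DKIM failures are not enforced and no reports are received"]
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine and then p=reject")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine; p=reject gives receivers the strongest instruction")
    elif p != "reject":
        findings.append("DMARC: missing or invalid 'p' tag; the record is not valid")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports about spoofing attempts will not be received")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def check_caa(caa_records):
    """Findings for CAA: missing record, or no 'issue' restriction."""
    if not caa_records:
        return ["CAA: no record; any public CA may issue certificates for the domain"]
    if not any(re.match(r"^\d+\s+issue\s", r) for r in caa_records):
        return ["CAA: no 'issue' tag; certificate issuance is not restricted"]
    return []


def assess(zone):
    """All findings for one zone; an empty list means nothing to report."""
    return check_spf(zone["TXT"]) + check_dmarc(zone["_dmarc.TXT"]) + check_caa(zone["CAA"])


if __name__ == "__main__":
    for name, zone in ZONES.items():
        print(name)
        for finding in assess(zone) or ["no findings"]:
            print("  -", finding)
```

Running it lists four findings for weak.example (permissive SPF, monitoring-only DMARC with no reporting address, and no CAA) and none for hardened.example; the same checks can be pointed at live records fetched with any DNS client.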

Considering the brand protection component of a security programme, most services will consist of an iterative four-part process, incorporating detection (monitoring), prioritisation of results, investigation and countermeasures, and action and reporting. Of these, enforcement (part of the 'action' stage) – i.e. the removal of infringing content – is of key importance, for a number of reasons:

  • It protects brand, revenue, reputation, and customers from the harmful effects of infringements
  • It provides a deterrent effect to infringers - essentially, making the brand a 'harder' target
  • Enforcement is often a pre-requisite for keeping IP protection in place, or may be a regulatory requirement
  • Having a 'toolkit' of enforcement approaches of varying complexity and cost allows the most efficient and cost-effective approach to be taken in any given case, while reserving options for escalation[35].

The technology offered by enterprise-class brand protection service providers may incorporate clustering technology, allowing insights into links between infringements to be established. This has a number of benefits:

  • It enables identification of key or serial infringers, allowing prioritised enforcement action
  • It reveals instances of bad-faith activity (e.g. cases where multiple brands are targeted by the same infringer), yielding a more compelling case for enforcement
  • It can identify instances of linked infringements, raising the possibility for efficient bulk takedowns (e.g. where multiple sites are registered through the same registrar and can be enforced in a single action)

As part of this security initiative, determining the level of threat associated with a particular domain allows the brand owner to take focused action where most required.

Quantifying threat

A key feature of an effective domain-management programme is the ability to determine which portfolio domains are 'critical' and require the highest level of security protection. More generally, the extent of adoption by corporations of relevant security measures (as listed in Figure 3) for their official domains can provide a good general metric for their security risk exposure. 

For brand protection, quantifying the level of potential threat posed by third-party content (e.g. a new domain registration) is (even) more complex. Numerous elements, such as the presence of a brand name (or variations) or keywords in the domain name, features relating to the content and technical configuration of any associated website, and registrant and registrar characteristics, can all be relevant. However, the ability to quantify threat is important for a number of reasons:

  • It provides a methodology to prioritise identified results, allowing determination of:
    • Which results should be considered primary targets for further analysis
    • Which results should be tracked in order to identify changes in content or configuration
    • Which results should be considered priority targets for enforcement
  • It provides insights into brand and keyword patterns and TLDs (domain extensions) which should be considered for defensive domain registrations

A number of previous studies have looked at features which may be relevant for determining the overall level of threat posed by a domain. Two examples include:

  • A study looking at the TLDs which are most frequently associated with malicious domains (phishing, spam or malware)[36]. The analysis shows that the highest-threat TLDs tend to be those associated with the Africa, Asia, or Caribbean regions, and new gTLDs. The TLDs most popular with infringers tend to be those which:
    • Offer free or low-cost registration, or have lax registration security policies
    • Are associated with regions with poorly defined or low reliability enforcement routes
    • Are associated with low-wealth countries, where ISPs may lack technical expertise, leaving the domains more prone to compromise
  • A study looking at domains with names similar to any of the top ten most valuable company brands, focusing on 'cousin domains', fuzzy matches (typos), and homoglyph character replacements, and considering the types of content present on these 'typo' domain names[37]. The analysis is based on the assumption that a confusingly similar domain name is likely to have been registered for fraudulent use, and that the degree of similarity to the official corporate domain name may therefore be a key factor in determining the level of threat. The study identified almost 8,500 unique domain names over the course of one year, almost all of which were registered to third parties, and found that a range of types of infringing content were indeed present on the associated websites. Furthermore, around one-third of the domains active at the time of analysis were configured with active MX records, indicating that they may be in use for e-mail (e.g. in phishing or BEC attacks).
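The features discussed above (brand similarity via homoglyph, typo and 'cousin' domain matching, TLD risk, and an active MX record) can be combined into a simple triage score that sorts third-party registrations into the enforce / track / low buckets listed earlier. This is an added illustration, not code from the article or from any brand-protection vendor; the weights, the TLD risk table, the lure keywords and the sample domains are all constructed, and a domain is assumed to be a single label plus TLD.

```python
"""Domain threat scoring for brand-protection triage. Added example, not the article's
or any vendor's code; weights, TLD risk table, lure keywords and samples are constructed."""

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # constructed
TLD_RISK = {"com": 5, "net": 5, "org": 5, "xyz": 20, "top": 20, "tk": 25}      # constructed
LURE_KEYWORDS = ("login", "secure", "support", "verify", "account")            # constructed


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used for fuzzy (typo) matching of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Undo homoglyph substitutions such as 'rn' for 'm', 'vv' for 'w' or '0' for 'o'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def assess(domain: str, brand: str, has_mx: bool, registrant: str) -> dict:
    """Score one registration (assumed label.tld) against a brand; higher is more urgent."""
    label, _, tld = domain.lower().partition(".")
    norm, brand = normalise(label), brand.lower()
    hits = []  # (points, reason) pairs explaining the score
    if registrant.lower() == brand:  # portfolio domain owned by the brand: no threat
        hits.append((0, "registered to brand owner"))
    elif norm == brand:
        hits.append((45, "brand label (exact or homoglyph)"))
    elif levenshtein(norm, brand) <= 1:
        hits.append((40, "typo of brand"))
    elif brand in norm:
        hits.append((30, "cousin domain containing brand"))
        if any(k in norm for k in LURE_KEYWORDS):
            hits.append((10, "lure keyword present"))
    if hits and hits[0][0]:  # brand similarity found: weigh TLD risk and mail capability
        hits.append((TLD_RISK.get(tld, 10), f"tld .{tld} risk"))
        if has_mx:
            hits.append((15, "active MX record (mail capable)"))
    score = sum(p for p, _ in hits)
    priority = "enforce" if score >= 60 else "track" if score >= 30 else "low"
    return {"score": score, "priority": priority, "reasons": [r for _, r in hits]}
```

In practice `has_mx` and `registrant` would be populated from DNS and registration data for each monitored result; here they are passed in so the logic runs offline.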

Key take-aways and discussion

The Internet landscape offers multiple opportunities for bad actors to launch cyber- and brand attacks, which can take a number of different forms. These can include direct attacks against domain or corporate infrastructure (such as DDoS, DNS attacks, and domain hijacking), other types of attacks (such as phishing, BEC, and malware attacks) and other brand infringements (including familiar areas such as counterfeiting and piracy). 

Brand, fraud and cybersecurity issues are fundamentally interconnected, providing a push towards the introduction of digital governance teams within organisations, composed of representatives from marketing, IP / legal, security and domain operations, working together to mediate the threats. 

Fundamentally, domain names are central to cybersecurity considerations, with an effective security programme requiring a combination of domain security measures and brand protection (composed of monitoring and enforcement). The ability to quantify threat is central to this endeavour, ensuring that mediating action can be applied where it is most needed. Unfortunately, many of the top global companies have significant shortcomings in their security postures, with CSC's Domain Security Reports 2021 and 2022 showing that many of the Global Forbes 2000 exhibit only limited adoption of significant domain security measures[38,39].

References

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/ 

[2] https://datareportal.com/reports/digital-2021-global-overview-report

[3] https://www.worldbank.org/en/topic/digitaldevelopment/overview 

[4] https://data.worldbank.org/indicator/NY.GDP.MKTP.CD

[5] https://www.globalsecuritymag.com/British-consumers-expect-brands-to,20211004,116709.html

[6] https://www.mimecast.com/blog/brand-impersonation-one-cyberattack-is-enough-to-lose-consumer-trust-and-custom/

[7] https://www.netscout.com/threatreport

[8] "Cyber Threats and Trends", Neustar (direct communication to CSC)

[9] https://www.home.neustar/blog/wave-of-ddos-ransom-attacks-target-voip-services

[10] https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip

[11] https://www.efficientip.com/wp-content/uploads/2022/05/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

[12] https://www.helpnetsecurity.com/2021/10/26/organizations-dns-attacks/

[13] https://www.raconteur.net/report/fighting-fraud-2021/

[14] https://www.mcafee.com/enterprise/en-us/lp/threats-reports/apr-2021.html

[15] https://www.cisa.gov/stopransomware/general-information

[16] https://spycloud.com/resource/2021-ftse-100-breach-exposure/

[17] https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf

[18] https://docs.apwg.org/reports/apwg_trends_report_q2_2022.pdf

[19] https://cofense.com/annualreport

[20] https://interisle.net/PhishingLandscape2021.pdf

[21] https://www.proofpoint.com/uk/resources/analyst-reports/ponemon-cost-of-phishing-study

[22] https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

[23] https://securityboulevard.com/2021/03/64-times-worse-than-ransomware-fbi-statistics-underline-the-horrific-cost-of-business-email-compromise/

[24] https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/reports/2021_EUIPO_OECD_Report_Fakes/2021_EUIPO_OECD_Trate_Fakes_Study_FullR_en.pdf

[25] https://business.adobe.com/resources/digital-economy-index.html

[26] https://www.go-gulf.com/online-piracy/

[27] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[28] https://www.cnbc.com/2022/08/02/what-you-need-to-know-about-the-us-baby-formula-shortage.html

[29] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[30] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

[31] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[32] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[33] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[34] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[35] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[36] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[37] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[38] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[39] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 17 January 2023 at:

https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/
