Showing posts with label social engineering. Show all posts

Tuesday, 17 January 2023

Holistic brand, fraud and cyber protection using domain threat intelligence

Synopsis of a presentation for the CSC Cybersecurity and Brand Forums (Copenhagen and London) 2022

Introduction

As of July 2022, the global number of Internet users was estimated at 5.03 billion (over 63% of the total population)[1], each spending an average of nearly 7 hours per day online. The Internet is accessible through a range of devices (including mobile phones, which now account for 56% of Internet usage). There are also 4.7 billion users of social media, with the list of most popular platforms topped by Facebook, YouTube and WhatsApp[2]. Overall, the Internet generates an economy of around 15%[3] of global GDP - equivalent to around $15 trillion[4], and a figure which is growing two-and-a-half times faster than GDP itself.

This ubiquitous engagement with the online world means that the Internet is not only used by brand owners and their customers in the execution of their business, but also by infringers looking to abuse trusted brands to their own advantage. The Internet makes it very easy for criminals to gain an online presence, with the ability to create low-cost content in a context where relative anonymity is easily achievable.

Moreover, consumers are increasingly of the opinion that it is the responsibility of brand owners to protect them from - and compensate them for - online harms[5], viewing with distrust those companies which are repeatedly subject to infringement and abuse[6]. These factors further strengthen the importance of organisations proactively protecting their brands online.

A number of key areas of threat are particularly relevant, as outlined below.

  • Cybersecurity - 9.7 million distributed denial-of-service (DDoS) attacks were reported in 2021, a year-on-year drop of 3%, but a 14% increase over 2019[7], and with H1 2021 seeing a doubling of cases using multiple attack vectors. There was also a 30% year-on-year increase in the size of the largest DDoS attacks, with the largest attacks (to the end of 2021) reaching sizes of 2.4 Tbps and 2.3 Tbps (1 Tbps = 1 Terabit (10^12 bits) per second) (against Microsoft and Amazon, respectively). A trend towards larger numbers of smaller, short attacks was also observed, with Neustar reporting a 76% increase in the number of attacks mitigated between Q1 2020 and Q1 2021[8]. The emergence of ‘ransom DDoS’ – where payment is demanded, usually after an initial ‘demonstration’ attack, in return for not launching a full DDoS – has also been observed[9,10]. 88% of organisations were reported as having suffered at least one DNS attack (mostly DNS phishing, DNS-based malware or DDoS) in 2021, with each attack costing the enterprise an average of $942,000[11]. Other types of attack, including DNS tunnelling and cache poisoning, were also noted in over one-third of cases. 61% of companies experienced multiple attacks within the previous 12 months, with 14% experiencing multiple hours of downtime[12].

Furthermore, 28% of security incidents were attributed to the use of malware in 2021[13], with ransomware showing a 69% growth in volume between Q3 and Q4 2020[14]. 48% of businesses were subject to ransomware attacks in 2021, with an average period of downtime for those affected of 23 days. Overall, phishing is increasingly recognised as the most common attack vector for malware distribution[15].

Finally, a 2021 study showed that 39 million pieces of information had been compromised from FTSE 100 companies, via more than 9,000 separate data breaches resulting from the use of re-used log-in details, weak passwords and data collected using keyloggers[16].

  • Phishing - Figures from the Anti-Phishing Working Group show that more than 1 million distinct phishing attacks have been recorded in each of Q1 and Q2 2022, with both quarters experiencing the highest totals ever recorded, and over 600 distinct brands targeted each month[17,18]. Overall, two-thirds of phishing campaigns are still geared towards credential theft[19]. Even more concerningly, 82% of phishing sites employ SSL / TLS certificates (allowing use of HTTPS), up from 5% at the end of 2016, and with 90% of certificates issued by free providers such as cPanel and Let’s Encrypt. 69% of phishing sites are registered through just the top ten registrars[20], and 57% of phishing domains are utilised within 14 days of registration (with more than half of these going active within 48 hours). For a large organisation, annual losses due to phishing activity are estimated at $15 million[21].

Additionally, 71% of companies experienced a BEC (business e-mail compromise) attack utilising a spoofed e-mail account or website in 2021[22], with the total loss to businesses (for 2020) estimated at $1.8 billion[23]. The average amount requested in wire-transfer attacks was $109,000 in Q2 2022, up from $91,000 the previous quarter. 

  • Brand threats - Other types of brand-related infringements also continue to pose significant threats. Some of the main areas include: counterfeiting and e-commerce infringements – with a global trade in counterfeit goods valued at $464 billion in 2019 (2.5% of the total global economy)[24], as part of an overall annual spend on e-commerce of $4 trillion[25]; and digital piracy – with more than 130 billion visits to piracy websites recorded in 2020 and one-quarter of Internet bandwidth used for the unauthorised sharing of copyrighted content[26].

However, other types of brand-related content can also be of concern. Instances of traffic misdirection, false affiliation, potential brand confusion, activism, and so on can also have significant impacts on corporate revenue, customer experience, and brand value, reputation and trust.

Damaging brand-related content can take a variety of forms, and can be thought of as existing within a spectrum of severity classifications, from lower-threat 'brand abuse' (covering instances where the brand is being used in a way which is perhaps inconsistent with corporate guidelines, or incorporating negative comment or corporate disparagement, but where enforcement action may be neither necessary nor appropriate), through 'brand infringement' (where the content constitutes a contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal in intent, such as phishing or the sale of counterfeit goods) (Figure 1).

| Threat type | Typical risks |
|---|---|
| Phishing | Compromise of customer details; financial losses; reputational damage |
| Other fraud issues (sites associated with advance-fee fraud, 'carder' sites, etc.) | (as above) |
| Duplicated site content | Fraudulent activity; unauthorised use of branded content; visibility of 'test' sites not intended to be in the public domain |
| Site framing | Potential for framed site to be non-legitimate; imposition of third-party content around framed site |
| Employee activity / postings | Leakage of sensitive information; risk of social engineering; undesirable brand association |
| Traffic diversion / brand 'seeding' | Loss of revenue; undesirable brand association; distribution of malicious content |
| Activism / negative comment | Brand / reputational damage; 'real-world' threats |
| Misuse of unofficial logo | False claims of affiliation; unauthorised use of IP; logos made available for potential creation of fake sites |
| Potential brand confusion | Customer confusion; loss of revenue |
| Claimed affiliation | Brand damage; loss of revenue; breaches of brand-usage standards |

Figure 1: Examples of typical threat types identified through a brand monitoring service (for general Internet content), and the associated risks. (Increasing potential threat level from bottom to top.)

Connectedness of brand, fraud and cybersecurity issues

The areas of brand, fraud and cybersecurity issues are all linked, and this connectedness can manifest itself in a number of different ways. 

Firstly, there is very often a correlation between real-world events and a resulting spike in associated cybersecurity issues and brand infringements. This has been highlighted in a variety of previous CSC studies, including the observations that specific events during the COVID pandemic were followed by peaks in COVID-related domain registration activity[27], and that supply-chain issues such as those seen with the baby-formula shortage of 2021-2[28] resulted in the appearance of infringing websites utilising industry-related keywords[29]. In both of these cases, real-world issues presented an opportunity to the fraudsters to take advantage of, and monetise, the difficulties being experienced by consumers. 

More generally, the intrinsically connected nature of domain names and DNS, and the increasing use by many organisations of extensive networks of suppliers, vendors and customers, provides opportunities to bad actors to launch cyber-attacks targeting the weakest point in the supply chain[30].

Finally, it is increasingly recognised that the choice by corporations of an appropriate domain registrar with whom to partner for their domain management - and the associated adoption of appropriate domain security policies - comprises a significant input into their overall security posture. Specifically, a study by SecurityScorecard shows that the use of an enterprise-class registrar results in a security rating increase of between 0.5 and 1 grade[31]. These factors also have significant other consequences, such as impacts on the levels of access to - and cost of - cyberinsurance[32].

The above points highlight the importance of a holistic security programme, consisting of elements of both domain security (as part of a domain-management service) and brand protection (incorporating both monitoring and enforcement). This is illustrated by Figure 2, showing a schematic of how a robust security posture incorporates these multiple elements:

  • Domain management is concerned with domains under official ownership (the 'core' domains used in the day-to-day execution of business, such as providing hosting for websites and e-mails; and 'tactical' or defensive registrations, held in order to prevent third-party use and registered for potential future use regarding planned brand or product launches or geographical expansion)

  • Brand protection addresses third-party activity external to this corporate technical infrastructure ('outside the firewall') - part of the reason this is necessary is because it is neither sustainable nor cost-effective to register domains containing every possible permutation of brand variants and keywords[33]. However, a truly effective brand-protection programme needs to consist of holistic monitoring covering a range of content types (such as general Internet content, domain names, social media, e-commerce marketplaces, mobile apps, etc.), as there is increasing inter-connection between these areas, which essentially just comprise different channels in which the same types of infringement can appear.

Figure 2: Schematic of how a robust security posture is composed of elements of domain management and brand protection

In these areas, branded domain names sit in a position of central importance (when considering both official corporate and third-party content). A domain name incorporating a brand name will generally have high visibility (in terms of its search-engine ranking in response to brand-specific search terms), will constitute a more explicit use (or abuse) of IP rights (thereby yielding greater enforcement options), and will provide the greatest potential for customer confusion or fraudulent use (e.g. in the construction of a convincing phishing site[34]). Threat analysis and threat remediation for domains is therefore a key element of all cybersecurity initiatives.

Remediation

A range of security products and services can be deployed to address the threats described above. From a domain security point of view, a range of products offered by enterprise-class registrars can help to mitigate the risks of an attack (Figure 3).

| Domain security measure | Purpose |
|---|---|
| DNS hosting redundancy | Mitigates downtime and DDoS attacks |
| DNSSEC (Domain Name System Security Extensions) | Prevents hackers from taking control of an Internet browsing session with the goal of re-directing users to deceptive websites |
| SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (Domain Keys Identified Mail) | E-mail authentication standards which mitigate spam, spoofing, and phishing |
| MultiLock | Combines registry- and registrar-level locks and a whois lock to prevent unauthorised changes of DNS records and domain hijacking |
| CAA (Certification Authority Authorisation) records | Ensures that only authorised certification authorities can issue a certificate |
| Use of an enterprise-class registrar | Specialises in working with enterprises that require advanced business practices, capabilities, expertise, and support staff in relation to domain and DNS management as well as security, brand and fraud protection, data governance and cybersecurity |

Figure 3: Domain security measures used to mitigate attacks

Considering the brand protection component of a security programme, most services will consist of an iterative four-part process, incorporating detection (monitoring), prioritisation of results, investigation and countermeasures, and action and reporting. Of these, enforcement (part of the 'action' stage) – i.e. the removal of infringing content – is of key importance, for a number of reasons:

  • It protects brand, revenue, reputation, and customers from the harmful effects of infringements
  • It provides a deterrent effect to infringers - essentially, making the brand a 'harder' target
  • Enforcement is often a pre-requisite for keeping IP protection in place, or may be a regulatory requirement
  • Having a 'toolkit' of enforcement approaches of varying complexity and cost allows the most efficient and cost-effective approach to be taken in any given case, while reserving options for escalation[35].

The technology offered by enterprise-class brand protection service providers may incorporate clustering technology, allowing insights into links between infringements to be established. This has a number of benefits:

  • It enables identification of key or serial infringers, allowing prioritised enforcement action
  • It reveals instances of bad-faith activity (e.g. cases where multiple brands are targeted by the same infringer), yielding a more compelling case for enforcement
  • It can identify instances of linked infringements, raising the possibility for efficient bulk takedowns (e.g. where multiple sites are registered through the same registrar and can be enforced in a single action)

As part of this security initiative, determining the level of threat associated with a particular domain allows the brand owner to take focused action where most required.

Quantifying threat

A key feature of an effective domain-management programme is the ability to determine which portfolio domains are 'critical' and require the highest level of security protection. More generally, the extent of adoption by corporations of relevant security measures (as listed in Figure 3) for their official domains can provide a good general metric for their security risk exposure. 
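
The adoption metric described above can be computed from DNS and registration records a defender has already collected. The sketch below is an added example, not CSC's tooling or code from the original article; the record layout, the pass / weak / missing grading rules and all sample records are assumptions constructed for illustration.

```python
# Added example (not CSC's tooling): grade one domain against the Figure 3
# controls. Record layout, grading rules and sample data are assumptions.

def _tags(record):
    """Parse the 'k=v; k=v' tag list used by DMARC and DKIM TXT records."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_ns(ns):
    # Heuristic: the last two labels of a nameserver name identify its provider.
    providers = {".".join(h.rstrip(".").lower().split(".")[-2:]) for h in ns}
    if len(ns) < 2:
        return "missing"
    return "pass" if len(providers) >= 2 else "weak"


def check_spf(apex_txt):
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "weak"  # multiple SPF records are a permanent error for receivers
    # Only "-all" asks receivers to reject mail from unlisted senders.
    return "pass" if spf[0][-1] == "-all" else "weak"


def check_dmarc(dmarc_txt):
    recs = [t for t in map(_tags, dmarc_txt) if t.get("v", "").upper() == "DMARC1"]
    if not recs:
        return "missing"
    enforced = recs[0].get("p", "").lower() in ("quarantine", "reject")
    # p=none only reports; pct below 100 applies the policy to a sample of mail.
    return "pass" if enforced and recs[0].get("pct", "100") == "100" else "weak"


def check_dkim(selector_txt):
    keys = [_tags(r) for r in selector_txt.values()]
    if not keys:
        return "missing"
    # An empty p= tag marks a revoked key.
    return "pass" if any(k.get("p") for k in keys) else "weak"


def check_caa(caa):
    issuers = [value for _flags, tag, value in caa if tag in ("issue", "issuewild")]
    return "pass" if issuers else "missing"


REGISTRY_LOCKS = {"serverdeleteprohibited", "servertransferprohibited",
                  "serverupdateprohibited"}


def check_locks(epp_status):
    held = {s.lower() for s in epp_status}
    if REGISTRY_LOCKS <= held:
        return "pass"
    # Registrar-level (client*) statuses alone are set and removed at the registrar.
    return "weak" if any(s.startswith("client") for s in held) else "missing"


def audit(zone):
    return {
        "DNS hosting redundancy": check_ns(zone["ns"]),
        "DNSSEC": "pass" if zone["ds"] else "missing",
        "SPF": check_spf(zone["txt"]),
        "DMARC": check_dmarc(zone["dmarc"]),
        "DKIM": check_dkim(zone["dkim"]),
        "Registry/registrar locks": check_locks(zone["epp"]),
        "CAA": check_caa(zone["caa"]),
    }


def adoption_score(findings):
    """Fraction of the seven controls that are fully in place."""
    return sum(v == "pass" for v in findings.values()) / len(findings)


# Constructed sample data (reserved example names, placeholder key material).
HARDENED = {
    "ns": ["ns1.dns-a.example.", "ns2.dns-b.example."],
    "ds": ["12345 13 2 DIGEST-PLACEHOLDER"],
    "txt": ["v=spf1 include:_spf.mail.example -all"],
    "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"],
    "dkim": {"s1": "v=DKIM1; k=rsa; p=PUBLIC-KEY-PLACEHOLDER"},
    "caa": [(0, "issue", "ca.example")],
    "epp": ["clientTransferProhibited", "serverTransferProhibited",
            "serverUpdateProhibited", "serverDeleteProhibited"],
}
EXPOSED = {
    "ns": ["ns1.dns-a.example.", "ns2.dns-a.example."],
    "ds": [],
    "txt": ["v=spf1 include:_spf.mail.example ~all"],
    "dmarc": ["v=DMARC1; p=none"],
    "dkim": {"s1": "v=DKIM1; p="},
    "caa": [],
    "epp": ["clientTransferProhibited"],
}

if __name__ == "__main__":
    for name, zone in (("hardened", HARDENED), ("exposed", EXPOSED)):
        result = audit(zone)
        print(name, adoption_score(result), result)
```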

For brand protection, quantifying the level of potential threat posed by third-party content (e.g. a new domain registration) is (even) more complex. Numerous elements, such as the presence of a brand name (or variations) or keywords in the domain name, features relating to the content and technical configuration of any associated website, and registrant and registrar characteristics, can all be relevant. However, the ability to quantify threat is important for a number of reasons:

  • It provides a methodology to prioritise identified results, allowing determination of:
    • Which results should be considered primary targets for further analysis
    • Which results should be tracked in order to identify changes in content or configuration
    • Which results should be considered priority targets for enforcement
  • It provides insights into brand and keyword patterns and TLDs (domain extensions) which should be considered for defensive domain registrations

A number of previous studies have looked at features which may be relevant for determining the overall level of threat posed by a domain. Two examples include:

  • A study looking at the TLDs which are most frequently associated with malicious domains (phishing, spam or malware)[36]. The analysis shows that the highest-threat TLDs tend to be those associated with the Africa, Asia, or Caribbean regions, and new-gTLDs. The TLDs most popular with infringers tend to be those which:
    • Offer free or low-cost registration, or have lax registration security policies
    • Are associated with regions with poorly defined or low reliability enforcement routes
    • Are associated with low-wealth countries, where ISPs may lack technical expertise, leaving the domains more prone to compromise
  • A study looking at domains with names similar to any of the top ten most valuable company brands, focusing on 'cousin domains', fuzzy matches (typos), and homoglyph character replacements, and considering the types of content present on these 'typo' domain names[37]. The analysis is based on the assumption that a confusingly similar domain name is likely to have been registered for fraudulent use, and that the degree of similarity to the official corporate domain name may therefore be a key factor in determining the level of threat. The study identified almost 8,500 unique domain names over the course of one year, almost all of which were registered to third parties, and found that a range of types of infringing content were indeed present on the associated websites. Furthermore, around one-third of the active domains at the time of analysis were configured with active MX records, indicating that they may be being utilised for their e-mail functionality (e.g. in phishing or BEC attacks).
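
One way to combine the signals listed above (typos, homoglyphs and 'cousin' names, keywords, TLD and MX status) into a single priority score for newly observed domains. This is an added example, not CSC's scoring method or code from the original article; the brand, keyword list, confusable-character map, weights and sample domains are hypothetical, and the TLD values are the normalised threat frequencies published in Tables 1 and 2 of 'The Highest-Threat TLDs – Part 1' on this page.

```python
# Added example: rank observed domains for analyst review. Brand, keywords,
# weights and sample domains are hypothetical.

BRAND = "examplebrand"
OFFICIAL = {"examplebrand.com"}            # allowlist of the owner's own domains
KEYWORDS = ("login", "secure", "support", "pay")
# Normalised phishing threat frequencies taken from Tables 1 and 2 on this page.
TLD_THREAT = {"gd": 1.000, "app": 0.377, "ke": 0.288, "dev": 0.222,
              "com": 0.014, "de": 0.002}
# Small illustrative confusables map (digits and Cyrillic look-alikes).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
DIGRAPHS = {"rn": "m", "vv": "w"}


def to_unicode(label):
    """Decode an IDN A-label ('xn--...') so homoglyphs can be inspected."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text):
    """Fold look-alike characters so visually similar strings compare equal."""
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())
    for pair, single in DIGRAPHS.items():
        text = text.replace(pair, single)
    return text


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_match(sld):
    """Classify how a second-level label relates to the brand."""
    folded, target = skeleton(sld), skeleton(BRAND)
    if sld.lower() == BRAND:
        return "exact", 1.0
    if folded == target:
        return "homoglyph", 1.0
    if edit_distance(folded, target) == 1:
        return "typo", 0.8
    if target in folded:
        return "cousin", 0.6               # brand plus extra words
    return "none", 0.0


def score(domain, has_mx):
    """Return (score in 0..1, match type) for one observed domain."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL:
        return 0.0, "official"
    rest, _, tld = domain.rpartition(".")  # multi-label suffixes are not handled
    sld = to_unicode(rest.split(".")[-1])
    kind, similarity = name_match(sld)
    if kind == "none":
        return 0.0, kind
    keyword = any(k in skeleton(sld) for k in KEYWORDS)
    # TLDs absent from the table contribute nothing rather than a guessed value.
    total = (0.5 * similarity + 0.2 * keyword
             + 0.2 * TLD_THREAT.get(tld, 0.0) + 0.1 * has_mx)
    return round(total, 3), kind


def triage(observations):
    """Sort (domain, has_mx) observations by descending score."""
    rows = [(d,) + score(d, mx) for d, mx in observations]
    return sorted(rows, key=lambda row: -row[1])


# Constructed observations: (domain, active MX record seen?).
IDN_SAMPLE = "xn--" + "ex\u0430mplebrand".encode("punycode").decode("ascii") + ".com"
OBSERVED = [("examplebrad.com", True), ("examplebrand-login.app", False),
            ("examp1ebrand.gd", True), (IDN_SAMPLE, False),
            ("unrelated-shop.com", False), ("examplebrand.com", True)]

if __name__ == "__main__":
    for row in triage(OBSERVED):
        print(row)
```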

Key take-aways and discussion

The Internet landscape offers multiple opportunities for bad actors to launch cyber- and brand attacks, which can take a number of different forms. These can include direct attacks against domain or corporate infrastructure (such as DDoS, DNS attacks, and domain hijacking), other types of attacks (such as phishing, BEC, and malware attacks) and other brand infringements (including familiar areas such as counterfeiting and piracy). 

Brand, fraud and cybersecurity issues are fundamentally interconnected, providing a push towards the introduction of digital governance teams within organisations, composed of representatives from marketing, IP / legal, security and domain operations, working together to mitigate the threats.

Fundamentally, domain names are central to cybersecurity considerations, with an effective security programme requiring a combination of domain security measures and brand protection (composed of monitoring and enforcement). The ability to quantify threat is central to this endeavour, ensuring that mitigating action can be applied where it is most needed. Unfortunately, however, many of the top global companies have significant shortcomings in their security postures, with CSC's Domain Security Reports 2021 and 2022 showing that many of the Global Forbes 2000 exhibit only limited adoption of significant domain security measures[38,39].

References

[1] https://www.statista.com/statistics/617136/digital-population-worldwide/ 

[2] https://datareportal.com/reports/digital-2021-global-overview-report

[3] https://www.worldbank.org/en/topic/digitaldevelopment/overview 

[4] https://data.worldbank.org/indicator/NY.GDP.MKTP.CD

[5] https://www.globalsecuritymag.com/British-consumers-expect-brands-to,20211004,116709.html

[6] https://www.mimecast.com/blog/brand-impersonation-one-cyberattack-is-enough-to-lose-consumer-trust-and-custom/

[7] https://www.netscout.com/threatreport

[8] "Cyber Threats and Trends", Neustar (direct communication to CSC)

[9] https://www.home.neustar/blog/wave-of-ddos-ransom-attacks-target-voip-services

[10] https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip

[11] https://www.efficientip.com/wp-content/uploads/2022/05/IDC-EUR149048522-EfficientIP-infobrief_FINAL.pdf

[12] https://www.helpnetsecurity.com/2021/10/26/organizations-dns-attacks/

[13] https://www.raconteur.net/report/fighting-fraud-2021/

[14] https://www.mcafee.com/enterprise/en-us/lp/threats-reports/apr-2021.html

[15] https://www.cisa.gov/stopransomware/general-information

[16] https://spycloud.com/resource/2021-ftse-100-breach-exposure/

[17] https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf

[18] https://docs.apwg.org/reports/apwg_trends_report_q2_2022.pdf

[19] https://cofense.com/annualreport

[20] https://interisle.net/PhishingLandscape2021.pdf

[21] https://www.proofpoint.com/uk/resources/analyst-reports/ponemon-cost-of-phishing-study

[22] https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf

[23] https://securityboulevard.com/2021/03/64-times-worse-than-ransomware-fbi-statistics-underline-the-horrific-cost-of-business-email-compromise/

[24] https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/documents/reports/2021_EUIPO_OECD_Report_Fakes/2021_EUIPO_OECD_Trate_Fakes_Study_FullR_en.pdf

[25] https://business.adobe.com/resources/digital-economy-index.html

[26] https://www.go-gulf.com/online-piracy/

[27] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[28] https://www.cnbc.com/2022/08/02/what-you-need-to-know-about-the-us-baby-formula-shortage.html

[29] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[30] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

[31] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[32] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[33] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[34] https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

[35] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[36] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[37] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[38] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[39] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

This article was first published on 17 January 2023 at:

https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

Thursday, 20 October 2022

The Highest-Threat TLDs – Part 1

by Justin Hartland and David Barnett

A domain name consists of two main elements: the second-level domain name to the left of the dot - often consisting of a brand name or relevant keywords - and the domain extension or top-level domain (TLD) to the right of the dot. Domain names form the key elements of the readable web addresses allowing users to access pages on the Internet and also allow the construction of e-mail addresses.

There are different types of TLDs, including generic or global (gTLDs), that were originally intended to provide a description of the site type, such as .com for company websites or .org for charitable organisations. There are also country-code TLDs (ccTLDs) for specific countries, e.g. .co.uk for the UK, .fr for France, etc. Finally there are a range of new gTLDs that have launched since 2013[1], usually relating to specific content types, business areas, interests, or geographic locations (e.g. .shop, .club, .tokyo). Each TLD is overseen by a registry organisation, which manages its infrastructure.

Domain names are associated with the full spectrum of Internet content, from legitimate use by brands or individuals, to infringing or criminal activity. CSC has observed that certain TLDs get used more for egregious content.

There are several possible reasons why particular TLDs are more attractive to infringers, including the cost of domain registration, and difficulties in conducting enforcement (takedown) actions against infringing content. TLDs operated by certain registries, like those offering low- or no-cost domain registrations or those with lax registration security policies, are more likely to be used for infringing activities. Additionally, domain extensions lacking well-defined, reliable enforcement routes like .vn (Vietnam) and .ru (Russia) prove to be especially high risk. Other factors are also significant; for example, a country's wealth affects the levels of technical expertise of Internet service providers (ISPs) and therefore the likelihood of domains being compromised.

In this two-part blog post, we aim to quantify the threat levels associated with specific domain extensions, i.e. the likelihood that a domain on a particular TLD might be registered for fraudulent purposes.

Part 1: Phishing site TLDs

Determining the overall threat frequency for each TLD is useful in several ways:

  • Helping to prioritise results identified via a brand protection service. For example, the TLD can be used to identify top targets for future tracking for content changes.
  • Identifying TLDs where it is advisable to register domains featuring key brand-related strings defensively to avoid them being registered by third parties with malicious intent.
  • Identifying TLDs where it is advantageous for brand protection service providers to offer blocks or alerts when, for example, a third party attempts to register a domain containing a brand-related term.

Analysis and discussion

For this first post, we analysed data from CSC's Fraud Protection services to uncover the TLDs associated with domains used for phishing activity. The analysis covers all sites detected between November 2021 and April 2022 for those TLDs with more than 10 phishing cases and where domain-based phishing cases were recorded (as opposed to subdomain-based). This yielded results for 115 distinct TLDs.

In addition, we also consider the frequency of domain use associated with threatening content across the TLD in question. We do this by expressing the raw numbers as a proportion of the total number of domains registered across the TLD[2]. We then normalise the data, so the value for the highest-threat TLD is 1, with all other values in that dataset scaled accordingly. It is important to note that this value reflects the proportion of malicious domains across each TLD, rather than absolute numbers. Some other TLDs see high numbers of infringements by virtue of the total numbers of domain registrations across these extensions. Table 1 shows the top 20 TLDs represented in CSC's phishing dataset (by absolute numbers), together with the normalised threat frequencies for these TLDs.

| TLD | % of total phishing cases | Total no. of regd. domains across TLD | Normalised threat frequency within dataset |
|---|---|---|---|
| .com | 45.7% | 221,858,334 | 0.014 |
| .org | 6.9% | 15,550,733 | 0.031 |
| .app | 6.2% | 1,155,807 | 0.377 |
| .net | 4.8% | 19,773,315 | 0.017 |
| .xyz | 2.5% | 10,841,304 | 0.016 |
| .ru | 2.5% | 10,627,033 | 0.016 |
| .co | 2.1% | 4,110,132 | 0.035 |
| .cn | 1.7% | 25,147,816 | 0.005 |
| .me | 1.3% | 1,669,800 | 0.054 |
| .dev | 1.2% | 391,929 | 0.222 |
| .br | 1.2% | 5,519,378 | 0.015 |
| .top | 1.2% | 8,830,142 | 0.009 |
| .io | 1.1% | 923,588 | 0.085 |
| .in | 1.1% | 3,271,337 | 0.023 |
| .page | 1.0% | 368,474 | 0.195 |
| .id | 0.9% | 760,240 | 0.080 |
| .icu | 0.8% | 7,956,385 | 0.007 |
| .info | 0.8% | 7,852,896 | 0.007 |
| .de | 0.7% | 22,881,115 | 0.002 |
| .ke | 0.7% | 165,907 | 0.288 |

Table 1: Top 20 TLDs represented in CSC's phishing dataset, by absolute numbers

We have observed similar patterns in other analyses of threatening content. Interisle's 'Malware Landscape 2022' study found that the top 10 TLDs associated with malware domains also featured a mix of legacy gTLDs (.com at position one, .net at five, .org at six, and .biz at 10), new gTLDs (.xyz at position two, .club at seven, and .top at nine) and ccTLDs (.br, .in, and .ru at positions three, four and eight, respectively)[3]. Eight of these 10 extensions feature in the top 14 of CSC's phishing list above. Similarly, the Anti-Phishing Working Group's (APWG's) 'Phishing Activity Trends Report' for Q4 2021 analysed top phishing TLDs, with a top nine including new gTLDs .xyz, .buzz and .vip, and ccTLDs .br and .in, alongside legacy gTLDs.

New gTLDs were more than twice as extensively represented in the dataset as would be expected purely based on the total number of domains registered across these extensions[4]. A Q1 2022 study by Agari and PhishLabs also showed similar patterns, where the top 10 TLDs abused by phishing (by number of sites) included the new gTLDs .vip, .xyz and .monster, and ccTLDs .br, .ly, and .tk[5,6].

Table 2 shows the pattern is rather different when looking at the top TLDs by their normalised threat frequency; the list is dominated by a distinct set of ccTLDs, a smaller number of new gTLDs, and excludes many of the more popular TLDs shown previously.

| TLD | Normalised threat frequency within dataset | Total no. of regd. domains across TLD | % of total phishing cases |
|---|---|---|---|
| .gd | 1.000 | 3,306 | 0.05% |
| .gy | 0.910 | 4,037 | 0.05% |
| .ms | 0.739 | 9,440 | 0.10% |
| .zm | 0.531 | 4,838 | 0.04% |
| .app | 0.377 | 1,155,807 | 6.21% |
| .ly | 0.356 | 25,801 | 0.13% |
| .ke | 0.288 | 165,907 | 0.68% |
| .dev | 0.222 | 391,929 | 1.24% |
| .page | 0.195 | 368,474 | 1.03% |
| .ug | 0.187 | 10,810 | 0.03% |
| .sn | 0.187 | 9,842 | 0.03% |
| .do | 0.176 | 30,215 | 0.08% |
| .bd | 0.127 | 37,465 | 0.07% |
| .sbs | 0.120 | 44,222 | 0.08% |
| .np | 0.112 | 57,379 | 0.09% |
| .sh | 0.110 | 25,070 | 0.04% |
| .ng | 0.097 | 240,668 | 0.33% |
| .io | 0.085 | 923,588 | 1.11% |
| .id | 0.080 | 760,240 | 0.86% |
| .sa | 0.079 | 60,246 | 0.07% |

Table 2: Top 20 TLDs represented in CSC's phishing dataset, by normalised threat frequency

In the second article in this series, we compare these findings with those from additional datasets to produce an overall measure of TLD threat frequency, considering a range of fraudulent uses. We then consider cybersecurity implications, discuss mitigation measures, and cover how CSC can help with this process.

References

[1] https://newgtlds.icann.org/en/program-status/delegated-strings

[2] https://domainnamestat.com/statistics/tldtype/all (statistics correct as of 13 June 2022)

[3] https://interisle.net/MalwareLandscape2022.pdf

[4] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf

[5] https://info.phishlabs.com/hubfs/Agari%20PhishLabs_QTTI%20Report%20-%20May%202022.pdf

[6] https://www.tripwire.com/state-of-security/security-data-protection/phishing-threat-trends-intelligence-report/

This article was first published on 20 October 2022 at:

https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

Also published at:

https://circleid.com/posts/20230112-the-highest-threat-tlds-part-1

Friday, 22 July 2022

Online brand abuse is a cybersecurity issue

(Contributed article)

Over the last two years, there has been a huge shift in the way consumers and users engage with businesses, with a significantly heavier emphasis on Internet-based activities and presence. Businesses are paying attention to these changes, but so are cybercriminals and other malicious actors. In fact, the Internet Crime Complaint Center (IC3) reported a 65% increase in global exposed losses between July 2019 and December 2021, partly due to the increase in virtual business as a result of the pandemic. Companies with trusted brands have customers who will engage with them for years. Cybercriminals want to take advantage of this, which has led to an understandable increase in Internet-based crime and in infringers looking to abuse trusted brands and their reputations. This can cause consumers to lose confidence in these brands and can derail interactions meant for the trusted organisations, resulting in lost revenue and business opportunities.

Track online abuse issues

Historically, many companies used a variety of methods to track abuse issues (such as fraud and counterfeiting) and brand sentiment, but the recent increase in online activities necessitates an even stronger emphasis on online brand protection. There also needs to be an evolution in how companies implement their online brand protection programmes, as traditional methodologies cannot keep up with the rate of online brand abuse. In fact, many companies do not understand the depth of the challenges and the growth in the number of channels where this infringing activity takes place.

Organisations spend lots of time and money building a trusted brand - all of which can be stripped away in a short time by the fallout of online crime. The best way for companies to protect their brand is to implement an online brand protection programme that combines online monitoring (to identify infringing content) and enforcement activities (to remove said content). Complementary solutions, like the use of blocking networks - which can incorporate partnerships with browser producers, ISPs and other security information and event management service providers (SIEMs) - to block fraudulent websites from Internet users, can also help to create a more comprehensive approach. Using these methods to track and remediate activity by infringers should also run alongside a programme of secure domain name management, allowing the brand owner to administer and protect their own official domain portfolio.

Some of the key benefits of implementing an online brand protection programme are:

  • Identifying online brand-related criminal activity
    • A comprehensive brand protection programme can help to identify instances of online fraud (e.g. phishing or the trade in stolen credentials), the sale of counterfeit goods and other intellectual property breaches (e.g. brand name misuse to mislead customers and drive web traffic to third-party content).
  • Identifying other online brand references
    • Understanding how your brand is being used - and abused - by third parties is both important and valuable in its own right. It can raise awareness of issues like potential brand confusion, brand dilution and brand usage breaches, which could affect the value of your brand.
  • Identifying negative customer comments or boycott activity and reputation management
    • Frequent negative commentary can impact your trusted brand value or public perception of your brand. This content is tough to remove from the Internet, as it is protected by freedom of speech; however, being aware of the negative comments can prove valuable to brand owners, giving them the opportunity to put out an appropriate counter-message or to change their product strategy as a means of counteracting the negative buzz. The most important thing is to take some action, but without being too heavy-handed and thus running the risk of being labelled a 'brand bully'.

Monitoring solutions for trusted brands

A comprehensive monitoring solution should use a range of approaches. General Internet content can be monitored using a combination of search-engine queries, web crawling, and direct searches of known sites of interest. Branded domain names can be identified through zone-file analysis and other techniques, with the most sophisticated technologies able to detect brand variations - for example, misspellings and other fuzzy matches - and use artificial intelligence (AI) technology to detect trends and build links between infringements.

Strategies and tactics

There are a variety of enforcement strategies and tactics that an organisation can use. The first thing to do is have a checklist / toolkit approach, which includes a standardised, easily scalable list of activities that can be undertaken to address infringements. This approach allows the trusted brand owner to use simple, low-cost approaches as an initial step, while reserving more complicated or costly options as escalation routes if initial takedown attempts are unsuccessful. This process can start with identifying the infringement, verifying its source and then, if appropriate, sending a cease-and-desist letter to the criminal saying "we've uncovered your illegal activity; please stop and take this down".

If there is no response to these initial enforcement tactics, companies should then think about escalation approaches - including notices to registrars or hosting providers - and then ultimately consider dispute resolution or legal options. Platforms like social media sites and e-commerce or mobile app marketplaces may also have their own built-in IP protection programmes that can be leveraged. In other cases, alternative actions like search engine de-listings or payment gateway suspensions may be appropriate. It is best to have a range of approaches available, but always start by taking down the high-impact targets. Companies often do not realise it is not necessary to take everything down - be tactical by starting with the ones that hurt your brand the most and have the largest audience.

As more platforms are created, brand protection and brand insights are more important than ever. Brand leaders should receive reports on a daily, weekly and monthly basis to understand the nature of the activity that can damage your organisation - and, most importantly, what needs to be done to actively protect your trusted brand.

This article was first published on 22 July 2022 at:

https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

Monday, 9 May 2022

Branded domains are the focal point of many phishing attacks

As a long-established online attack strategy, phishing remains a popular tool for fraudsters because of its effectiveness. The Anti-Phishing Working Group reported more than 300,000 distinct phishing attacks in December 2021 - more than three times the number reported in early 2020, and the highest monthly total ever identified[1].

Classic phishing, where Internet users are driven to fraudulent sites designed to collect log-in credentials or other personal information, is still used extensively to access customer accounts or corporate systems, or to engage in identity theft. One recent study suggested around two thirds of phishing campaigns are geared towards credential theft[2]. However, other variants, such as business e-mail compromise (BEC) attacks or money-transfer scams, have also emerged over time. A significant proportion of phishing activity is also used to distribute malware (including ransomware), either through malicious e-mail attachments, or the use of infected phishing landing pages - indeed, phishing is now recognised as the primary means of delivering malicious payloads[3,4].

Central to many phishing attacks is an associated domain name, used either in the construction of a convincingly deceptive e-mail delivery ('from') address, for hosting the phishing site, or both. A key element of a successful attack is making the fraudulent content look like it originates from a trusted brand. One way to do that is by registering a domain name containing the name, or a variation, of the target brand. A 2021 study of the configurable sections of phishing site URLs - which also included consideration of keyword use in the subdomain portion, as well as in the domain names themselves - found that the most frequently used keyword across all analysed phishing sites was 'amazon'[5].

Phishing domain analysis

This section presents an analysis of approximately 2,000 phishing takedowns carried out by CSC’s Anti-Fraud Team across its customer base during 2021, covering both e-mail address and phishing site deactivations. Enforcements cover both phishing attacks (65.6% of cases) and advance-fee frauds (34.4%) targeting brands in over 20 industry verticals.

For each phishing case, we consider the domain used in the attack to determine whether the name of the targeted brand appears in the phishing domain name (i.e. this excludes consideration of whether the brand name appears in an alternative location in the phishing site URL, such as the subdomain name). The results of this analysis are shown in Figure 1.

Figure 1: Proportion of phishing domain names incorporating the targeted brand name, plus the type of match.

The analysis shows that just over half the cases (50.4%) do not feature the name of the targeted brand in the phishing domain name, either using a brand reference elsewhere in the URL, or using an entirely brand-independent URL, which in some cases could be a compromised site[6]. The other half (49.6%) make use of a brand-specific domain name to construct a deceptive URL. In most of these cases (41.7% of the total), the exact brand name is used, while the remainder feature a brand variant or misspelling. The types of variations observed are:

  • Added character(s) ('Added' in Figure 1) - One or more additional characters are inserted into the brand name. Frequently this comprises the addition of a hyphen between parts of the brand name.
  • Abbreviation ('Abbreviation') - The domain uses a truncated form of the brand name or acronym, designed to be recognisable to a human reader.
  • Replaced character(s) ('Replaced') - One or more characters in the brand name are replaced by another character (or combination of characters). Often, the character is visually similar to that which it replaces. Some of the most visually convincing replacements observed in the dataset were:
    • w → vv
    • m → rn
    • g → q
    • y → v
    • l (lower-case L) → 1 or I (upper-case i)
    • i → l (lower-case L)
  • Removed character ('Removed') - A single character is removed from the brand name being referenced.
  • Transposed elements ('Transposed') - A pair of characters in the brand name or individual components (e.g. words) of the brand name are swapped with each other.
  • Other typo variants ('Other typo') - Another type of misspelling or a combination of the above approaches has been used.
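The variant types above can be turned into a simple classifier for detected third-party registrations. The following is an added example, not CSC's code: the brand `examplebank`, the sample domains under the reserved `.example` TLD and all function names are constructed for illustration, and the 'Abbreviation' type is left out because it depends on human recognition rather than a mechanical edit.

```python
"""Classify third-party domain names against a brand using the article's variant types."""
import string
from collections import Counter

# Look-alike replacements from the list above, lower-cased because domain names
# are case-insensitive (upper-case I standing in for l is stored as "i").
LOOKALIKES = [("w", "vv"), ("m", "rn"), ("g", "q"), ("y", "v"),
              ("l", "1"), ("l", "i"), ("i", "l")]
ALPHABET = string.ascii_lowercase + string.digits + "-"


def single_edit_variants(brand):
    """Return {variant: category} for every one-step variation of `brand`.

    Insertion order is the match priority: a label such as 'fxamplebank'
    contains both a Replaced and a Removed variant, and Replaced should win.
    """
    out = {}
    n = len(brand)
    for i in range(n - 1):                      # swap two adjacent characters
        if brand[i] != brand[i + 1]:
            swapped = brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:]
            out.setdefault(swapped, "Transposed")
    for src, dst in LOOKALIKES:                 # visually similar replacement
        for i in range(n):
            if brand[i] == src:
                out.setdefault(brand[:i] + dst + brand[i + 1:], "Replaced")
    for i in range(n):                          # any other one-character replacement
        for c in ALPHABET:
            if c != brand[i]:
                out.setdefault(brand[:i] + c + brand[i + 1:], "Replaced")
    for i in range(1, n):                       # one character inserted inside the name
        for c in ALPHABET:
            out.setdefault(brand[:i] + c + brand[i:], "Added")
    for i in range(n):                          # one character dropped
        out.setdefault(brand[:i] + brand[i + 1:], "Removed")
    return out


def edit_distance(a, b):
    """Levenshtein distance, used to catch combinations of the edits above."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand):
    """Return the match type for a registered domain name, or None if unrelated."""
    label = domain.lower().rstrip(".").split(".")[0]   # the name left of the extension
    brand = brand.lower()
    if brand in label:
        return "Exact"
    for variant, category in single_edit_variants(brand).items():
        if variant in label:
            return category
    if edit_distance(brand, label) <= 2:               # two edits: a combination
        return "Other typo"
    return None


# Constructed sample: hypothetical brand and registrations, not data from the article.
BRAND = "examplebank"
SAMPLE_DOMAINS = [
    "examplebank-login.example",   # exact brand name plus a keyword
    "example-bank.example",        # hyphen added
    "exarnplebank.example",        # m replaced by rn
    "examp1ebank.example",         # l replaced by 1
    "examplbank.example",          # one character removed
    "exmaplebank.example",         # two characters transposed
    "exanple-bank.example",        # replacement and addition combined
    "weather-news.example",        # no brand reference
]


def tally(domains, brand):
    """Count domains per match type, in the manner of the Figure 1 breakdown."""
    return Counter(classify(d, brand) or "No match" for d in domains)


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:28} {classify(d, BRAND) or 'No match'}")
    print(dict(tally(SAMPLE_DOMAINS, BRAND)))
```

Short brand names produce many chance matches with this approach, so a minimum brand length or a manual review step is needed before acting on the output.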

Across the dataset, more than 160 distinct domain name extensions are represented, with the top 10 including several new generic top-level domains (new gTLDs) (Figure 2). This is consistent with previous studies that established many of these extensions are frequently associated with untrustworthy sites[7,8].

Figure 2: Top 10 domain-name extensions (TLDs) represented in the dataset of phishing domains

Case study: domain registration trends associated with phishing activity targeting a banking group

Across Q4 2020 and Q1 2021, CSC identified a large number of domain registrations associated with a sizeable, coordinated phishing campaign targeting a FTSE-100 multi-brand banking group. The primary attack vector was via SMS messaging (a.k.a. smishing), and the campaign used a series of brand-specific domain names that resolved to fake branded websites soliciting customer log-in credentials. CSC determined that the sites were part of a large-scale attack by a single entity, or a group of connected entities, based on similarities in registration dates, keyword permutations and URL structure, plus common use of privacy protection services. At the time of analysis, the domains resolved to a mixture of live and inactive sites, suggesting each phishing site may only have been active for a short period.

The campaign moved from one brand (Brand A), being targeted primarily in October and November 2020, to a second brand (Brand B), with a smaller peak in activity around February 2021. The numbers of domains used in these attacks were sufficiently large that the campaign dominated the overall pattern of total third-party domain registrations for the brands across the period in question (Figure 3).

Figure 3: Daily total numbers of detected domain registrations (and seven-day centred rolling averages) for two brands associated with a FTSE-100 banking group, between September 2020 and June 2021

Proactive monitoring and enforcement as part of a comprehensive security programme can help defend against phishing attacks

The above observations raise significant implications regarding the requirements for an effective phishing detection service. First, a key component is the detection of brand-specific domain names, as shown by the fact that almost half the domains analysed in our initial dataset incorporate a brand reference in the domain name. The simplest domain detection products only attempt to identify names containing exact matches to the brand name concerned, but as our analysis shows, some 16% of the branded phishing domains actually reference a brand variant, rather than the exact brand name. This may be a deliberate decision by the fraudsters to try to circumvent detection efforts, and it highlights the need for a comprehensive solution able to tackle these variations. CSC’s 3D Domain Monitoring service has been designed with these requirements in mind, covering detection of a range of brand variants, including fuzzy matches (incorporating character replacements and use of non-Latin homoglyphs) and Soundex (homophone or metaphone) variations (i.e. domains that are pronounced similarly), across a wide range of domain name extensions.

However, even comprehensive domain detection is only part of the solution. Just over half the phishing attacks in our dataset do not use brand-specific domain names, showing that a truly effective phishing detection product must also incorporate other data sources. CSC’s Fraud Protection service also makes use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs. This information is fed into our machine-learning-driven correlation engine that detects fraudulent sites by analysing URL patterns and comparing site content with known predictors of fraudulent content. A final key element is the inclusion of a 24×7 enforcement capability to ensure rapid takedown of fraudulent content.

References

[1] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf

[2] https://cofense.com/annualreport

[3] https://www.cisa.gov/stopransomware/general-information

[4] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[5] https://www.daj.jp/en/about/release/2021/0922_01/

[6] https://www.phishlabs.com/blog/most-phishing-attacks-use-compromised-domains-and-free-hosting/

[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

This article was first published on 9 May 2022 at:

https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

Wednesday, 26 May 2021

Phishing scams: how to spot them and stop them

Phishing scams are nothing new in the online security world and show no signs of subsiding. The scam starts when a fraudster sends a communication purporting to originate from a trusted provider and encourages the recipient, often with a conveyed sense of urgency, to click a link. That link leads to a fake site, usually intended to collect confidential log-in credentials or other personal information. In similar scams, the mail may encourage the recipient to open an attachment loaded with malicious content.

The communications are often sent to a large list of recipients whose contact details have usually been 'harvested' from the Internet (databases with this kind of information are tradable commodities in their own right). The fraudsters hope that some of the recipients will be genuine customers of the organisation being impersonated. In other cases, personal details may be obtained via a breach of a company’s customer database, allowing the fraudster to construct a much more tailored attack.

The COVID pandemic has provided many additional opportunities to fraudsters through the increased use of online channels by individuals working from home during lockdown. COVID-related lures encourage users seeking information, reassurance, and assistance to click on links. The Anti-Phishing Working Group (APWG) found that in just the second quarter of 2020, almost 147,000 phishing sites were detected, with more than 350 distinct brands targeted each month. These sites crossed a range of industry verticals, topped by Software-as-a-Service and financial services[1]. Similar trends were also reported for Q4[2].

As long as phishing attacks generate revenue for criminals, the practice will persist. It continues to evolve by using new 'hooks', communication channels, and increasingly clever ways of creating convincing fake content. This highlights the need for brands to defend their customer base by using monitoring and takedown technology. Nearly 60% of organisations worldwide reported that they had experienced a successful phishing attack during 2020[3].

A recent phishing example - and identification tips for consumers

Figure 1 shows an example of a phishing communication sent by SMS. Text messaging remains a popular channel for distributing phishing content, with many brands (including numerous examples outside the most-attacked industries) reported as having been targeted in this way during 2021. The UK’s Royal Mail, for example, saw an overall 645% increase in phishing activity for March 2021, compared with the previous month[4],[5].


Figure 1: Example of an SMS-based phishing attack targeting HSBC customers, received on April 25, 2021

The example shown in Figure 1, targeting HSBC customers, incorporates several elements making it a relatively convincing example of a phishing scam. The link features a cursory similarity to an official link for HSBC UK (whose official domain name is hsbc.co.uk). The link also incorporates the HTTPS prefix, and the communication lacks much of the poor spelling and grammar often present in phishing scams.

There are, however, many tell-tale elements consumers should look out for. The key point is that the URL is not actually hosted on an official HSBC site. The place to look is in the domain name part of the URL, consisting of a top-level domain (TLD) - or extension - such as .com or .co.uk, and (separated by a dot) the second-level domain name which immediately precedes it. In a URL, this occurs immediately before the first slash (/) after the initial protocol definition (in this case, https://), or in cases where there is no slash, at the very end of the URL.

In the HSBC scam here, the domain name is actually 'uk-account.help', a domain name wholly independent of anything owned by HSBC and under the control of a third-party fraudster. The owner of this domain can create whatever subdomain string (the part before the domain name) they wish, and so has constructed the fake site at 'hsbc.co.uk-account.help', which superficially appears very similar to 'hsbc.co.uk/account/help', a URL which would be part of the official hsbc.co.uk site.

In other cases, scammers may register domains that use the actual brand name of the targeted organisation but weren’t included in the brand owner’s domain portfolio (e.g. using a version with additional keywords or a different domain extension). The phony domain could feature a brand variant or misspelling as a way of creating a convincing URL.

Phishing communications that use 'richer' formatting (e.g. HTML e-mails) can construct a message where the visible link may be a URL from the brand owner’s official site, but the destination URL accessed by clicking the link is a distinct and fraudulent address. In these cases, users should hover over the link with a mouse, which usually shows the actual destination URL (see Figure 2).


Figure 2: Example of HTML e-mail showing the actual destination URL (highlighted in red) revealed by ‘mouse-overing’ the link
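The two checks described above (reading the registered domain out of a URL, and comparing a link's visible text with its real destination) can be automated. This is an added example, not code from the article: the suffix set is a small constructed subset of the Public Suffix List, the HTML snippet is constructed, and the function names are illustrative.

```python
"""Find the registered domain behind a link and compare it with the official one."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL = {"hsbc.co.uk"}                        # official domain named in the article
# Constructed subset of the Public Suffix List; load the full list in real use.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "help"}


def registrable_domain(host):
    """Return the public suffix plus the one label immediately before it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest suffix first: co.uk before uk
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])                 # unknown TLD: assume a one-label suffix


def classify_url(url, official=OFFICIAL):
    """Return (registered domain, verdict); the https:// prefix plays no part."""
    if "://" not in url:
        url = "//" + url                         # lets urlsplit see a host without a scheme
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in official:
        return domain, "official"
    if any(name in host for name in official):   # official name used as a subdomain string
        return domain, "impersonating"
    return domain, "unrelated"


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None


def mismatched_links(html):
    """Return links whose visible web address and destination differ in domain."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    found = []
    for text, href in parser.links:
        if "." not in text or " " in text:       # visible text is not a web address
            continue
        shown, _ = classify_url(text)
        actual, _ = classify_url(href)
        if shown != actual:
            found.append((text, href, actual))
    return found


# Constructed HTML e-mail body: the first link shows an official-looking address.
SAMPLE_HTML = (
    '<p>Please verify your details: '
    '<a href="https://hsbc.co.uk-account.help/">https://www.hsbc.co.uk/account/help</a></p>'
    '<p><a href="https://www.hsbc.co.uk/help">Help centre</a></p>'
)

if __name__ == "__main__":
    print(classify_url("https://hsbc.co.uk-account.help/"))
    print(classify_url("https://www.hsbc.co.uk/account/help"))
    print(mismatched_links(SAMPLE_HTML))
```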

In addition to the non-legitimate domain name, other factors in the HSBC SMS scam - such as the message originating from a standalone mobile number and the communication text including all of the textbook elements of a phishing scam (e.g. the fact that a legitimate service provider would almost never send an unpersonalised communication of this nature to a customer) - should also raise red flags.

This particular scam also incorporates a couple of additional interesting elements. First, the fraudulent domain is hosted on the .help extension, one of the newer gTLDs launched in 2014[6]. This may be less immediately recognisable as an extension - and therefore part of the domain name itself - to users more familiar with the traditional extensions such as .com and .co.uk.

Second, the embedded link uses the secure HTTPS protocol, frequently tipped as a point to check when verifying a link’s authenticity. Although it generally indicates that the web traffic is encrypted during transit, it doesn’t guarantee that the destination site is genuine. There are many budget providers of digital certificates (which enable a site to use the HTTPS protocol) that will sell them without any checks on the legitimacy of the site in question. In fact, in Q2 2020, 78% of phishing sites were found to be employing digital certificates, up from 5% at the end of 2016[1].

The final notable element of this scam is that the domain in question (uk-account.help), despite only being registered on April 25 (see Figure 3), had actually been deregistered by the following day (and accordingly no longer resolved to any live site). Although the brand owner (or an associated brand-protection service provider) may have quickly taken the site down, the use of a domain and related phishing site that is so short-lived is typical of fraudsters hoping to generate quick revenue before the brand owner can discover the scam.


Figure 3: Extract of the whois (ownership) record for the fraudulent domain, showing that it was registered on April 25 (the same day on which the SMS was received), and using a privacy-protection service provider


Actions for brand owners: detection and enforcement - and how CSC can help

CSC works with a number of brands to guard against this type of scam using advanced detection capabilities to provide early warning of active campaigns, and a range of enforcement options to ensure rapid takedown. This provides protection for customers and mitigates reputational damage and financial losses for the brand owner.

Fraudulent content can be identified in a number of ways. With a 'classic' brand detection service, fake sites are found through internet metasearching or domain-name monitoring using zone-file analysis. For those organisations where phishing is a particular issue, a dedicated anti-fraud service can make use of a range of additional phishing detection techniques to maximise the likelihood of early detection. This may involve the use of:

  • Spam traps and honeypots to intercept a cross section of spam e-mails with a view to identifying phishing e-mails
  • Analysis of customers’ webserver logs to identify instances when fake sites draw content from, or re-direct to, official sites
  • Accepting feeds from dedicated mailboxes where customers can report scams

All of this content feeds into CSC’s phishing correlation engine, which automatically analyses URL patterns and site content using machine learning to match candidate sites against previously established predictors of fraudulent content.
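The webserver-log technique listed above can be sketched as a referrer check: requests for the official site's images, stylesheets or scripts that arrive with a third-party Referer point to a page elsewhere that is drawing on official content. This is an added example, not CSC's correlation engine; the official domain `examplebank.example`, the log lines (combined log format, documentation IP ranges) and the function name are constructed.

```python
"""Flag third-party pages that load assets from, or hand visitors to, the official site."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

OFFICIAL = "examplebank.example"     # hypothetical official domain
ASSET = re.compile(r"\.(?:png|jpe?g|gif|svg|ico|css|js)(?:\?|$)", re.I)
# Combined log format: client, request path and Referer are captured.
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed access-log extract from the official webserver.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Apr/2021:09:14:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "https://login.examplebank-secure.example/" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2021:09:14:02 +0000] "GET /static/site.css HTTP/1.1" 200 9310 "https://login.examplebank-secure.example/" "Mozilla/5.0"
203.0.113.20 - - [25/Apr/2021:09:20:41 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "https://login.examplebank-secure.example/" "Mozilla/5.0"
203.0.113.20 - - [25/Apr/2021:09:21:15 +0000] "GET /login HTTP/1.1" 200 2048 "https://login.examplebank-secure.example/" "Mozilla/5.0"
192.0.2.44 - - [25/Apr/2021:09:22:00 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "https://www.examplebank.example/" "Mozilla/5.0"
192.0.2.45 - - [25/Apr/2021:09:23:10 +0000] "GET /rates HTTP/1.1" 200 4096 "https://search.example/?q=examplebank" "Mozilla/5.0"
192.0.2.46 - - [25/Apr/2021:09:24:30 +0000] "GET /static/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def hotlinking_referers(log_text, official=OFFICIAL):
    """Return (referer host, asset hits, page hits, distinct clients), busiest first.

    Only third-party hosts with at least one asset request are reported; page
    hits from the same host may be visitors redirected on to the official site.
    """
    stats = defaultdict(lambda: {"assets": 0, "pages": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                              # not a combined-format line
        client, path, referer = m.groups()
        host = urlsplit(referer).hostname         # None for "-" (no Referer sent)
        if not host or host == official or host.endswith("." + official):
            continue                              # no referrer, or the site's own pages
        entry = stats[host]
        entry["assets" if ASSET.search(path) else "pages"] += 1
        entry["clients"].add(client)
    report = [(host, s["assets"], s["pages"], len(s["clients"]))
              for host, s in stats.items() if s["assets"] > 0]
    return sorted(report, key=lambda r: (-r[3], -r[1], r[0]))


if __name__ == "__main__":
    for host, assets, pages, clients in hotlinking_referers(SAMPLE_LOG):
        print(f"{host}: {assets} asset hits, {pages} page hits, {clients} clients")
```

Legitimate partners and affiliates also embed official assets, so the reported hosts are candidates for review rather than confirmed fake sites.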

Having identified that a scam is active, the next step is rapid takedown. CSC can work with registrars and hosting providers - many of whom will accept proof of fraudulent activity as a contravention of their terms and conditions, and thus grounds for takedown - in addition to other industry bodies to ensure that a fake site is suspended. In other cases, it may be appropriate to work with providers to deactivate the source of the communications (i.e. the sender’s e-mail address or originating telephone number), or to have the site blacklisted in online databases.

References

[1] https://docs.apwg.org//reports/apwg_trends_report_q2_2020.pdf

[2] https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/

[3] https://www.statista.com/statistics/1149241/share-organizations-worldwide-phishing-attack/

[4] https://www.itpro.co.uk/security/359176/645-increase-in-royal-mail-related-phishing-scams

[5] https://www.lancs.live/incoming/dangerous-text-scams-bank-smishing-20400193

[6] https://newgtlds.icann.org/en/program-status/delegated-strings

This article was first published on 26 May 2021 at:

https://www.cscdbs.com/blog/phishing-scams-how-to-spot-them/

Also published at:

https://www.circleid.com/posts/20210615-phishing-scams-how-to-spot-them-and-stop-them/

Wednesday, 11 March 2020

External online threats to your brands

Domain name security and threat intelligence

With nearly 4 billion users and an associated economy of over $4 trillion, the Internet comprises a major ecosystem for businesses today. However, it also provides significant opportunities for criminals to take advantage of trusted brands for their own gain. There are a number of types of possible infringement, including trade in counterfeit goods, online fraud, digital piracy and other kinds of general brand abuse across a range of internet channels, which can have direct impact on the value of brands and the profitability of the associated organisations.

Many types of brand abuse (e.g. domain name infringements, false affiliation claims, unauthorised use of logos or other intellectual property, negative customer comments and brand guideline non-compliance from legitimate affiliates and partners) are familiar to brand representatives responsible for marketing and branding. However, the range of possible infringements extends much further than this, into more sinister areas with significant security implications.

One obvious area of online abuse that can directly affect a company’s bottom line - by way of customer losses and damage to brand reputation - is cybercrime (e.g. phishing). Research indicates that 65% of consumers would change suppliers following an experience of fraud or data breach. Currently 54% of businesses are only 'somewhat confident' in their ability to detect fraudulent activity, although a 2018 study found that 9% of organisations say that their most disruptive case of fraud in the previous two years had caused losses of $5 million or more, causing damage to brand strength, business and regulator relations and employee morale.

Phishing activity, where infringers aim to steal log-in credentials or other types of personal information, is often perpetrated through fake websites. This highlights the need to track the registration of brand-specific third-party domain names and monitor for subsequent changes to website content. However, associated activity can also occur across other channels, including standalone websites, social media and spam e-mails - all of which must be considered if the problem is to be addressed comprehensively. Social media is a common channel for the creation of fake profiles that can be used for executive impersonation and subsequent money-transfer scams.

With regard to domain name abuse, even cases where no live site content is present can be significant, since domains can be used purely for their e-mail functionality - that is, creating a convincing fake e-mail address from which to send phishing e-mails - illustrating the requirement to analyse mail-exchange records and track spam email traffic in order to identify fraudulent communications. In addition, criminals typically take a multi-stage approach to online fraud, with stolen credentials often traded online, frequently via carding websites and forums or on the Dark Web. Monitoring these deeper areas of the Internet can provide early warning of compromised accounts or credit cards, making it possible to deactivate them before significant financial losses take place.

Beyond classic brand infringements, the online appearance of malicious software (malware) can also have significant security implications for brand owners. Types of malware can include keyloggers which steal passwords and other confidential content, and ransomware which locks files and demands payment for their release. Malware is spread through visits to infected websites (e.g. accessed via search engine results or sponsored ads) and opening infected attachments in e-mails. In many cases, the spread of malware involves the use by criminals of brand-related hooks, encouraging users (i.e. customers or employees) to access the infected content. Malware can also open an organisation up to infiltration by hackers, though this can also arise as a result of employee social engineering or lax security policies. Hacking activity can damage an organisation in a number of different ways, including the compromise of sensitive customer records. At least nine high-profile cases, each involving access to more than 50 million sets of credentials, have been reported in the press since 2013. Cases of this nature can have significant direct financial implications, with the average cost to organisations of data breaches in 2018 estimated at over $5 million per incident.

Consequently, the implementation of a holistic brand protection programme should be a crucial requirement for brand owners, ensuring that responsibility for programme ownership - including budget provision - is shared across all relevant stakeholders. Online fraud and cybercrime go hand in hand with other types of infringement; to combat these risks, various departments (e.g. marketing, legal and IT security) need to work together. All might have different objectives, yet their common goal should be to keep their organisation protected, secure and safely operating online at all times.

This article was first published on 28 November 2019 at:
https://www.worldtrademarkreview.com/index.php/external-online-threats-your-brands

Experimenting with a new domain data source to identify hard-to-find web content

Introduction The monitoring component of brand protection services aims to identify infringing web content relating to a particular brand, w...