Friday, 22 July 2022

Online brand abuse is a cybersecurity issue

(Contributed article)

Over the last two years, there has been a huge shift in the way consumers and users engage with businesses, with a significantly heavier emphasis on online Internet-based activities and presence. Businesses are paying attention to these changes, but so are cybercriminals and other malicious actors. In fact, the Internet Crime Complaint Center (IC3) reported a 65% increase in global exposed losses between July 2019 and December 2021, partly due to the increase in virtual business as a result of the pandemic. We see companies with trusted brands have customers that will engage with them for years. Cybercriminals want to take advantage of this, resulting in an understandable increase in Internet-based crimes and infringers looking to abuse trusted brands and their reputations. This can lead to consumers losing confidence in these brands and derailing the interactions meant for the trusted organisations, resulting in lost revenue and business opportunities.

Track online abuse issues

Historically, many companies used a variety of methods to track abuse issues (such as fraud and counterfeiting) and brand sentiment, but the recent increase in online activities necessitates an even stronger emphasis on online brand protection. There also needs to be an evolution in how companies implement their online brand protection programmes, as traditional methodologies cannot keep up with the rate of online brand abuse. In fact, many companies do not understand the depth of the challenges and the growth in the number of channels where this infringing activity takes place.

Organisations spend lots of time and money building a trusted brand - all of which can be stripped away in a short time by the fallout of online crime. The best way for companies to protect their brand is to implement an online brand protection programme that combines online monitoring (to identify infringing content) and enforcement activities (to remove said content). Complementary solutions can also help to create a more comprehensive approach; for example, blocking networks, which can incorporate partnerships with browser producers, ISPs and other security information and event management (SIEM) service providers, can block fraudulent websites from Internet users. Using these methods to track and remediate activity by infringers should also run alongside a programme of secure domain name management, allowing the brand owner to administer and protect their own official domain portfolio.

Some of the key benefits of implementing an online brand protection programme are:

  • Identifying online brand-related criminal activity
    • A comprehensive brand protection programme can help to identify instances of online fraud (e.g. phishing or the trade in stolen credentials), the sale of counterfeit goods and other intellectual property breaches (e.g. brand name misuse to mislead customers and drive web traffic to third-party content).
  • Identifying other online brand references
    • Understanding how your brand is being used - and abused - by third parties is both important and valuable in its own right. It can raise awareness of issues like potential brand confusion, brand dilution and brand usage breaches, which could affect the value of your brand.
  • Identifying negative customer comments or boycott activity and reputation management
    • Frequent negative commentary can impact your trusted brand value or public perception of your brand. This content is tough to remove from the Internet, as it is protected by freedom of speech; however, being aware of the negative comments can prove valuable to brand owners, giving them the opportunity to put out an appropriate counter-message or to change their product strategy as a means of counteracting the negative buzz. The most important thing is to take some action, but without being too heavy-handed and thus running the risk of being labelled a 'brand bully'.

Monitoring solutions for trusted brands

A comprehensive monitoring solution should use a range of approaches. General Internet content can be monitored using a combination of search-engine queries, web crawling, and direct searches of known sites of interest. Branded domain names can be identified through zone-file analysis and other techniques, with the most sophisticated technologies able to detect brand variations - for example, misspellings and other fuzzy matches - and use artificial intelligence (AI) technology to detect trends and build links between infringements.

Strategies and tactics

There are a variety of enforcement strategies and tactics that an organisation can use. The first thing to do is have a checklist / toolkit approach, which includes a standardised, easily scalable list of activities that can be undertaken to address infringements. This approach allows the trusted brand owner to use simple, low-cost approaches as an initial step, while reserving more complicated or costly options as escalation routes if initial takedown attempts are unsuccessful. This process can start with identifying the infringement, verifying its source and then, if appropriate, sending a cease-and-desist letter to the criminal saying "we've uncovered your illegal activity; please stop and take this down".

If there is no response to these initial enforcement tactics, companies should then think about escalation approaches - including notices to registrars or hosting providers - and then ultimately consider dispute resolution or legal options. Platforms like social media sites and e-commerce or mobile app marketplaces may also have their own built-in IP protection programmes that can be leveraged. In other cases, alternative actions like search engine de-listings or payment gateway suspensions may be appropriate. It is best to have a range of approaches available, but always start by taking down the high-impact targets. Companies often do not realise it is not necessary to take everything down - be tactical by starting with the ones that hurt your brand the most and have the largest audience.

As more platforms are created, brand protection and brand insights are more important than ever. Brand leaders should receive reports on a daily, weekly and monthly basis to understand the nature of the activity that can damage their organisation - and, most importantly, what needs to be done to actively protect the trusted brand.

This article was first published on 22 July 2022 at:

https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

Tuesday, 24 May 2022

"Do you see what I see?" - Geotargeting in brand infringements

by Lan Huang and David Barnett

Geotargeting is a well-established online technique for delivering tailored web content based on a user's geographic location. From an Internet technology point of view, this is usually based on the user's IP address, which is converted to a physical location through a standard look-up process performed by network infrastructure.

Geotargeting is commonly used by websites for several legitimate reasons, including providing users with relevant advertising and other content, or restricting the distribution of content to particular countries or regions in compliance with IP rights restrictions. However, geotargeting (or geoblocking) is increasingly being used by bad actors with their infringing websites. The sites may be configured so the infringing content (e.g. counterfeit goods sales) is only accessible in certain countries. Similarly, sites may be configured such that the content is visible only at certain times, on certain days, or can vary dependent on the web browser used.

Outside those locations (or times), sites may resolve to unrelated content, like gambling-related or adult material, or websites for third-party companies. In some cases, affiliate links on these pages can be sources of additional revenue for their owners beyond their core purpose, i.e. the distribution of the infringing content. Generally, the main purpose of the geotargeting technique is to circumvent detection by the real brand owner, their brand protection service provider, or to frustrate enforcement efforts.

Common geotargeting implementation methods

There are several ways to implement geotargeting, the most common of which include:

  • Use of a .htaccess configuration file on the webserver of the site in question to restrict access to the content from certain IP addresses
  • Use of JavaScript in the website source code specifying that access from certain countries should be restricted
    • In this case, the geoblocking takes place on the client side (in the web browser); this type of blocking can be implemented, without any specific technical knowledge, using a suitable plug-in when the site is built

Most often these tools are used for legitimate purposes, including security (e.g. blocking traffic from suspected automated bots), search-engine optimisation (e.g. customisation of site content by location), or compliance (e.g. where content may be illegal in certain jurisdictions). However, as discussed previously, use of these techniques has become increasingly popular with fraudsters who use them to avoid detection and thereby increase the uptime for their infringing content.

Enforcement implications

Enforcement action against geotargeted content can be difficult because the Internet service providers (ISPs) through which the takedowns are made may not be able to see the offending content. A successful takedown is generally reliant on the brand owner being able to provide the ISP with information relating to the IP address(es) or geographic regions from which the infringing content is accessible, together with a screenshot of that content.

At times, it may not be possible for the users who first accessed the infringing content to provide the required information - such as the IP address(es) mentioned above, or a screenshot of the infringing site. This is not uncommon, and there are investigation tools that can be used to support evidence preservation for takedown, as described below.

Investigation of geotargeted content: A case study of an infringing website

Investigating a site using geotargeted content requires the investigator to bypass the geoblocking, which is generally most easily achieved using tools to mask their location (i.e. their IP address, or the location from where their web queries are originating). This can be done by using a virtual private network (VPN), a proxy server, or SmartDNS (domain name system).

However, if it can be established that the geoblocking or content redirection has been implemented using JavaScript - which can be confirmed using any of a range of free, third-party tools - the geoblocking can usually be at least partially circumvented by disabling JavaScript in the browser.

To illustrate, the following example shows a geotargeted counterfeit site identified by CSC as infringing against a luxury goods brand. The website - [brand]-store.org - appears to be tailored to the Japanese market, and the Google abstract for the site shows what appears to be the intended content, with Japanese text translated as 'Fall / Winter New Down Women's / Men's Cheap Mail Order' (Figure 1).

Figure 1: Google abstract for the geotargeted counterfeit site

Conversely, when the site is viewed from the UK, the user is instead re-directed to a restricted access page on a third-party domain (Figure 2).

Figure 2: Re-direction destination page for the geotargeted counterfeit site when viewed from the UK

However, if JavaScript is disabled in the browser, the redirection no longer takes effect. In this case, blocking JavaScript meant that the website content did not display properly; however, by viewing the webpage source code, we were able to verify the presence of the counterfeit site content. An extract is shown in Figure 3, where the Japanese page title translates as '[Brand] Outlet Store Official Site - 2021 New Fall / Winter Down Women's / Men's Cheap Online Store - [Brand] Outlet Store Official Site'.

Figure 3: Extract of the HTML source code of the geotargeted counterfeit site

Completing the investigation, the content of the site can be viewed by modifying the HTML to remove the JavaScript command causing the redirect and opening the resulting document in a browser (Figure 4).

Figure 4: Content of the geotargeted counterfeit site shown by rendering the edited HTML source code directly in a browser
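The evidence-preservation steps above (disable JavaScript, inspect the source, remove the redirect, render the rest) can be scripted over a saved copy of the page. The following is an added example, not code from the article or from CSC; the HTML it processes is constructed, and the list of redirect hints it looks for is an assumption.

```python
"""Find and neutralise client-side redirects in a captured HTML page.

Given the saved source of a geotargeted page, report the inline scripts and
meta-refresh tags that redirect the visitor, record the redirect targets as
evidence, and return a copy with those elements removed so the remaining
content can be opened locally in a browser.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
META_REFRESH_RE = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*>", re.IGNORECASE)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Assumed set of expressions an inline redirect typically uses.
REDIRECT_HINTS = ("location.replace", "location.href", "location.assign",
                  "window.location", "document.location")


def _is_redirect_script(tag: str) -> bool:
    return any(hint in tag for hint in REDIRECT_HINTS)


def find_redirects(html: str) -> list:
    """Return (kind, snippet) pairs for every redirecting element found.

    External scripts (<script src=...>) cannot be inspected offline and are
    therefore never reported or removed.
    """
    found = [("script", m.group(0)) for m in SCRIPT_RE.finditer(html)
             if _is_redirect_script(m.group(0))]
    found += [("meta-refresh", m.group(0)) for m in META_REFRESH_RE.finditer(html)]
    return found


def redirect_targets(html: str) -> list:
    """Unique redirect destination URLs, in order of appearance (takedown evidence)."""
    targets = []
    for _, snippet in find_redirects(html):
        for url in URL_RE.findall(snippet):
            if url not in targets:
                targets.append(url)
    return targets


def neutralise(html: str) -> str:
    """Copy of the page with redirecting scripts and meta refreshes removed."""
    html = SCRIPT_RE.sub(lambda m: "" if _is_redirect_script(m.group(0)) else m.group(0), html)
    return META_REFRESH_RE.sub("", html)


def page_title(html: str) -> str:
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""


def investigate(html: str) -> dict:
    """Bundle the evidence an investigator would keep alongside the screenshot."""
    return {
        "title": page_title(html),
        "redirects": [kind for kind, _ in find_redirects(html)],
        "targets": redirect_targets(html),
        "rendered_html": neutralise(html),
    }


# Constructed sample page: a country code obtained earlier is compared and
# visitors outside the intended market are sent to an unrelated page.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<title>[Brand] Outlet Store Official Site</title>
<meta http-equiv="refresh" content="0;url=https://example.net/restricted">
<script>
  var country = "GB";
  if (country !== "JP") { window.location.replace("https://example.net/restricted"); }
</script>
<script src="/static/app.js"></script>
</head><body>
<h1>[Brand] Outlet Store</h1>
<p>Fall / Winter new down jackets</p>
</body></html>
"""

if __name__ == "__main__":
    result = investigate(SAMPLE_HTML)
    print(result["title"], result["redirects"], result["targets"])
```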

This article was first published on 24 May 2022 at:

https://www.cscdbs.com/blog/do-you-see-what-i-see-geotargeting-in-brand-infringements/

Also published at:

https://circleid.com/posts/20220531-do-you-see-what-i-see-geotargeting-in-brand-infringements

Monday, 9 May 2022

Branded domains are the focal point of many phishing attacks

As a long-established online attack strategy, phishing remains a popular tool for fraudsters because of its effectiveness. The Anti-Phishing Working Group reported more than 300,000 distinct phishing attacks in December 2021 - more than three times the number reported in early 2020, and the highest monthly total ever identified[1].

Classic phishing, where Internet users are driven to fraudulent sites designed to collect log-in credentials or other personal information, is still used extensively to access customer accounts or corporate systems, or to engage in identity theft. One recent study suggested around two thirds of phishing campaigns are geared towards credential theft[2]. However, other variants, such as business e-mail compromise (BEC) attacks or money-transfer scams, have also emerged over time. A significant proportion of phishing activity is also used to distribute malware (including ransomware), either through malicious e-mail attachments, or the use of infected phishing landing pages - indeed, phishing is now recognised as the primary means of delivering malicious payloads[3,4].

Central to many phishing attacks is an associated domain name, used either in the construction of a convincingly deceptive e-mail delivery ('from') address, for hosting the phishing site, or both. A key element of a successful attack is making the fraudulent content look like it originates from a trusted brand. One way to do that is by registering a domain name containing the name, or a variation, of the target brand. A 2021 study of the configurable sections of phishing site URLs - which also included consideration of keyword use in the subdomain portion, as well as in the domain names themselves - found that the most frequently used keyword across all analysed phishing sites was 'amazon'[5].

Phishing domain analysis

This section presents an analysis of approximately 2,000 phishing takedowns carried out by CSC’s Anti-Fraud Team across its customer base during 2021, covering both e-mail address and phishing site deactivations. Enforcements cover both phishing attacks (65.6% of cases) and advance-fee frauds (34.4%) targeting brands in over 20 industry verticals.

For each phishing case, we consider the domain used in the attack to determine whether the name of the targeted brand appears in the phishing domain name (i.e. this excludes consideration of whether the brand name appears in an alternative location in the phishing site URL, such as the subdomain name). The results of this analysis are shown in Figure 1.

Figure 1: Proportion of phishing domain names incorporating the targeted brand name, plus the type of match.

The analysis shows that just over half the cases (50.4%) do not feature the name of the targeted brand in the phishing domain name, either using a brand reference elsewhere in the URL, or using an entirely brand-independent URL, which in some cases could be a compromised site[6]. The other half (49.6%) make use of a brand-specific domain name to construct a deceptive URL. In most of these cases (41.7% of the total), the exact brand name is used, while the remainder feature a brand variant or misspelling. The types of variations observed are:

  • Added character(s) ('Added' in Figure 1) - One or more additional characters are inserted into the brand name. Frequently this comprises the addition of a hyphen between parts of the brand name.
  • Abbreviation ('Abbreviation') - The domain uses a truncated form of the brand name or acronym, designed to be recognisable to a human reader.
  • Replaced character(s) ('Replaced') - One or more characters in the brand name are replaced by another character (or combination of characters). Often, the character is visually similar to that which it replaces. Some of the most visually convincing replacements observed in the dataset were:
    • w → vv
    • m → rn
    • g → q
    • y → v
    • l (lower-case L) → 1 or I (upper-case i)
    • i → l (lower-case L)
  • Removed character ('Removed') - A single character is removed from the brand name being referenced.
  • Transposed elements ('Transposed') - A pair of characters in the brand name or individual components (e.g. words) of the brand name are swapped with each other.
  • Other typo variants ('Other typo') - Another type of misspelling or a combination of the above approaches has been used.
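The variant categories above can be applied mechanically to a domain that has already been identified as a phishing domain. The following classifier is an added example, not CSC's tooling or code from the article: it uses the lookalike table listed above, checks the categories in an assumed order, and treats anything else within two edits of the brand as 'other typo'; the 'abbreviation' category is omitted because it needs brand-specific knowledge. The sample domains are constructed.

```python
"""Classify how a target brand name appears in a suspected phishing domain."""

# Visually convincing replacements listed in the article (character -> lookalikes).
# DNS names are case-insensitive, so upper-case I is treated as lower-case i.
LOOKALIKES = {
    "w": ("vv",),
    "m": ("rn",),
    "g": ("q",),
    "y": ("v",),
    "l": ("1", "i"),
    "i": ("l",),
}


def second_level_label(domain: str) -> str:
    """Lower-cased label directly under the TLD, e.g. 'brand-store' for brand-store.org.
    Assumption: a simple <label>.<tld> structure (no public-suffix handling)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def windows(text: str, length: int):
    """All contiguous substrings of `text` with exactly `length` characters."""
    return (text[i:i + length] for i in range(len(text) - length + 1))


def is_subsequence(short: str, long: str) -> bool:
    """True if every character of `short` occurs in `long` in the same order."""
    it = iter(long)
    return all(ch in it for ch in short)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(brand: str, domain: str) -> str:
    """Return 'exact', 'replaced', 'added', 'removed', 'transposed', 'other typo' or 'none'."""
    b = brand.lower()
    label = second_level_label(domain)
    n = len(b)

    if b in label:
        return "exact"

    # Replaced: a lookalike substitution (which may change length, e.g. w -> vv)
    # or any other single-character substitution in a same-length window.
    lookalikes = {b[:p] + rep + b[p + 1:] for p, ch in enumerate(b)
                  for rep in LOOKALIKES.get(ch, ())}
    if any(v in label for v in lookalikes):
        return "replaced"
    if any(sum(x != y for x, y in zip(w, b)) == 1 for w in windows(label, n)):
        return "replaced"

    # Added: the brand survives as an ordered subsequence of a slightly longer
    # window (one or two inserted characters, e.g. a hyphen between word parts).
    for extra in (1, 2):
        if any(is_subsequence(b, w) for w in windows(label, n + extra)):
            return "added"

    # Removed: a window equals the brand with a single character deleted.
    deletions = {b[:p] + b[p + 1:] for p in range(n)}
    if any(w in deletions for w in windows(label, n - 1)):
        return "removed"

    # Transposed: a window equals the brand with one adjacent pair swapped.
    swaps = {b[:p] + b[p + 1] + b[p] + b[p + 2:] for p in range(n - 1)}
    if any(w in swaps for w in windows(label, n)):
        return "transposed"

    # Other typo: anything else within two edits of the brand. This fuzzy test is
    # noisy on arbitrary names, so apply it only to domains already under review.
    for length in range(max(n - 1, 1), n + 2):
        if any(edit_distance(w, b) <= 2 for w in windows(label, length)):
            return "other typo"

    return "none"


if __name__ == "__main__":
    # Constructed sample domains, one per category.
    for d in ("amazon-login.com", "arnazon.net", "ama-zon.com",
              "amzon.com", "amaozn.com", "amazzom.com", "example.com"):
        print(d, "->", classify("amazon", d))
```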

Across the dataset, more than 160 distinct domain name extensions are represented, with the top 10 including several new generic top-level domains (new gTLDs) (Figure 2). This is consistent with previous studies that established many of these extensions are frequently associated with untrustworthy sites[7,8].

Figure 2: Top 10 domain-name extensions (TLDs) represented in the dataset of phishing domains

Case study: domain registration trends associated with phishing activity targeting a banking group

Across Q4 2020 and Q1 2021, CSC identified a large number of domain registrations associated with a sizeable, coordinated phishing campaign targeting a FTSE-100 multi-brand banking group. The primary attack vector was via SMS messaging (a.k.a. smishing), and the campaign used a series of brand-specific domain names that resolved to fake branded websites soliciting customer log-in credentials. CSC determined that the sites were part of a large-scale attack by a single entity, or a group of connected entities, based on similarities in registration dates, keyword permutations and URL structure, plus common use of privacy protection services. At the time of analysis, the domains resolved to a mixture of live and inactive sites, suggesting each phishing site may only have been active for a short period.

The campaign moved from one brand (Brand A), being targeted primarily in October and November 2020, to a second brand (Brand B), with a smaller peak in activity around February 2021. The numbers of domains used in these attacks were sufficiently large that the campaign dominated the overall pattern of total third-party domain registrations for the brands across the period in question (Figure 3).

Figure 3: Daily total numbers of detected domain registrations (and seven-day centred rolling averages) for two brands associated with a FTSE-100 banking group, between September 2020 and June 2021

Proactive monitoring and enforcement as part of a comprehensive security programme can help defend against phishing attacks

The above observations raise significant implications regarding the requirements for an effective phishing detection service. First, a key component is the detection of brand-specific domain names, as shown by the fact that almost half the domains analysed in our initial dataset incorporate a brand reference in the domain name. The simplest domain detection products only attempt to identify names containing exact matches to the brand name concerned, but as our analysis shows, some 16% of the branded phishing domains actually reference a brand variant, rather than the exact brand name. This may be a deliberate decision by the fraudsters to try to circumvent detection efforts, and it highlights the need for a comprehensive solution able to tackle these variations. CSC’s 3D Domain Monitoring service has been designed with these requirements in mind, covering detection of a range of brand variants, including fuzzy matches (incorporating character replacements and use of non-Latin homoglyphs) and Soundex (homophone or metaphone) variations (i.e. domains that are pronounced similarly), across a wide range of domain name extensions.

However, even comprehensive domain detection is only part of the solution. Just over half the phishing attacks in our dataset do not use brand-specific domain names, showing that a truly effective phishing detection product must also incorporate other data sources. CSC’s Fraud Protection service also makes use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs. This information is fed into our machine-learning-driven correlation engine that detects fraudulent sites by analysing URL patterns and comparing site content with known predictors of fraudulent content. A final key element is the inclusion of a 24×7 enforcement capability to ensure rapid takedown of fraudulent content.

References

[1] https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf

[2] https://cofense.com/annualreport

[3] https://www.cisa.gov/stopransomware/general-information

[4] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[5] https://www.daj.jp/en/about/release/2021/0922_01/

[6] https://www.phishlabs.com/blog/most-phishing-attacks-use-compromised-domains-and-free-hosting/

[7] https://circleid.com/posts/20210908-credential-hinting-domain-names-a-phishing-lure

[8] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

This article was first published on 9 May 2022 at:

https://www.cscdbs.com/blog/branded-domains-are-the-focal-point-of-many-phishing-attacks/

Monday, 25 April 2022

Breaking the rules on counterfeit sales: the use of hidden links

Counterfeiting is big business. A 2021 study by the Organisation for Economic Cooperation and Development (OECD) estimated that the international trade in counterfeit and pirated products was worth up to $464 billion in 2019, or around 2.5% of all world trade[1]. A significant proportion of this trade occurs via digital channels, where global annual expenditure on e-commerce is more than $4 trillion[2]. A 2018 study by the US Government Accountability Office found that two in five branded products purchased online are counterfeits[3]. Europol’s 2017 Situation Report on Counterfeiting and Piracy noted that counterfeit goods are increasingly distributed via online marketplaces, with many of the items originating from manufacturing centres in China and the Far East[4]. Its updated 2022 study found that other online channels, including social media and instant messaging services, are also becoming more significant[5]. Similar trends have also been noted by other recent studies[6,7], with the COVID-19 pandemic having further driven an increased online trade in counterfeits[8,9].

In response to the increasing size of this problem, several pieces of legislation have been developed or proposed to drive increased online safety. The US Shop Safe Act aims to place increased pressure on marketplaces to prevent infringing listings, by including requirements to ensure verified seller identities, proactive screening of items for counterfeit indicators, and the suspension of repeat infringers. Furthermore, the INFORM Consumers Act (an extension of the SANTA Act) requires regular marketplace verification and disclosure of details (where available) for high-volume sellers[10]. This change in landscape is pushing many online marketplaces to develop more proactive programs to identify and remove listings offering infringing products.

Despite the safety and quality implications associated with counterfeit items, there remains a consumer appetite for replica products, particularly where the original branded products sell at a high price point. This demand has resulted in the emerging tactic of using hidden links to sell infringing items.

What are hidden links?

Hidden links are used to circumvent marketplace restrictions on the sale of counterfeit products. They involve an online seller creating an external listing for a counterfeit item (e.g. on a standalone e-commerce site) that links to a decoy marketplace listing. The item displayed on the marketplace is usually an unrelated generic product, and the referring site incorporates instructions for buying the counterfeit item via the marketplace listing. This may involve the buyer selecting a particular colour and size combination (Figure 1).

Figure 1: Example of a marketplace listing using a hidden link that is in fact associated with the sale of counterfeit luxury watches

From a brand protection point of view, it is difficult to explicitly monitor for and detect hidden-link listings in isolation, since the only visible characteristics are a standalone e-commerce listing for a branded product, linking to a marketplace listing for an unrelated product. It is not even always straightforward just to search for the presence of an embedded link to the marketplace site in the referring listing, because the links often proceed via affiliate redirection URLs - meaning there may be no reference to the marketplace domain name in the HTML of the referring page.

That said, the counterfeiters often construct sites explicitly to promote the hidden links and give instructions on their use (Figure 2). In some cases, the referring sites may also infringe on the names of the brands or marketplaces being abused, by using official brand terms in the domain name or official branding on the page. Therefore, detection is usually based on a combination of monitoring for brand terms in conjunction with keywords relating to hidden links and other keywords, such as 'replica' (Figure 3). Similar content is typically also found on other channels like social media (Figure 4).

Figure 2: Example set of instructions on a site promoting hidden links

Figure 3: Examples of websites featuring hidden-link listings

Figure 4: Examples of a social media group and profile promoting hidden links

Insights for businesses

As a brand owner, monitoring for content relating to hidden links can form part of an online brand protection strategy that deals with counterfeit activity. It can help brands reveal instances where the sale of infringing items on the marketplaces themselves is not apparent from the content of these listings, and therefore may sit outside the platforms’ IP protection programmes.

From an enforcement perspective, taking down the marketplace listing is typically reliant on having the appropriate IP protection in place, and on proof of infringement. The exact requirements vary between marketplace platforms, but generally involve test purchases to verify the actual nature of the goods being shipped. An alternative option might be to carry out enforcement against the referring site, dependent on the presence of any IP infringements, since removal of the hidden-link instructions can essentially render the marketplace listing unusable.

References

[1] https://www.oecd.org/gov/global-trade-in-fakes-74c81154-en.htm

[2] https://business.adobe.com/resources/digital-economy-index.html

[3] https://www.gao.gov/products/gao-18-216

[4] https://www.europol.europa.eu/media-press/newsroom/news/europol-%e2%80%93-euipo-2017-situation-report-counterfeiting-and-piracy-in-eu

[5] https://www.europol.europa.eu/media-press/newsroom/news/counterfeit-and-pirated-goods-get-boost-pandemic-new-report-confirms

[6] https://ustr.gov/sites/default/files/IssueAreas/IP/2021%20Notorious%20Markets%20List.pdf

[7] https://www.retaildetail.eu/en/news/general/meta-platforms-centres-counterfeit-trade

[8] https://euipo.europa.eu/ohimportal/en/news/-/action/view/9231590

[9] https://www.infosecurity-magazine.com/news/counterfeit-pirated-imports-surge/

[10] https://www.buysafeamerica.org/informed-consumers-act

This article was first published on 25 April 2022 at:

https://www.cscdbs.com/blog/breaking-the-rules-on-counterfeit-sales-the-use-of-hidden-links/

Also published at:

https://circleid.com/posts/20220510-breaking-the-rules-on-counterfeit-sales-the-use-of-hidden-links

Tuesday, 19 April 2022

Creating a cost-effective domain name watching programme

Introduction

The management and monitoring of domain names are central components of the business administration and brand protection activities of any organisation with an online presence. Companies typically maintain a portfolio of official domains, which include:

  • core domains used in the day-to-day execution of their business, such as those used to host the official company websites and email infrastructure; and
  • a wider group of tactical domains, including defensive registrations (i.e. those held to avoid them being used by third parties) and others intended for potential future use, such as those relating to planned brand or product launches.

Careful management of these official domains - ideally using an enterprise-class service provider - is key to keeping them secure, maintaining business continuity and circumventing the threat vectors that can lead to phishing, and DNS (domain name system) or DDoS (distributed denial of service) attacks, among other things. A range of industry solutions can provide protection, including registry lock; DNSSEC (domain name system security extensions); enterprise-grade DNS hosting; and DMARC (domain-based message authentication, reporting and conformance).

However, no organisation can defensively register domains that contain every possible permutation of its brand name and associated keywords that could potentially be used by an infringer; it is neither sustainable nor cost-effective to do so. Accordingly, a brand protection programme - incorporating domain name monitoring - that tracks third-party activity outside the firewall (i.e. on the open Internet) is essential for any organisation looking to defend its brand online.

Third-party brand-related activity can comprise several threat types:

  • lower threat brand abuse categories, such as negative comments or non-compliance with brand guidelines;
  • instances of brand infringement, comprising contravention of IP protection; and
  • actively criminal brand fraud activity, such as phishing or counterfeit sales.

A brand protection programme identifies these threats via Internet monitoring and, where possible or appropriate, takes down infringements using a toolkit of enforcement approaches. This not only directly defends revenue and reputation but also makes the brand less attractive for potential infringers to target.

All brand threats can occur across a range of online channels, although arguably the most significant are those occurring on websites hosted on brand-specific domain names. This is true for several reasons:

  • branded domains typically rank higher in search engines, creating greater visibility to potential customers; and
  • branded domains comprise more explicit abuse of IP rights, although this means more enforcement options are available.

Consequently, a domain monitoring component is vital to any comprehensive brand protection solution. There is a wide universe of domain names to consider. Verisign's Domain Name Industry Brief[1] reported that, as of the end of Q3 2021, there were a total of 364.6 million registered domains.

Domain monitoring and brand protection

Domain name monitoring identifies the registration of third-party domains containing a brand name of interest (or variations) in as close to real time as possible. This allows content to be analysed and tracked, and - where found to be infringing - for enforcement actions, such as website or content takedowns, or domain disputes to be launched to minimise brand damage and revenue loss.

Domain detection can be key even when the domain has no active website content. In some cases, domains are registered purely for their e-mail functionality. This allows bad actors to construct e-mail addresses that appear confusingly similar to that of the official organisation being targeted.

The presence of a mail exchanger (MX) record indicates that the domain is configured to receive e-mail. Note that sending requires no MX record, so its absence does not rule out the domain being used as the spoofed sender of outbound mail; its presence on a lookalike domain, however, can be an early indicator that the domain is intended for use in phishing or business e-mail compromise (BEC) scams. In other cases, pay-per-click links may be included on a domain parking page, which can be a source of revenue for the domain owner - hijacking web traffic that is arguably intended for the brand owner's organisation.

Domains containing a range of brand variants or keyword variations are often registered for short periods to determine which attract the greatest number of visitors, either through search engine queries or mistyped browser requests.

Methodology

A primary data source for domain name monitoring is the set of zone files, published by registry organisations on a regular, often daily, basis. These include lists of all registered domains across a particular domain name extension, or top-level domain (TLD). A wildcard search will identify all domains containing a brand term of interest. Comparing each version of a zone file with that from the previous day makes it possible to identify both new registrations and lapsed domains.

Zone files are typically available across a range of TLDs, particularly global or generic TLDs (gTLDs), such as .com and .net, and the range of new gTLDs[2] launched since 2012; for gTLDs, access is generally requested through ICANN's Centralized Zone Data Service (CZDS). They are less readily available, and may be less comprehensive, across other extensions such as country-code TLDs (ccTLDs), many of which publish no zone file at all.

For this reason, an effective domain monitoring solution usually requires additional data sources to identify as many relevant domains as possible; however, completely comprehensive coverage is never possible. The additional techniques include:

  • Parallel look-ups - this method involves performing queries based on the domains identified via zone file analysis to determine whether equivalently named domains (i.e. those with the same second-level domain name (the part of the domain name before the TLD)) exist across other extensions.
  • Exact-match/direct queries - this approach is used when one or more search strings of high relevance exist (e.g. the brand name in isolation). It involves querying every possible domain name comprising just the string itself and any TLD to check whether the domain is registered.
  • Internet meta-searching - this is the same method used to find general Internet content in a basic brand monitoring service. It involves submitting brand-related queries to search engines and, optionally, further crawling of relevant links on the pages identified.
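The following script, added here as an illustration rather than taken from CSC's own tooling, shows the zone-file workflow described above in working form: a wildcard search for a brand term over a zone snapshot, a day-over-day diff that yields new and lapsed registrations, and parallel look-ups of the same second-level labels across the other TLDs in hand. The brand term examplebank, the portfolio set and the three miniature zone snapshots are constructed; real snapshots are in the same presentation format but run to millions of lines.

```python
"""Zone-file based domain watching: wildcard brand search, day-over-day diff
and parallel look-ups across TLDs. Added example with constructed data."""
from typing import Dict, Iterable, Set, Tuple

TERM = "examplebank"            # hypothetical brand term being watched
PORTFOLIO = {"examplebank"}     # hypothetical labels the brand owner already holds

# Constructed miniature zone-file snapshots. Real gTLD zone files (requested via
# ICANN's Centralized Zone Data Service) use this same presentation format; the
# registered domains are the owner names of the NS records sitting exactly one
# label below the TLD, everything else (SOA, DS, glue A/AAAA) is ignored.
ZONE_COM_DAY1 = """\
; constructed .com snapshot, day 1
com.                        86400  IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
EXAMPLEBANK.COM.            172800 IN NS  ns1.examplebank.com.
examplebank-login.com.      172800 IN NS  ns1.parkingco.example.
examplebank-secure.com.     172800 IN NS  ns1.parkingco.example.
flowershop.com.             172800 IN NS  ns1.other.example.
ns1.examplebank.com.        172800 IN A   192.0.2.10
"""
ZONE_COM_DAY2 = """\
; constructed .com snapshot, day 2: one lapse, one new registration
com.                        86400  IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 2 1800 900 604800 86400
EXAMPLEBANK.COM.            172800 IN NS  ns1.examplebank.com.
examplebank-secure.com.     172800 IN NS  ns1.parkingco.example.
my-examplebank-account.com. 172800 IN NS  ns1.bulkhost.example.
flowershop.com.             172800 IN NS  ns1.other.example.
ns1.examplebank.com.        172800 IN A   192.0.2.10
"""
ZONE_NET_DAY2 = """\
; constructed .net snapshot, day 2
net.                        86400  IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 2 1800 900 604800 86400
examplebank-secure.net.     172800 IN NS  ns1.parkingco.example.
flowershop.net.             172800 IN NS  ns1.other.example.
"""


def registered_labels(zone_text: str, tld: str) -> Set[str]:
    """Second-level labels delegated in a zone-file snapshot for `tld`."""
    labels: Set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments / blank lines
        if not line:
            continue
        fields = line.split()
        # Only delegations count; the TTL and class fields are optional in the format.
        if "NS" not in (f.upper() for f in fields[1:4]):
            continue
        parts = fields[0].lower().rstrip(".").split(".")
        if len(parts) == 2 and parts[1] == tld.lower():   # exactly <label>.<tld>
            labels.add(parts[0])
    return labels


def wildcard_search(labels: Iterable[str], term: str) -> Set[str]:
    """The zone-file equivalent of a *term* wildcard query, minus the own portfolio."""
    term = term.lower()
    return {label for label in labels if term in label} - PORTFOLIO


def diff_snapshots(yesterday: Set[str], today: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(newly registered, lapsed) labels between two consecutive snapshots."""
    return today - yesterday, yesterday - today


def parallel_lookups(hits: Iterable[str], zones: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each hit label, every TLD in hand where the same label is registered."""
    return {label: {tld for tld, labels in zones.items() if label in labels} for label in hits}


def watch(term: str) -> Dict[str, object]:
    """One daily run: hits, new/lapsed hits and cross-TLD look-ups for `term`."""
    com_day1 = registered_labels(ZONE_COM_DAY1, "com")
    com_day2 = registered_labels(ZONE_COM_DAY2, "com")
    net_day2 = registered_labels(ZONE_NET_DAY2, "net")
    new, lapsed = diff_snapshots(com_day1, com_day2)
    hits = wildcard_search(com_day2, term)
    return {
        "hits_com": hits,
        "new_com": wildcard_search(new, term),
        "lapsed_com": wildcard_search(lapsed, term),
        "parallel": parallel_lookups(hits, {"com": com_day2, "net": net_day2}),
    }


if __name__ == "__main__":
    for key, value in watch(TERM).items():
        print(f"{key}: {value}")
```

Lapsed domains are worth tracking as well as new ones: a lookalike that drops out of the zone is available for re-registration, by the brand owner or by the next infringer.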

A recent study[3] by CSC highlighted that, following the launch of a new TLD, the registration of new domains by potential infringers is usually extremely rapid. This highlights the importance of having a brand monitoring programme that can cover new extensions as soon as they launch.

Furthermore, the most effective domain monitoring services cover not just the brand name itself but variations, such as misspellings. Infringers use domain names incorporating brand variants in numerous ways. These include constructing web addresses (URLs) or e-mail addresses that appear deceptively similar to those used by the genuine brand, and the misdirection of web traffic through mistyped addresses or DNS requests corrupted by hardware bit errors (e.g. bit-squatted domains[4]). The domain name variants typically covered by a sophisticated monitoring programme might include:

  • instances where any character in the monitored string (i.e. the brand name) is missing or has been replaced by another;
  • instances where an additional character has been inserted; and
  • other types of fuzzy match, such as phonetic variations (e.g. Soundex or Metaphone matches).

The most effective monitoring solutions also cover domains featuring non-Latin characters (internationalised domain names), which might include the use of homoglyphs (a non-Latin character visually similar to a Latin one). These can be highly convincing in creating a deceptive domain name.

Similarly, the replacement of one standard Latin or other ASCII character with another (or a combination thereof) is frequently used to construct lookalike domain names.

The table below shows the most common character substitutions observed in phishing domains, as identified by CSC's 2021 Domain Security Report[5].

The use of homoglyphs by infringers is a well-established and widely used technique. CSC's 2021 study found that 70% of homoglyph variants of official corporate domain names are owned by third parties, with 43% having active MX records and 6% actively resolving to impersonation sites or sites distributing malicious content.
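The generator below, added as an illustration and not drawn from CSC's tooling or from the report's substitution table, produces the variant classes listed above (deletion, substitution, insertion, transposition, ASCII look-alikes, and Unicode homoglyphs converted to the xn-- form in which they appear in zone files) and includes a Soundex implementation for the phonetic class, which is a matching check applied to candidates rather than something that can be enumerated. The brand name examplebank and both look-alike tables are constructed subsets for the example.

```python
"""Brand-name variant generation for domain monitoring, plus a phonetic
(Soundex) check for candidates the generator did not produce. Added example;
the look-alike tables are small constructed subsets, not CSC's published table."""
import re
from typing import Dict, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")   # valid DNS label

# Constructed subset of ASCII look-alike substitutions, single characters and
# multi-character sequences (rn/m, vv/w, cl/d).
ASCII_HOMOGLYPHS: Dict[str, Set[str]] = {
    "o": {"0"}, "l": {"1", "i"}, "i": {"l", "1"}, "e": {"3"}, "a": {"4"}, "s": {"5"},
    "m": {"rn"}, "rn": {"m"}, "w": {"vv"}, "vv": {"w"}, "cl": {"d"}, "d": {"cl"},
}
# Constructed subset of Unicode confusables (Cyrillic and Greek) for IDN homoglyphs.
UNICODE_HOMOGLYPHS: Dict[str, Set[str]] = {
    "a": {"\u0430"}, "c": {"\u0441"}, "e": {"\u0435"}, "i": {"\u0456"},
    "o": {"\u043e", "\u03bf"}, "p": {"\u0440"}, "s": {"\u0455"}, "x": {"\u0445"}, "y": {"\u0443"},
}


def deletions(s: str) -> Set[str]:
    """Any one character missing."""
    return {s[:i] + s[i + 1:] for i in range(len(s))}


def substitutions(s: str) -> Set[str]:
    """Any one character replaced by any other allowed character."""
    return {s[:i] + c + s[i + 1:] for i in range(len(s)) for c in ALPHABET if c != s[i]}


def insertions(s: str) -> Set[str]:
    """One extra character inserted at any position."""
    return {s[:i] + c + s[i:] for i in range(len(s) + 1) for c in ALPHABET}


def transpositions(s: str) -> Set[str]:
    """Two adjacent characters swapped (the classic fat-finger typo)."""
    return {s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1) if s[i] != s[i + 1]}


def homoglyph_variants(s: str, table: Dict[str, Set[str]]) -> Set[str]:
    """Each occurrence of each table key replaced, one occurrence at a time."""
    out: Set[str] = set()
    for key, replacements in table.items():
        start = s.find(key)
        while start != -1:
            for r in replacements:
                out.add(s[:start] + r + s[start + len(key):])
            start = s.find(key, start + 1)
    return out


def to_idna(label: str) -> str:
    """A-label (xn--...) form as it appears in zone files; ASCII passes through."""
    return label.encode("idna").decode("ascii")


def generate_variants(brand: str) -> Dict[str, Set[str]]:
    """All variant classes for one brand label, keyed by class name."""
    brand = brand.lower()
    ascii_sets = {
        "deletion": deletions(brand),
        "substitution": substitutions(brand),
        "insertion": insertions(brand),
        "transposition": transpositions(brand),
        "ascii_homoglyph": homoglyph_variants(brand, ASCII_HOMOGLYPHS),
    }
    # Drop the brand itself and anything that is not a valid DNS label
    # (leading/trailing hyphens from insertion and substitution).
    out = {k: {v for v in vs if v != brand and LABEL_RE.fullmatch(v)} for k, vs in ascii_sets.items()}
    out["idn_homoglyph"] = {to_idna(v) for v in homoglyph_variants(brand, UNICODE_HOMOGLYPHS)}
    return out


def soundex(word: str) -> str:
    """American Soundex, for flagging candidates that sound like the brand."""
    codes = {c: str(d) for d, group in enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1) for c in group}
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word:
        return ""
    out, last = word[0].upper(), codes.get(word[0], "")
    for ch in word[1:]:
        code = codes.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":          # h and w do not separate two identical codes
            last = code
    return (out + "000")[:4]


def sounds_like(candidate: str, brand: str) -> bool:
    """Phonetic match on the hyphen-free label, e.g. 'exampelbank' vs 'examplebank'."""
    return soundex(candidate.replace("-", "")) == soundex(brand)


if __name__ == "__main__":
    for kind, variants in generate_variants("examplebank").items():
        print(f"{kind:16} {len(variants):5} e.g. {sorted(variants)[:3]}")
```

The Unicode class is kept separate from the ASCII classes because the zone file never contains the Cyrillic form: the wildcard search has to be run against the xn-- label, and a hit then needs decoding back to show an analyst what a victim would see.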

Even covering all the above approaches, there may still be instances of threatening domains that cannot be detected easily. Examples might include phishing sites hosted on TLDs without zone file coverage, or with obscure or no brand variants in the domain name, and where most of the traffic is driven to the site via associated spam e-mails.

For this reason, it may be appropriate to augment the domain monitoring techniques discussed thus far with additional data sources specifically designed to detect fraudulent activity. This includes the use of spam traps and honeypots, as well as information derived from the brand owner's web server logs to detect phishing sites drawing content (images, stylesheets, scripts) from, or redirecting to, official corporate websites; such sites typically show up as requests carrying an unfamiliar Referer header.

Creating a cost-effective solution

Detecting potentially infringing domain names is only part of the process of creating an effective brand protection solution. An enforcement programme for infringing domain names is also necessary to defend the brand and protect revenue.

Some enforcement approaches, particularly those involving domain disputes or acquisitions, can be time consuming and costly. They may also only be appropriate when the organisation or brand owner wishes to reclaim the domain for its own use.

It is therefore important to have a toolkit of enforcement approaches, including cease-and-desist notices, host-level content removal, registrar- or registry-level suspensions, etc., that allows the most effective approach to be selected in any given case while reserving other options for escalation.

The use of appropriate technology can help to automate the analysis and enforcement processes, making them more efficient. Technology-based analysis of site content, as offered by several brand protection service providers, can be an important element of the brand protection process for the following reasons:

  • Detailed content analysis and automated categorisation of results by infringement type and severity can help identify the findings that require prioritised follow-up action. This is particularly important for brands where large numbers of results have been identified.
  • A domain name of potential concern may not feature any significant content at the point of detection but have the potential for more egregious use in the future. In those cases, the enforcement options are limited, except where there is proof of fraudulent use. It may therefore be more appropriate to monitor the site on an ongoing basis, with a view to detecting the potential appearance of infringing content. Sophisticated brand monitoring tools include 'revisitor' technology to determine and quantify the extent of the change to the site content between successive visits. It can also monitor explicitly for the appearance of specific content types.

Clustering technology and artificial intelligence (AI) can establish links between otherwise apparently unrelated infringements, based on shared characteristics such as registrant contact details and hosting information. This can help build compelling cases of bad faith (e.g. where a domain owner can be determined to be a serial infringer) and can also provide the potential for bulk takedown actions, where several linked infringements can be taken down via a single action, increasing the efficiency of the enforcement process.

Quantifying the value of a brand protection programme that comprises both monitoring and enforcement can be the final part of the picture. There are a range of ways to calculate return on investment[6], which may incorporate some or all of the following ideas:

  • Calculating the value of a domain that has been reclaimed by an organisation or brand owner into its official portfolio via a dispute process. This is determined using the amount of web traffic (number of visitors) to the site and is based on the principle that any traffic from the reclaimed site can be redirected to the organisation or brand owner's main corporate transactional website.
  • Calculating the value of goods sold through an infringing site featuring e-commerce content and determining the proportion of the revenue that is reclaimable. This calculation assumes that, following enforcement, a certain proportion of the users who would have bought an infringing item will instead buy a legitimate item from an approved source.
  • Determining the amount of reclaimable revenue following the removal of infringing content that previously resulted in traffic misdirection. This calculation is based on factors such as the traffic received by the infringing site and the mix of different brands or content types featured on the site.

It may also be appropriate to consider other less defined concepts, such as the impact of pre-existing infringements[7] on brand equity and value.

Conclusion

Consideration of domain names should be a core activity for any brand owner. As part of their business-as-usual activities, organisations typically own and operate a portfolio of domains that should be protected by a range of security products and services, defending them against threat vectors and protecting business operations and corporate revenue and reputation.

However, third-party branded domain names can be associated with a range of brand infringements and other threats. A domain name monitoring programme - generally as part of a wider brand protection initiative - is key to detecting infringements outside the firewall and enabling enforcement actions to take down damaging content.

For this programme to be efficient, comprehensive and cost-effective, the following points are relevant:

  • Using an automated monitoring technology product yields numerous benefits:
    • it encompasses a range of data sources and monitoring techniques to allow the monitoring coverage, across both brand name variants and TLDs, to be as comprehensive as possible;
    • it can enable automatic analysis and prioritisation of concerning domains according to site content, resulting in more efficient and timely identification of the most threatening examples for enforcement action;
    • a product incorporating AI and clustering technology can establish links between infringements, resulting in the determination of bad-faith activity by serial infringers and the ability for bulk takedowns; and
    • use of revisitor technology can be used to monitor domains that do not currently feature significant live content to identify infringing content in the future.
  • Infringements should be tackled with a timely enforcement process. This should incorporate a toolkit of possible approaches so that the most appropriate methodology can be selected for each individual case. This helps to avoid the unnecessary use of highly complex, costly techniques while retaining options for escalation if an initial enforcement action is unsuccessful.
  • Automated technology should be complemented by a team of expert analysts, who can both prioritise the raw data, identifying the key targets for follow-up action, and establish and implement the most appropriate takedown routes.

The above ideas highlight the importance for organisations to partner with an enterprise-class service provider that can provide both the necessary products and services and the analyst insight to ensure the smooth running of domain management and brand protection services. Enterprise-class providers can also work with the brand owner to establish the most appropriate methodologies for quantifying the return on investment of these programmes and carry out the associated analysis.

References

[1] https://www.verisign.com/en_US/domain-names/dnib/index.xhtml

[2] https://newgtlds.icann.org/en/about/program

[3] https://www.cscdbs.com/blog/domain-registrations-associated-with-new-tld-launches/

[4] https://www.bleepingcomputer.com/news/security/hijacking-traffic-to-microsoft-s-windowscom-with-bitflipping/

[5] https://www.cscdbs.com/en/resources-news/domain-security-report/

[6] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2021/article/return-investment-proving-protection-pays

[7] https://www.cscdbs.com/blog/brand-abuse-and-ip-infringements/

This article was first published on 15 April 2022 at:

https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

as part of the 'Anti-counterfeiting and Online Brand Enforcement: Global Guide 2022':

https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022

Also published at:

https://www.lexology.com/library/detail.aspx?g=be587323-dc0f-4bff-a16a-043015d4db03

Thursday, 14 April 2022

The world of the subdomain

A web domain name is the foundational piece of Internet property allowing its owner (registrant) to construct and host an associated website. On a domain, the owner is also able to construct whatever subdomains they wish - a process that is technically achieved via the configuration of records on the authoritative DNS (domain name system) server. A subdomain name is the part of the hostname to the left of the registered domain, separated from it by a dot (e.g. 'blog' in the URL https://blog.cscglobal.com/). Subdomains can be used in the construction of web addresses for a number of different purposes, such as the creation of individual microsites for sub-brands or campaigns, or the production of region- or subject-specific subsites. Some service providers, known as private subdomain registries, also offer specific commoditised subdomains of their site, allowing users to create their own sites (e.g. blogspot.com, which allows users to register URLs in the form username.blogspot.com for the creation of a personalised blog; domains of this kind are listed in the private section of the Public Suffix List so that browsers treat each user's subdomain as a separate site).

Subdomain name abuse in general Internet content

From a brand monitoring point of view, the appearance of a brand name or other relevant keyword(s) in the subdomain name of a third-party URL can be associated with a variety of brand infringement types. Some areas of potential concern include:

  • As a means of driving traffic to third-party content via misdirected search-engine queries
  • Creating sites featuring claims of affiliation with the brand in question
  • Reputation issues - e.g. creating sites containing information, customer comments, or activism-related material pertaining to a particular brand
  • As a means of creating a URL appearing deceptively similar to that of an official brand site (e.g. for fraudulent activity, phishing, or the distribution of malware)

Brand-specific subdomains can be a source of confusion for Internet users - and thus an effective threat vector - because of their similarity to familiar, legitimate URLs. For example, the hypothetical and unofficial domain cscglobal.blog.com could be used to create a convincing fake version of the official blog.cscglobal.com.

In recent months, a number of (often SMS-based) phishing attacks have been observed to make use of a brand name in the subdomain name to create a highly convincing, deceptive URL in a particular way[1,2], as shown in the example in Figure 1.

Figure 1: Example of a 2021 SMS-based phishing attack targeting HSBC customers

In this example, targeting UK customers of the bank, the phishing URL makes use of a reference to HSBC in the subdomain name, together with a domain name beginning with 'uk-' (uk-account[.]help), as a means of producing a URL that appears visually very similar to the real 'hsbc[.]co[.]uk/account-help'. The phishing site link also uses HTTPS, historically treated as an indicator of trust, but now a characteristic shared by over 80% of phishing sites[3] given the easy availability of TLS (still widely called SSL) certificates from free certificate authorities; the padlock proves only that the connection to uk-account[.]help is encrypted, not who operates it. This approach is particularly effective for a number of reasons, including the fact that it uses a new generic top-level domain (gTLD) extension that may be unfamiliar to some users, and the tendency for the displays in mobile devices to insert line-breaks after hyphens. Zone file analysis shows there are at least several hundred registered new gTLD domains with names of a similar format that have the potential to be used fraudulently. Identified examples include uk-authorization-online[.]support, uk-gov[.]tax, uk-insurance[.]claims, uk-border[.]agency, and uk-lottery[.]win.

Other recent identified examples of branded subdomains in phishing scams include hermes[.]online-parcel-reschedule[.]com (for logistics company Hermes); and o2[.]billing9k7j[.]com (for telecommunications organisation O2). This type of attack circumvents the requirement for the fraudster to register a brand-specific domain name (which is potentially easier to detect by a brand owner employing a basic domain monitoring service). In many cases, the whois records for the parent domains are anonymised, making it difficult to establish links between cases. These domains are also often registered immediately prior to the attack and are used for a short period, in an effort to circumvent detection and takedown efforts.
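The deception in all of these cases rests on the reader parsing the hostname from the left, whereas the registrable domain is determined from the right, by the public suffix. The script below, added here as an illustration and not part of the original post, does that split the way a registrar would: it finds the registrable domain (public suffix plus one label), separates the subdomain, and flags URLs where the brand string sits outside a known official domain. The suffix table is a constructed subset of the Public Suffix List; the sample URLs are the HSBC example quoted above (with the defanging removed) plus two constructed ones, including the user@host form where the trusted name sits before an '@'.

```python
"""Which part of a deceptive URL is actually the registrable domain? Added
example; the suffix table is a constructed subset of the Public Suffix List."""
from typing import Dict, Set
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org). The real list
# has thousands of rules, including private entries such as blogspot.com.
PUBLIC_SUFFIXES: Set[str] = {"com", "uk", "co.uk", "help", "online", "win"}


def registrable_domain(host: str) -> str:
    """Public suffix plus one label (eTLD+1), longest matching suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""   # "" = host is itself a suffix
    return ".".join(labels[-2:])    # unknown suffix: fall back to the last two labels


def analyse(url: str, official: Set[str]) -> Dict[str, object]:
    """Split a URL the way a registrar sees it, not the way a phone renders it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sub = host[: -len(reg) - 1] if reg and host != reg else ""
    brands = {o.split(".")[0] for o in official}          # "hsbc" from "hsbc.co.uk"
    return {
        "host": host,
        "registrable": reg,
        "subdomain": sub,
        "path": parts.path,
        "official": reg in official,
        # Brand string placed where the eye expects it, but on someone else's domain.
        "lookalike": reg not in official and any(b in host for b in brands),
        # user@host URLs put the trusted name before '@'; the browser goes to host.
        "userinfo": parts.username is not None,
    }


SAMPLES = [   # the post's HSBC example with defanging removed, plus constructed URLs
    "https://www.hsbc.co.uk/account-help",
    "https://hsbc.uk-account.help/",
    "https://hsbc.co.uk.account-help.online/login",
    "https://hsbc.co.uk@evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = analyse(url, {"hsbc.co.uk"})
        flag = "OFFICIAL" if r["official"] else "SUSPECT"
        print(f"{flag:8} {url:46} registrable={r['registrable']!r} subdomain={r['subdomain']!r}")
```

For production use the full Public Suffix List (or a library that wraps it) replaces the constructed table; the longest-suffix rule is what stops 'hsbc.co.uk' from being mistaken for a subdomain of 'uk'.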

In general, brand-related subdomains on third-party sites are more difficult to detect than domain names themselves, which can much more easily be identified through wildcard searches of registry zone files. The most straightforward method for identifying subdomains is through search engine metasearching, providing the subdomains in question are linked from other sites and have been indexed by the search engines. Beyond this, the issue can partially be addressed through the use of other techniques, such as a detailed analysis of domain-name zone configuration information (e.g. passive DNS analysis), certificate transparency (CT) log analysis (any hostname for which a publicly trusted TLS certificate has been issued appears in the CT logs, brand-bearing subdomains included), or via the use of explicit queries on particular domains for the existence of specific subdomain names.

Other issues include private subdomain registries being problematic because they are not necessarily regulated by ICANN (the Internet Corporation for Assigned Names and Numbers), and thus may lack dispute resolution procedures, abuse reporting processes, or records of any sort of whois information.

When considering enforcement against infringing subdomains, options can be relatively limited - particularly in comparison with the range of approaches available for domain names. It is sometimes possible to achieve engagement with the registry, registrar, hosting provider or DNS provider, but they may not be obligated to comply. Furthermore, many established dispute processes, such as UDRP (the Uniform Domain-Name Dispute-Resolution Policy), do not necessarily apply to subdomains. However, exceptions do exist in some cases, such as certain new gTLDs, instances where the host domain name corresponds to a country code (e.g. jp.com), or other limited circumstances (e.g. those covered by the Dispute Resolution Service (DRS) for .nz). Failing this, court litigation is often a last resort[4].

Finally, the use of fraudulent domains in conjunction with wildcard MX records (which allow the domain owner to receive e-mails sent to any subdomain of the domain name) can also be a highly efficient way for criminals to intercept mail intended for trusted organisations, and thereby harvest sensitive information. This succeeds in cases where the recipient e-mail address has been mistyped with an extra '.' inserted (e.g. user@brand.bank[.]tld instead of user@brandbank[.]tld). If the domain name is carefully selected, it can enable attacks against a range of different organisations (e.g. a wildcard MX on bank[.]tld, matching *.bank[.]tld, harvests mis-addressed e-mails intended for any organisation with an official domain name of the form [brand]bank[.]tld).

Subdomains of official domains within the brand owner’s own portfolio

Considering the domain security landscape, an area of primary concern for a brand owner is the existence of subdomains on domains under their own ownership.

Subdomain hijacking

Brand owners may use subdomains of official sites for a number of different purposes, as discussed previously. However, when they register a lot of subdomains - IBM has around 60,000 and Microsoft over 120,000 - subdomain management can become a significant endeavour. The associated risks make it possible for bad actors to take over subdomains by exploiting expired third-party hosting resources that DNS records still point to (an issue known as 'dangling DNS records'), DNS misconfigurations, or abuse by otherwise legitimate users with access to the DNS. Records can also be altered directly by an attacker who has gained control of the authoritative DNS, or via cache poisoning (both often grouped under the term pharming), so that a subdomain resolves to an IP address under the attacker's control. A hijacked subdomain inherits the parent domain's reputation: the attacker can serve fake sites, upload content, obtain valid TLS certificates for the name, read cookies scoped to the parent domain and thereby monitor traffic, and use the foothold to attack official corporate systems[5]. A 2021 study identified over 1,500 vulnerable subdomains across 50,000 of the world's most important websites[6].

A number of news stories have emerged in recent years of corporations being attacked in this way, including instances of official corporate subdomains being hijacked to re-direct to content including malware, pornography, and gambling-related material. Subdomains of the Xerox website, for example, were used in 2020 to drive traffic to sites selling fake goods, taking advantage of the trusted reputation of the official corporate domain to boost the search-engine ranking of the malicious content[7]. In another case in 2019, GoDaddy shut down 15,000 abused subdomains that drove a massive spam campaign geared towards the sale of counterfeits[8].

Brand owners can mitigate these threats by analysing their own domain portfolio and being mindful of any subdomains pointing to external IP addresses, and in particular of CNAME records pointing at third-party services (cloud hosting, CDNs, SaaS platforms) whose underlying resource may since have been deprovisioned and be available for anyone to claim.

Domain shadowing

Another risk is the possibility for criminals to create new, unofficial subdomains of official sites via DNS compromise through a method such as phishing or dictionary attacks - a practice known as 'domain shadowing'. This approach can also be used to drive users to threatening content, while taking advantage of the protections associated with being hosted on a trusted website (e.g. to circumvent site block-listing). In one reported example of this practice, a number of domains (primarily registered through GoDaddy) were compromised to create over 40,000 subdomains pointing to Russian IP addresses hosting a range of malware variants[9,10].

This type of attack can be difficult to detect, both because it avoids the requirement to make changes on the official corporate webserver, and because the infringing content is typically hosted externally. The damage may only become apparent following complaints by users, or in response to the official domain being added to a block-list due to the malicious activity. Rigorous security measures are the primary preventative approach, including strong, unique passwords and multi-factor authentication on registrar and DNS provider accounts[11], registry lock on the most critical domains, and monitoring of the zone for records that nobody in the organisation created.

A related attack vector is the use of wildcard DNS records, which cause any arbitrary subdomain name to resolve to a malicious external IP address without a record having to be created for each one. Bad actors can use randomised, changing subdomains to circumvent hostname-based block-listing (e.g. in coordinated phishing campaigns). This type of attack can be applied both to official (compromised) or third-party (standalone) domains[12].
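The checks a brand owner can run against its own zone for the risks described in this section and under 'Subdomain hijacking' (wildcard records, including the wildcard MX case; CNAMEs pointing at third-party hosts, which become takeover candidates when the target is deprovisioned; and A/AAAA records outside the organisation's own address space) are shown below as an added example, not as CSC's tooling. The zone for the hypothetical examplebank.com, the third-party hostnames and the 'own' address ranges are all constructed.

```python
"""Audit of a brand owner's own zone for subdomain risks: wildcard records,
CNAMEs pointing at third-party hosts and A/AAAA records outside the
organisation's own address space. Added example; zone and prefixes are constructed."""
import ipaddress
from typing import Dict, List, Tuple

OWN_ZONE = "examplebank.com"                              # hypothetical brand domain
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),     # constructed "own" ranges
                ipaddress.ip_network("2001:db8::/32")]

ZONE = """\
$ORIGIN examplebank.com.
$TTL 3600
@            IN SOA   ns1 hostmaster 2022041401 7200 900 1209600 3600
@            IN NS    ns1
@            IN MX 10 mail
@            IN A     192.0.2.10
ns1          IN A     192.0.2.2
mail         IN A     192.0.2.25
www          IN A     192.0.2.10
www          IN AAAA  2001:db8::10
campaign2019 IN CNAME campaign2019.cloudhost.example.   ; hypothetical third-party host
shop         IN A     203.0.113.77                       ; outside own ranges
*            IN MX 10 catchall.mailhost.example.         ; wildcard MX: mail to any subdomain
*.promo      IN A     198.51.100.5                       ; wildcard A on an external address
"""

Finding = Tuple[str, str, str, str]   # (kind, owner, type, rdata)


def parse_zone(text: str, origin: str) -> List[Dict[str, str]]:
    """Minimal BIND presentation-format parser: $ORIGIN, @, relative names,
    optional TTL/class. Multi-line records and omitted owners are not handled."""
    records: List[Dict[str, str]] = []
    origin = origin.rstrip(".").lower()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):            # $TTL and other directives
            continue
        fields = line.split()
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[-1]
        if rtype in ("CNAME", "MX", "NS") and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"     # relative target
        records.append({"owner": owner.rstrip(".").lower(), "type": rtype,
                        "rdata": rdata.rstrip(".").lower()})
    return records


def audit(records: List[Dict[str, str]], zone: str, own_prefixes) -> List[Finding]:
    """Flag wildcard owners, external A/AAAA targets and CNAMEs leaving the zone."""
    zone = zone.lower()
    findings: List[Finding] = []
    for r in records:
        owner, rtype, rdata = r["owner"], r["type"], r["rdata"]
        if owner.startswith("*."):
            findings.append(("wildcard", owner, rtype, rdata))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in p for p in own_prefixes):
                findings.append(("external-ip", owner, rtype, rdata))
        elif rtype == "CNAME" and not (rdata == zone or rdata.endswith("." + zone)):
            findings.append(("external-cname", owner, rtype, rdata))
    return findings


if __name__ == "__main__":
    for kind, owner, rtype, rdata in audit(parse_zone(ZONE, OWN_ZONE), OWN_ZONE, OWN_PREFIXES):
        print(f"{kind:15} {owner:28} {rtype:6} {rdata}")
```

In practice the input is the zone export from the DNS provider; an external-cname finding whose target no longer resolves is the one to remove first, since that is the dangling record a third party can claim.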

Overall, to mitigate these threats, brand owners should employ a robust domain security posture combined with a comprehensive programme of brand monitoring and enforcement.

References

[1] https://www.cscdbs.com/blog/phishing-scams-how-to-spot-them/

[2] https://thewebisround.xyz/2021/06/28/the-reality-behind-the-smishers/

[3] https://docs.apwg.org/reports/apwg_trends_report_q2_2021.pdf

[4] https://www.worldtrademarkreview.com/enforcement-and-litigation/subdomains-and-online-brand-protection-what-you-need-know-long-read

[5] https://www.networkworld.com/article/3623949/don-t-let-subdomains-sink-your-security.html

[6] https://www.eurekalert.org/news-releases/698257

[7] https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/

[8] https://www.techradar.com/news/godaddy-shuts-down-15k-subdomains-used-in-massive-spam-campaign

[9] https://www.domaintools.com/resources/blog/domaintools-101-dns-shadow-hack-attacked

[10] https://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/126072/

[11] https://encyclopedia.kaspersky.com/glossary/domain-shadowing/

[12] https://www.phishlabs.com/blog/phishing-with-wildcard-dns-attacks-and-pharming/

This article was first published on 14 April 2022 at:

https://www.cscdbs.com/blog/the-world-of-the-subdomain/

Also published at:

https://circleid.com/posts/20220504-the-world-of-the-subdomain

Friday, 25 March 2022

The online effects of the Ukraine war

As the war in Ukraine continues to unfold, government-led cybersecurity organisations are advising companies to strengthen their security posture, as an increase in cyber threats such as distributed denial of service (DDoS) attacks, phishing, website defacements, ransomware, and malware is likely to follow.

Observations from CSC have also shown that the general online effects of this war need to be watched as well, as some of the tactics used by fraudsters - particularly with malicious domain names and website spoofing - are magnified during a major world event. The observations below outline some of the emerging trends across a range of key online content areas and are followed by recommendations to protect against the associated threats.

Surge in domain registrations

As seen in past CSC studies, significant world events often trigger spikes in domain registrations. With the Ukraine war, we analysed the landscape based on a snapshot of all domains containing the keyword 'ukraine' that had been registered by the end of the month of the initial Russian invasion (Figure 1).

Figure 1: Daily total numbers of Ukraine-related domain registrations during February 2022 (date of the initial invasion shown as a dotted line)

This event shows a similar pattern of activity to others that CSC has monitored, with the start of the war immediately followed by a spike in activity. Entities registering these domains - whether legitimate or with criminal intent - do so to take advantage of public interest in the emerging situation and to attract the increased web traffic.

More than 700 new Ukraine-related domains were registered in the five-day period beginning February 24. These feature a range of associated keywords and content, the most potentially concerning of which are shown in Figure 2.

Figure 2: Numbers of domains registered in the five-day period beginning February 24 with names featuring keywords of particular concern

A significant proportion of the sites are directly soliciting for donations, using either traditional payment methods or cryptocurrency (Figure 3). While several may be genuine resources for supporting victims of the war, any that are not legitimate are an obvious cause for concern. They may be associated with fraudulent activity, attempting to take advantage of well-meaning people wishing to help those in need.

Figure 3: Examples of Ukraine-related domain names resolving to donation sites

Many other researchers have also noted this emergence of fake donation sites, stressing the importance of contributing via legitimate agencies like the International Red Cross, Save the Children, Doctors without Borders, or UNICEF[1,2,3].

Fraudulent solicitations for donations - particularly using cryptocurrency - have also been reported as circulating via numerous other routes, including phishing emails and forum posts[4]. These follow a legitimate call for donations from the Ukrainian government, posted through its official Twitter account[5].

Interestingly, amongst the (de-duplicated) set of 170 domains featuring keywords of concern, many are registered through consumer-grade domain registrars, a trend commonly seen with non-legitimate sites.

Some of the other domains within the dataset were also found to include references to trusted charities or other key organisations, as a way of misleading Internet users and adding credibility to the site content. Examples included domains with the keyword strings 'redcrossukraine' (resolving to a site soliciting for cryptocurrency donations) and 'nato4ukraine' (resolving to a parking page with pay-per-click links at the time of analysis).

Spread of misinformation

As with any major world event, there has been an increase in misinformation appearing online following the start of the war, which has taken several different forms.

1. Recycled, out-of-context, and modified imagery - Various photos and videos purporting to show events occurring in the war in Ukraine have been circulating, particularly on social media. In many cases, these have been found to be images from unrelated events, which may have occurred many years earlier[6,7], or are material that has been modified[8] or falsified altogether[9]. In many cases, these posts have gone viral, with some examples attracting hundreds of thousands of views.

From a brand protection perspective, in some instances, the original sources of the material can be identified through open-source investigation techniques (e.g. reverse-image searches). Similar approaches may be possible using screen grabs taken from video content. Furthermore, geolocation techniques can sometimes be used to verify the geographical origin of imagery[10].

General advice for Internet users is to be mindful of the origins of information, and only to share content from trusted sources.

2. Pro-Russian content and propaganda - We found significant amounts of online content showing support for Russia. While some of this will presumably be legitimate, a significant amount (particularly on social media) appears to have been posted by Russian state-sponsored profiles or automated accounts (bots). Recent creation dates, low numbers of followers, and high numbers of likes for postings are characteristics that demonstrate profiles may fall into this latter category. Social media is a popular channel for spreading propaganda and generating political support due to the ease of creating content, combined with its wide potential reach and speed of spread (Figure 4). Many of the identified postings make use of popular hashtags (e.g. #istandwithrussia or #istandwithputin), or associate their content with other emotive issues (e.g. Israeli / Palestinian content). One study[11] found that a significant subset of these postings were intended simply to attract traffic, in some cases driving readers to e-commerce listings or websites for other service providers.

Another significant observation is that even some mainstream Russian-based news accounts have been suspended from social media platforms in response to their pro-Russian stance and justification of military action based on reasoning unsupported by the known facts[12,13]. Meta (the organisation behind Facebook, Instagram, and WhatsApp) announced its refusal to cease fact-checking content posted by Russian state-owned media[14], as demanded by Russian authorities. Furthermore, on March 6, TikTok announced that it was suspending the creation of new videos in Russia. This was due to uncertainty around the safety of content creators following the introduction of Russia’s fake news law, which can impose up to 15 years’ imprisonment on those found publicly calling for sanctions, or spreading what Russia perceives to be false information about its military[15].

Figure 4: Example of a pro-Russian viral image circulating on social media

3. Conspiracy theories and other fake information - One of the common themes identified in online commentary, particularly on social media, is the claim that the war is fake[16]. In some cases, this has been accompanied by claims that real imagery has been staged[17]. These claims have been made by a range of entities, typically promoting pro-Russian or conspiracy theorist agendas.

An additional concerning observation is the use of fake accounts to post fake messages, such as the case of a Telegram account purporting to be that of Ukrainian President Volodymyr Zelenskyy[18]. Several outlets claiming to offer breaking news stories have been circulating fake news, with the content on these untrustworthy channels frequently unaccompanied by sources or any other evidence[19].

Among the other conspiracy theories circulating online are claims that the conflict is a campaign against bioweapons facilities[20,21], and suggestions that the war is linked with the establishment of a 'new world order'[22]. This references a long-running conspiracy theory around the creation of a totalitarian world government. Some fake stories are less harsh in tone, such as the claim that Ukrainians are selling second-hand tanks on eBay[23,24].

Direct effects on online businesses and organisations

The war in Ukraine has had a range of effects on corporations, from the Russian authorities blocking Internet access to several key western websites and platforms (particularly social media), to organisations withdrawing business operations in Russia. Conversely, there has also been a rise in activism against corporations who have failed to pull out of Russia, with hashtags such as #boycottcocacola and #boycottmcdonalds trending on social media in the first two weeks following the invasion.

A particularly significant effect from a brand protection point of view is the direct repercussions for both Ukrainian and Russian online organisations resulting from the business interruptions, sanctions, and economic damage that have arisen during the war. One example is the closure of a series of Ukraine-based websites and marketplaces. One affected organisation is EVO (evo.company), the Ukrainian IT company behind a range of e-commerce platforms in the region, including Prom.ua, Tiu.ru, Bigl.ua, Deal.by, and Satu.kz, among others. At the start of March, the Tiu.ru website suspended its operations in response to the war (Figure 5). This website was tailored to the Russian market but had been hosted on Ukrainian servers[25].

These changes will have a knock-on effect on the e-commerce landscape in the region, the balance of available legitimate and counterfeit products, and may ultimately lead to the emergence of new marketplace sites to take their place.

Figure 5: Message displayed on the Tiu.ru website at the start of March 2022

Conclusion and recommendations

The Ukraine war increases the possibility of cyberattacks against Western websites and Internet infrastructure. Employing a robust domain security posture is critical. In times of global uncertainty, companies should not only have advanced security measures[26] in place to mitigate threats, but should also employ a holistic online monitoring programme to ensure rapid detection and allow for quick and effective takedown of any IP abuse, such as fake sites, fraudulent campaigns, or other false content or misinformation.

CSC recommends taking the following steps.

1. Confirm that your domain registrar’s business practices are not contributing to fraud and brand abuse. The following issues are common with consumer-grade domain registrars:

  • Operating domain marketplaces that drop-catch, auction, and sell domain names containing trademarks to the highest bidder
  • Domain name spinning and advocating the registration of domain names containing trademarks
  • Monetising domain names containing trademarks with pay-per-click sites
  • Experiencing frequently occurring breaches resulting in DNS attacks, phishing, and business e-mail compromise

2. Identify trademark and copyright abuse in web content, and on online marketplaces, social media, and mobile app stores via an online monitoring service.

3. Leverage global enforcement, including takedowns and advanced techniques in Internet blocking.

4. Employ phishing monitoring and a fraud-blocking network of browsers, partners, Internet service providers (ISPs), and security information and event management (SIEM) systems.
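The first two recommendations both turn on spotting domain names that contain or imitate a trademark. As an added example (not the article's or CSC's code), the following scan classifies entries from a feed of newly registered domains against a single brand string. The brand `acmebank`, the owner's portfolio `OWN_DOMAINS`, the confusable-character map and the sample feed are all constructed placeholders, and the TLD handling assumes a single-label public suffix such as `.com` (a real deployment would consult the Public Suffix List).

```python
from __future__ import annotations

# Constructed brand and portfolio; "acmebank" is a placeholder, not a real trademark.
BRAND = "acmebank"
OWN_DOMAINS = {"acmebank.com", "acmebank.net"}

# Assumed map of substitutions commonly seen in lookalike registrations
# (digit-for-letter and two-letter sequences that resemble one letter).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_label(domain: str) -> str:
    """Return the label directly under the TLD. Assumes a single-label suffix."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_confusables(label: str) -> str:
    """Normalise lookalike characters so 'acmeb4nk' and 'acrnebank' compare as 'acmebank'."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), used for typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND) -> str | None:
    """Return a reason string if the domain warrants review, else None."""
    if domain.lower() in OWN_DOMAINS:
        return None  # part of the owner's official portfolio
    label = registrable_label(domain)
    folded = fold_confusables(label)
    if label == brand:
        return "brand string registered under another TLD"
    if brand in label:
        return "contains brand string"
    if brand in folded:
        return "contains brand string after confusable folding"
    if levenshtein(folded, brand) <= 1:
        return "within edit distance 1 of brand"
    return None


def scan(domains: list[str], brand: str = BRAND) -> dict[str, str]:
    """Map each domain that merits review to the reason it matched."""
    return {d: r for d in domains if (r := classify(d, brand)) is not None}


# Constructed sample feed of newly registered domains (fictitious).
FEED = [
    "acmebank.com",        # owner's own domain, skipped
    "acmebank.org",        # brand string under a TLD the owner does not hold
    "acmebank-login.com",  # brand plus a lure word
    "acmeb4nk.net",        # digit substitution
    "acrnebank.com",       # 'rn' for 'm'
    "acmebamk.com",        # single-character typo
    "weather-report.org",  # unrelated
]

if __name__ == "__main__":
    for domain, reason in scan(FEED).items():
        print(f"{domain:22} {reason}")
```

Matches are ordered from most to least specific so each domain gets one reason, and the output is a review queue for the enforcement step (takedown or blocking), not an automatic action: "bankofacme.com" style reorderings, for instance, are not caught by this scan and would need a token-based rule.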

References

[1] https://domaingang.com/domain-news/new-help-ukraine-domains-are-most-likely-not-legit/

[2] https://www.welivesecurity.com/2022/02/27/beware-charity-scams-exploiting-war-ukraine/

[3] https://twitter.com/ESETresearch/status/1497194165561659394

[4] https://www.bleepingcomputer.com/news/security/help-ukraine-crypto-scams-emerge-as-ukraine-raises-over-37-million/

[5] https://twitter.com/Ukraine/status/1497594592438497282

[6] https://www.bbc.com/news/60554910

[7] https://bbc-monitoring.co.uk/campaign/RwbbAiso/aab564822c8140a6c46681ea/b680b576f310643c916458a491cf5d77

[8] https://twitter.com/Shayan86/status/1496944075378855942

[9] https://www.cnn.com/2022/03/05/politics/fact-check-fake-cnn-ukraine/index.html

[10] https://www.youtube.com/watch?v=KtOaC0emsxY

[11] https://twitter.com/marcowenjones/status/1499312091727020032

[12] https://www.euronews.com/next/2022/03/02/ukraine-war-facebook-and-youtube-block-russia-s-rt-and-sputnik-in-europe

[13] https://www.businessinsider.com/facebook-ukraine-russia-news-state-media-2022-3

[14] https://twitter.com/nickclegg/status/1497279120853590025

[15] https://www.theverge.com/2022/3/6/22964418/tiktok-suspends-creation-new-video-content-russia-ukraine

[16] https://www.bbc.com/news/60589965

[17] https://twitter.com/hoaxeye/status/1497514958174699522

[18] https://twitter.com/Shayan86/status/1497485340738785283

[19] https://twitter.com/conspirator0/status/1496720310577602561

[20] https://twitter.com/Shayan86/status/1499031014496157697

[21] https://twitter.com/O_Rob1nson/status/1499337632022683648

[22] https://twitter.com/Shayan86/status/1498398600421941249

[23] https://www.snopes.com/fact-check/ukraine-used-tanks-ebay/

[24] https://twitter.com/Shayan86/status/1499167301614157824

[25] https://www.dk.ru/news/237164313

[26] https://www.cscdbs.com/blog/interpreting-global-guidance-on-cyber-threats-due-to-the-ukraine-crisis/

This article was first published on 24 March 2022 at:

https://www.cscdbs.com/blog/how-to-manage-the-online-effects-of-the-ukraine-war/
