Deception has always been the linchpin of cybercrime. Many attacks depend on tricking victims into clicking malicious links or opening files they believe to be safe and genuine. One of the most effective ways to convince a victim that they are dealing with a trusted brand or individual is to register a lookalike domain and build a malicious site or mail campaign on it.
This is known as “typosquatting”. The domain looks extremely close to the real thing, but with letters, punctuation or words altered, or a different top-level domain: a single character dropped, transposed or swapped for a keyboard neighbour, a letter replaced with a look-alike digit (“rev0lut” for “revolut”), a hyphen inserted, or a lure word such as “login” or “secure” appended. Criminals rely on their targets’ eyes skimming over the differences.
Malicious domains can be used to lure in victims via ads on other sites or search engines. Which? reports that a series of fake Google ads impersonating the online bank Revolut cost at least eight victims more than £67,000. Owning a domain also lets the threat actor send phishing email from it, adding a further layer of deception on top of common spoofing tricks such as changing the sender’s display name. Because the attacker controls the lookalike domain’s DNS, they can publish valid SPF and DKIM records for it, so their messages pass the sender-authentication checks that would flag a forged address on the genuine domain.
Malicious domains impersonate trusted brands such as banks and retailers, or organizations like HMRC, and this tactic has become more popular during the pandemic as criminals try to exploit fear and uncertainty around Covid. Interpol reports that more than 48,000 malicious URLs relating to Covid were registered between January and March 2020 alone.
Why are malicious domains on the rise?
A major reason why malicious domains are such a problem is that registering a new domain has never been easier or cheaper. Registrars and hosting companies now offer them for as little as £5 a year, and registration is completed online in minutes, with the new name resolving worldwide within hours. While this is great for individuals and businesses wanting to get online, it also means it is easy for criminals to register lookalike domains in bulk and put them to use almost immediately.
There are ways registrars could curb this exploitation, such as requiring proof of identity and a traceable payment method. However, the low average price per domain and the cost of investigating each one mean it is not economically feasible to scrutinize every request, nor is it reasonable to expect registrars alone to police the issue.
Similarly, having a malicious domain taken down can be a slow process for individuals and businesses, as registrars have little commercial incentive to terminate a paying customer’s service. Further, in the time it takes to get a fake site removed, the perpetrators can easily move on and set up again with another low-cost registrar or host, continuing to exploit the brand.
Ironically, identifying the people behind malicious sites was made more difficult by the introduction of GDPR. The regulation’s strict controls on how personal data may be published and shared led registrars to redact registrant names and contact details from public WHOIS records, which security researchers had previously relied on to identify domain holders. Unfortunately, that redaction applies just as firmly to would-be criminals as it does to law-abiding individuals, so fraudsters get their identities masked by default.
The need for legislative support
The draft Online Safety Bill published by the UK government on 12th May stops short of protecting consumers from this kind of fraud: its focus is scams arising from user-generated content, not paid advertising or lookalike domains. This leaves consumers relying on help from organizations such as Which?, which now provides alerts on scams.
Considering the growing scale of the threat, governments and other public bodies should be doing more to support identifying and taking down domain scammers, to prevent these scams from happening in the first place. This is particularly important considering how often fraudsters use the trusted identities of public bodies. The FBI, for example, recently warned of a slew of fake sites using its identity, while in the UK HMRC reported a 73 percent increase in phishing scams during Covid. A good model here is the NCSC Takedown Service, which protects government brands in the UK by finding and removing sites that impersonate them. It would be good to see this service extended to all UK organizations.
Attempts have been made to legislate on domain registration in the past. In the UK, the wide-reaching Digital Economy Act 2010 included provisions to prevent malicious domain abuse and other exploits such as cybersquatting, where a domain carrying a brand’s name is registered to deprive the brand of its use or to sell it back at a profit. However, the online world has changed enormously in the last decade as technology and the economy have evolved, and fresh legislation is required to stay relevant.
How can domain registrars fight fraudsters?
While many registrars have implemented at least some strategies to combat scammers, there are straightforward steps that should be universal. For example, a cooling-off period for each new domain could be an effective deterrent. It does not stop criminals buying domains in bulk, but a mandatory waiting period before a new domain resolves gives brand owners and registrars a window to spot a lookalike registration before it can be used, so the attacker’s time and money are wasted.
In addition, registrars should make it easy for businesses and consumers to report suspected malicious domains. Registrars then also need to ensure they can react quickly when a domain takedown request is issued.
Businesses must defend their own identities
Businesses should also take a more proactive approach to protecting their trusted brand online. One of the most effective approaches is to use tools that monitor new domain registrations for names that mimic the company’s identity. There are many such tools available, often at a price point that smaller businesses can afford. One of the most useful is DN Pedia, which watches new registrations for domains that incorporate a specified brand name, so a business can find both its own name and likely typosquatting variants. Another tool, dnstwister, generates the permutations a typosquatter would use (character omissions, transpositions, look-alike substitutions, hyphenation and alternative TLDs) and reports which of them are actually registered.
It is important to note that a malicious domain is not always used to host a website; the fraudster may simply use it to send phishing emails. With this in mind, organizations should consider tools and channels that let the company warn its customers as soon as a lookalike domain appears, since a phishing campaign using it is likely to follow.
Smishing is also on the increase, with fraudsters sending SMS messages containing links to fake URLs, another area that falls outside the Online Safety Bill. In addition to monitoring for typosquatting, businesses should have a clear policy covering contact by SMS: some banks have stopped sending links in text messages, and HSBC is running an in-app campaign to raise awareness.
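The monitoring described above comes down to two checks: does a newly registered domain contain the brand name, and is it one of the permutations a typosquatter would pick? The Python below is an added example, not the page’s, Skurio’s, DN Pedia’s or dnstwister’s own code. It generates dnstwist-style permutations of a brand label (omission, transposition, repetition, keyboard-neighbour replacement, ASCII homoglyphs, vowel swaps, hyphenation, lure-word additions and TLD swaps) and matches them, plus a brand-substring check, against a feed of observed registrations. The keyboard-adjacency map, homoglyph table, lure words, TLD list and the feed entries are all constructed for the example; a real tool would also cover Unicode homoglyphs and bitsquatting and resolve each hit to see whether it is live.

```python
"""Generate typosquat candidates for a brand domain and match them against a feed of
observed registrations. Added example modelled on dnstwist-style permutation techniques."""
import re

# QWERTY neighbours for "fat-finger" substitutions (constructed subset).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# ASCII look-alikes that survive a quick skim of the address bar (constructed subset).
HOMOGLYPHS = {"o": ("0",), "l": ("1", "i"), "i": ("l", "1"), "e": ("3",), "a": ("4",),
              "s": ("5",), "m": ("rn",), "w": ("vv",), "d": ("cl",), "g": ("q",)}
VOWELS = "aeiou"
LURE_WORDS = ("login", "secure", "support", "verify", "help")   # assumed lure vocabulary
TLDS = ("com", "co.uk", "net", "org", "co", "uk")                 # assumed suffixes to watch
LABEL_RE = re.compile(r"[a-z0-9-]+")


def split_domain(fqdn):
    """'revolut.co.uk' -> ('revolut', 'co.uk'): brand label first, suffix after it."""
    labels = fqdn.lower().strip(".").split(".")
    return labels[0], ".".join(labels[1:])


def permutations(name):
    """Map each typosquat variant of a brand label to the technique that produced it."""
    cands, n = [], len(name)
    for i in range(n):                                   # omission: revolut -> revlut
        cands.append(("omission", name[:i] + name[i + 1:]))
    for i in range(n - 1):                               # transposition: revolut -> revlout
        cands.append(("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:]))
    for i in range(n):                                   # repetition: revolut -> revollut
        cands.append(("repetition", name[:i] + name[i] + name[i:]))
    for i, ch in enumerate(name):
        for alt in ADJACENT.get(ch, ""):                 # replacement: revolut -> revplut
            cands.append(("replacement", name[:i] + alt + name[i + 1:]))
        for alt in HOMOGLYPHS.get(ch, ()):               # homoglyph: revolut -> rev0lut
            cands.append(("homoglyph", name[:i] + alt + name[i + 1:]))
        if ch in VOWELS:                                 # vowel swap: revolut -> revalut
            for v in VOWELS.replace(ch, ""):
                cands.append(("vowel-swap", name[:i] + v + name[i + 1:]))
    for i in range(1, n):                                # hyphenation: revolut -> rev-olut
        cands.append(("hyphenation", name[:i] + "-" + name[i:]))
    for w in LURE_WORDS:                                 # addition: revolut -> revolut-login
        cands += [("addition", name + "-" + w), ("addition", name + w), ("addition", w + "-" + name)]
    out = {}
    for technique, cand in cands:                        # dedupe, keep the first technique
        if cand != name and cand not in out and LABEL_RE.fullmatch(cand):
            out[cand] = technique
    return out


def candidates(fqdn, tlds=TLDS):
    """Full watchlist: every label variant under every suffix, plus plain TLD swaps."""
    label, suffix = split_domain(fqdn)
    variants, out = permutations(label), {}
    for suf in dict.fromkeys((suffix, *tlds)):
        if suf != suffix:
            out[f"{label}.{suf}"] = "tld-swap"
        for cand, technique in variants.items():
            out[f"{cand}.{suf}"] = technique
    return out


def match_feed(fqdn, feed):
    """Return (domain, technique) for feed entries that look like the brand. Watchlist hits
    are labelled by technique; a label that merely contains the brand name (the DN Pedia
    style check) is reported as 'contains-brand'. The brand's own domain is skipped."""
    label, _ = split_domain(fqdn)
    watch, hits = candidates(fqdn), []
    for observed in feed:
        d = observed.lower().strip(".")
        if d == fqdn.lower():
            continue
        if d in watch:
            hits.append((d, watch[d]))
        elif label in split_domain(d)[0]:
            hits.append((d, "contains-brand"))
    return hits


# Constructed sample of "newly registered" domains standing in for a zone-file feed.
FEED = ["revolut.com", "revolut-login.com", "Rev0lut.co.uk", "revlout.com",
        "revolut.co", "myrevolutsupport.net", "bakery-delights.com"]

if __name__ == "__main__":
    for domain, technique in match_feed("revolut.com", FEED):
        print(f"{domain:<24} {technique}")
```

Run against the constructed feed, the script flags the lure-word addition, the homoglyph, the transposition, the TLD swap and the substring match, and ignores the brand’s own domain and the unrelated bakery. In practice the feed would be the daily newly-registered-domains list or certificate-transparency log entries, and each hit would be resolved and fetched to decide whether a takedown request is warranted.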
While more legislative support, as well as direct action from bodies such as the NCSC, would help registrars keep up with fast-moving scammers, in the meantime businesses themselves can do more to mitigate the threat. Criminals have fully embraced the speed and flexibility afforded by the latest online tools, and legitimate businesses need to do the same, adopting a more automated approach to identifying and taking down scammers before they can exploit trusted identities for attacks.
Jeremy Hendy, CEO, Skurio