Interview: Russell Haworth, CEO, Nominet

The COVID-19 pandemic has substantially increased reliance on the internet, and many businesses that previously had little or no digital presence have been forced to shift to the online space to survive. This has unsurprisingly led to a large increase in new domain registrations since March, many of which have been related to organizations trading online for the first time as well as ‘side hustles’ involving individuals launching their own new businesses.

Within this surge of new domains, however, are numerous malicious websites that constantly seek to trick users into giving away their personal data or to launch malware on their devices. This is something well understood by Nominet, the official registry for the .uk domain name, which is directly responsible for managing registrations under .uk as well as many second-level domains such as co.uk and org.uk. These include critical national domains such as nhs.uk and gov.uk. Russell Haworth, chief executive officer at Nominet, told Infosecurity that there had been a more than 30% year-on-year rise in new domain registrations this year.

In particular, he has found that cyber-criminals have sought to leverage the pandemic in the development of malicious sites, linking them to current trends related to the topic in order to lure unsuspecting users. “There’s a number of areas that are attracting more criminal activity than others and certainly COVID-related names is one that seems to be a hot-bed for potentially suspicious activity,” explained Haworth. “We’re doing the analysis now on vaccine-related names and I’m sure that will be similar.”

Haworth also expects to see a spike in new malicious domain names linked to consumer goods and retailers as we enter the final few weeks of the Christmas shopping period, with e-commerce playing a bigger role than ever before due to ongoing social distancing restrictions.

The growth of malicious domain names has led to Nominet introducing new measures to keep the internet safer for users. This has included closer collaboration with law enforcement agencies to identify and highlight suspicious websites to users. In November, for instance, in conjunction with the City of London’s Police Intellectual Property Crime Unit (PIPCU), Nominet introduced law enforcement landing pages for domains suspended due to criminal activity. This redirects users attempting to access those domains to a secure site that offers customer advice and education for potential victims of sales of counterfeit branded goods.

Haworth explained that Nominet aims to be highly vigilant and fast acting upon any suspicious domain before too much damage can be caused, noting that “we’re seeing an increased number of agencies willing to work with us.”

He added: “A feature of .uk is we don’t wait until there’s a court order before we take down a site – we work with the law enforcement agencies and take them down at their behest. That’s not to say we don’t validate through our own ways first but we have a good relationship with a large number of law enforcement agencies and trust they are giving us the right information.”

Nominet has also increasingly made use of automation and machine learning to quickly identify suspicious domains. A major component of this is its initiative called Domain Watch, which identifies and suspends newly registered domains that are obvious phishing attempts. This revolves around a mixture of manual and automated checking, and Haworth revealed that during the period of November 2019 to October 2020, around 5000 domains were put on hold by Domain Watch, with just 10% deemed safe following investigation.

“The attackers are always looking to increase their attack surface and we’re trying to counterbalance that through our machine learning tools like Domain Watch to identify and spot activity,” he outlined. “Once they’re launched and out in the wild then we have to rely on law enforcement as the independent arbiter to say ‘that’s bad, take it down.’”

Nominet has the task of managing some of the UK’s critical national websites, and continuing to invest in and develop sophisticated technological capabilities is essential to protect these going forward. Haworth described the challenge of staying ahead of cyber-criminals as an “arms race” and highlighted that the organization is actively recruiting for a number of roles, particularly relating to IT skills.

It has also recently launched a cyber-innovation lab, which is looking into areas such as digital roaming and improving threat intelligence leads, and offers an “opportunity to look at all the challenges that are happening in cybersecurity and innovate to address those in 12-18 months with new products and services.”

Above all though, the number one lesson Haworth has taken in recent years (and in particular since COVID-19) in regard to improving security has been the importance of constant collaboration between all stakeholders, and that is something he is keen for Nominet to continue pursuing. “Everybody playing their part and working collaboratively means you can increase the ability to take domains down and we need to make sure we continue to look at how we can engage with law enforcement agencies,” he said.
