Why the Industry Needs to Step Up Action on Malicious Domains

The registration of new, fake domains, designed by cyber-criminals to trade off the good names of reputable organizations, has reached industrial levels in recent weeks.

While businesses and brands are doing their best to combat the threat of fraudsters targeting their customers and contacts, it is the web hosting companies that have the power to do more to take down these malicious domains.

This has become especially pressing following the huge growth in registrations as scammers exploit the COVID-19 crisis. There are examples of organizations trying to reduce the impact of these domains.

The NCSC has recently set up a tool for members of the public to report email scams and phishing sites which is a positive initiative that will help in the drive to get these sites shut down. Major search engines, like Google, are prioritizing content from verified and trusted sources to funnel concerned surfers away from the scams, fake content and potential malware such domains bring.

However, web hosting businesses also need to take a stronger stance with proactive measures that can be put in place to protect business and consumers from this rising tide of typo squatting, scams and fake sites. Whilst some are clearly taking on their responsibilities to remove malicious sites, it’s not enough against the current threat levels.

By putting in place additional checks and creating a thorough audit process for determining if a domain is malicious, to stop these sites at their source, they, too, can play a vital role in the efforts to protect consumers and businesses.  

The rise in fake coronavirus domains

According to DomainTools more than 150,000 new, high risk COVID-19-themed domains have been registered since December 2019. This represents domains with a “risk score” of 70+ highlighting domains that most likely have been set up to serve malware, phishing pages, or to scam visitors. This cannot be allowed to continue: not only is this damaging to businesses and their brand, but consumers also stand to lose money as a direct consequence of the criminal’s activities.

Scammers will exploit the concerns of people reaching out for health advice or financial support or those that simply want to help good causes. The New York Post recently reported that scammers used COVID-19 registered domain names to solicit donations to the American Red Cross. Others have pretended to be government sites offering advice but were, in fact, no more than fronts for phishing campaigns.

Preying on vulnerability

Cyber-criminals are opportunists and it should be no surprise that they are using COVID-19 to their advantage. However, this is a recurring issue for security teams and certainly not confined to the current crisis.

Any time there is a major disaster it is inevitable that scammers will be circling looking to capitalize on significant world events and incidents. Take, for instance, the collapse of the travel agent Thomas Cook in September last year. We detected the registration of 53 new website domains with names relating to the company in just seven days after it announced its liquidation. Many of these would have been set up to help former customers and employees who were affected by the collapse. Yet, a significant number were also set up to exploit those looking for compensation or advice.

Finding a fake

It’s usually down to each individual business to identify fraudulent domains mimicking their own corporate sites. Yet to do this effectively they will need automated monitoring in place that will alert them of suspicious domains. In the event of a business discovering a malicious domain, they can report it to the hosting company, which has to investigate and take appropriate action.

Hosting businesses should be more proactive in protecting their customers and the reputations of businesses. They can do this by auditing domain names and checking them against similar existing ones. If there is a clear similarity, yet the registration details are different, they should check with the existing registered holder that they are aware of, or are comfortable with, the new domain. If not, the registration should be paused while the case is investigated further.

In fact, some do make applicants wait 48 hours before they can use a domain or email account. This can, in itself, put off many fraudsters as bad domains are typically put into action within 48 hours of registration.

Other steps they could take include reducing payment options, and verifying details match, to thwart stolen card use, verification using a company email if the domain is related, and requiring photographic ID.

While many hosting companies continue to do good work in combatting scammers exploiting trusted brands, taking these extra steps will make life much harder for these criminals, particularly as most are opportunists seeking the path of least resistance for their attack.

By making domain impersonation a time-consuming and difficult task, they can drastically reduce the volume of scams targeting both individuals and businesses.

What’s Hot on Infosecurity Magazine?