Micro Focus is now part of OpenText. Learn more >

You are here

You are here

How to Defend Against DNS fraud

Ihab Shraim CTO, CSC DBS
Untitled photo by Romuald Charpentier on Unsplash

As a collective, well-meaning society, we like to think that challenging times bring out the best in us. Unfortunately, where supply chains have become strained, cybercriminals have seen opportunity in domain vulnerabilities.

The past few years have seen an increase in web-domain-related attacks, targeting Global 2000 brands as well as consumers seeking products or information online in a high-demand market. Most recently, attacks have targeted branded web domains in sectors that have been suffering from pandemic-exacerbated supply-chain crises, such as the baby-formula and semiconductor markets.

The issue is a serious one. Due to the connected nature of domain names and the Domain Name System (DNS), a single compromise of a domain registrar or cloud provider via a phishing attack—or a dormant domain name found via search-engine results—can extend beyond the Internet supply chain and corporate infrastructure. It can lead to the exfiltration of company-sensitive, proprietary data, or the theft of credentials or PII associated with customers and/or employees.

These incidents are now commonplace, as it has become far too easy to register fraudulent domain names to launch phishing, ransomware, keylogging, device hijacking, and other fraud schemes online. According to a report from Neustar Security Services, more than 70% of organizations experienced a DNS attack in 2021; 58% of the attacks had "significant" impact.

When combined with poor security hygiene within the company’s data center, major cloud hosting providers, and domain registrars, it only takes one successful attempt on the part of an adversary to weaponize millions of domains for purposes of phishing (including the spread of ransomware and other malware), online brand counterfeiting, or using botnet and Tor infrastructures. As a result, victim organizations face wide-ranging consequences—including revenue loss, reputation damage, consumer safety issues, and additional cybersecurity compromises. Last year, 83% of organizations experienced a domain-based phishing attack.

Regarding the most recent semiconductor shortage, research by CSC examined domain names registered between January 2021 and May 2022 that either resembled those of the top six semiconductor brands or contained relevant search terms (semiconductorelectric chip, etc.). We found that third parties owned 95% of them, indicating an abundance of potentially fraudulent names. Nearly four out of five semiconductor-related domains use domain privacy services or have WHOIS details redacted; 44% are configured with MX email records, which are often used to send out phishing emails.

Given these developments, organizations must take proactive steps to protect their domain portfolios, including:

Committing to defense-in-depth policies and practices: The surest way to reduce third-party risk is through a comprehensive, layered approach that addresses an organization’s domain security, technology, and processes—while governed by the appropriate auditing and compliance frameworks.

In addition to basic security measures such as multifactor authentication, a rigorous defense-in-depth strategy associated with domain-name portfolios, will include the following critical components:

  • DNS monitoring, to confirm that a domain name is accurately translated to a corresponding IP address.
  • Registry locks, which confirm all requested changes with the domain owner—preventing unauthorized and potentially harmful changes to the domain.
  • Regulated permissions, both normal and elevated—along with an authorized-contact policy—to further prevent unauthorized domain activity.
  • DNS security extensions (DNSSEC), which authenticate communications between DNS servers. Without DNSSEC, adversaries can take control of a browsing session during any part of the DNS-lookup process and redirect users to fraudulent, malware-distribution, and/or otherwise malicious websites.
  • Domain-based message authentication, reporting, and conformance (DMARC), which leverages email-server reports to identify possible authentication issues and malicious activity.
  • DNS-hosting redundancy with full network separation, which mitigates potential downtime and distributed denial-of-service (DDoS) attacks—thus increasing availability, reliability. and resiliency. (As such, this is also an essential part of a global business-continuity plan.)
  • DDoS protection, to defend targeted servers from DDoS attacks. 

Reevaluating your domain registrar: Consider using an enterprise-class domain registrar, and vet your choice of registrar appropriately. Most companies do not use enterprise-class registrars and instead settle for consumer-grade ones, which typically do not offer domain-security or brand- and fraud-protection solutions. Many consumer-grade registrars are known to operate marketplaces that sell domain names to the highest bidder—even if those domain names contain trademarks belonging to someone else.

Continuously monitoring the domain space and key digital channels such as marketplaces, apps, social media, and email: Brand monitoring tools can help companies identify brand abuse, infringements, online counterfeiting, and revenue leakage. Meanwhile, domain security monitoring—which covers newly registered, re-registered, and dropped domains—identifies threat vectors targeting the domain portfolio. These can include dormant websites, phishing, malware payloads, and other malicious websites and activities—along with DNS-spoofing methods, such as homoglyphs (domain names that are confusingly similar to legitimate brand names, a.k.a. intentionally “fuzzy matches”), keyword matches, typos, or key country domains. Cybercriminals and other bad actors rely heavily upon all of these schemes as part of their reconnaissance and attack arsenal.

Launching global enforcement and takedowns: Organizations may pursue a number of technical and legal tactics to limit, block, or take down fake domains, IPs, and fraudulent URLs. Enforcement actions should include marketplace delistings, social-media page suspensions, mobile-app delistings, cease-and-desist letters, fraudulent-content removal, and complete threat-vector mitigation.

Investing in a dedicated training program: Employees and contractors need regular updates about the latest trends in adversaries exploiting domains to conduct phishing attempts that target them.

We cannot change the dark hearts of cybercriminals and other bad actors. That’s why organizations must incorporate proactive and comprehensive domain protection into their overarching cybersecurity strategy. Facing this, fraudsters will no longer be able to easily pull off domain-based scams. Accordingly, leaders of supply chains under stress will be able to focus on resolving inventory shortagesinstead of dealing with the crisis of a brand compromise.

Keep learning

Read more articles about: SecurityData Security