As many as ninety-six percent of organisations worldwide have observed the presence of multiple fraudulent domains on the Internet that spoof their legitimate domains and use security certificates, new TLDs, and email communications to appear legitimate to customers.
Fraudulent domains do not merely endanger established brands around the world; they also tarnish those brands' reputations, because threat actors use such domains to carry out wire-transfer fraud, to steal customers' personal and financial information, and to deliver malware to millions of devices.
During the Black Friday shopping rush before Christmas last year, the NCSC issued an advisory urging citizens to examine web links carefully before clicking on them, to type a shop's website address manually into the address bar, and to shop only on e-commerce websites they know and trust, so as to stop fraudsters from obtaining their personal and financial data or injecting malware into their devices.
“Staying safe online doesn’t require deep technical knowledge, and we want the whole country to know that the NCSC speaks the same language as them. With so many of the UK shopping online, we want to see these tips shared from classrooms and scout groups to family dinner tables and old people’s homes,” said Ian Levy, technical director at the NCSC, to the BBC.
Retail brands have over 200 duplicate domains on average
The NCSC’s concern was recently echoed by security firm Proofpoint, which in its latest Domain Fraud Report revealed that more than 85 percent of top retail brands found fraudulent domains selling counterfeit versions of their products, and that 96 percent of them found exact matches of their brand-owned domains.
A vast number of fraudulent domains that spoof the legitimate domains of established brands use a different TLD, such as .net, .app, .icu or .com, and many of them carry security (TLS) certificates so that browsers do not flag them as risky websites.
Proofpoint also observed that threat actors extensively email customers while posing as the brand, supplying links to fraudulent domains; this tactic has affected as many as 94 percent of organisations worldwide.
“Similar to many of today’s top attack methods, domain fraud targets individuals rather than infrastructure by using social engineering to trick users into believing the domains they are accessing are legitimate,” said Ali Mesdaq, director of Digital Risk Engineering for Proofpoint.
“Due to the relatively low barrier to entry of domain registrations and ease of execution, it is critical that organisations remain vigilant of suspicious and infringing domains that might pose a risk to their brand and customers,” he added. According to Proofpoint, an average retail brand’s domain has more than two hundred spoofed versions, which indicates the immense threat that domain spoofing poses to organisations.
How can the use of fraudulent domains be curbed?
Earlier this year, Google announced that it was testing a new feature in the Chrome browser that flags malicious URLs used by cyber criminals to spoof the URLs of websites owned by well-known brands, universities, organisations and personalities.
According to ZDNet, the new feature is called “Navigation suggestions for lookalike URLs” and can be enabled by users of Chrome Canary 70 by visiting the URL chrome://flags/#enable-lookalike-url-navigation-suggestions. Once activated, the feature shows a drop-down bar under the address field that suggests the matching legitimate URL to the user.
Last year, we learned that WhatsApp was also planning to launch a new feature named ‘Suspicious Link Detection’ to detect fraudulent links or domain-spoofing links and alert users about them.
According to WABetaInfo, a news website dedicated to updates rolled out by WhatsApp, the new feature ensures that every time a user receives a suspicious link on the platform, they also see a red-coloured alert from WhatsApp stating that the link is suspicious.
The feature will also apply to domain-spoofing websites, that is, fake websites that mimic popular domains trusted by the public. If a user clicks a domain-spoofing link, they will see a pop-up stating “This link contains unusual characters. It may be trying to appear as another site.” The pop-up will also ask the user either to open the link or to go back.
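Both the Chrome lookalike-URL suggestion and the WhatsApp “unusual characters” alert rest on the same defensive idea: fold away the tricks a spoofed hostname relies on (confusable Unicode letters, punycode, a swapped TLD, a one-character typo) and then compare it against the domains a brand actually owns. The following Python is an added example of that check, not Chrome’s or WhatsApp’s code; the brand list, the confusables table and the sample hostnames are constructed placeholders.

```python
import unicodedata

# Constructed placeholder list of brand-owned domains (not from the report).
BRAND_DOMAINS = ["examplebrand.com", "shopexample.net"]

# Tiny confusables table (Cyrillic/Greek/Turkish letters that render like Latin
# ones). Deliberately incomplete; Unicode's confusables.txt is the full reference.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o", "\u0131": "i",
})

def skeleton(host):
    """Fold a hostname into a comparable form: decode punycode labels,
    lowercase, NFKC-normalise, and map confusable letters to Latin."""
    if "xn--" in host and host.isascii():
        host = host.encode("ascii").decode("idna")
    return unicodedata.normalize("NFKC", host.lower()).translate(CONFUSABLES)

def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute, no transposition)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, brands=BRAND_DOMAINS):
    """Return (verdict, brand) where verdict is one of 'legitimate',
    'homograph', 'tld_swap', 'typosquat' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if host in brands:
        return ("legitimate", host)
    h_label, _, h_suffix = skeleton(host).partition(".")
    non_ascii = not host.isascii() or "xn--" in host
    for brand in brands:
        b_label, _, b_suffix = brand.partition(".")
        if h_label == b_label:
            if non_ascii:             # identical only after folding confusables
                return ("homograph", brand)
            if h_suffix != b_suffix:  # same name under another TLD (.icu, .app, ...)
                return ("tld_swap", brand)
        # one-character typo of a reasonably long brand label
        elif len(b_label) >= 6 and edit_distance(h_label, b_label) <= 1:
            return ("typosquat", brand)
    return ("unrelated", None)
```

A browser or messenger that reaches any verdict other than 'legitimate' or 'unrelated' has what it needs to show the kind of warning or suggestion described above.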