Domain name abuse is one of the most dangerous and under-regulated issues in digital business security today. Many of the largest companies in the world still lack basic domain security protocols, making them prime targets for bad actors. An attack on a domain can lead to the redirection of a company’s website, domain spoofing, domain and domain name system (DNS) hijacking attacks, phishing attacks, network breaches, and business email compromise (BEC).
Yet today, there are still some large brands using consumer-grade registrars that cater to individuals, entrepreneurs, start-ups, and very small businesses and organizations. Why? As my colleague Vin D’Angelo noted in Infosecurity Magazine, the question brand owners need to ask themselves this year is whether their domain registrar is a friend or a foe.
Consumer-grade domain registrars offer very transactional relationships with their clients and don’t go through the thorough review process an enterprise-class provider does. They don’t offer solutions to mitigate all the digital risks of domain spoofing, domain/DNS hijacking attacks, sub-domain takeovers, and phishing attacks. In addition to the lack of security, the hard truth is that consumer-grade domain registrars have been proliferating typosquatting, domain name auctioning services (which often infringe upon other brand names), and name spinning services. These registrars monetize the goodwill brand owners have worked hard to establish, creating a revenue stream for themselves rather than protecting their clients.
On the other hand, enterprise-class domain registrars put the security of their clients’ digital assets first and foremost; they understand the threats that exist within the complex domain ecosystem, because they’re managing the domains of some of the largest brands in the world. A good enterprise-class domain registrar should provide its large, global, corporate clients with value-added services, including various levels of security solutions to help mitigate the risk of attacks. In addition to domain security, its mission should be to understand the needs of its corporate clients and protect brands from online IP infringements, brand abuse, and fraud. It should have dedicated staff supporting its clients 24x7x365, with office locations around the world.
Three business practices to examine with consumer-grade registrars
Making headlines because of COVID-19 online fraud, top global brand owners are continually targeted with dangerous domain spoofing tactics that are facilitated and monetized by the largest consumer-grade domain registrars. Fraudsters and cybersquatters buy and use domains containing brand names that lend legitimacy to their activity, especially for business email compromise and phishing attacks. In September 2020, Palo Alto Research called out how domain squatters prefer profitable targets, such as mainstream search engines and social media domains, and financial, shopping, and banking websites. Users visiting these sites are often prepared to share sensitive information, so if a consumer can be deceived into visiting a squatting domain that masquerades as a legitimate brand, they are exposed to phishing and other scams that aim to steal credentials or money.
How is this happening? There are three business practices to look out for:
- Operating domain marketplaces that “drop catch,” auction, and sell branded and trademarked domain names to the highest bidder
- Domain name spinning and advocating for the registration of trademarked domains
- Monetizing trademarked domains with pay-per-click sites
Expired domain names have a secondary market on the internet where they are auctioned to the highest bidder. Those that buy from these auctions can indeed be legitimate domain investors, yet can also be cybersquatters seeking to profit off branded trademark rights.
While companies buy up domain variations and misspellings to protect their own brands, consumer-grade registrars facilitate the sale of variations of branded domain names; this is called name spinning. They sell to the very fraudsters that brand owners are trying to protect themselves from with brand monitoring and takedown services. It serves as another stream of revenue for consumer-grade registrars, and they don’t worry about online brand infringement.
Example: GoDaddy® name spinning engine
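The name spinning and typosquatting variants described above (omitted, transposed, repeated or mistyped letters, look-alike characters, hyphenation, and alternative TLDs) are the same variants a brand owner’s monitoring service needs to watch for. The script below is an added example written for this article, not code from the article, from GoDaddy, or from any registrar: it spins a brand label into its likely lookalikes and flags any that appear in a feed of newly registered domains. The brand domain `examplebank.com`, the feed, the keyboard-adjacency map and the homoglyph table are all constructed, simplified assumptions for illustration.

```python
"""Flag lookalike domains in a registration feed for brand monitoring.

Added example; not the article's or any registrar's code. The brand
domain, the feed, the keyboard map and the homoglyph table below are
constructed/simplified assumptions.
"""

# Assumption: simplified QWERTY adjacency for lowercase letters only.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Assumption: a small table of ASCII look-alike substitutions.
HOMOGLYPHS = {
    "m": ["rn"], "w": ["vv"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "d": ["cl"],
}


def spin_variants(label):
    """Return {variant_label: technique} for one brand label (no TLD).

    Techniques are tried in order; the first one that produces a given
    string is the one recorded for it.
    """
    variants = {}
    for i in range(len(label)):                       # drop one letter
        variants.setdefault(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                   # swap two neighbours
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.setdefault(swapped, "transposition")
    for i in range(len(label)):                       # double one letter
        variants.setdefault(label[:i + 1] + label[i] + label[i + 1:], "repetition")
    for i, ch in enumerate(label):                    # fat-finger on a neighbouring key
        for near in KEYBOARD_NEIGHBOURS.get(ch, ""):
            variants.setdefault(label[:i] + near + label[i + 1:], "adjacent-key")
    for i, ch in enumerate(label):                    # visually similar characters
        for glyph in HOMOGLYPHS.get(ch, []):
            variants.setdefault(label[:i] + glyph + label[i + 1:], "homoglyph")
    for i in range(1, len(label)):                    # insert a hyphen
        variants.setdefault(label[:i] + "-" + label[i:], "hyphenation")
    variants.pop(label, None)  # swapping identical neighbours yields the label itself
    return variants


def flag_lookalikes(brand_domain, feed):
    """Return [(domain, reason)] for feed entries that imitate brand_domain."""
    brand_label, brand_tld = brand_domain.lower().split(".", 1)
    variants = spin_variants(brand_label)
    hits = []
    for raw in feed:
        domain = raw.strip().lower().rstrip(".")
        if "." not in domain:
            continue
        label, tld = domain.split(".", 1)
        if label == brand_label and tld == brand_tld:
            continue                                   # the brand's own registration
        if label == brand_label:
            hits.append((domain, "tld-variant"))       # same name, other TLD
        elif label in variants:
            hits.append((domain, variants[label]))
        elif brand_label in label:
            hits.append((domain, "brand-embedded"))    # e.g. brand + "-login"
    return hits


# Constructed sample feed standing in for a daily new-registration list.
SAMPLE_FEED = [
    "examplebank.com",          # the brand itself: must not be flagged
    "exarnplebank.com",         # rn for m
    "examplebnak.com",          # transposed letters
    "exampelbank.com",          # transposed letters
    "exampleban.com",           # dropped letter
    "exanplebank.com",          # m mistyped as n
    "example-bank.net",         # hyphenated, different TLD
    "examplebank-login.com",    # brand name embedded in a longer label
    "examplebank.co",           # alternative TLD
    "weatherdaily.org",         # unrelated: must not be flagged
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("examplebank.com", SAMPLE_FEED):
        print(f"{domain:28} {reason}")
```

Hits are reported with the technique that explains them, which is useful when deciding which ones warrant a takedown request or a defensive registration. Production brand-monitoring tooling (dnstwist, for instance) generates far more permutations, including internationalised-domain-name confusables, and resolves each candidate to see whether it is live; this example stops at the matching step.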
Consumer-grade registrars also permit domain parking, which allows them to profit from additional pay-per-click advertising. They point brand-sponsored ads to cybersquatted domains, violating trademark rights and monetizing them at the expense of brand owners, who then get fewer clicks. This can have a real impact on brand owners’ paid search budgets.
The unfortunate reality is that compromised domains and countless domain registrar breaches, DNS attacks, and business email compromises will continue, because for consumer-grade registrars, the focus remains on profit instead of safety. With all of the investment spent to build brands, companies must hold their registrars accountable, and even consider signing on with an enterprise-class registrar.