With cyber crime on the rise, companies in 2021 have experienced increased ransomware attacks, business email compromise (BEC), phishing attacks, supply chain attacks, and online brand and trademark abuse. While domain cyber risk is rising, the level of action being taken by Forbes Global 2000 companies to improve their domain security posture has remained unchanged, leaving these companies exposed to even more risk.
The risk of not addressing your domain security can be catastrophic. Domains that are not being protected pose a significant threat to your cyber security posture, data protection, consumer safety, intellectual property, supply chains, revenue, and reputation.
70% of third-party owned domains target the Forbes Global 2000 with suspicious or malicious activity
The intent of malicious domain registrations is to leverage the consumer trust placed on the targeted brand to launch phishing attacks or other forms of digital brand abuse or IP infringement that leads to revenue loss, traffic diversion, and a diminished brand reputation. There are endless domain-spoofing tactics and permutations that can be used by phishers and malicious third parties.
We identified and analyzed domains containing the brand names with more than six characters from the Global 2000 companies that were not owned by the brands themselves. Based on frequent observation of use in phishing domains, our analysis included common Latin-character substitutions, for example, using C0rnpanyNarne.com to look like CompanyName.com.
Out of the third-party owned domains, how are these third-party domains currently being used?
From the analysis of these domains owned by third parties, many have a high propensity to be used as malicious domains for cyber attacks. The registrants typically hide behind privacy services or redacted WHOIS to mask their identities, register domains that look confusingly similar to known brands, and use tactics to look legitimate to entice an end user to click on a link, or trust a site that is infringing on a brand.
We recommend that companies establish a robust domain, web, and phishing monitoring program coupled with takedown capabilities. They should also establish a secure 360-degree domain management strategy to register exact matches, protect against a variety of domain spoofing tactics such as homoglyphs, fuzzy matches, cousin domains, as well as register across new generic top-level domains (gTLDs) and country code domain extensions associated with countries of operations and sales, in addition to other high-risk countries and extensions.