Industry Updates: Holiday Shopping and eCommerce Digital Threats
Join us for our Industry Update webinar, where we spend 30 minutes on the latest news in domain management & security, brand protection, and fraud protection.
You can also read the webinar transcript below.
What You Need to Know!
In our December session, we’ll be looking at the results of some recent research by CSC on the digital threats to companies and consumers associated with holiday shopping and eCommerce.
What are social engineering attacks, and how do they differ from other phishing attempts
Research findings on domain security
Recommendations for companies to stay secure
Tips to share with consumers to keep them safe while shopping online
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.
Stephanie: Hello everyone, and welcome to the December edition of our monthly industry updates webinar. My name is Stephanie Mitchell, and I will be your moderator. Joining us today are Dhaivat Acharya and Pascal Rodax. Dhaivat and Pascal are both digital brand consultants, Dhaivat in the UK and Pascal in Germany covering the DACH-IT region.
In today's session, Dhaivat and Pascal are going to be looking at the digital threats associated with holiday shopping. First, Pascal will take you through our observations of what's going on in the run-up to the big shopping days. Then, Dhaivat and Pascal will share the findings of our research into the top 500 ecommerce and shopping domains and their adoption of key security protocols. Dhaivat will then take us through CSC's recommendations for companies to mitigate against the risks associated with the holiday season and also share our top tips for consumers. I'll then round off the session by giving a quick update on our upcoming activities. But first, I will hand over to Pascal.
Pascal: Thank you, Stephanie, for the introduction and, yeah, also welcome from my side. November is a busy and really special time when it comes to holiday shopping across the globe. There are many celebrations going on in the months of November and December, including Singles Day, Diwali, Thanksgiving, Hanukkah, and Christmas, which see an increase in online activity, especially around the special discount days that have been created. In APAC, Chinese Singles Day, or 11.11 as it's better known, is on the 11th of November each year, and Black Friday and Cyber Monday happen at the end of November, as you can see on the slide.
During this time of the year, cybercriminals are ready to take advantage of any times where there is a surge in online activity. This year is no exception of course. But with the global health crisis that we are experiencing at the moment with COVID-19, restrictions on people's movement and many areas have lockdowns with only essential shops open, this year more than any other is going to see an even bigger increase in online shopping. And as you will see, the cybercriminals are prepared.
Here at CSC, we monitor domain registrations, and in this class, we've picked out all of those registrations that include the terms 11.11, Black Friday, or Cyber Monday, and have plotted them against stats that we took from 2019 represented here by the dotted lines. Now, this is quite an eyeful to take. So let's take a look at Singles Day and Black Friday individually.
Okay. So here, we are looking just at Singles Day, which falls on the 11th of November each year. So what we can see here is a distinct spike in registrations, firstly a few days before the day itself, around the 9th of November, and then another huge spike on the actual day, of course. Interestingly, this year's stats compared with 2019 show a much more significant drop in registrations after the day itself.
Now, let's move on to Black Friday. We can see from the graph here that overall, and perhaps surprisingly, there has been a lower level of domain registrations including Black Friday this year than there were last year, with the peak happening again a few days before, around the 24th to 25th of November.
So looking at the number of domain registrations, it's interesting to see the level of activity going on. But looking at the registrations themselves gives us a further indication of what they are being used for. So 17% of the domains registered for Chinese Singles Day and 21% of those registered for Black Friday included keywords relating to shopping, for example, shop, buy, sale, etc.
Now, this indicates that these domains could be used either to sell counterfeit goods or to receive details from unsuspecting consumers trying to get a good deal on these shopping days. Also, of course, a proportion of them may be legitimate.
The other thing to look at is the fact that, across all three shopping days, a percentage of the domains contain the names of recognized brands. This is a worry for brand owners as it's likely that those domain registrations were not undertaken by a member of staff from the likes of Amazon or Walmart or Taobao. That's not only a brand infringement but also could mean that the domain is being used as a gateway for any number of criminal activities, from selling counterfeits to phishing, spreading malware and more.
Because of that risk to brand owners, we took a closer look at the domain security posture of the top 500 global ecommerce and shopping domains and assessed whether those web properties were being targeted for domain spoofing. And here's what we found.
Firstly, we found that more than 70% of the domains registered with titles of those top 500 brands appeared to be owned by third parties, one indication of criminal intent. When we look at those owned by third parties, we found that just less than half were configured with MX records. These are what you need in order to send emails via a domain. We also found that 40% were using domain privacy services. Cybercriminals use all sorts of means to disguise their identity, and this is just one such way of doing so. A similar number of those domains also pointed to advertising-related or pay-per-click content, which is a classic cybercriminal tactic to extort money from consumers.
So the picture doesn't look great here. But what does that mean in terms of threat and risks? Let's take a look at this chart here. First up, those 48% of domains that were configured with an MX record means that whoever owned that domain was wanting to send emails via their domain. It's a strong indication of intent to undertake a phishing attack. For the consumer, there could be financial losses or the unwanted sharing of personal data. Phishing attempts can also spread malware. Malware is also a strong possibility when the domain points to that advertising or PPC content or malicious content with the same outcome for consumers of course.
If the domain points to shopping-related content, a bogus ecommerce platform, then your consumers get poor quality products, some of which can pose health and safety risks. There were reports of exploding NutriBullets and smartphones a few years ago, which clearly puts the safety of the consumer at risk. In other industries, we've seen examples where counterfeit alcohol has been bought but has actually been topped up with non-consumables, like antifreeze. These domains pointing to shopping-related content could also be platforms where no goods are received at all and the cybercriminals just take people's money.
All of these things have the same effects on the brand. Reputational damage is a big thing. Research shows that once a brand has been targeted by phishers, its consumers are 40% less likely to do business with you in the future. Even though that phishing attack didn't come from you, it makes the consumer less trusting of your brand as a whole. And of course, if people are less likely to do business, that's going to affect the revenue that you make.
With those sites that point to advertising or shopping-related content, that's simply taking away revenue that could or should have been yours, meaning another financial hit to your bottom line. Well, now I will hand it over to Dhaivat.
Dhaivat: Thanks, Pascal. So in the next part of our research, we looked at the adoption of security measures by the top 500 ecommerce and shopping domains. On this table, you can see what we consider to be the top security protocols or measures that should be in place in order to make an organization the most secure it can be outside of its firewall, of course. There are some pretty low adoption rates for registry lock, secondary DNS, DNSSEC, and CAA records, although in pretty much every area or category, these top 500 ecommerce domains had higher adoption rates than those in the Forbes Global 2000, which is another piece of research we conducted recently.
That said, there's still a lot of brands here leaving themselves open to the risk associated with not having those protocols in place. So let's take a look at these in order.
First up, registry lock. Registry lock is an important security protocol because it prevents unauthorized DNS changes at the registry level. If you're not deploying registry lock, like 82% of the top ecommerce domains that we assessed, you're leaving yourself open to potential social engineering tactics that could lead to domain and/or DNS hijacking.
Secondly, secondary DNS. What secondary DNS does is it effectively splits your traffic between two different sets of DNS servers, meaning that you're not just relying on one DNS infrastructure to support your whole online presence. So you're in a much better position to deal with any cyber attacks that may occur. If you're not using secondary DNS, then you could be vulnerable to DDoS attacks resulting in potential downtime and loss in revenue.
Next, let's look at enterprise-class providers. What is an enterprise-class provider? Well, a retail provider might be the likes of GoDaddy or 123 Reg. They offer domains and minimal security support but not much else. CSC is an enterprise-class provider. But, essentially, what that means is that we invest heavily in technology and the security of our systems and services. We are an accredited registrar with relevant bodies, such as ICANN. But it is also a full-service offering with dedicated support, not just covering domains or brand protection or fraud protection but all three. It's a much more holistic service tailored towards corporates. If you're using a retail-grade provider, then threats to your business will include security vulnerabilities that could leave your vital digital assets at risk of hijack, including domain shadowing, and/or more generally downtime resulting from cyber attacks.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an email authentication protocol which, used alongside SPF, or Sender Policy Framework, and DKIM, DomainKeys Identified Mail, makes sure that emails that come into your company are from who they say they're from. This is especially important to avoid things like business email compromise attacks, where the fraudsters use social engineering techniques to target staff in your own company to extort money. They start off with a domain that has a minor typo in it, and they impersonate senior members of staff. DMARC will help to filter out emails from the bad actors, because once an email reaches a member of staff, it's often very difficult to recognize that it's a phishing attack.
Fifty-nine percent of the ecommerce firms that we assessed deployed DMARC. But there's still a way to go for those 41% who leave themselves vulnerable to the likes of CEO fraud, or business email compromise as it's known, email spoofing, and potential loss of revenue, or worse yet, infiltration of systems by malicious attacks where malware may be included.
Okay. Last two before we move on to some recommendations. DNSSEC is basically a protocol that authenticates DNS flow. Using DNSSEC essentially puts a golden handshake in place to ensure DNS traffic is legitimate and has not been compromised along the way. So if you're not using DNSSEC, you're opening yourself up to all sorts of problems at the most fundamental level of your online ecosystem. For example, man in the middle attacks or DNS cache poisoning, where a bad actor could misdirect your consumer to a website under their control rather than your site being served as part of the DNS lookup process.
Finally, CAA records. CAA or Certificate Authority Authentication authenticate a particular certificate authority to issue certificates for your domains. That means that if someone attacks your domain, they can't put an additional certificate on it to make it look more legitimate from just any old CA. It must be one held in the zone file. So basically, this means unauthorized certificate issuance on your domains from a CAA not within your approved list and domain shadowing, where a compromised DNS could allow hijackers to create a subdomain on your legitimate domain without your knowledge and give a sense of legitimacy by installing a digital certificate, can't be conducted if you have a CAA record in place.
So on top of adopting all of the security protocols that we've just covered, we have three overarching recommendations for brands to combat the issues that we've talked about in today's session. Firstly, establish a DNS or domain security council comprising at least stakeholders from marketing, legal, IT, and security. Consider running a gap analysis of your existing portfolio and registering defensive domains in key country markets, including keywords and misspellings. Additionally, the council should champion defense-in-depth recommendations for security to securely manage your domain and DNS, including registry lock, reliance on enterprise-class domain registrars, DMARC, DNSSEC, and DNS redundancy.
Secondly, continuously monitor the domain space. Having a robust monitoring service, so that you'll be able to spot any anomalies before they turn into anything bigger and put your brand at risk, is a key consideration.
And of course, tied into that, having a global brand enforcement service means that you can be on top of these anomalies and deal with them effectively and proactively. Providing that a company has sufficient protection of IP, like trademarks registered in the appropriate jurisdictions, there is typically a range of enforcement options available for removal of infringing content. By doing this, companies will actually be able to revert some of the lost revenue incurred by copycat websites or fake branded websites selling counterfeit goods and protect their consumers from the risks of fraud or substandard, non-legitimate goods that, as we mentioned earlier, may put their safety at risk.
Speaking of keeping your consumers safe, we've also created some tips for consumers as well to avoid falling victim to cybercrime, which may be useful to you personally or to share with your customers in your own communication. Our first recommendation is to avoid phishing risk. Never click on links received through unsolicited emails, texts, or apps. There are some classic phishing indicators to look out for, like spelling and grammar errors, and sensational subject lines that basically say that they need you to act immediately to avoid losing your account or to change your password. It's also a good idea to check the details of the email address in the "from" line as well. Phishers have figured out how to make the text look like it's genuinely from the brand they are impersonating. But when you look at the actual email address, it could be a quite obscure address. We also recommend hovering over links rather than clicking them straightaway. If the link looks in any way suspicious, do not click it.
Secondly, avoid fraudulent transactions. So this sounds very broad, but as well as being vigilant and wary of sites that offer massive discounts on what would ordinarily be expensive goods, you can also verify that the domain you're visiting is owned by the legitimate brand you're intending to visit. You can check this using CSC's public whois shown here on screen.
Thirdly, verify digital security. This is one of the easier ones to spot. You can confirm the URL in the address box contains https. And it's that "s" that you're looking for, which indicates that the site is secure because it has a digital certificate in place, and this basically stops people from scraping your personal details from the web pages you're paying for goods on.
Looking to the left of the web address on, for example, a Google Chrome browser will show one of the messages here. "Connection is secure": well, this is what it says on the tin. Basically, you're okay to proceed. If it says "view site information", "not secure", or "dangerous", that means you should not continue on that site. It's not safe to do so.
And finally, we suggest verifying the product's authenticity by using reputable retailers, especially around the holidays. There are so many sites set up, as we've seen, by bad actors. Our advice is always: if it seems too good to be true, it probably is. Some brands list authenticity markers on their website, which may include standard pricing practices, logo placement, fabrics used, and so forth, to help consumers distinguish genuine product from fake. So do a quick bit of research on the genuine brand and make your decision from there.
That concludes the content of this webinar. Stay safe and happy holidays and thank you for listening. I'll hand it back to you now, Steph.
Stephanie: Thanks, Dhaivat, and thanks to both of you for that informative session. So I just want to draw your attention to our upcoming activities. Our next monthly roundup newsletter will be sent later this month, on the 16th of December, and this is our last webinar for 2020. But our first webinar of the new year will be on the 14th of January, and it will feature our special guest speaker Robin Schouten of ABN AMRO, who will share his experiences on how his company mitigates the risks of online fraud.
But that's all the time we have for today. Thank you to everyone who joined us and we hope to see you next time.