Mitigating Risks: Layered Strategies to Combat Phishing, Brand Abuse, and Domain Hijacking
Many organizations still treat domain portfolios as a cost rather than a safeguard. But what happens when your main site goes down—taking email and the domain name system (DNS) with it—or when counterfeiters and phishers impersonate your brand?
In this webinar, Quinn Taggart, CSC product coach, will show you how to strengthen your domain security strategy across a range of budgets—helping you identify where increased investment is essential and where small adjustments can still make a difference.
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Mitigating Risks: Layered Strategies to Combat Phishing, Brand Abuse, and Domain Hijacking." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Quinn Taggart. Quinn is a product coach for Digital Brand Services and assists clients in the areas of online brand protection and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of experience and knowledge is appreciated by brand owners as he helps them to better understand their evolving digital asset portfolio and minimize their risk. And with that, let's welcome Quinn.
Quinn: Thanks, Christy. For those that have been with this series since the beginning, I appreciate your patience to us getting to a point where there's some actual meat to the whole process. Certainly the first couple of webinars in our series have been a little bit more anchored towards foundational items.
And in a lot of cases, for folks that are tasked with managing domain inventories, it's not their only job. We did an informal survey one time and found that a lot of our client contacts that are responsible for the domain inventories are only handling domains for a small part of their day; many were between 5% and 7%, most 10% of their day. And so with that amount of time being spent on domains, it really is challenging to be able to accumulate the foundational knowledge necessary to kind of expand beyond the usual round of buy, renew, keep renewing, and so on.
So when we look at the domain name life cycle, we're going to cover a couple of key pieces just to bring us all up to speed in case some of the folks that are on the call haven't had the opportunity to join us through the first two. The domain life cycle is pretty straightforward. And you'll notice a lot of the best practice items that we're going to show you are circular, and that's because things do go in a circle.
So domains are available, you pick them up, you renew them. You're going to cycle back and forth in this teal section for quite some time. And then once you're done with the domains and you decide to let them go out of your portfolio is where you're going to start to kind of peel through the rest of it. So a lot of people end up cycling through this one piece of the pie before they end up having to deal with the rest of it. And then they think, well, once it's gone, it's gone. And that could be part of the challenge that a lot of brand holders have when it comes to purging non-necessary domains out of their inventory: sometimes those domains can come back to bite you later on. And that's part of what we're going to discuss a little bit when it comes to overarching strategy.
A lot of our processes will kind of anchor around this defense-in-depth approach, which we encourage our clients to familiarize themselves with and apply to their own sort of scenario when it comes to their domain inventory. And it doesn't matter whether your domain inventory is small, medium, or large. This sort of approach will help you compartmentalize your inventory and your thought process along the way.
So taking some proactive monitoring, it's always important to kind of keep an eye on what's going on. Some folks are at one end of the scale, where their idea of monitoring is word of mouth, waiting for somebody to tell them that something has gone sideways with one of their brands online. And then others, on the opposite end of the scale, are heavy into monitoring and enforcement activities, making sure that the bad actors realize that don't mess with this brand. We're going to take some action, and we're going to be really aggressive in making sure people are not messing around with our brands.
And one of the key pieces of this slide, of course, is partnering with an enterprise-class provider. And we've covered that multiple times across the last couple of webinars. Nothing really replaces having that expertise available to you and your team. Again, if you're only managing domains 5%, 10% of your day, having an enterprise-class provider as a partner and part of your team will put you in a much better position to be able to go and aggressively handle any kind of branding and strategic guidance approaches that are going to be necessary for protecting your brands online. And that's really one of the key pieces.
Now, of course, some of the other areas that crawl into this as well, of course, are a lot of the advanced domain security features, and a lot of these have come to light in the last little while in a variety of different attack methodologies that have been employed. So things like registry lock, we call it MultiLock at CSC, DNSSEC, DMARC, and a variety of other elements that you can activate on a domain-by-domain basis or across the entire portfolio of domains are really going to set you up for success in being able to keep things rolling along.
One of the other really important items is being able to involve the other stakeholders, and we'll get to that in a second. But being able to assess and optimize your current portfolio. Again, back to the circle, it's a cyclical kind of approach. We've numbered these, but you don't necessarily have to go 1, 2, 3, 4. Depending on the day, depending on the situation, you might go 3, 1, 2, 4 or whichever. But the idea is register your domains, utilize blocks as and where they're available for you, secure your inventory as best you can, and then, of course, monitoring and enforcement is always the anchor on the other side of it. And again, a cyclical approach, but you can kind of cross-hatch your way around it in order to make sure that you're covering yourself appropriately.
When we look at the threat vectors that are available right now and the bad guys are finding new ways to come at brand holders right now, there are a lot of different things. I'm not going to read through all of these. You can kind of do that on your own. But one of the big things to look towards, malware delivery, of course phishing attacks, and spoofing and the like. But they all center around domains, and they're using domains to trigger a lot of these attacks.
Now they may come through social channels. They may come through online posts and other things. And they may come through false websites and all kinds of things. But they're all going to trigger back through that global domain portfolio. And if they're registering domains that contain your brands, that's where things are going to trigger up. How do you combat that? Monitoring. I'll anchor that a few times as we go through this.
Now there are some real line-by-line combative elements that you can use to come back at that kind of stuff. DNS redundancy, registry lock, we talked about that a second ago, DNSSEC, DMARC, and so on. Again, I'm not going to read through all of these. But a couple of the real key pieces, of course, go right back to what we were talking about before, using an enterprise-level registrar. They're going to give you the guidance and support and point you in the right direction towards those security features that you should be putting onto your portfolio. A lot of the consumer-grade registrars, they are anchored in automation. Therefore, you don't have an account manager. You don't have the guidance, and you don't have the support. You have to sort of figure all that out for yourself.
And the other anchor, of course, is on the monitoring and enforcement services on the right-hand side. So CSC has a 3D monitoring solution that allows us to take a really holistic approach towards keeping an eye on your brands online. And then, of course, we have a wide range of enforcement activities that you can tap into as well.
I kind of jumped ahead earlier when we were talking about the optimization plan, and I kind of roped in on stakeholders. But this is the key slide for that part of it as well: you really need to involve all the major stakeholders within your organization in the decision-making process when it comes to domains. It may not come out of their budget. It may not impact them directly, so they think, but really it does.
So when you're dealing with the IT team, the legal team, the infosec team, and the marketing team, those are the four key teams. Now there are probably some sub-teams. So I mean really the number could be a lot larger than four. But these core teams are ultimately going to be impacted by any domain name decisions that are made.
Now not knowing in your organization where exactly things kind of fall right now when it comes to domain management, typically, we've seen it in one of two places. Generally, on the legal side because they're ultimately responsible for the brand protection aspect of the intellectual property to begin with, or on the IT side because technically they're handling the technology. They're making sure the sites are up. They're making sure email is working. So it makes sense that the domains could fall into one of those two main areas.
But marketing is focused on SEO. They're focused on traffic. Infosec, of course, as of late, we've seen a lot of bad actors heading towards that infosec side of things with fraud, phishing, smishing, all kinds of other areas where they're utilizing the domain inventory or spoofing on the domain inventory in order to be able to get their job done, and we don't want them to get their job done.
So reach out internally. If you're not talking or not involving the other stakeholders in your domain process right now, I encourage you to set up a bit of a committee or call it a domains council. It sounds really formal, but it could be as informal as a group chat or the like in order to be able to make sure that everybody is on the same page.
Looking at domain strategy overall, there are a couple of I call them hard and soft components. You could say tactical and strategic. Anything that really works well as far as wording goes. But essentially, when we look at the domains themselves, what we want to focus in on is where. Where are you doing business? What are your core markets?
Now when I say "markets," it doesn't necessarily mean industry-wise. Markets in this aspect means countries. Are you domestic? Are you dealing only in the U.S. or Canada where I am? Are you dealing in North America, which would be Canada, U.S., and Mexico? Are you dealing overseas? Where overseas? You've got 200-plus countries around the world. People talk about being global, in a global market and utilizing online e-commerce. Absolutely global.
But to register your brand in all of the extensions that are available is a huge undertaking. You're not necessarily going to qualify for all of those. Some countries need local trademarks. Some countries need local companies to be there in order for you to be able to qualify for the domain. So you're not going to get them all. And even if you could, I think the last time I priced it out, it's probably in the neighborhood of half a million dollars to register one brand across everything that's out there. It's not feasible for what you're doing.
So you want to just sit and think for a second. Where are we doing business? How does that relate back to the trademarks? Typically, a lot of companies will try to protect their brands by utilizing the trademark system, and that's great. But it also gives us a sense of the jurisdictions or the countries that those particular brands are going to be relevant for. However, also with trademarks, because the time it takes for trademarks to be registered is long, usually a couple years or more, it's usually more planned out ahead of when actual activity might happen. So you might be thinking: All right, we're going to go into the United Kingdom, not tomorrow, but soon. So I'm going to file a trademark for the UK because I know it's going to take a little bit before it's settled up and registered for us.
But that's not the time to wait when it comes to domains. Trademarks have to be published for opposition. People can challenge them. That's just the nature of how trademarks work. Whereas domains are first come, first serve. Like I say, in some places you do have to have a trademark or local presence in order to be able to qualify for the domains. But in a lot of cases, you don't. Don't wait. Don't wait for the trademarks to settle before you go and look for the domains. Probably by that time they're done. Somebody has already picked them up.
A lot of things can trigger into what industry vertical you might be in as well. So the domains are kind of broken down into two main categories. You've got the global domains, which are the normal ones — .com, .net, .org, .info, .biz, .ca for Canada, .uk for the United Kingdom, and so on. And then you have what we call the new gTLD market. Now these started up about 2012. We're going to touch a little bit more on that in a bit. But these represent a lot of different keyword style and industry style domains. So you got .shop, .store, .online. Those types of extensions are critical in certain activities that you might have. So we'll look towards domains that might support that kind of activity.
Are your domains going to be offensive or defensive? If they're defensive, we're going to look towards things like keywords, typos, what we call IDNs. Now some domains can be in natural characters. You can have Chinese, Japanese, Korean, Russian. Those ones are easy to spot because of different character types for their alphabets. But you may have something like French or German, where it might just be an accent that you'll see on the characters as well. Those are legitimate domain names. Now it's a very narrow focused piece, but it's a defensive aspect as well, depending on how your brand is positioned in the market. Not all brands translate well into things like Chinese and Japanese and the like, but sometimes they do. It's an area for us to look at.
Of course, I've got a question mark by monitoring. It's something that if you're doing it, great. If you're not doing it, time to consider it. And then, of course, registry lock is another key component as well.
And then, on the right-hand side, we've got some technical pieces that are going to be important in your process as you go through. How are you going to handle DNS? Zone hygiene, DNSSEC, and redundancy, they're all key components for you to consider, especially zone hygiene. Nowadays, a lot of people will create the records, and they'll kind of forget about it. But those records could be really dangerous for you later on. We'll touch on that in a little bit.
SSLs, certificates are another hot button topic right now because they're moving towards reducing the amount of time you can have an SSL active to like 47 days. Now that's a few years down the road. But they've made some changes in the way that SSLs are validated. CAA records are an option that's helpful for an organization, especially a larger organization where multiple hands are in the cookie jar, as it were, to make sure that you're dealing with preferred vendors.
Are you going to use any of these domains for email? That really ups the profile for these particular domains. If you're using them for email, that makes them critical. If they're critical, you need to be looking at some of the security features, like registry lock.
What kind of content are you going to put online? Who's going to generate that content for you? And then how is that going to be delivered? And then with that in mind, what cascades from that? If you're gathering information, you need SSLs. If you're just informational, you still might need an SSL or enhanced security because you're going to put a contact us email on it. There are a lot of things that kind of cascade off of just this one slide.
So the next thing to kind of consider, okay, fine, we're going to be, let's say, primarily domestic. So we're going to be the U.S. or Canadian based. But there are other extensions out there that are what we call vanity extensions. So these ones, although they relate to specific countries, have taken on additional meaning and value in the marketplace. AI hot button right now, artificial intelligence. I'm sure the people on Anguilla are happy as happy can be that people are buying the hell out of this domain name.
One of the earliest legacy vanity URLs was, of course, .tv for Tuvalu in the South Pacific. It's an island chain. Google it. It's there. I didn't know where it was when I first started. But that's part of the process. And that's been highly marketed as television, and of course it is TV. But that is a country code registration, as are all the other ones that are on this list. But you can see the different meanings for them as you go through, especially for the typos for .com. .co for Colombia, heavy, heavy, heavy marketing as a typo for .com. Made it extremely popular in a defensive posture. And again, this is where defensive versus offensive come into play.
On the right-hand side are ones that have been notable as being used for malicious purposes, whether it's phishing or whether it's counterfeit goods or spoofed content or the like. There's a variety of different country codes as well as other gTLDs that are part of this process. Now there are some very reputable ones that are in this list as well, .fr, .de. Not ones that you would normally assume or even clue into being a little bit more malicious oriented, but they have a lot of different domains in those spaces that are being used that way. So it pays to be cautious.
The bad actors are out there. Again, I'm not going to go through all these statistics. But suffice to say that one of the key things and takeaways from the bad actor scenarios, as far as scams go, is that a very small percentage of them are actually reported. So any numbers that you see, they're underreported. It's generally anywhere between 5 and 20 times the numbers that you're going to see.
Now we talked a little bit about the new gTLD program. So back in 2012, this is where we had Round 1. Round 2 is now coming up. But as you can see, the split on Round 1 put us into a scenario where a lot of the larger pieces of this pie relate to banking, technology, and retail. Definitely areas that I would have expected to see with this kind of scenario.
Now that also puts you into a position where maybe you want to own your own piece of the gTLD pie or the .BRAND landscape. And that's important to consider. It's a hefty investment, but it's yours. It's your piece of the internet. You control it. It helps with security. It helps with recognition. It's all going to come back to marketing, of course, which isn't included in these costs and is certainly something to consider as well. But we had a lot of folks that did want to go down that road. .canon comes to mind, as well as .honda and so on, where they're making good use of their area of the internet.
The last little bits of this I'll go through pretty quickly because we're really tight on time. But that being said, these really aren't in-depth kind of pieces. These are some other considerations to kind of look at. Subdomain monitoring is going to keep an eye on your domain zone hygiene, and that's important. You put records in, and then you yank something offline and you never go back and clean it up. Hey, we've all got that closet in our house where all the stuff gets thrown and you never ever, ever get back to it. Well, this is one of those scenarios where, yeah, you can do that, but sometimes it will come back to bite you. So subdomain monitoring is important to kind of keep in mind if you think things might have gotten out of hand and you want to cycle through things.
Why is it so difficult to detect? Well, a lot of it really comes down to the fact that the bad actors don't have to have access to your system in order to hijack your subdomains. They're just going to redirect the traffic. You've got the records. You've done the work for them by pointing that record in a certain direction. They're just going to take advantage of that situation.
Now I mentioned the SSL landscape. That's changed. We can't do the WHOIS validation email anymore. Of course, with new changes on WHOIS details, a lot of that has gone away. Web tokens, it's not a preferred methodology, especially because of the way in which they're issued and managed. So certainly the preferred method is going to be a DNS record. But in order to be able to do that, you've really got to take charge of where you're getting your SSLs from and the validation method associated with that.
Watch your lapses. This is a real key component. So you've got an inventory of domains. It didn't get that way overnight. It's taken years to get to that point. So you're going, "All right, well, let's just get rid of this junk. Here's an old brand. We haven't done anything with this brand for a while. Let's dump that." Well, the power of association still ends up being there.
Now there's this particular article, and you can highlight the Dark Reading article and read through it. It's a very interesting read. A lot of the bad actors are just looking for domains that are whitelisted, that they're not a threat. They haven't been blacklisted online. They're reputable. And then they're leveraging that reputation to be able to deliver their phishing attacks and other associated online attacks because they're not going to get triggered fast enough in order for it to be able to be recognized as being bad.
A lot of the research that we've done internally has shown anywhere between 10% and 13% of domains are re-registered after you let them go. And that can come back to trigger a bad time later on. And that's important to keep in mind as you go through and purge things out of your portfolio.
So a quick case study in "accidents happen": the Dallas Cowboys. Now this was a few years back. But they accidentally let dallascowboys.com expire. Took things offline. It was a bit of a mess. Happened over a weekend, which made it even worse. But what it comes down to is this is where the enterprise-level registrars make a big difference. This one was at Network Solutions. So because it's a retail-based registrar, you're only as good as your credit card. And for whatever reason, the renewal failed, and they had to sort that out. And that's not the way business is done with an enterprise-class registrar. We bill, everything is on auto renew. There's no threat that way.
So where do we end up? And we're a little over time, and I appreciate people's patience and hanging around. Anybody can go out and buy a domain name. That's good and that's bad. Certainly, that's where the strategy comes into play and making sure you've got the right names in the right places at the right time.
One domain can lead to another and another. That's true. You can get into the cycle of, all right, we're going to protect ourselves here. Oh, we should do it over here, and we should do it here. That's why you need a plan. And you want to use these plans for defensive and offensive registration. So a lot of people will focus on the offensive. Oh, I need this domain name. I've got to put a website up and everything else. And they kind of lose sight of the fact that you might want a few buffers in there as well, just to make sure that you've got yourself protected. And then, of course, you want to take full advantage of any enforcement activity in a toolbox. Monitoring is key.
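As an added example that is not part of the webinar or any CSC tooling, here is a small zone hygiene audit in the spirit of the subdomain-monitoring and CAA points raised above: it flags CNAME records whose targets no longer resolve (the forgotten records Quinn describes, which an attacker can reclaim without ever touching your systems) and reports whether the apex carries a CAA record naming a preferred CA. The domain names, resolver answers and CA name are all constructed placeholders, and resolve() is a hypothetical stand-in for a real DNS lookup.

```python
"""Zone hygiene audit (constructed example): dangling CNAMEs and CAA coverage."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified
    rtype: str  # record type: A, CNAME, CAA, ...
    value: str  # record data as it would appear in the zone file


# Constructed zone for the placeholder domain example-brand.test.
ZONE = [
    Record("www.example-brand.test.", "A", "203.0.113.10"),
    Record("shop.example-brand.test.", "CNAME", "shops.storefront-saas.test."),
    Record("promo2019.example-brand.test.", "CNAME", "promo2019.old-agency-host.test."),
    Record("blog.example-brand.test.", "CNAME", "tenant-42.blog-saas.test."),
    Record("example-brand.test.", "CAA", '0 issue "preferred-ca.test"'),
]

# Constructed resolver answers. An empty list stands for NXDOMAIN / no answer,
# the signal that the third-party host behind a CNAME has been torn down
# while our record still points at it.
RESOLVER = {
    "shops.storefront-saas.test.": ["198.51.100.7"],
    "promo2019.old-agency-host.test.": [],
    "tenant-42.blog-saas.test.": ["198.51.100.9"],
}


def resolve(name, table=RESOLVER):
    """Hypothetical stand-in for a DNS lookup; swap in a real resolver in practice."""
    return table.get(name, [])


def find_dangling_cnames(zone, table=RESOLVER):
    """CNAMEs whose target no longer resolves: the record is still live in our
    zone, but nothing of ours answers there any more, so the name is a
    takeover candidate and should be removed or repointed."""
    return [r for r in zone if r.rtype == "CNAME" and not resolve(r.value, table)]


def caa_issuers(zone, apex):
    """CA names permitted by 'issue' tags on the apex CAA records.
    An empty list means no CAA restriction; a value of ';' in a real zone
    forbids issuance entirely and is returned as-is."""
    issuers = []
    for r in zone:
        if r.rtype == "CAA" and r.name == apex:
            _flags, tag, value = r.value.split(" ", 2)
            if tag == "issue":
                issuers.append(value.strip('"'))
    return issuers


def audit(zone, apex, table=RESOLVER):
    """Return human-readable findings for the zone."""
    findings = []
    for r in find_dangling_cnames(zone, table):
        findings.append(
            f"DANGLING CNAME {r.name} -> {r.value}: target does not resolve; remove or repoint"
        )
    if not caa_issuers(zone, apex):
        findings.append(f"NO CAA at {apex}: any public CA may issue certificates for this zone")
    return findings


if __name__ == "__main__":
    for line in audit(ZONE, "example-brand.test."):
        print(line)
```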