The State of Domain Abuse in Australia
As digital threats continue to evolve, domain abuse has become a growing concern for organisations worldwide—and Australia is no exception. Join us as we explore the global state of domain abuse and take a deep dive into the specific landscape faced by Australian entities.
You'll gain insights into:
Global macro-level domain abuse trends
How Australia's threat landscape compares
Steps your organisation can take to mitigate domain-based attacks
Webinar transcript
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "The State of Domain Abuse in Australia." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today are Justin Hartland and Peter Scott. Justin is CSC's Global Director of Marketing for the Digital Brand Services Division based out of London. Justin has spent more than 25 years in the domain name and brand protection industry and brings his wealth of knowledge to CSC clients. Peter is a global brand advisor for CSC's Digital Brand Services based in Australia. Through insights, data, and analysis, he helps to advise on how to best protect and secure brands online. He supports clients globally with domain name management analysis, security insights, and dot brand trends.
And with that, let's welcome Justin and Peter.
Justin: Thank you, Christy. Okay, so I am going to start today.
Peter: Thanks, Christy.
Justin: Hey, Peter. So what we're going to do today is I'm actually going to go through some global statistics, and then Peter is going to look in particular at how it compares to Australia. And every year CSC runs a report called our Domain Security Report, where we look at Forbes Global 2000 list. And in that list, we look at various domain security aspects, and we compare it against countries, against regions, against various types of different analysis.
So what we start with is we look at companies that have an enterprise-class registrar, which is like CSC, and a retail registrar or a consumer-grade registrar. And what we found with our research is that companies that use an enterprise registrar are more likely to have these different domain security protocols put in place. So as you can see on this chart, registry lock, which is a way of locking down your domain name so that people can't hijack the DNS, significantly higher if a company is using an enterprise-class registrar compared to a consumer-grade.
Again, in all categories, it's significantly higher, DMARC, DNSSEC, CAA records, and DNS redundancy. So I'm going to touch on this later on anyway, but usually companies that are using a company, such as CSC, will have more of these protocols put in place to protect their brands.
We've been running this report for around about five years now. And if you look at this chart, you'll see probably the one area that companies have really adopted in that five-year period is DMARC. So it's almost doubled in that period. So it's gone from almost 39% up to just over 70% in the 5-year period. Doesn't surprise me. If you look at all of the email fraud going on, companies are taking this really seriously. They're adopting it. They're implementing this across their entire portfolio. Whereas all of the other sort of areas, such as registry lock, CAA records, DNSSEC, there's been a slight increase over the years, but nothing significant that we've seen with DMARC.
DNS redundancy is the one area that has gone down. I don't know if we might see a reversal of this in the future, and I'll touch on that in a little bit on one of the later slides.
But yeah, if you look at this, generally companies are making small gains on this, but apart from DMARC, everything has stayed fairly static for the last five years.
Then when we look at it based on region, so APAC trails behind other regions, with EMEA showing the largest growth in this domain security adoption. So if you look at examples such as MultiLock, which is registry lock, APAC is significantly down on North America or the Americas and EMEA. Again, same with DMARC. Not so much with DNSSEC, but then CAA records and DNS redundancy are also significantly down.
I think at this point I'm actually just going to give a quick explanation because not everybody might know what all of those five different areas are. So registry lock, I just mentioned. DMARC is a way of authenticating email. DNSSEC, again, it's an authentication through the DNS, which can be put on your DNS records. CAA records is where you can implement this into your DNS. And if you choose to register digital certificates, for example, with CSC, then you would just put us in the record. So if anybody within your organization tried to register a digital certificate with another provider, then it would not be allowed by that provider because they would see that actually the CAA record says you can only use CSC.
And then DNS redundancy, what we're talking about here is secondary DNS, so where there's multiple DNS server sets. And again, this is an area where there has been change because quite a few companies have also started moving to cloud providers, where it's a dynamic, changing environment, but there are pros and cons to that. And what we believe is the future is looking at making sure that you've got redundancy because there's a lot of regulation coming in across the globe, which is going to require that, and it's whether those cloud providers and other providers can keep up with that.
And then the final piece, just looking at this Forbes 2000, is we give a domain security score to each of the companies, and what we found was 68% of the Global 2000 have less than half of the recommended security measures in place. So there's still an awful lot of work to be done there. And actually, 5% had a domain security score of zero. So even though these are the biggest companies in the world, there is still a lot of work to be done on domain security and ensuring the companies are bringing in all of these various things to add these layers of security to protect their domains. And at the end of the day, it's about protecting your customers.
So hopefully, that's given you an idea of what's happening on a global scale. I'm actually going to now pass over to Peter, who's going to start talking through some specific statistics and background on what's happening in the Australian market. Over to you, Peter.
Peter: Thanks, Justin. Hi, everyone. Hope you're all doing well. So yeah, as Justin said, I'm going to take a bit of a look into some updates and trends in Australia around domain abuse.
So we'll start with what's sort of happening across Australia. So we're seeing an enhanced threat visibility take shape across Australia now. And this is really seeing the advancing of the regulatory framework. So we've seen the introduction of the Cyber Security Act last year. We've seen the introduction of the Scams Prevention Framework Bill as well. So the Cyber Security Act, they're looking to improve ransomware reporting, especially around critical infrastructure. And the Scams Prevention Bill is sort of aiming to target improved reporting again, but also obligations around what happens when there are scams.
Obviously, globally, we're seeing the increase in the use of AI, and we're also seeing it within Australia too. So auDA has reported 56% of consumers in Australia are using AI, and 64% of small businesses are also using it. So more use of AI than not, essentially.
And I've seen an increase in multifactor authentication. So that's up around nearly 20% over 2025. So that's really important to see. Also, .au is still one of the most secure domains out there, seen some of the lowest levels of DNS abuse globally, and also has some of the most robust licensing rules around who can register.
Users are also reporting that they're more aware of scams, a little bit more confident as to how to act when they see them. And also, having said that, you're looking at still nearly 250,000 scams reported in 2024. So this is data from Scamwatch. And yeah, so these particular numbers are user-reported numbers. So I'm pretty sure these would be a lot higher in terms of what they are.
So taking a look at some further trends and sort of drilling down into some of that Scamwatch data, looking at around $318 million lost to scams, and these are slight increase coming into 2025. These are coming from the sort of investment scams, also the romance scams that we've seen, and they're sort of the high-dollar value ones. In terms of where we're seeing the most impact, though, it's around phishing. So phishing stands at around 40% of reported scams are related to or have some sort of phishing had taken place. In terms of contact methods, you're looking at email and text, they're sort of the most common types of contact we're seeing. And then you're going to see domains within links and URLs, and these are going to be the transport method where you're going to see malware and ransomware sent through. So overall, some data from Aon, who have cyber incident frequencies up around 29% year over year and 134% over 5 years. So trends in scams and cyber instances are definitely increasing.
Some other trends around scams is the increase in use of AI for scams, and this is pretty big. They're making these scams more sophisticated. You're looking at scraping social media to make them more personal, more convincing sort of fake messages with the near-perfect grammar, and the ability to be able to impersonate some voices. You're seeing deepfake audio and video being used. And AI is also helping to automate the scale. So it's really hard to keep up with.
At the core of many of these scams is the use of, again, domains. You find these within links and URLs. You can have lookalike domains, hyphens, keywords, even used within subdomains and subdirectories. So it's pretty tricky for brand owners and just for users to be able to see to determine the difference between real ones and these fake URLs. AI is essentially expanding that attack surface. It's a real driving force. We're seeing a 53% increase in social engineering incidents year over year, and social engineering and fraud claims have also increased about 233%.
So jump to the next slide. I'm going to take a quick look here at recent cyberattacks. Especially across Australia, we've all heard of the Medibank and Optus and the Qantas attacks. We've also seen attacks, though, on government and universities globally. We've seen cyberattacks across some big brands, like Facebook, Toyota, Marriott. We've also seen U.S. and UK infrastructure and government services impacted as well.
So what's common with these cyberattacks is they're using ransomware and spyware. Ransomware seems to be sort of the main one there, and it's closely linked to phishing. So phishing is generally, as we sort of mentioned before, that transport method. We're seeing it used pre-cyberattack, and it's really taking place also post-cyberattack. So I'll drill into it a bit further.
So looking at things like brand launches, so this is a big one. So owners regularly updating brands, introducing new ones or renaming them. And we saw with myGov last year, the ATO cautioned a lot of Australians to be aware after that brand change, and they had a ton of influx of scams reported. And this was from the change from myGovID over to myID. So pretty close-looking brand name. So they saw a bunch of scams coming through off the back of that.
And you've got the take action and the password resets. So we see the password reset scams come through a lot. But post-cyberattack, when users are caught off guard, we've seen that sort of increase in use of phishing, and this is around update your password quickly, take action to secure your account, that sort of thing. So that's catching users off guard.
We're seeing rewards programs affected. We're seeing fraudsters attempting to deceive customers through redeeming rewards points and clicking on payment details from branded domains.
We've also seen prompts to call. Common in the banking sector. Many banks are reporting this currently with prompts to call via email, and you've also got the suspicious links within those emails.
We're seeing gift card abuse as well. We saw one with Woolies with a fake branded domain and also phone requests to pay for fines via gift cards.
And natural disasters, we had the Victorian bushfires. We saw a number of fake donation pages set up. So these are on branded-looking domains. And we also saw something similar around Cyclone Alfred this year.
So as a result of these trends, we're seeing brand owners start to set up dedicated warning sites. So they've got education information warning about current scams and also just trying to educate users about what to look for. You see these branded-looking domains. So it's just making users second-guess when they do see them. And you see a lot of these come through in their monthly updates.
So let's take a look at the extension abuse landscape. So I've got a couple of tables here. So I've got the top-ranking domain extensions here firstly. So I've filtered these to the APAC region so we can see which ones are the most popular. So obviously com.au and com are at the top there. And this data is based on registration popularity and some popularity from tranco.com.
In terms of the risk, we see it in terms of the high extensions. So this data comes from Spamhaus. This basically shows a list of the malicious uses across these gTLDs and ccTLDs. And this is based on phishing, malware, and spam. And it's just the total observed uses over time as opposed to a particular period. So no sort of surprise we see .com sitting at the top there and a bunch of new gTLDs within the gTLD space. And in the ccTLD space, we've got .cn at the top and .jp. And we also see .au, just surprised there, in that sort of top 14.
So what I did is actually cross-checked these two datasets. So you can see in those top popular APAC domains, you can see a lot of those actually also listing across within the high-risk extensions. So really important to look out for these types of things within your portfolio. And these extensions are definitely ones to look out for across Australia.
Some other trends to look out for, the rise of the Web 3.0. So this is the movement from around blockchains and token-based economies. So that's a shift from large corporations to individual users. And part of this rise, we've seen the .crypto and the .blockchain domains. They're used for complex cryptocurrency addresses just to replace those. But along with that we're seeing this sort of abuse of traditional domains also. So you see .coms and .orgs. We're seeing this as a sort of mix of the branded domain with the keyword domain. And a couple of UDRP cases I found here. So just to confirm, so UDRP, this is the sort of legal way to acquire these domains back. And I saw instagramnft.org get back. We saw tesla-bitcoin.com and legometaverse.top. So these types of domains are being targeted and used for phishing scams as well. So again, it's important to consider these across your brand variations within your portfolio.
Another update, this one is from Google. So this one's around they had a policy update back in 2024. They did some updates to it again in '25. It's around expired domain abuse. So they did an update, including this section, aimed to sort of give Google the ability to filter out specific domains from search results, and sort of this is based on repurposed spammy domains. And so what they found is expired domains that basically lapsed, they've essentially got these ones with high backlink counts. These ones have been utilized by spammers and then used within search results. So they're going to try and start to try and filter these out. So really important here, I think, for brand owners to be just wary when lapsing domains, especially those with higher backlinks, that these aren't re-registered and used for spam abuse or even phishing, especially if domains, they're recognizable by users already.
So I'm going to pass . . . Yeah, Justin.
Justin: Sorry. I was just going to add on to that. So one of the things, we obviously look at the domain names we manage and the domain names we lapse. And over the last few years, it's been fairly consistent. It's roughly about 11% to 13% of the names we lapse for our customers, they ask us to and we lapse, they get re-registered by third parties. So not only is this that companies are watching you and watching your domain lists, and they are picking those names up when they see them. And it might be that you think, "Well, that's a redundant brand or something," but actually they can reuse it for the various reasons Peter went through. So yeah, I think lapsing names is something that you really need to look at very carefully and not just try and do a job in a spreadsheet. You need to think carefully about the domains you do lapse.
Peter: Yep, totally agree, Justin. No worries. So I'm just going to jump onto some more data here, and we'll just go through a bit more security data.
So how does Australia compare? So I'll just start sort of at the top here. We've got nearly 4.2 million domains over the .au space. And this is compared to UK around 24 million. But on the other hand, you've got 7 million from .fr. So just as a comparison, but yeah, we saw a sharp increase over the last couple of years with that release of .au. So that's really driven up registrations.
In terms of dispute cases globally, we've got Australia sits at around seventh in terms of those. .com.au, specifically, 11th globally in terms of dispute cases as well. And on the security side, DNSSEC adoption is around 6%. So slightly below the global average of the brands that we surveyed for this. And we see about half of the Australian top brands that use an enterprise registrar compared to 56% in the U.S. and 75% in the UK. So slightly behind there in terms of Australia.
Let's drill down into this security a little bit further. So this just looks across the regions and the security comparison. This is the top Global 2000 brands. And so we see registry lock there in terms of Australia compared to the U.S. and the UK. So slightly up on the other regions. DNSSEC is slightly behind the other regions. Hosting redundancy sits slightly behind the UK and U.S. also. And a low percentage of Aussie brands using their own DNS when compared to the UK and the U.S. And the U.S. is more inclined to use their own DNS.
In terms of critical industries, a lot more in those top brands throughout Australia. So it was important those critical industries are utilities, banks, telecommunications. It could explain that higher uptick in terms of the registry lock, and we may see that increase even more with those government changes that are coming through, that I mentioned earlier around the Cyber Security Act and Scams Prevention Bill. So we may see more of an emphasis there on securing and locking down some of the core domains.
Justin: Peter, sorry. I just want to jump in again.
Peter: Yeah.
Justin: People may not be aware of this because it's a European Union directive, but there was something released last year called the NIS2 Directive, and it started in October last year. The best way of looking at it is it's GDPR for security. And they've released this across the European Union, and each country will be adopting it into law. And not everybody has just yet.
But one of the things that we think, and that's why I kind of alluded to it earlier when I was saying second DNS redundancy was going down and whether it might pop back up is things like DNS redundancy are areas that they are asking companies in those critical industries to make sure that they have that backup as well as a number of these other security protocols. And if I look at those numbers, sort of 60%, 70%, it's roughly the same across other European nations or in their top companies. So Australia is actually quite high. But they are bringing this in to ensure that critical infrastructure is not abused through the DNS.
So sorry, I just wanted to add that extra point about what's going on in the EU. But it sounds like Australia is also moving in the same direction as well.
Peter: Yeah, it's a good point, Justin. Yeah, it looks like governments are jumping in to push along that security front. So yeah, definitely going to see more regions take on this type of action.
All right. We'll jump to the next slide just to touch on domain launches. So Australia is pretty good in terms of covering the .au space when the launch of .au came out. So 83% coverage there from top Aussie brands when you compare that to sort of an existing extension. Justin, I don't know if you had any comments there around the UK in terms of launches also.
Justin: So yeah, we ran some sort of similar stats across Europe, and we looked at .uk in particular, and yeah, it was very high in comparison to .au for Australian companies.
Peter: Yeah.
Justin: Where we're seeing similarities between the two markets is so if you look here on .ai, now .ai wasn't really a brand launch. It kind of almost relaunched once ChatGPT launched. And the very low brand ownership is across all regions. So the cybersquatters either got in very early and thought, "Hey, this brand name .ai sounds cool, and this AI thing might become a big thing," or as soon as the whole ChatGPT sort of AI explosion happened, which is what mostly happened, people got in there quickly. And I know you'll sort of touch on this later, but when domains are easy to register and where we see volume, that's where you've got your biggest risk. And so this comparison against those two, it's very similar to other regions that we've analyzed.
Peter: Okay. Thanks, Justin. So yeah, that's a good one to note in terms of across those regions around domain launches.
So let's jump to the next slide. So we're just going to sort of wrap this up a little bit. Just in terms of some important learnings, again, we saw with the .au launch, when domain extensions open up, we see big jumps in registrations. As a result, this can increase third-party registrations, and this leads to some of these various forms of abuse that we have seen and talked about. So it's really important to be ready from the get-go, act positively, secure your brands across these target regions, and have a clear enforcement strategy in place when things do go wrong. Take into account prior learnings of what's happened with other domain extensions so you can reduce that risk of infringement happening again.
And for CSC customers and for other prospects as well, the Brand Advisory is here to help and help you understand the domain extension landscape, where you should register, what you should block. We've got reporting that covers all of this in terms of ccTLDs to new gTLDs and across a lot of those typos and lookalike extensions that we saw within those scam alerts as well as brand launches.
So just finally, I'm just going to quickly touch on some new gTLDs because we've got the ICANN update on the Round 2 of new gTLDs. I thought this was important. When I looked at those malicious extensions earlier, about 60% of that group that I looked at were new gTLDs. So these new gTLDs are a big target for phishing and spam abuse. So you had your .xyz, .top, and .shop. So it's going to be a bit of a focus there.
So this next round is coming through. It's just around the corner. You're looking at it's been about 12 years since that first round on the new gTLD program. So we saw around 1,200 applications, about 400 dot brands or so. Part of those dot brands, we had some big Aussie brands pick up dot brands too. So we saw AFL and Monash in there among others. And we've got .google. That's really sort of leading the way around dot brand in terms of its usage as well.
So this new round, we're going to see longer length extensions come in with scripts and aim to sort of provide a broader access for the global audience. So keep an eye out for more information from CSC. And also, there's a new ICANN website. So I'll pass back to Justin.
Justin: Cool. Thanks, Peter. So I'm going to just finish us off with some areas to consider about mitigating some of these domain-based attacks. And before I get into that, what I wanted to do is just actually share some research that we recently published, which is in one of the downloads, if you download it, our CISO report.
So we surveyed 300 CISOs across the globe, and we were asking about trends in the area. And what we found was 98% expect cyber risk to rise over the next three years. So this area is not an area that's going away. CISOs are fully expectant that this is going to continue with more cyberattacks.
Both the first and second-place security threats in 2024 were domain-based threats. So Peter and I have been showing you some of the ways that you can mitigate them, but we've also shown you how they're utilizing it as well. So it's really important that you take your domain portfolio very seriously and everything around it.
And then lastly, 22% of them said they had the right tools in place to deal with domain-based threats. So a relatively low percentage on that front.
So just to sort of, I guess, almost go, "Okay, well, what are these threats?" So when we think about domain threats, we like to sort of say companies are really good at their internal threat data because they hide it behind the firewall. The problem with domains is they sit outside the firewall, and therefore there are a lot of threat vectors associated with that.
And this is just some examples that we've got here. So we've touched on things like typosquatting, hijacked domains, dormant domains, which can lead to phishing. It can lead to DDoS. It can lead to DNS hijacking, ransomware, etc., etc. There is a multitude of risks in this space.
And on top of that, again, we've got statistics here which show that 90% of successful cyberattacks start with a phishing email. So again, everything leads back to the domain. And so all of those security areas that you can put around that domain, the better.
So one of the first steps that you can help mitigate risk, and I'll just remind you of what I mentioned at the beginning, which is if you are using an enterprise-class registrar, who is going to be a registrar that specializes in working with large corporations or brand holders and ensures that their support staff are trained well, that they have robust systems in place, they have good data governance, that they are looking at cyber security, you are by default probably going to get a lot more recommendations on what to do to protect your portfolio.
If you're using consumer grade, this is not to denigrate these providers, but they are mass market. They are selling to small businesses, entrepreneurs. They're looking to sell web hosting and email and all these other various services. But security is not at the forefront of what they're trying to do. So they don't protect. But there are companies out there who use consumer grade, and they're really using a provider that is not built for their needs because their domains can be hijacked, their domains can be socially engineered, etc., etc.
So I'm just going further into this, why use. As I mentioned, an enterprise-class provider is going to be ICANN-accredited. CSC is accredited with hundreds of registries across the world, be it auDA, be it Nominet in the UK, Afnic in France. So we work directly with those companies, and we stay up to date with what's going on in those markets.
So I mentioned NIS2. Every single registry is changing their rules across Europe. We are talking to all of those registries about those changes and how that might affect CSC.
Another great example of process is CSC will not take an order over the phone, and there might be other companies like this. You need to email by an authorized user to actually place an order with CSC. We ensure that we adhere to GDPR rules, etc.
And then when it comes to our technology and other companies, you need to make sure that they're ISO accredited, SOC 2 compliant, ensure that they're doing penetration testing, etc.
And then the final thing is about know your customer. We do a lot of work at CSC on know your customer. Making sure that you've got the global support in-house in local languages, and that their staff are getting trained often. So all of us at CSC, we all have training every year on cyber security.
And just finally, weakest link, that you're only as strong as the weakest vendor. It's just reiterating the points that I've just made. If you're using a low-cost, bulk provider, there are chances there's going to be chinks in their armor. If you're using a provider that this is what they live and breathe, then you're going to have less issues in the future.
This is my final slide, and it's really just to sort of wrap things up on the domain management side. There are four areas to really look after your domains. So one is you can register a domain. If you register a domain, no one else has it. So it's yours. That means it's protected.
The second is you can now block domains. A great example of blocking domains is an adult block, where you can block domains such as .xxx from anybody else getting them. And so those services are really complementary to registering.
And then you need to secure your domains. So it's all very well having them registered, but one is if they get compromised. So that's all of those things that we've talked about throughout this session about DMARC, about DNSSEC, about registry lock. Those are the things you need to put the layers around your domains to make sure that they are properly secured.
And then the final, and this is for me, really important, we can't register every domain name in the world. So nobody has an unlimited budget. Therefore, having a monitoring program, I think, is super important for major brands. So I would always recommend having that to complement these other services that you would need to have a good portfolio in good shape.
So those are just some things to maybe take away, think through, and analyze whether you're doing all of the various things in the right way at the moment. So I think that's me done. So I am going to pass back to Christy.
Christy: Excellent, Justin. Thank you so much, and thank you, Peter, as well.