Web domain fraud is a growing risk for businesses, employees, and their customers. Every year, threat actors register millions of domains to impersonate brands (and major global events) and defraud those who trust them. Domain fraud is fairly simple to execute, since registering a domain requires little more than an internet connection. Privacy features offered by registrars and regulations like GDPR allow criminals to remain anonymous. Researchers have also documented frequent sales of fraudulent domain services on the dark web. These services make it simple for criminals with no web design skills to quickly replicate a brand’s website on their domains, buy security certificates, and even fake company documentation. Some vendors even sell “aged” domains, which have been active for a long time and carry more credibility than newly created domains.
Like many of today’s major cybersecurity threats, domain fraud targets people rather than technology. Domain fraudsters use social engineering tactics to trick users into believing their domains are legitimate and trustworthy. And they’re effective: the news is rife with stories of fake domains successfully duping audiences.
Recent research by Proofpoint, detailed in the 2019 Domain Fraud Report, uncovers the latest trends shaping the domain landscape and the tactics and activity of threat actors. Below are some of the key findings surrounding domain fraud threats.
There's No Single Smoking Gun
Fraudulent domains “hide in plain sight” by using many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains. For example, 52% of all new domain registrations in 2018 used the .com TLD. The TLD was similarly popular with fraudsters: nearly 40% of new fraudulent domain registrations used .com.
Because fraudulent domains camouflage themselves, there is no single factor that definitively indicates whether a domain is fraudulent or not. And a previously innocuous (or inactive) domain can quickly turn fraudulent if ownership changes hands. Assessing security risk requires a comprehensive and continuous analysis of domain characteristics and website content.
Most Large Businesses Are Affected
Our research showed that domain fraud is a widespread threat to businesses. Proofpoint Digital Risk Protection customers across a wide variety of industries all faced threats from fraudulent domains. For example:
- 76% found “lookalike” domains posing as their brand
- 96% found exact matches of their brand-owned domain with a different TLD (e.g., “.net” vs. “.com”)
- 85% of retail brands found domains selling counterfeit goods
Domain Fraud Is a Launchpad for Highly Targeted Email Attacks
Proofpoint researchers also observed email activity for fraudulent domains. For 94% of Proofpoint Digital Risk Protection customers, at least one of their fraudulent domain detections was seen sending email. Proofpoint generally observed low volumes of email from these accounts, pointing to highly targeted and socially engineered attacks, such as business email compromise (BEC).
Market Factors Create Opportunity for Threat Actors
Finally, researchers observed that market factors such as pricing and availability appear to influence the behavior of domain fraudsters. For example, when the .app TLD launched in May of 2018, fraudulent domain registrations with the new TLD spiked, as fraudsters rushed to register domains resembling brand names using the new TLD.
Another new tech-related TLD, .dev, entered the market on February 28 of this year. Within two weeks of its launch, 30% of Proofpoint Digital Risk Protection customers found potentially fraudulent domains using the new TLD with their brand name.
To see the detailed breakdown of domain trends and fraudulent domain activity, download the full report here.
As threat actors adopt new tactics and the domain landscape continues to evolve, identifying the fraudulent domains threatening your business is an increasingly complex endeavor. To learn how Proofpoint can help you detect and respond to domain fraud, visit our Digital Risk Protection site.