
According to an analysis of the Netherlands’ 50 biggest brand names, the number of .nl domain names suspected of being used or intended for use in phishing has been increasing, but monitoring and intervention appears to be suppressing visible abuse such as phishing.
In their analysis of the Netherlands’ 50 biggest brand names using .nl domains back in 2016, SIDN detected 675 domain names suspected of being used or intended for use in phishing. In 2016 and 2017, SIDN’s analysis revealed a significant number of the detected sites remained visibly active, distributing malware, using logos without authorisation and so on.
2016 | 2018 | 2020 | |
Normal website | 60.20% | 53.58% | 55.45% |
Unused domain name | 7.20% | 6.37% | 9.64% |
Parking website | 16.10% | 12.97% | 9.31% |
Unresponsive | 5.50% | 7.73% | 6.06% |
Adult website | — | — | 4.67% |
(Possible) phishing website | 2.20% | 4.00% | 4.35% |
‘For sale’ site | 3.00% | 3.45% | 3.52% |
Unclassified | — | 0.31% | 2.56% |
Advertising network | 1.40% | 6.34% | 2.13% |
E-mail onlu | 2.40% | 2.97% | 1.59% |
Redirect to original domain name | 1.30% | 2.19% | 0.73% |
Removed | 0.70% | 0.06% | 0.37% |
Since then, the number of suspect names has gradually risen. When scanned in May 2020, 1,079 dubious domains with names resembling the fifty biggest brands were found, plus 91 that had already been taken down by the relevant hosting firms.
However SIDN notes the study also brought some good news. Monitoring and intervention appears to be suppressing visible abuse such as phishing with cybercriminals apparently shifting their focus to less conspicuous malpractices, such as spamming.
In 2020 the suspect domain names, SIDN note, appeared to be used for activities that could go ‘under the radar’ such as sending spam. In many cases, the associated web servers redirected to external IP addresses linked to the mimicked brand’s own website. SIDN explains this is a common tactic adopted by scammers, so that email recipients who check the sending domain get the impression that the sender is legitimate. The only visible difference between the scam domain name and the brand’s official domain name is that the fraudulent one isn’t registered to the brand owner.
Profile | Description |
Normal website | Domain name is linked to an ordinary website belonging to the brand owner or another legitimate party. |
Unused domain name | No information about the domain name is available from the DNS; no IP address and no mail server. The domain name has been registered, but nothing more. |
Parking website | Registrant is not currently making active use of the domain name, which is linked to the hosting firm’s standard parking page. |
Unresponsive | Unresponsive A web server IP address is linked to the domain name, but the server does not respond. |
Adult website | Adult Domain name is used for content unsuitable for minors. |
(Possible) phishing site | Domain name is possibly linked to a website that is used for phishing. |
‘For sale’ site | Domain name is for sale. |
Unclassified | Profiler cannot classify the domain name. |
Advertising network | Domain name is linked to a website made up of advertising links. |
E-mail only | Domain name is not linked to a website, but does have a mail server. |
Redirect to original domain name | Users are redirected to the original domain name. |
Removed | Website linked to the domain name has been taken down by the hoster. |
There are also situations which point to poor domain name management. One example SIDN gave was of a bank. SIDN’s analysis found a domain name incorporating the name of this bank, which isn’t named. SIDN explains the domain “was used for a website whose landing page featured the bank’s logo. However, the domain wasn’t registered to the bank and the landing page was very amateurish and insecure. Understandably, alarm bells started ringing. However, an internal investigation by the bank revealed that the site had been created by an intern, who had registered the domain name personally. In fact, it turned out that the bank was using lots of domains that weren’t registered in its name, because staff didn’t know what the correct registration procedure was.”
One of the reasons SIDN gives for the decline in visible abuse is that companies are defending their brands more actively. In 2016, organisations in the Netherlands were using their Domain Name Surveillance Service to protect 47 brands; today the figure is 264. Increasingly, therefore, cybercriminals are turning to other domain name extensions, using domain names that resemble trade journals, or snapping up irrelevant domain names with established traffic flows to use for their fake webshops. However, targeted countermeasures are making those tactics less attractive as well: tools such as the DBS are nowadays able to pick up malicious registrations outside .nl. We’re also co-investing in systems that can detect fake webshops.
