SIDN Finds Suspected Phishing In Big Brand .NL Domains On The Increase, But Visible Abuse Declining

According to an analysis of the Netherlands’ 50 biggest brand names, the number of .nl domain names suspected of being used or intended for use in phishing has been increasing, but monitoring and intervention appears to be suppressing visible abuse such as phishing.

In their analysis of the Netherlands’ 50 biggest brand names using .nl domains back in 2016, SIDN detected 675 domain names suspected of being used or intended for use in phishing. In 2016 and 2017, SIDN’s analysis revealed a significant number of the detected sites remained visibly active, distributing malware, using logos without authorisation and so on.

201620182020
Normal website60.20%53.58%55.45%
Unused domain name7.20%6.37%9.64%
Parking website16.10%12.97%9.31%
Unresponsive5.50%7.73%6.06%
Adult website4.67%
(Possible) phishing website2.20%4.00%4.35%
‘For sale’ site3.00%3.45%3.52%
Unclassified0.31%2.56%
Advertising network1.40%6.34%2.13%
E-mail onlu2.40%2.97%1.59%
Redirect to original domain name1.30%2.19%0.73%
Removed0.70%0.06%0.37%
Table 1. Domain names resembling the Netherlands’ top 50 brands. Source: SIDN

Since then, the number of suspect names has gradually risen. When scanned in May 2020, 1,079 dubious domains with names resembling the fifty biggest brands were found, plus 91 that had already been taken down by the relevant hosting firms.

However SIDN notes the study also brought some good news. Monitoring and intervention appears to be suppressing visible abuse such as phishing with cybercriminals apparently shifting their focus to less conspicuous malpractices, such as spamming.

In 2020 the suspect domain names, SIDN note, appeared to be used for activities that could go ‘under the radar’ such as sending spam. In many cases, the associated web servers redirected to external IP addresses linked to the mimicked brand’s own website. SIDN explains this is a common tactic adopted by scammers, so that email recipients who check the sending domain get the impression that the sender is legitimate. The only visible difference between the scam domain name and the brand’s official domain name is that the fraudulent one isn’t registered to the brand owner.

ProfileDescription
Normal websiteDomain name is linked to an ordinary website belonging to the brand owner or another legitimate party.
Unused domain nameNo information about the domain name is available from the DNS; no IP address and no mail server. The domain name has been registered, but nothing more.
Parking websiteRegistrant is not currently making active use of the domain name, which is linked to the hosting firm’s standard parking page.
UnresponsiveUnresponsive A web server IP address is linked to the domain name, but the server does not respond.
Adult websiteAdult Domain name is used for content unsuitable for minors.
(Possible) phishing siteDomain name is possibly linked to a website that is used for phishing.
‘For sale’ siteDomain name is for sale.
UnclassifiedProfiler cannot classify the domain name.
Advertising networkDomain name is linked to a website made up of advertising links.
E-mail onlyDomain name is not linked to a website, but does have a mail server.
Redirect to original domain nameUsers are redirected to the original domain name.
RemovedWebsite linked to the domain name has been taken down by the hoster.
Table 2. Description of categories in which websites are classified by the profiler. Source: SIDN

There are also situations which point to poor domain name management. One example SIDN gave was of a bank. SIDN’s analysis found a domain name incorporating the name of this bank, which isn’t named. SIDN explains the domain “was used for a website whose landing page featured the bank’s logo. However, the domain wasn’t registered to the bank and the landing page was very amateurish and insecure. Understandably, alarm bells started ringing. However, an internal investigation by the bank revealed that the site had been created by an intern, who had registered the domain name personally. In fact, it turned out that the bank was using lots of domains that weren’t registered in its name, because staff didn’t know what the correct registration procedure was.”

One of the reasons SIDN gives for the decline in visible abuse is that companies are defending their brands more actively. In 2016, organisations in the Netherlands were using their Domain Name Surveillance Service to protect 47 brands; today the figure is 264. Increasingly, therefore, cybercriminals are turning to other domain name extensions, using domain names that resemble trade journals, or snapping up irrelevant domain names with established traffic flows to use for their fake webshops. However, targeted countermeasures are making those tactics less attractive as well: tools such as the DBS are nowadays able to pick up malicious registrations outside .nl. We’re also co-investing in systems that can detect fake webshops.

Figure 1. Many leading Dutch brands now use our Domain Name Surveillance Service to protect their reputations on line. This graph shows how the number of protected brand names has increased over time. Source: SIDN

Leave a Reply

Your email address will not be published. Required fields are marked *