Tag Archives: Phishing

Use of .BRANDS and Efforts To Thwart Domain Name Abuse Industry Highlights For DOTZON’s Katrin Ohlmer

Criminal activity continues to be an issue and challenge for the domain name industry, and it’s one of the main issues addressed in today’s Q&A with Katrin Ohlmer, CEO and founder of DOTZON GmbH. Ohlmer cites it as both a highlight and a lowlight – a highlight because the industry is attempting to tackle domain name abuse, and a lowlight because phishing, malware, botnets and pharming remain threats to consumers, putting the whole industry in a bad light as seemingly not interested in fixing the issue. Ohlmer also sees the growth in usage of .brand new gTLDs as another highlight, while she says the whole domain industry could improve in terms of customer experience and customer-centric marketing and communications.

Domain Pulse: What were the highlights, lowlights and challenges of 2019 in the domain name industry, both for you and/or the industry in general?

Katrin Ohlmer:

Highlights

A new awareness has been reached within the industry that many registries and registrars are responsible and taking actions against abuse, including the “Framework to Mitigate Abuse”. We started to communicate our efforts better to the community and will continue these efforts in 2020.

We noticed a growing use of domain names of .brands including the likes of .audi, .dvag and .mma – all with well beyond 1,000 registered domain names. We spotted quite a number of .brand domains “in the wild” – in print advertising, on vehicles and social media ads.

Lowlights

The ever-present existence of phishing, malware, botnets and pharming threats to consumers puts the whole industry in a bad light, as seemingly not interested in fixing this issue. The industry has to improve its communication activities within the community and to all stakeholders in 2020.

In 2020, we would like ICANN to focus again on their mission “to ensure the stable and secure operation of the Internet’s unique identifier systems”.

Challenges

GDPR brought new challenges and burdens to our industry. GDPR and its consequences are an asset for our industry in that personal data are no longer published, even though this negatively affects the interests of the trademark industry.

DP: What are you looking forward to in 2020?

KO: I’m really looking forward to welcoming the ICANN community to Hamburg in autumn and showcasing the broad use of .hamburg domain names in the city. With an ICANN meeting taking place there only for the second time ever, it will be a great opportunity for the local and national Internet community to meet the ICANN community.

DP: What challenges and opportunities do you see for the year ahead?

KO: As the next round of new TLDs is still ahead of us, .brands, including some of our customers, have the opportunity to showcase the many usage scenarios which they have already implemented or will implement in 2020.

The whole industry has to increase its communication efforts about DNS abuse to demonstrate that it takes abuse seriously. Further debates are likely about whether registries and registrars will mitigate abuse beyond DNS, such as counterfeiting, but hopefully ICANN will stay within its remit.

Further consolidation will happen between registries, registrars and vertically integrated groups. We might also see further investments from equity investment companies within the industry.

Tech trends like Artificial Intelligence, Bitcoin, Internet of Things will improve our industry – whether process-wise, with new products or communication channels.

The question of how ICANN will consider the public interest in its actions – not only at the Board level, but also within the wider community – will be a challenge. A first step has been made with the proposal drafted by the Board, and further activities will likely happen in 2020.

DP: How have new gTLDs fared in 2019?

KO: We observed that the diversity of TLDs being actively used across the globe is slowly but constantly increasing. Therefore we expect a steady uptake over the next few years and the establishment of the new gTLDs as a valid alternative to the older TLDs.

A number of the new gTLDs are doing very well – they are chosen by users because they have a meaning, like .realestate, .consulting and .rich; some provide local and regional identity to users, like .berlin, .bzh and .nyc; and some represent the brand online, like .audi, .google and .edeka. The more generic TLDs are, the less differentiation and meaning they have, making it harder to develop a long-term value proposition beyond the price.

DP: What progress do you see on a new round of applications for new gTLDs in 2020?

KO: We are currently finalising the last open issues within the Subsequent Procedures PDP Working Group. I expect that the substantive progress of our ongoing work will continue in 2020, leading to a final report being sent to the GNSO Council and later to the ICANN Board for approval.

DP: What one thing would you like to see addressed or changed in the domain name industry?

KO: I tend to repeat myself: I still think the whole domain industry could improve in terms of customer experience and customer-centric marketing and communications, including lower barriers to setting up a website, easing the whole domain registration process, and setting up an email account.

For decades, customers were attracted by prices. This led to many registrations with no or very limited usage. Now it’s time to encourage existing customers to use the product they bought and to improve processes for new customers, making it easier to bring their website with their new domain online.

ICANN Alert on Phishing Scam Email

ICANN is alerting the community to a phishing scam that involves emails sent from “sales@icann.org” sent to ICANN contracted parties.

The sales@icann.org email address, for example, is not a valid ICANN organisation email address. Contracted parties may have recently received emails from “accounting@erp.icann.org”, which is a valid ICANN org email address. If you receive an email from the “sales@icann.org” address, or any other suspicious email address, do not respond. Please forward the email in its entirety to globalsupport@icann.org.

ICANN has a resource on phishing scams at icann.org/resources/pages/phishing-2013-05-03-en.

DomainTools Webinar: DNS Mapping for Better Context on Threats

According to the FBI, U.S. businesses alone suffer nearly $343k in damages every hour from phishing – and this number has been rising year over year for the last five years. Join Ben April, Chief Technology Officer at Farsight, and Corin Imai, Senior Security Advisor at DomainTools, for this 30-minute webinar on a real-world DNS forensic investigation. Starting with a single IOC (indicator of compromise), they will step through how to pivot through domain infrastructure to build intelligence on associated malicious activity.

March 26, 2019 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • How to take an IOC and pivot on supporting threat intelligence
  • Where pDNS can uncover cybercrime forensics data
  • When to leverage DomainTools and Farsight to build an investigation

To register for this free webinar, go to:
https://www.domaintools.com/resources/videos/webinar-dns-mapping-for-better-context-on-threats

Repurposed ccTLDs Showing Higher Levels of Phishing: APWG

Some of the TLDs with the highest levels of domain names used for phishing are “repurposed” ccTLDs – those where management rights have been granted to third parties who have then commercialised the TLDs, according to the latest Phishing Activity Trends Report, for the third quarter of 2018, from the Anti-Phishing Working Group. Among those with the highest levels are .tk, .ml, .ga, .cf and .gq, which are all operated by a Dutch company that offers domain names in those TLDs for free, while .pw is operated by a company based in India. But there are also ccTLDs with a higher than expected number of phishing domain names that fall outside this description, such as .br, .ru, .in and .au.

The TLD with the most phishing domain names was unsurprisingly .com, which had 922 domain names (out of a total of 137.6 million), followed by .org with 80 out of 10.3 million and then .net with 78 out of 14.1 million. They were followed by .pw with 53 phishing domain names, .info (43 out of 5.0 million) and .br (41 out of 4.0 million). The first new gTLD on the list, .xyz, was seventh with 30, then .ml and .ru (28), .in and .tk (24, .tk out of 21.5 million), .ga and .uk (23, .uk out of 11.9 million), .cf and .gq (22), .au and .top (20 out of 3.2 and 3.9 million respectively), while .business (17 out of 63,000) and .agency and .co (15 each, .agency out of 64,000) rounded out the top 20.

“Sometimes it is easy to discount the total volume of abuse in a TLD if the TLD has a large number of domains in it,” said Jonathan Matkowsky of RiskIQ. “We assigned a weighted score against the total number of domains in each zone, looking at TLDs where there were at least five unique domain names used for phishing, as a way of understanding the size of the zone and the phishing prevalence in it. After discounting the number of unique hosts by the relative size of those zones, .TOP and .XYZ were still the new gTLDs that scored highest.”

There has also been growth in phishing websites using HTTPS web addresses, which are supposedly more secure. APWG notes that at the end of 2016, less than 5% of phishing sites were found on HTTPS infrastructure. In the third quarter of 2018, PhishLabs saw the number of phishing websites using SSL/TLS encryption increase to 49.4%, up from 35.2% in the second quarter.

“This is likely a result of attackers obtaining certificates for use on their own infrastructure, and in general, as more legitimate Web sites obtain SSL certificates, some of those will naturally become compromised by phishers,” John LaCour, the Chief Technology Officer of PhishLabs, noted. “As of July 2018, the Google Chrome browser began to warn users that plain HTTP sites are ‘not secure’, and that will drive more web site owners to use HTTPS. So over time we expect that most phishing sites will use SSL certificates. Certificate authorities that offer free certificates will be increasingly abused by phishers in the future.”

DomainTools Webinar: 2019: No Oscars for the Bad Threat Actors

2018 isn’t over and we have already seen a massive increase in the number and types of cybersecurity threats from ransomware to phishing. So what will 2019 bring and what can be done to prevent the next wave of cyber attacks?

Join subject matter experts from DomainTools in a lively discussion of what’s next for information security. CTO Bruce Roberts, Director of Product Management Tim Helming, Senior Security Advisor Corin Imai and Senior Data Scientist Sean McNee will conduct a round-table discussion on their information security predictions. Highlights include:

  • Let’s Get Critical (The political process is the new critical infrastructure under attack)
  • Breaches and Woes (Change in public perception of breaches)
  • The Automation Invasion (Automation will continue to create more issues than solutions if organizations)
  • Mind the (Skills) Gap

December 11, 2018 at 10 AM PT/1 PM ET

To register for this free DomainTools webinar, go to:
https://www.domaintools.com/resources/videos/webinar-2019-no-oscars-for-the-bad-threat-actors

DomainTools Webinar: The Beginner’s Guide to Mitigating Phishing Attacks

According to the FBI, U.S. businesses alone suffer nearly $343k in damages every hour from phishing – and this number has been going up year over year for the last five years. Phishing, by definition, is a fraudulent attempt to gain access to sensitive data and leverage such data for malicious purposes. Most commonly this is done by disguising malicious links that distribute malware.

In this webinar, Corin Imai, Senior Security Advisor at DomainTools, will take a look at the steps involved in executing a phishing attack and the potential ways to help mitigate the risk.

November 14, 2018 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • Real world examples of attacks leveraging phishing vectors
  • 5 steps of executing a phishing attack – if I can do it, surely anyone can
  • 5 ways to mitigate your risk of a phishing attack

CIRA Canadian Cybersecurity Survey identifies disconnect between awareness and actions

The Canadian Internet Registration Authority (CIRA) has released its 2018 CIRA Cybersecurity Survey, which provides an overview of the Canadian cybersecurity landscape.

For the survey, CIRA, the .ca country code top level domain (ccTLD) registry, surveyed 500 individuals with responsibility over IT security decisions at small and medium-sized businesses across Canada to learn more about how they are coping with the increase in cyber threats. The sample included both business owners and employees who manage information technology.

“A key element of building a better online Canada is ensuring Canadians have safe, secure internet access,” said Byron Holland, president & CEO, CIRA. “Through our experience in managing the .CA domain for Canadians, we hope to help lend our expertise in safeguarding Canada’s internet so that Canadian businesses can thrive online.”

In partnership with CIRA’s technology partner, Akamai Technologies, the full report has been released to coincide with Small Business Week in Canada.

“Training and awareness are critical to ensuring your business is cyber-secure,” said Jacques Latour, chief security officer, CIRA. “No matter how great your IT team is, anyone with a network-connected device can be the weak point that brings your business down.”

The report’s key findings are:

  • 40 per cent of respondents experienced a cyberattack in the last 12 months. One in ten experienced 20 or more attacks.
  • Among larger businesses with 250-499 employees, the number who experienced an attack increases to 66 per cent.
  • 67 per cent of respondents outsource at least part of their cybersecurity footprint to external vendors.
  • While 59 per cent of respondents said they stored personal information from customers, 38 per cent said they were unfamiliar with PIPEDA.
  • One-third of respondents indicated that the most significant impact of a cyberattack is the time and resources required to respond to the incident.
  • 88 per cent of respondents were concerned with the prospect of future cyberattacks, which resulted in 28 per cent suggesting they would add cybersecurity staff in the next year.
  • Although 78 per cent were confident in their level of cyber threat preparedness, 37 per cent didn’t have anti-malware protection installed and a shocking 71 per cent did not have a formal patching policy – exposing these organizations to massive security holes.
  • Only 54 per cent of small businesses provide cybersecurity training for their employees, even though the most common form of malware seen by respondents, phishing attacks (42 per cent), directly exploits employees as a point of weakness.

Read the full report: https://cira.ca/2018-cybersecurity-survey-report

DomainTools Finds Cybercriminals Using Typos to Spoof Top UK Charities

Cybercriminals are using fraudulent domains to lure unsuspecting members of the public towards spoofs of well-known UK charities, for malicious purposes, according to the results of a DomainTools investigation.

Following on from the National Cyber Security Centre’s warning that cybersecurity poses the most serious threat to UK charities, DomainTools selected ten well-known and popular charitable organizations in the UK to analyse, and found that every charity selected was being spoofed online by cybercriminals, who often used typos in order to dupe unsuspecting Internet users. The team analysed domains associated with Cancer Research, The National Trust, NSPCC, Oxfam, The Red Cross, Salvation Army, Wateraid, Save The Children and Unicef. In total, over 170 domains were deemed high-risk for phishing, malware and other forms of cybercrime. Some examples of fraudulent domains with risk scores of 100 – the highest possible score – include:

  • fundraisecancerresearch[.]org
  • nationltrust[.]org
  • nspcv[.]org
  • oxfamsol-mail[.]be
  • redcroas[.]com
  • salvationarmycapitalregion[.]org
  • svaethechildren[.]org
  • sheltern[.]com
  • unicefpro[.]org
  • vistwateraid[.]org

“It remains incredibly easy for anyone to purchase an available domain,” said Tim Helming, director of product management at DomainTools. “This is part of what helps keep the Internet open and democratic, but it also helps cybercriminals exploit users. In this case the spoofing of charity websites has the added benefit of exploiting people’s wish to donate to these charities, making them a particularly lucrative target.”

Explaining how these websites are put in front of Internet users, Helming said: “These domains will often be directed towards people via email or SMS phishing campaigns, which hope to encourage users to click on seemingly legitimate-looking links such as those included above, which in turn begins another cycle of cybercrime. Phishing can be used by criminals simply to gain credit card or banking information, or as a gateway to install malware on a device or network, which leads to even more serious crimes such as data breaches and/or identity fraud.”

DomainTools offers top tips for consumers to avoid falling foul of a spoof website:

  • Watch out for domains that have the pattern com-[text] in them. We’re so accustomed to seeing .com that we can easily overlook the extra text that’s appended to it with a dash.
  • Look for typos on the website, coupon, or link that is directing you – for example, check for extra added letters in the domain, such as Yahooo[.]com.
  • Look out for ‘rn’ disguised as an ‘m’, such as modem.com versus modern.com.
  • Watch all website redirects by hovering over URLs to see where the link will take you.
  • Realise that if something is too good to be true, it likely is.
  • Get into the habit of hovering your mouse over links, and then looking for a pop-up that shows what domain the link points to. Typo domains can often be exposed using this method. Chrome and Firefox both have this feature.

DomainTools: Majority of Consumers Aware of Online Publishing Scams, Yet Still May Fall Victim This Cyber Monday

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today [8 Nov] released the findings of its 2017 Cyber Monday Phishing Survey. The survey results highlighted that two in five U.S. consumers have fallen victim to an online phishing attack, despite the fact that 91 percent are aware of the existence of these spoofed websites or emails of trusted brands. As the holiday shopping season approaches, 92 percent of all consumers shop online and about half are planning to shop online on Cyber Monday, exposing an opportunity for malicious hackers to strike. DomainTools has illustrated its key findings in an infographic.

“Cyber Monday has grown in popularity year over year, and unfortunately, so has phishing and online counterfeiting. A range of techniques are used to trick shoppers into visiting a fake website or clicking on a malicious link. This can result in a shopper unintentionally sharing financial and personal information with these criminals or even downloading ransomware,” said Tim Chen, CEO of DomainTools. “As shoppers search for Cyber Monday deals, it’s important that they remember to look closely at links and email addresses before clicking. If something seems too good to be true, it may instead be very fake and very bad.”

According to the Anti-Phishing Working Group (APWG), nearly 119,000 unique phishing sites were detected during November 2016, with over 300 individual brands targeted that month. The brands most likely to be spoofed this November likely correspond with the most popular online retailers, which according to the survey include Amazon (82%), Walmart (36%), and Target (20%). Using DomainTools PhishEye, threat hunters identified some of the most recent brand abusing domains created by attackers in an attempt to trick unassuming online shoppers, including the following:

[Image: Cyber Monday DomainTools infographic]

Consumer education remains the number one way to prevent compromises via phishing. Online shoppers should heed these tactics to safely navigate links to Cyber Monday sales that are shared via email and social media:

  • Be paranoid. Assume links are dangerous until decided otherwise.
  • Navigate directly to a company’s website instead of clicking on links in emails or social media.
  • Closely examine URLs and email senders for typos. Examples could include:
      • extra added letters in the domain, such as Yahooo[.]com
      • ‘rn’ disguised as an ‘m’, such as modem[.]com versus modern[.]com
      • 1’s disguised as l’s, such as wa1mart[.]com
      • added affixes, such as starbucks[.]com-latte[.]us
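The typo and look-alike patterns in the charity-spoofing tips above and in this Cyber Monday list can be turned into a watchlist check that a defender runs over newly seen domains. The following is an added example written for this page, not DomainTools’ code: the brand watchlist and sample domains are constructed from the patterns quoted, and the public-suffix handling is a deliberate simplification.

```python
"""Lookalike-domain triage for the spoofing patterns listed above.

Added example, not DomainTools' code. Brand watchlist and sample
domains are constructed for illustration; defanged '[.]' input is accepted.
"""
import re

# Confusables the text calls out: 'rn' read as 'm', and '1' read as 'l'.
CONFUSABLES = (("rn", "m"), ("1", "l"))


def canonical(label: str) -> str:
    """Collapse confusables and repeated letters so that a spoof and its
    target compare equal: 'wa1mart' -> 'walmart', 'yahooo' -> 'yaho'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", label)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each costing 1 (catches 'svaethechildren')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def analyze(domain: str, brands) -> list:
    """Return (brand_or_label, reason) findings for one domain.

    Naive public-suffix handling: the last label is treated as the TLD and
    the label before it as the registrable name, which fits the examples here.
    """
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    registrable = len(labels) - 2
    findings = []
    for i, label in enumerate(labels[:-1]):
        if label.startswith("com-"):
            findings.append((label, "com-affix"))          # starbucks.com-latte.us
        for brand in brands:
            if label == brand:
                if i != registrable:                        # brand used as a subdomain
                    findings.append((brand, "brand-in-subdomain"))
                continue
            if canonical(label) == canonical(brand):
                findings.append((brand, "confusable-or-repeated-letter"))
            elif osa_distance(label, brand) == 1:
                findings.append((brand, "typo"))            # nationltrust, nspcv
            elif brand in label:
                findings.append((brand, "brand-embedded"))  # fundraisecancerresearch
    return findings


def triage(domains, brands) -> dict:
    """Run analyze() over observed domains (e.g. from pDNS or a registration
    feed). 'brand-embedded' hits need human review: legitimate affiliates
    and campaign sites also embed brand names."""
    return {d: analyze(d, brands) for d in domains}


# Constructed watchlist and samples, drawn from the patterns quoted above.
SAMPLE_BRANDS = ("yahoo", "walmart", "starbucks", "modem", "cancerresearch",
                 "nationaltrust", "nspcc", "redcross", "savethechildren")
SAMPLE_DOMAINS = ["yahooo[.]com", "modern[.]com", "wa1mart[.]com",
                  "starbucks[.]com-latte[.]us", "nationltrust[.]org", "nspcv[.]org",
                  "redcroas[.]com", "svaethechildren[.]org",
                  "fundraisecancerresearch[.]org", "www.walmart.com"]

if __name__ == "__main__":
    for dom, hits in triage(SAMPLE_DOMAINS, SAMPLE_BRANDS).items():
        print(f"{dom:32} {hits or 'clean'}")
```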

The DomainTools Cyber Monday Survey was conducted online between October 5-7, 2017. Survey data is available by request.

For more information on DomainTools PhishEye, please visit www.domaintools.com/products/phisheye.

About DomainTools

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at domaintools.com or follow us on Twitter: @domaintools

This DomainTools news release was sourced from:
http://www.domaintools.com/company/press/majority-of-consumers-aware-of-online-publishing-scams-yet-still-may-fall

SIDN Fighting Abuse in .NL

Abuse is all too common in top level domains. For 2016 the Anti-Phishing Working Group reported that phishing occurred in 454 TLDs, including in 228 new gTLDs. So that abuse occurs in any TLD is not surprising. But how the TLD goes about fighting it, or not, can be of interest.

Recently SIDN, the registry for .nl (Netherlands), published a blog post on abuse in .nl. “Abuse is a growing problem, according to Lilian van Mierlo, [SIDN’s] Registration & Service Manager. ‘There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing.’”

SIDN works in partnership with registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk and others where appropriate to fight abuse.

“In recent years, anti-abuse work has been taking up more and more of my department’s time,” Lilian continues. “It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 (“support for abuse to zero”). And it means we’re able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange.”

The article explains Abuse204.nl as follows:
“Abuse204.nl (abuse to zero for .nl) is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn’t have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim being to get a message through to the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn’t happen, we ask the registrars whether we can help. Where necessary we’ll follow that up with a reminder. Since we started abuse204.nl, we’ve managed to cut the average time-to-live of phishing and malware sites substantially.”

“Fake webshops have been around for years, but recently they’ve been getting more common. Even in the .nl domain, sadly. It’s a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn’t a lot that we can do about fake webshops. But that doesn’t stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don’t we cancel the registration. So the fake webshop can’t make use of the name.”

The post also explains the Abuse Information Exchange that is used to fight botnets, and how it’s vital to act quickly.

As a result, .nl is “one of the most secure internet domains in the world”.

“If we can keep it that way, all the effort’s worthwhile,” van Mierlo says. “But we have to be realistic: it’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers.”

To read the blog post in full on the SIDN website, see:
https://www.sidn.nl/a/internet-security/a-fight-on-three-fronts