According to CISA, most cyberattacks, including ransomware and BEC, start with phishing. The losses companies are experiencing due to ransomware are exceeding billions annually. In response, organizations are implementing more sophisticated threat monitoring, detection and mitigation solutions. However, they are routinely failing to implement even basic domain safety measures, leading to crippling vulnerabilities for the largest corporate brands in the world.
If effectively put in place, domain security initiatives proactively target phishing at the source. They include proactive measures to secure legitimate domains and to monitor and then eliminate malicious domains owned by third parties. Domain security can serve as the proactive front line of defense, and yet the measures are vastly underutilized if not overlooked entirely. It’s as if we spent thousands of dollars on installing cameras and locks throughout our homes but ignored a broken lock on our front doors.
Vulnerabilities Across the Enterprise
Because of the highly interconnected nature of domains and DNS, adversaries are now keenly focused on that front door as an access point to not only the victim organization but its supply chain of critical industries and software platforms – a single compromise that can pay off with proliferating, lucrative returns.
- Only 19% use domain registry locks, which enable end-to-end domain name transaction security to avoid unauthorized DNS modifications or domain hijacking
- A mere 5% deploy domain name system security extensions (DNSSECs), which authenticate communications between DNS servers, defending organizations from DNS cache poisoning.
- Just 5% of companies take advantage of certificate authority authorization (CAA) records, which allow security teams to designate a specific certificate authority (CA) to serve as the sole issuer of certificates for their organization’s domains.
- Only one-half use domain-based message authentication, reporting and conformance (DMARC) records, which protects an email domain from spoofing and phishing.
Why are so many organizations leaving themselves exposed this way? Because an astonishing 57% are using consumer-grade registrars instead of enterprise-class ones, which emphasize domain security through advanced services such as domain registry locks, DNSSEC, CAA records, and DMARC, along with DNS hosting redundancy to provide a backup DNS to boost resiliency. Global 2000 businesses frequently assume that they’re getting adequate protection with their consumer-grade registrars and adopt a “set it and forget it” mindset.
What’s more, the CSC report reveals that third parties own 70% of homoglyph domains, which are confusingly similar “fuzzy” domains that are typically used as part of phishing attempts. Of these registered domains, 60% have emerged within just the last eighteen months, signifying a dangerously accelerating attack method. In addition, 77% of them use domain privacy services – or had WHOIS details redacted – to hide their ownership identity, raising suspicions about their intentions. In fact, 43% of these domains are configured with MX records used to send phishing emails or intercept emails. What’s concerning is that these nefarious third-party domains were registered at consumer-grade registrars—known for leveraging tools such as domain spinning or domain auctioning—which led to trademark infringements, brand abuse, and fraud.
In response, companies will rally around employee awareness training and the acquisition of tools to flag and block suspicious emails. But human error will never go away, and the bad actors will find ways to circumvent the tools. For example, an attacker can sidestep those defenses by gaining control of a domain that the user believes to be correct. Once the attacker redirects the DNS records for an organization’s domain, the compromised domain can be used to collect credentials, distribute ransomware or initiate a fraudulent wire transfer. Therefore, organizations should consider the following proactive, preventative recommendations and controls to secure domain assets and thwart phishing attacks:
- Leverage an enterprise-class domain registrar and DNS security provider to adopt a defense in depth approach for domain management;
- Consider using domain registry locks, CAA records, DNSSEC, DMARC, and DNS hosting redundancy;
- Implement multi-factor authentication for systems used to secure domain names, DNS records, and digital certificates to reduce the risk of compromise;
- Register domains that could be high-value targets related to your brands (i.e. homoglyphs, or country domains) to mitigate the risk of bad actors using them;
- Monitor domain and DNS activity on an ongoing basis to identify potential compromises where domains may be used for phishing and other fraudulent activity; and
- Leverage global enforcement mechanisms using a range of technical and legal approaches to takedown, limit, or block access to those domains.
The protection of domains remains the missing front line of defense against cyberattacks including phishing. While they should be among the first assets to secure, they are too often overlooked entirely – raising the likelihood of major threats to brand data, intellectual property, supply chains, consumer safety, revenue and reputation. In adopting our recommendations and controls, along with our online monitoring and fraud takedown capabilities, your organization will instead fortify itself through a multi-layered, defense-in-depth strategy. With this, companies will keep their “front door” off-limits to cybercriminals.