Trends in URLs used for phishing scams and countermeasures
With the significant growth in internet usage, phishing has become a regular form of cybercrime. Though most of us are aware of it, phishing is still one of the most effective methods to deceive users and steal critical data. In order to be credible and deceive as many people as possible, these campaigns rely on the digital identity of large companies, putting their brand image at risk. In this article, we present the different types of phishing and the measures you can take to protect your company’s brand image.
- Phishing scams
- Phishing URLs
- How can you prevent attacks and take countermeasures?
Phishing scams
Phishing scams are when individuals who send fake emails pretending to be personal, work, or money-related emails and trick victims into providing their personal information (e.g. bank account information, passwords, etc.) or pretend to send emails from companies. It refers to the act of directing you to a website that deceives you into providing information.
Cybercrime, including phishing scams, is increasing year over year due to the recent popularity of remote work and the rise in internet usage.
If your brand is damaged by a phishing attack, it can take time and money to support customers who receive phishing messages, as well as to communicate, which was otherwise unnecessary. In addition, some people may stop using the service due to the abuse of the brand, and people may start to publicly tell your customers or potential customers that it’s better not to use your services, which can lead to further brand damage.
Phishing URLs
One situation that can lead to brand damage is that “a fake domain name that abuses the brand name is acquired, and the user is directed to a website that uses that domain name to deceive personal information.”
In most cases, the company already owns domain names that use brand names, but the existing domain names that everyone knows are used, and fake domain names are registered and used for phishing scams.
Let’s take a look at what some common domain name abuse situations you might see. Cases like the one below are based on examples of suspicious domain names that we have verified for a company’s domain name or detected by Gandi’s monitoring service.
1. Domain name using subdomain
We previously explained how to use subdomains in an article titled “How to use subdomains.”
The thing to note about subdomains is that you do not need to register the domain name through the registrar for the subdomain part — you can just use the domain name you already own and freely enter whatever character string you like to define a subdomain.
Needless to say that some people exploit subdomains to create URLs for phishing scams.
For example, we often see the following cases.
<Service name> .com.example.com
www. <service name> .com.example.com
<Company name> .example.com
(the domain names themselves are often using domain endings other than .com)
In these examples, even though the actual domain name is “example.com,” an attacker can create a subdomain (or third-level domain) using the name of the brand or the company that they want to abuse in front of example.com and create a website with an address that at first glance seems legitimate. There are many examples where phishers publish sites and use them for phishing scams.
2. Domain names similar to a brand name
In order to impersonate an existing brand that everyone knows, phishers can register a domain name with a character string similar to that brand name.
In some cases, a domain name will be registered for misuse by making one the following changes to the existing brand name to produce a similar domain name:
- Using homoglyphs (certain characters that look the same but are in fact different)
- Using common typos or misspellings (miskey)
- Adding 1-3 characters for typos (miskeyed addition)
- Replacing one character with another (bitflipped)
- Duplicating characters in the domain name
- Missing characters in the domain name
- Changing the order of the characters used in the domain name (projected characters)
- Adding ‘ings’ or plurals (ings and plurals)
(Source: https://adultblock.adult/trademark-variant-search/)
3. Register the same brand name in another top-level domain
In our studies, we have identified multiple cases of cybersquatting related to domain name registrations limited to the .com extension, bypassing the ccTLD, the domain name extension of the country of activity.
For example, a company might register
“<Company name> .com” but not “<Company name> .uk” or “<Company name> .us.”
Or they might register “<Company name> .co.uk” but not “<Company name> .uk.”
If you do business in the UK, be sure to register both the “.co.uk” domain name and the “.uk”.
In a nutshell, we advise you to register your domain name:
- in the ccTLD of the country where you do business,
- in the TLD (.app, .cloud, .car, .bank, etc.) related to your industry.
This will prevent cybersquatting and improve the trust of your website.
4. A completely irrelevant string
Some fraudsters register a domain name with a character string in it that has nothing to do with the brand name. Unlike the above case, this is often unavoidable. The phishers rely on the low IT literacy of the person who receive the phishing message.
In this case, it is more important to alert your company’s users on a regular basis in order to protect your brand through your domain name.
How can you prevent attacks and take countermeasures?
To prevent malicious domain registration like in the examples above, we recommend the following brand protection services:
- Register your trademark with TMCH
- Use the DPML/DPML+ blocking services
- Use AdultBlock/AdultBlock+ blocking services
- Use UniEPS/UniEPS+ blocking services
- Use TREx blocking services
- Use Gandi’s monitoring service
- Use Gandi’s Takedown Service
Register trademark in TMCH
TMCH is a trademark protection program for domain names run by ICANN, allowing trademark owners to access a priority phase of domain name registration. You can find out more about TMCH in this article.
Use blocking services
The blocking service is a service provided by the registry that blocks the registration of third party domain names in a predetermined top-level domain.
There are currently four online brand protection services implemented by registries and included with Gandi Corporate Services: DPML, Uni EPS, TRex, and AdultBlock.
- DPML and DPML+: the Domain Protected Marks List (DPML) is the mechanism offered by the registry Donuts which guarantees a block on the registration of an exact match trademark from among 241 top-level domains (TLDs) offered by the registry.
- AdultBlock and Adultblock+: let you block registrations linked to a trademark as well as other distinctive marks on the four domains related to the adult industry: .xxx, .adult, .porn, and .sex.
- UniEPS and UniEPS+: the protection system implemented by Uniregistry for blocking terms within the twenty-three registry’s top-level domain portfolio.
- TREx: a product specifically developed by TMCH (Trademark Clearinghouse) that can be subscribed to via a TMCH-accredited agent and which covers more than 40 domains.
Use Gandi Corporate Services’ monitoring service
Gandi Corporate Services’ monitoring service makes it possible to detect domain names by a specified character string or a character string similar to that character string registered by a third party, and quickly stop or request deletion of the domain name. With the Takedown Service, Gandi Corporate Services submits a request to suspend or remove a phishing domain or phishing site on your behalf.
Use Gandi Corporate Services Takedown Service
Also, if you find a suspicious site in your daily work, it may be a good idea to check if the suspicious site has already been detected on a site such as the “Google Transparency Report.”
In addition, Gandi Corporate Services allows you to register domain names in more than 750 types of top-level domains, and to quickly register domains in newly released top-level domains. Rather than managing domain names using many types of top-level domains with multiple registrars (such as .zuerich and .spa), managing them collectively in Gandi Corporate Services makes it safer and more efficient to manage domain names.
If you would like to know more about the above services or try it as a trial, please feel free to contact us at corporatecontact@gandi.net.
Tagged in corporateDomain namesSecurity