Lookalike domains are targeting Forbes Global 2000 brands to launch phishing attacks and other forms of digital brand abuse/IP infringement.

Forbes Global 2000 companies are failing to adopt key domain security measures, exposing them to significant security risks, according to CSC’s Domain Security Report 2022. The enterprise-class domain registrar and Domain Name System (DNS) threats mitigator found that 75% of Global 2000s have implemented fewer than half of all domain security measures, with Domain-based Message Authentication, Reporting, and Conformance (DMARC) the only domain security measure with significantly increased adoption since 2020. The data follows Akamai research from August, which discovered increased malicious domain activity and phishing toolkit reuse based on DNS data.

Domain security measure adoption slow, DMARC most popular

Adoption of recommended domain security measures by Global 2000 companies has been slow in the last couple of years, CSC stated. Measures such as DNS redundancy, registry lock, Certificate Authority Authorization (CAA) records, and DNS Security Extensions (DNSSEC) have seen only very modest growth since 2020. “With the risks of not having domain security in place potentially leading to phishing or ransomware attacks, and many other cyberthreats, we hoped to see a higher implementation of some of these security measures,” the report read.

In contrast, adoption of DMARC has risen from 38.9% in 2020 to 61.5% in 2022. CSC cited the fact that Verified Mark Certificates (VMC) now require DMARC to be set up to ascertain Secure Sockets Layer (SSL) certificates as a key driver behind the adoption. “Additionally, Apple announced Brand Indicators for Message Identification (BIMI) in September and stated that its email clients for iOS 16 and macOS will support a broad industry effort to combat brand spoofing and impersonation.
Senders that support BIMI must meet a strong standard of email authentication and this includes using the DMARC security standard,” the report added.

Overall, companies with the most adoption of domain security measures had the “highest security score” based on CSC calculations, according to the report. Conversely, 137 companies were given a domain security score of zero, with most of these based in the APAC region.

Lookalike domains targeting firms to launch phishing attacks, abuse brands

Lookalike/fake domains are targeting Global 2000s to leverage the trust placed on well-known brands and launch phishing attacks or other forms of digital brand abuse/IP infringement, CSC’s report read. Over 75% of homoglyph domains are owned by third parties, meaning that many of the world’s largest brands contend with web domains appearing to look like their brands that were maliciously registered, the firm added.

GoDaddy, Namecheap, and PDR LTD are the companies most associated with fake domain registrations owned by third parties, the report stated. As for industry verticals, banking (10%), IT software and services (7%) and business services and supplies (5.5%) were listed as the sectors most targeted by fake domain registrations, with food markets (0.4%), semiconductors (1.7%) and media (1.8%) the least.

High-profile domain cyberattacks should never be underestimated

Domain-based security threats are plentiful, but the most prevalent threats are the least exciting: phishing domains and BEC attacks using short-term domains registered for the purpose of attacking a customer, Peter Lowe, principal security researcher at DNSFilter, tells CSO.
“However, the risk of higher-profile attacks should never be underestimated – with ransomware on the rise globally, protecting your network against communication with C2 domains can prevent critical loss of data, downtime, and potentially even expensive ransoms,” he adds.

While adoption of domain-based security measures is steadily improving, there is still some way to go, Lowe says. “DNS as a threat protection layer is now being accepted as a standard part of security strategies, with the US government launching multiple initiatives to provide protective DNS and officially recommending it, along with guidance on how to select a service. However, it still lacks the focus and awareness it deserves from many MSSPs and individual companies.”

To protect their domains, it’s crucial for organizations to use a trusted registrar that provides 2FA, registry lock, and DNSSEC built-in, along with a robust support department, Lowe says. “On the network side, selecting a DNS resolver that provides effective and configurable filtering over an encrypted DNS channel is essential. Any commercial resolver should also be providing a decent Anycast network behind the scenes and provide useful reporting that can give you insights into what’s happening on your network.”