I recently had the opportunity to speak on a podcast with Dave Bittner at CyberWire to discuss how .AI is giving cybercriminals a new avenue to take advantage of some of the largest companies in the world based on research findings from CSC’s 2023 Domain Security Report. Below is a summary of the key points discussed during this podcast.
Lack of focus outside a company’s perimeter
As a corporate domain registrar that also offers Brand Protection and Anti-Fraud Protection services, we've noticed that while cybersecurity professionals are doing a good job of defending inside the enterprise perimeter, the external attack surface gets far less attention: the domain names, DNS records and hosting that a company exposes on the public internet. Our annual Domain Security Report on the Forbes Global 2000 companies highlights how much of a company's security posture depends on that external domain footprint.
A growing domain namespace means a greater attack surface
Today the domain namespace goes well beyond the traditional .COM, .NET and .ORG. Hundreds of newer extensions exist, including .APP, and most recently .AI has become the de facto extension for artificial intelligence companies and products (technically .AI is the country-code TLD of Anguilla, so it is run under ccTLD rules rather than ICANN's new gTLD contracts).
Our report shows that 43% of the .AI domain names matching Global 2000 company names are registered to third parties rather than to the brand owner. For example, company XYZ operates online on XYZ.COM and everything is fine there, but XYZ.AI is held by a third party, which may be a cybercriminal or fraudster who can use it to impersonate the brand. The same logic applies to any other new or established gTLD or ccTLD extension. This puts the brand owner's reputation at stake, and our statistics show that many top global companies are exposed in the .AI domain space.
We also found that about 21% of the subdomain names we examined do not resolve to anything. Typically these are records, often CNAMEs, that point at cloud infrastructure (a storage bucket, a hosted web app, a CDN endpoint) that was decommissioned while the DNS record was left in place. If the cloud provider lets anyone claim the now-unused hostname, a cybercriminal can do so, and the brand's own subdomain then serves the attacker's content with the brand's name, and any cookies scoped to the parent domain, behind it. This is the dangling-DNS or subdomain-takeover condition. Many corporations have grown through acquisitions, leaving domain name system (DNS) zones that have not been cleaned for 20 or 30 years, and these stale records are exactly the exposed surface cybercriminals look for.
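The check behind that 21% figure can be scripted against a zone export. The block below is an added example and not CSC's tooling: it walks a constructed zone file, looks up each CNAME target in a constructed resolver table (a real run would query DNS, for example with dnspython, instead of the `RESOLVES` dict), and rates a non-resolving target as high severity when its hostname belongs to a service where unclaimed names can be registered by anyone. The zone records, hostnames and the `CLAIMABLE_TARGETS` pattern list are all illustrative assumptions.

```python
"""Flag subdomains whose CNAME points at a cloud host that no longer resolves.

Constructed example, not CSC's tooling. The zone export and the resolver
answers are made up; replace RESOLVES with real DNS lookups in production.
"""
import re

# Constructed zone export: (owner name, record type, value).
ZONE = [
    ("www.example.com",      "A",     "203.0.113.10"),
    ("shop.example.com",     "CNAME", "shop-prod.example-cdn.net"),
    ("old-blog.example.com", "CNAME", "legacy-blog.azurewebsites.net"),
    ("s3.example.com",       "CNAME", "assets-2014.s3.amazonaws.com"),
    ("docs.example.com",     "CNAME", "example-docs.github.io"),
    ("portal.example.com",   "CNAME", "portal.acquired-co.example"),
    ("mail.example.com",     "MX",    "10 mx1.example.com"),
]

# Constructed resolver state: does the CNAME target still answer?
RESOLVES = {
    "shop-prod.example-cdn.net": True,
    "legacy-blog.azurewebsites.net": False,  # web app deleted, hostname free to claim
    "assets-2014.s3.amazonaws.com": False,   # bucket deleted, name free to claim
    "example-docs.github.io": True,
    "portal.acquired-co.example": False,     # acquired company's domain lapsed
}

# Illustrative (not exhaustive) hostname patterns for services where an
# unclaimed target can be re-registered by anyone, the classic takeover case.
CLAIMABLE_TARGETS = [
    re.compile(r"\.azurewebsites\.net$"),
    re.compile(r"\.s3\.amazonaws\.com$"),
    re.compile(r"\.github\.io$"),
    re.compile(r"\.herokuapp\.com$"),
    re.compile(r"\.cloudfront\.net$"),
]


def target_resolves(target, resolver=RESOLVES):
    """Stand-in for a DNS query: True if the target still has an answer."""
    return resolver.get(target.rstrip("."), False)


def find_dangling_cnames(zone, resolver=RESOLVES):
    """Return (owner, target, severity) for every CNAME whose target is gone.

    'high'   target is on a service where anyone can claim the free name
    'medium' target is gone but not on a known self-service platform
    """
    findings = []
    for owner, rtype, value in zone:
        if rtype != "CNAME":
            continue
        target = value.rstrip(".")
        if target_resolves(target, resolver):
            continue
        claimable = any(p.search(target) for p in CLAIMABLE_TARGETS)
        findings.append((owner, target, "high" if claimable else "medium"))
    return findings


if __name__ == "__main__":
    for owner, target, severity in find_dangling_cnames(ZONE):
        print(f"{severity:6} {owner} -> {target}")
```

In a real zone the medium-severity hits still matter: a CNAME into a lapsed vendor or acquired-company domain can be taken over by simply registering that domain, so both severities belong in the cleanup queue.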
Monitoring for indicators of malicious intent
Many tools today let us immediately identify indicators such as a branded domain name registered by someone other than the brand owner, or a branded domain that is dormant. A dormant domain has no website behind it today, but a bad actor can activate it at any time to launch targeted phishing and malware campaigns. The tell-tale sign is a dormant domain that nevertheless carries an MX record: the email channel is enabled while nothing is served on the web, which is exactly the configuration a phishing or malware campaign needs and a strong indication that one is about to start.
Dormant domain names are therefore critical indicators and should be fed into the modern security operations center. With continuous daily monitoring, the moment a dormant domain gains a website (or mail records) it can be investigated for phishing activity and, if malicious, mitigated immediately through takedown enforcement with the registrar or hosting provider.
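The triage described in the two paragraphs above can be expressed as a small classifier plus a daily snapshot diff. The block below is an added example, not CSC's monitoring service: the brand name `xyz`, the domain list, the owned-domain set and the two DNS snapshots are constructed, and a real collector would populate them from DNS queries and registration data.

```python
"""Triage brand-matching domains from DNS snapshots.

Constructed example, not CSC's monitoring service. A snapshot is a dict of
{domain: {record_type: [values]}}; an empty dict means nothing is published.
"""

# Constructed: domains the brand actually owns are excluded from alerting.
OWNED = {"xyz.com"}

# Constructed snapshot from "yesterday".
YESTERDAY = {
    "xyz.com":         {"A": ["203.0.113.5"], "MX": ["10 mx.xyz.com"]},
    "xyz.ai":          {},                                  # registered, no DNS
    "xyz-support.com": {"MX": ["10 mail.freemailer.example"]},  # mail only
    "xyz-login.net":   {},
    "xyzcorp.app":     {"A": ["198.51.100.7"]},
}

# Constructed snapshot from "today": xyz-support.com went live on the web,
# xyz-login.net just enabled mail.
TODAY = {
    "xyz.com":         {"A": ["203.0.113.5"], "MX": ["10 mx.xyz.com"]},
    "xyz.ai":          {},
    "xyz-support.com": {"A": ["198.51.100.20"], "MX": ["10 mail.freemailer.example"]},
    "xyz-login.net":   {"MX": ["10 mx.freemailer.example"]},
    "xyzcorp.app":     {"A": ["198.51.100.7"]},
}

DORMANT_STATES = ("no-dns", "dormant", "dormant-mx")


def classify(records):
    """Classify one domain's record set.

    no-dns      nothing published
    dormant     no web presence (no A/AAAA) and no mail
    dormant-mx  no web presence but MX present: phishing-ready, highest priority
    active      web presence, no mail
    active-mx   web presence and mail
    """
    if not records:
        return "no-dns"
    has_web = bool(records.get("A") or records.get("AAAA"))
    has_mx = bool(records.get("MX"))
    if not has_web:
        return "dormant-mx" if has_mx else "dormant"
    return "active-mx" if has_mx else "active"


def triage(snapshot, owned=OWNED):
    """Classification for every third-party-held domain in the snapshot."""
    return {d: classify(r) for d, r in snapshot.items() if d not in owned}


def activations(before, after, owned=OWNED):
    """Third-party domains that were dormant in `before` and are live in `after`.

    These are the events to push to the SOC for same-day investigation.
    """
    events = []
    for domain, records in after.items():
        if domain in owned:
            continue
        prev = classify(before.get(domain, {}))
        now = classify(records)
        if prev in DORMANT_STATES and now.startswith("active"):
            events.append((domain, prev, now))
    return sorted(events)


if __name__ == "__main__":
    for domain, state in sorted(triage(TODAY).items()):
        print(f"{state:10} {domain}")
    for domain, prev, now in activations(YESTERDAY, TODAY):
        print(f"ALERT {domain}: {prev} -> {now}")
```

Note that `xyz-login.net` does not fire an activation alert today, but it moved from no DNS to dormant-mx, which is the pre-campaign signature the text describes; a SOC rule would typically raise it as a lower-priority watch item the same day.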
Moreover, cybercriminals are also using generative AI in these targeted campaigns to gain sophistication and deployment speed. Generative AI lets bad actors craft phishing emails that are personalized, targeted, free of spelling errors and grammatically correct, so the cues users have been trained to spot no longer appear. Dark web AI tools such as FraudGPT are currently available, and they enable bad actors to launch more complex, socially engineered deepfake attacks that manipulate the emotions or trust of targets at an even faster rate.
Recommendations for a strong security posture
Domain security should be an integral part of the security posture of any company or corporation operating online, and of government agencies too. Currently the domain name portfolios of many companies are dispersed globally across many generic top-level domains (gTLDs) such as .COM and country-code TLDs (ccTLDs) such as .UK, and often across many registrars. Security professionals and chief information security officers should have full visibility of the entire domain portfolio, and consolidating it with fewer vendors makes that data far easier to collect and enrich.
They need to manage the portfolio and monitor it continuously to identify social engineering attacks against registrar and DNS accounts that could lead to DNS hijacking (changing a domain's name servers or records), domain hijacking (transferring the registration away from the owner), or domain shadowing (an attacker quietly adding subdomains under a legitimately owned domain to host malicious content), and to prevent phishing attacks.
Rather than retail registrars, we recommend enterprise-level registrars with well-trained teams working 24x7 that require every addition, modification and deletion request to be fully authenticated and authorized. The lock posture can be verified from RDAP or WHOIS: a registry lock appears as the serverTransferProhibited, serverUpdateProhibited and serverDeleteProhibited statuses, which only the registry can clear, whereas the client-prefixed equivalents are a registrar-side lock that the registrar can remove on request.
To learn more, listen to the full podcast interview.