By Justin Hartland, Global Director of Account Management, CSC
Share this post
Large corporations often amass large domain portfolios. But when the economic climate or security landscape changes, organizations start to look at reducing or shifting the budget away from domain names they feel they no longer need. The process for determining the domain names to lapse is usually arbitrary. Understanding your domain name portfolio is sometimes a forensic examination of evidence when dealing with hundreds or thousands of domain names.
Here’s an example to illustrate.
“Terry, we need to cut our domain portfolio by 20%.”
Off Terry goes to download a list of the domain names and sift through them. At the end, Terry has managed to cut 20% by looking at old brands, obscure countries, and gut feel. This list is circulated around to various business owners in the enterprise. After three reminder emails, Terry finally gets the thumbs up from everyone. He sends the list to his registrar with instructions to divest the domain names. They take care of it, and job done. The boss will be pleased.
A few weeks later, there’s a call from his infrastructure team in a panic because internal services for their business in Germany are no longer working—it seems to be related to the domain dasgoodtechnik.de. After calling his registrar, they inform Terry the name is not in his portfolio. With a dark storm hovering overhead, he goes to his files and opens the Excel® called domainnamelapsereport.xls. A couple of clicks and a quick filter later, there is the domain name staring him in the face—on his lapse list.
The first thing he does is call his registrar back to re-register the domain. “No one will ever want that name,” Terry thinks. Until he hears the fatal words, “it’s been taken.” His heart sinks. The upshot of this event means having to pay a third party thousands of dollars to recover the name, on top of that, senior managers are looking for answers and everyone is pointing the finger at each other.
Now, this is a made-up scenario, but I am sure anyone managing a domain name portfolio can relate. These digital assets—relatively low in price on their own—can have a catastrophic impact on any business if not properly managed.
So, how should you be managing domain names? Keep everything forever? No. There’s a proper way to lapse domain names a company truly no longer needs. But before we go into that, we look at the various risks associated with lapsing the wrong name.
The one thing every major organization needs to be aware of is—your domain name portfolio is being watched like a hawk! There are hundreds of third parties with various motivations that will immediately register your lapsed domain names. Below are some of the risks associated with lapsing the wrong name.
- Phishing – Using a domain name for a phishing attack can be more successful if the related domain name contains your brand. Sometimes these phishing attacks can be very specific, for example, a company lapses an exact match in a country code and its used to send emails to suppliers asking for shipments of goods to a new location. Additionally, phishers may register the name with your company’s details in case someone looks at the WHOIS record.
- Email harvesting – If you lapse a domain name that’s been used for email, a fraudster can reactivate the email and view any emails sent to those addresses. If your business deals with highly sensitive intellectual property, fraudsters can then sell that information on the black market, which can lead to General Data Protection Regulation (GDPR) issues. These fraudsters know if you have an MX email records set up on the domain, as its public information. A recent article on CSO Online outlines how a security researcher re-registered domain names for law firms, set up email servers, and started receiving confidential information.
- Third party registrations – When you lapse a domain name, as mentioned, outside parties who see value in the name will register it. While you can take formal action to stop it, such as cease and desist or filing a dispute, these tactics take a long time. In a lot of cases, you need the domain back quickly, which could result in spending thousands of dollars when the renewal would have cost a fraction of that. As reported on the BBC, a QR code used on Heinz packaging in Germany was redirecting to a pornographic site. This was due to the domain name being lapsed and re-registered by a third party.
- Business continuity – As described in the example above, many domain names are used by company departments for internal uses. The result of domain name management failures can cost businesses millions of dollars in lost revenues or productivity of staff. Additionally, it can cause reputation damage depending on the use of the domain. In 2016, a telecommunications company in the U.S., Sorenson, forgot to renew one of their domain names that helps provide video relay services for the deaf. As a result of the service going offline, the Federal Communications Commission fined Sorenson $3M for being out of compliance. A massive fine for what would have been a small charge to renew the domain.
- Website and email outage – If a domain has a live website associated with it, then there’s no hiding from the effect it will have on your business when the domain goes down. If you conduct any kind of eCommerce on your website, this will be inaccessible until you can get the domain back up and running, resulting in lost revenue. If a domain name’s use is for email, while the outside world may not see the issues, it could have a major impact on an organization’s ability to function.
- Fraud – Some bad actors will look at domain names that have been used for eCommerce in the past, and using archive.org, will set up replica sites and harvest information. Also by setting up email on these domains, fraudsters can reset passwords, so any service related to that domain name can accessed.
We’ve looked at the effects of what can happen when the wrong domain name is lapsed, but what can we do to help prevent this and make sure we are just lapsing names without value? The good news is that each domain name has many characteristics we can review to make an informed decision. Some of the key determinants are found in the zone file. A zone file contains all the attributes of a domain name, such as email, digital certificates, etc. These attributes start to paint a picture of what the domain name has been used for and helps a company determine whether it requires further investigation.
One of the most critical ways to understand the importance of a domain name is through the domain name system (DNS) traffic. Domain names are used for various reasons and are not always a public website. By analyzing the traffic to the domain, it gives you an indication of whether it’s used for a virtual private network (VPN), internal servers, email only, or sub-domains for specific projects. Usually, around 20-25% of a portfolio is used for commercial activity.
Of course, the brand is an important characteristic. So if the domain name is an exact match of your brand, chances are someone will register the domain name quickly if you let it lapse. Where you need to pay particular attention is on extensions where it’s hard to recover names. Countries such as China and Russia have always made it harder for brand owners to recover names, usually resulting in large acquisition fees being paid by the new owner. In addition to this, we should also consider our future needs. Is our organization´s medium- to the long-term goal to expand into the Middle East? If yes, lapsing companyname.com.sa (Saudi Arabia) or companyname.ae (United Arab Emirates) might not be the best idea.
The final component is whether the domain name holds an after-sale value. Many large organizations have generic names they’ve acquired over the years, or brands that cease to be used. If these names are in popular extensions, such as .COM, and are short, they can fetch seven figure sums.
By carrying out the forensic review of key attributes, you’ll have a full picture of what value lies in that name. In June 2020, Google allowed the domain name blogspot.in to lapse. This domain was set up to host blog websites for the Indian market. The name was taken by a third party who has now put it up for sale at $5,999. The more concerning part of lapsing this domain name is that for all the blog sites hosted, they can now be used for harmful content or to spread scams or malware.
At CSC, we run a full forensic analysis for our customers who are looking to lapse domain names. It involves looking at over 12 characteristics that help guide our customers to the right outcome. If Terry from our hypothetical situation had done this, he wouldn’t have ended up in a situation of having lapsed a needed domain name.
Now more than ever, domain names have grown in importance both from a security point of view and for running a business. With so many people working from home using VPN connections, and so many people using the internet to order goods, as keepers of domain names, we need to be extra vigilant. If we’re not, we could end up in the same situation as Terry.
CSC has come up with a three-step strategic plan: Stop – Review – Action. You can download the guide here.