|
Co-authored by CSC’s Global Director Vincent D’Angelo, Senior Global Brand Security Advisor Quinn Taggart and Global Marketing Leader Sue Watts.
With the COVID-19 pandemic persisting, online shopping will be the preferred method for the 2020 holiday shopping season. While staying home to shop is the safest option right now, it means consumers are more vulnerable to online fraud, counterfeits, and cyber crime. Increased online activity provides opportunities for unscrupulous infringers to abuse trusted brand names to drive visitors to their own fraudulent content.
In our latest security briefing, we analyzed the domain security posture of the top 500 global eCommerce and shopping domains.1 Then we observed whether these top web properties are being targeted by domain spoofing.
As our recent election security research showed, domain spoofing is a preferred attack vector. According to the Oregon FBI in their Tech Tuesday, “Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word (‘electon’ instead of ‘election’), or use ‘[.]com’ in place of ‘[.]gov.’” Additionally, fraudsters are looking to capitalize on consumers restricted to their homes because of COVID-19, especially during the peak holiday shopping season.
To highlight the extent of this threat to brand owners and consumers, we identified and analyzed registered domain typos (misspellings) associated with the top 10 online shopping brands.
Our findings show:
Over 70% of the 1,553 registered domain typos appear to be owned by third parties. Out of the third-party owned domains:
We believe this domain-spoofing problem is vastly underestimated because we know there are hundreds of thousands of registered domains linked to third parties associated with some of these top shopping destinations.
As we observed in our Domain Security Report on the Forbes Global 2000 companies, these eCommerce and shopping web domains fared better than the Global 2000 companies, but still lack basic domain security measures. These businesses are so reliant on online shopping for their revenue that downtime can cost the company $500K+ an hour1.
For example, as noted in a Harvard study on DNS redundancy, it’s surprising that these companies would not secure their online presence from a distributed denial of service (DDoS) attack with only 16% leveraging DNS hosting redundancy. Furthermore, because DNS hijacking could essentially commandeer an organization, we were surprised to see registry lock adoption at only 18%. This is partially explained by the fact that still 40% of the observed domains rely on retail registrars that typically don’t provide advanced domain security features. Deployment of DNSSEC is close to 3%; DNSSEC is a security measure to prevent DNS cache poisoning. Lastly, although close to 60% of the observed domains had a domain-based message authentication, reporting, and conformance (DMARC) record, we know the lack of a DMARC reject policy still poses phishing risks to hundreds of millions of global consumers.
Below are our findings:
Each of the security measures listed above are industry best practices that help mitigate against cyber attacks, and are a part of CSC’s defense in depth approach.
Three holiday shopping tips for brand owners
Four holiday shopping tips for consumers
Below are some additional tips from the FBI3:
Additionally, in terms of consumer safety online, CSC recommends using the education and awareness materials from the National Cyber Security Alliance (NCSA).
“We’re delighted that companies like CSC are advocating for companies and online brands to put the necessary security protocols in place to protect not only their brand reputation but their consumers, from online fraud and cybercrime,” says Daniel Eliot, Director of Education and Strategic Initiatives at the NCSA. “The National Cyber Security Alliance’s mission is to educate consumers and businesses about these credible risks, and the importance of practicing recommended cybersecurity best practices. CSC’s research is also an important part of advocating for consumers, showing the pervasive risk of these cyber-attacks and fraudulent domains.”
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC