Home / Blogs

Holiday Shoppers Beware: Tips on Protecting Brand Owners and Consumers from Domain Security Threats

Co-authored by CSC’s Global Director Vincent D’Angelo, Senior Global Brand Security Advisor Quinn Taggart and Global Marketing Leader Sue Watts.

With the COVID-19 pandemic persisting, online shopping will be the preferred method for the 2020 holiday shopping season. While staying home to shop is the safest option right now, it means consumers are more vulnerable to online fraud, counterfeits, and cyber crime. Increased online activity provides opportunities for unscrupulous infringers to abuse trusted brand names to drive visitors to their own fraudulent content.

Research findings: Holiday shopping and eCommerce domain security briefing

In our latest security briefing, we analyzed the domain security posture of the top 500 global eCommerce and shopping domains.1 Then we observed whether these top web properties are being targeted by domain spoofing.

I. Domain spoofing risks

As our recent election security research showed, domain spoofing is a preferred attack vector. According to the Oregon FBI in their Tech Tuesday, “Cyber actors set up spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word (‘electon’ instead of ‘election’), or use ‘[.]com’ in place of ‘[.]gov.’” Additionally, fraudsters are looking to capitalize on consumers restricted to their homes because of COVID-19, especially during the peak holiday shopping season.

To highlight the extent of this threat to brand owners and consumers, we identified and analyzed registered domain typos (misspellings) associated with the top 10 online shopping brands.

Our findings show:

Over 70% of the 1,553 registered domain typos appear to be owned by third parties. Out of the third-party owned domains:

  • Close to 48% are configured with MX (mail) records that can be used to send phishing emails or to intercept email
  • 40% are using domain privacy services to mask or hide their ownership and identity showing that they may have some nefarious intentions
  • Furthermore, these typo domains receive over 5 million visits2 annually; a deeper dive of the top 100 most visited typo domains in our research shows they’re being used in this manner:
    • 38% are pointing to advertising-related and pay-per-click web content Risk: Palo Alto’s recent research showed how pay-per-click domains are used to spread malware via domain parking services.
    • 27% had no live web content Risk: Although these domains do not appear to have web content associated with them, 37% were configured to send and receive email with MX records.
    • 15% were engaged in affiliate referrals Risk: The brand owner could be targeted for unauthorized affiliate activity resulting in financial loss.
    • 12% were pointing at shopping-related web content Risk: The brand owner could experience financial loss and the consumer could be engaging with nefarious retailers selling potential counterfeits and/or receiving a poor shopping experience.
    • 8% were pointing toward malicious web content Risk: The risk is that the consumer could engage with websites that contain malicious content (i.e. malware).

We believe this domain-spoofing problem is vastly underestimated because we know there are hundreds of thousands of registered domains linked to third parties associated with some of these top shopping destinations.

II. Domain security adoption

As we observed in our Domain Security Report on the Forbes Global 2000 companies, these eCommerce and shopping web domains fared better than the Global 2000 companies, but still lack basic domain security measures. These businesses are so reliant on online shopping for their revenue that downtime can cost the company $500K+ an hour1.

For example, as noted in a Harvard study on DNS redundancy, it’s surprising that these companies would not secure their online presence from a distributed denial of service (DDoS) attack with only 16% leveraging DNS hosting redundancy. Furthermore, because DNS hijacking could essentially commandeer an organization, we were surprised to see registry lock adoption at only 18%. This is partially explained by the fact that still 40% of the observed domains rely on retail registrars that typically don’t provide advanced domain security features. Deployment of DNSSEC is close to 3%; DNSSEC is a security measure to prevent DNS cache poisoning. Lastly, although close to 60% of the observed domains had a domain-based message authentication, reporting, and conformance (DMARC) record, we know the lack of a DMARC reject policy still poses phishing risks to hundreds of millions of global consumers.

Below are our findings:

Each of the security measures listed above are industry best practices that help mitigate against cyber attacks, and are a part of CSC’s defense in depth approach.

Three holiday shopping tips for brand owners

  1. Establish a domain security council that assists with domain strategy and policy. This includes identifying and registering defensive domains in key country markets, including keywords and misspellings. Additionally, the council should champion defense in depth recommendations for secure domain management, including registry lock, reliance on enterprise class domain registrars, DMARC, DNS security extensions (DNSSEC), and DNS redundancy.
  2. Continuously monitor the domain space and key digital channels like marketplaces, apps, and email for brand abuse, infringements, and fraud.
  3. Perform global enforcement, including takedowns and advanced techniques in internet blocking.

Four holiday shopping tips for consumers

Below are some additional tips from the FBI3:

  • Ensure operating systems and applications are updated to the most current versions.
  • Update anti-malware and anti-virus software and conduct regular network scans.
  • Use strong two-factor authentication if possible, via biometrics (such as face or fingerprint scans), hardware tokens, or authentication apps.
  • Never provide personal information of any sort via email.

Additionally, in terms of consumer safety online, CSC recommends using the education and awareness materials from the National Cyber Security Alliance (NCSA).

“We’re delighted that companies like CSC are advocating for companies and online brands to put the necessary security protocols in place to protect not only their brand reputation but their consumers, from online fraud and cybercrime,” says Daniel Eliot, Director of Education and Strategic Initiatives at the NCSA. “The National Cyber Security Alliance’s mission is to educate consumers and businesses about these credible risks, and the importance of practicing recommended cybersecurity best practices. CSC’s research is also an important part of advocating for consumers, showing the pervasive risk of these cyber-attacks and fraudulent domains.”

By Vincent D'Angelo, Global Director at CSC

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API