Forbes Global 2000 companies are failing to adopt key domain security measures, exposing them to significant security risks, according to CSC’s Domain Security Report 2022.
CSC, an enterprise-class domain registrar and Domain Name System (DNS) threat mitigation provider, found that 75 per cent of Global 2000 companies have implemented fewer than half of all domain security measures, with Domain-based Message Authentication, Reporting and Conformance (DMARC) the only measure whose adoption has increased significantly since 2020.
Domain security measure adoption slow, DMARC most popular
Adoption of recommended domain security measures by Global 2000 companies has been slow over the last couple of years, CSC stated. Measures such as DNS redundancy, registry lock, Certificate Authority Authorisation (CAA) records and DNS Security Extensions (DNSSEC) have seen only very modest growth since 2020.
“With the risks of not having domain security in place potentially leading to phishing or ransomware attacks and many other cyber threats, we hoped to see a higher implementation of some of these security measures,” the report read.
In contrast, DMARC adoption has risen from 38.9 per cent in 2020 to 61.5 per cent in 2022. CSC cited as a key driver the fact that a Verified Mark Certificate (VMC), the certificate a brand needs before supporting mail clients will display its verified logo next to its messages, is only issued to domains that already have DMARC deployed at an enforcement policy (quarantine or reject).
“Additionally, Apple announced Brand Indicators for Message Identification (BIMI) in September and stated that its email clients for iOS 16 and macOS will support a broad industry effort to combat brand spoofing and impersonation. Senders that support BIMI must meet a strong standard of email authentication and this includes using the DMARC security standard,” the report added.
Overall, the companies that had adopted the most domain security measures received the "highest security score" under CSC's calculations, according to the report. Conversely, 137 companies were given a domain security score of zero, most of them based in the Asia Pacific region.
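The difference between a monitoring-only DMARC record and one that would satisfy a VMC or BIMI check comes down to a handful of tags in a TXT record at `_dmarc.<domain>`. The following is an added example, not CSC's scoring method or any code from the report: it parses a DMARC record into its `tag=value` pairs (RFC 7489 syntax) and flags the weaknesses a reviewer would call out. The three records are constructed samples and `example.com` is a placeholder domain.

```python
"""Parse and grade DMARC TXT records (added example, not from the CSC report).

A DMARC policy is a TXT record at _dmarc.<domain> made of 'tag=value' pairs
separated by ';' (RFC 7489). The three records below are constructed samples.
"""

# Constructed sample records, weakest to strictest.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")


def parse_dmarc(record):
    """Split a DMARC record into a tag dict; reject anything that is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record):
    """Return the policy facts plus a list of weaknesses a reviewer would flag."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    subdomain_policy = tags.get("sp", policy)   # sp defaults to the p= value
    pct = int(tags.get("pct", "100"))           # share of failing mail the policy applies to
    findings = []

    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from the organisational policy")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not being collected")

    # VMC/BIMI issuance requires an enforcing policy: quarantine or reject, applied
    # to 100% of failing mail, with subdomains not opted out.
    enforcing = (policy in ("quarantine", "reject") and pct == 100
                 and subdomain_policy != "none")
    return {"policy": policy, "pct": pct, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    samples = (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strict", STRICT_RECORD))
    for name, rec in samples:
        result = assess_dmarc(rec)
        print(f"{name}: policy={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

To grade a live domain, fetch its record with `dig +short TXT _dmarc.<domain>` and pass the quoted string to `assess_dmarc`; the `partial` sample shows why `p=quarantine` on its own is not enough, since `pct=25` leaves three quarters of failing mail untouched and `sp=none` leaves every subdomain spoofable.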
Lookalike domains targeting firms to launch phishing attacks, abuse brands
Lookalike and fake domains are being registered against Global 2000 companies to exploit the trust placed in well-known brands and to launch phishing attacks or other forms of digital brand abuse and IP infringement, CSC's report read.
Over 75 per cent of homoglyph domains (domains that swap in visually similar characters, such as a digit 1 for a lowercase l or a Cyrillic letter for its Latin twin) are owned by third parties, meaning that many of the world's largest brands contend with maliciously registered web domains that look like their own, the firm added.
GoDaddy, Namecheap and PDR Ltd are the registrars most associated with fake domain registrations owned by third parties, the report stated. As for industry verticals, banking (10 per cent), IT software and services (7 per cent) and business services and supplies (5.5 per cent) were the sectors most targeted by fake domain registrations, while food markets (0.4 per cent), semiconductors (1.7 per cent) and media (1.8 per cent) were the least targeted.
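Spotting the homoglyph registrations the report counts is mostly a matter of reducing each domain to the ASCII string a reader perceives and comparing that against the brand. The following is an added example, not CSC's monitoring tooling or code from the report: it decodes punycode labels, strips accents, folds a small hand-picked subset of the Unicode confusables table (digits and Cyrillic/Greek lookalikes) onto Latin letters, and also catches one-edit typosquats. The candidate domains are constructed and `example.com` stands in for a real brand.

```python
"""Flag homoglyph and typosquat lookalikes of a brand domain.

Added example, not CSC's or DNSFilter's tooling. The confusable maps are a small
hand-picked subset of the Unicode confusables data; sample domains are constructed.
"""
import unicodedata

# Letter pairs that render as a single glyph in most fonts.
SEQUENCE_CONFUSABLES = {"rn": "m", "vv": "w"}

# Single characters visually close to ASCII letters: digits, plus Cyrillic and
# Greek homoglyphs (the classic IDN homograph case).
CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def skeleton_label(label):
    """Reduce one DNS label to the ASCII form a human would perceive."""
    if label.lower().startswith("xn--"):            # punycode: expose the Unicode label
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))  # drop accents
    for seq, repl in SEQUENCE_CONFUSABLES.items():
        label = label.replace(seq, repl)
    return "".join(CHAR_CONFUSABLES.get(c, c) for c in label)


def skeleton(domain):
    return ".".join(skeleton_label(lbl) for lbl in domain.strip().strip(".").split("."))


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): transpositions count as one edit."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def classify(brand, candidate):
    """'homoglyph' if it renders like the brand, 'typosquat' if one edit away, else None."""
    if candidate.lower().rstrip(".") == brand.lower().rstrip("."):
        return None                                  # the brand's own domain
    target, cand = skeleton(brand), skeleton(candidate)
    if cand == target:
        return "homoglyph"
    if edit_distance(cand, target) == 1:
        return "typosquat"
    return None


def find_lookalikes(brand, candidates):
    """Map each suspicious candidate to the kind of lookalike it is."""
    return {c: kind for c in candidates if (kind := classify(brand, c))}


# Constructed candidates: the punycode one is derived here from a Cyrillic-e label
# so the example stays self-contained rather than hard-coding an ACE string.
PUNYCODE_SAMPLE = "\u0435xample".encode("idna").decode("ascii") + ".com"
SAMPLE_CANDIDATES = [
    "example.com",          # the brand itself
    "examp1e.com",          # digit 1 for l
    "exarnple.com",         # r+n for m
    "\u0435xample.com",     # Cyrillic e
    PUNYCODE_SAMPLE,        # same label as it appears in zone data
    "exampel.com",          # transposition
    "example.co",           # dropped TLD letter
    "unrelated.com",
]

if __name__ == "__main__":
    for domain, kind in find_lookalikes("example.com", SAMPLE_CANDIDATES).items():
        print(f"{kind:10s} {domain}")
```

Run this against a daily feed of newly registered domains (for example, a zone-file diff or a certificate-transparency log) rather than against WHOIS on demand; the skeleton comparison is cheap enough to apply to every new name, and the `find_lookalikes` output is what a brand protection team would hand to the registrar for a takedown request.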
High-profile domain cyber attacks should never be underestimated
Domain-based security threats are plentiful, but the most prevalent threats are the least exciting: phishing domains and business email compromise (BEC) attacks using short-term domains registered for the purpose of attacking a customer, Peter Lowe, principal security researcher at DNSFilter, told CSO.
“However, the risk of higher-profile attacks should never be underestimated – with ransomware on the rise globally, protecting your network against communication with C2 domains can prevent critical loss of data, downtime and potentially even expensive ransoms,” he added.
While adoption of domain-based security measures is steadily improving, there is still some way to go, Lowe said.
“DNS as a threat protection layer is now being accepted as a standard part of security strategies, with the US government launching multiple initiatives to provide protective DNS and officially recommending it, along with guidance on how to select a service,” he said. “However, it still lacks the focus and awareness it deserves from many MSSPs and individual companies.”
To protect their domains, it’s crucial for organisations to use a trusted registrar that provides 2FA, registry lock and DNSSEC built-in, along with a robust support department, Lowe said.
“On the network side, selecting a DNS resolver that provides effective and configurable filtering over an encrypted DNS channel is essential. Any commercial resolver should also be providing a decent Anycast network behind the scenes and provide useful reporting that can give you insights into what’s happening on your network,” he added.