Forbes Global 2000 companies are failing to adopt key domain security measures, exposing them to significant security risks, according to CSC’s Domain Security Report 2022. The enterprise-class domain registrar and Domain Name System (DNS) threats mitigator found that 75% of Global 2000s have implemented fewer than half of all domain security measures, with Domain-based Message Authentication, Reporting, and Conformance (DMARC) the only domain security measure with significantly increased adoption since 2020. The data follows Akamai research from August, which discovered increased malicious domain activity and phishing toolkit reuse based on DNS data.
Domain security measure adoption slow, DMARC most popular
Adoption of recommended domain security measures by Global 2000 companies has been slow in the last couple of years, CSC stated. Measures such as DNS redundancy, registry lock, Certificate Authority Authorization (CAA) records, and DNS Security Extensions (DNSSEC) have seen only very modest growth since 2020. “With the risks of not having domain security in place potentially leading to phishing or ransomware attacks, and many other cyberthreats, we hoped to see a higher implementation of some of these security measures,” the report read.
In contrast, adoption of DMARC has risen from 38.9% in 2020 to 61.5% in 2022. CSC cited the fact that Verified Mark Certificates (VMC) now require DMARC to be set up to ascertain Secure Sockets Layer (SSL) certificates as a key driver behind the adoption. “Additionally, Apple announced Brand Indicators for Message Identification (BIMI) in September and stated that its email clients for iOS 16 and macOS will support a broad industry effort to combat brand spoofing and impersonation. Senders that support BIMI must meet a strong standard of email authentication and this includes using the DMARC security standard,” the report added.
Overall, companies with the most adoption of domain security measures had the “highest security score” based on CSC calculations, according to the report. Conversely, 137 companies were given a domain security score of zero, with most of these based in the APAC region.
Lookalike domains targeting firms to launch phishing attacks, abuse brands
Lookalike/fake domains are targeting Global 2000s to leverage the trust placed in well-known brands and launch phishing attacks or other forms of digital brand abuse/IP infringement, CSC’s report read. Over 75% of homoglyph domains are owned by third parties, meaning that many of the world’s largest brands contend with maliciously registered web domains that appear to look like their brands, the firm added.
GoDaddy, Namecheap, and PDR LTD are the companies most associated with fake domain registrations owned by third parties, the report stated. As for industry verticals, banking (10%), IT software and services (7%) and business services and supplies (5.5%) were listed as the sectors most targeted by fake domain registrations, with food markets (0.4%), semiconductors (1.7%) and media (1.8%) the least.
High-profile domain cyberattacks should never be underestimated
Domain-based security threats are plentiful, but the most prevalent threats are the least exciting: phishing domains and BEC attacks using short-term domains registered for the purpose of attacking a customer, Peter Lowe, principal security researcher at DNSFilter, tells CSO. “However, the risk of higher-profile attacks should never be underestimated – with ransomware on the rise globally, protecting your network against communication with C2 domains can prevent critical loss of data, downtime, and potentially even expensive ransoms,” he adds.
While adoption of domain-based security measures is steadily improving, there is still some way to go, Lowe says. “DNS as a threat protection layer is now being accepted as a standard part of security strategies, with the US government launching multiple initiatives to provide protective DNS and officially recommending it, along with guidance on how to select a service. However, it still lacks the focus and awareness it deserves from many MSSPs and individual companies.”
To protect their domains, it’s crucial for organizations to use a trusted registrar that provides 2FA, registry lock, and DNSSEC built-in, along with a robust support department, Lowe says. “On the network side, selecting a DNS resolver that provides effective and configurable filtering over an encrypted DNS channel is essential. Any commercial resolver should also be providing a decent Anycast network behind the scenes and provide useful reporting that can give you insights into what’s happening on your network.”
Copyright © 2022 IDG Communications, Inc.