The SolarWinds and Microsoft Exchange cyber-attacks have shown the importance of vetting third-party technology, operational processes and security controls in order to identify and mitigate supply chain risk. Choosing a domain name registrar is such a vital decision because of the many security risks in the domain and DNS ecosystem such as phishing threats or brand infringements.
When I started my career with a domain registrar 21 years ago, companies and individuals alike only had a few accredited registrars to choose from, and the aim was to quickly secure a domain registration - so your website or email address could be fired up within minutes. What more could anyone really need from a registrar?
Fast forward to today and the last question is no longer rhetorical or at least it shouldn’t be if you are serious about corporate risk mitigation. Today’s headlines scream of online data breaches, identity theft, fraud, counterfeiting, DNS hijacking and phishing attacks. When I look around, I still see corporations unaware of the complexities of the domain registrar ecosystem; the truth is that not all domain registrars are created equal.
There are two general categories of domain registrars: consumer-grade registrars and enterprise-grade registrars. A consumer-grade registrar specializes in domain services, websites and email for personal use, entrepreneurs, and small businesses that are just getting started. In contrast, enterprise-grade registrars are geared for corporations and brand owners that require advanced business practices, capabilities, expertise and support staff in relation to domain and DNS management and security, brand and fraud protection, data governance and cybersecurity.
To put things into perspective, there are thousands of ICANN-accredited domain registrars out there and all—with the exception of a handful of registrars—specialize in consumer-grade offerings. So what’s the problem?
The Tipping Point: COVID-19 Domain Surge
Consumer-grade domain registrars are not inherently malicious actors. However, because of certain standard business practices they have attracted bad actors, which end up exacerbating brand abuse, phishing attacks and fraud.
The surge in COVID-19 related domain fraud made it abundantly clear that the domain and DNS infrastructure will require meaningful oversight, stronger standards for domain and DNS security, and better consumer protections. The Digital Citizens Alliance did a three-month investigation on how “little to no effort” has been made to reduce incidents of consumer-grade registrars selling COVID-19-related domains that end up being used for scams that could impact consumer safety, or worse. Furthermore, a recent three-month study during the peak of COVID-19 by the Interisle Consulting Group highlighted that 684 brands were targeted with phishing attacks by 99,000+ unique domain names that were registered across 400+ domain registrars. Some of these issues were concentrated amongst the larger consumer-grade domain registrars.
The Business Issues that Proliferate with No End in Sight
As more people spend time online, now is the time to put new mechanisms in place that better protect internet users and brand owners, and make domain registrars and others in this complex digital ecosystem more accountable for their actions.
Consumer-grade domain registrars’ anti-abuse programs have focused on mitigation after the fact when what we really need is more preventative measures to solve these problems. In an ideal world, identifying and suspending maliciously registered domains before they become active phishing threats, or online IP infringements—while at the same time deploying better security mechanisms that prevent domain or DNS hijacking—should be a business priority. The latter is a major concern because legitimate domains are being weaponized by frequent occurrences of domain registrar breaches resulting in DNS attacks and business email compromises.
I believe there are three critical steps brand-owners can take to protect their organizations and their consumers. They are:
- Eliminate your third-party risk by assessing the domain registrar(s) you are using and ensure they offer defense-in-depth domain security measures like 2FA, DMARC, DNSSEC and domain registry locks
- Confirm that your domain registrar’s business practices are not contributing to fraud and brand abuse such as:
- Operating domain marketplaces that ‘drop catch’, auction and sell - or domain names containing trademarks to the highest bidder
- Domain name spinning and advocating the registration of domain names containing trademarks
- Monetizing-domain names containing trademarks with pay-per-click sites
- Monitor external infringement of your brands and leverage takedown services for brand abuse and fraud
It is important to acknowledge that companies, especially those with a multinational footprint and a broad product portfolio, face ongoing challenges in defining the risks in their domain ecosystem as well as the third-party owned domains associated with their brand. With the level of investment spent on brand building, and the criticality of consumer safety, companies must hold their registrars more accountable moving forward.
Those responsible for cybersecurity risk mitigation, online brand protection and preserving and expanding online revenue need to understand that so many registrars fall far short of what should be minimally expected from a registrar managing corporate domain names in terms of security, business practices, data governance, capabilities, global support, staff training and expertise.
The biggest question brand-owners need to ask themselves this year - is their domain registrar a friend or a foe?