Millions of domains are registered every year by people looking to defraud businesses, their employees and customers. Using social engineering tactics and phishing techniques, cybercriminals register domains that impersonate trusted brands. From there, they launch phishing attacks and other scams.
More than 75% of businesses came across fraudulent domains posing as their brand, according to research by Proofpoint Digital Risk Protection and their 2019 Domain Fraud Report. Almost all of them (96%) found exact matches of their brand domain, but in a different TLD.
According to the latest Proofpoint report:
“Domain fraud is an attractive attack method used by cyber criminals. Cheap and easy domain registrations create a low barrier to entry. Privacy features offered by most registrars and regulations like European Union General Data Protection Regulation (GDPR) have made it easy to remain anonymous. And, most important, fraudulent domains provide the basis for a wide range of attacks such as wire transfer fraud, phishing, counterfeit good sales, scams and other new attacks.”
What are the TLD trends among fraudulent domain registrations?
Research by Spamhaus recently highlighted several TLDs as “shady,” based on the percentage of websites with specific TLDs conducting spam operations. Several of these “shady” TLDs appear in the list of top TLDs for fraudulent domain registrations as well. For example, “.top” is No. 2, “.men” is No. 19, and “.work” is No. 50. But threat actors are using more “innocuous” TLDs than “shady” TLDs. This includes several European country code TLDs. In the wake of GDPR, some of the European country code TLDs were the first to redact WHOIS information, which may have made them attractive to fraudsters.
Among domain registrars, GoDaddy holds the top spot for TLD attacks with 17% and for lookalike domains with 23%, which is to be expected of the world’s biggest registrar.