A&G-Domain Name Cybersecurity
CYBERSECURITY AND DATA PROTECTION - January 2024

Domain Name Cybersecurity – Current Trends and Strategies for Brand Protection

By Dr Stanley Lai, SC, David Lim and Justin Tay (Allen & Gledhill LLP)

I.   Introduction

In the 40 years since the dawn of the Internet in 1983, our digital landscape has undergone astronomical growth in importance and significance, with wide swathes of our daily affairs transacted through online media. It is therefore unsurprising that domain names, the identification framework on which the whole internet depends, have come to be invaluable digital assets to every business seeking to offer goods and services online, through proper identification and access. Indeed, one could argue that domain names themselves constitute a form of digital asset, with domains being created and transacted at an increasingly frenetic pace. Now, more than ever, it is critical to safeguard these domain names from being used as avenues for the propagation of malicious cyberattacks, which have only grown in frequency and sophistication in recent years.

In this article, we will delve into the current trends in cyberattacks and digital exploitation which pose a pressing concern to businesses, both from a commercial and legal standpoint. Some practical strategies are then offered to enhance digital security and protect brand identity in the virtual realm.

II.  Current cybersecurity trends and threats

1.   Phishing attacks and domain name spoofing

“Phishing” is a form of social engineering attack designed to trick users into clicking on malicious links and/or divulging sensitive data, such as login credentials and credit card numbers. Generally, a phishing attack involves an email or other message disguised as being sent from a legitimate entity, requesting the user to click on a phishing link. Thereafter, the user will be asked to input login credentials or the user’s system may be infected with malware.

Phishing attacks commonly arise out of domain name spoofing, which refers to a malicious actor impersonating a known business or person with a fake or lookalike website or email domain.

It is common knowledge that phishing attacks are becoming increasingly commonplace. The Cybersecurity Agency of Singapore (CSA) reported earlier this year that there were 8,500 reported phishing cases in 2022, more than twice the 3,100 cases reported in 2021, whilst more than 80% of the reported phishing sites masqueraded as entities within the banking and financial services sector.[1]

A particularly pressing concern is the rise in “spear-phishing”, i.e. a phishing attack specifically tailored to target a particular individual or organisation, which has been reported to comprise about 65% of all phishing attacks.[2] These include business email compromise (BEC) scams, which are a type of phishing scam involving an attacker gaining unauthorised access to a company’s email system and/or a domain spoof or lookalike. The attacker then sends phishing emails to targets within the organisation to obtain unauthorised transfers of funds or sensitive information.

The FBI reported in June 2023 that reported global business losses to BEC scams had crossed USD 50 billion, with nearly 300,000 BEC incidents in 177 countries over the last 9 years.[3] Locally, the Straits Times has reported that victims lost a combined SGD 56.2 million to BEC scams between January and March 2022.[4]

2.   AI-related or AI-facilitated phishing attacks

A more notable recent trend is that cybercriminals have been exploiting the hype surrounding artificial intelligence by creating fraudulent domains using the “.ai” extension to imitate legitimate businesses.

According to data compiled by Netcraft, the number of .ai domains used by web servers has grown 12,523% from 913 to 115,245 domains since 2013.[5] For example, this includes technology giants Meta and Google, who have both registered the web domains “facebook.ai” and “google.ai”, which redirect to websites promoting their AI-related work.

The combination of a familiar company brand name together with the “.ai” domain extension potentially gives victims a false sense of security, making them more susceptible to the scam. In this regard, the 2023 Domain Security Report by CSC, a domain name registrar, reports that 43% of the Forbes Global 2,000 companies do not have control of their branded “.ai” domain names as they are registered by third parties. Additionally, 49% of these branded “.ai” domains remain unregistered, leaving the companies exposed to brand infringement and other malicious activities.[6]

Generative AI can also directly facilitate and lower the barrier to entry for committing cybercrime. Cybersecurity professionals have reported being able to trick ChatGPT into creating source code for malware and ransomware.[7] In this regard, Darktrace has reported a 135% increase in “novel social engineering attacks”, which it attributes to the widespread adoption of generative AI such as ChatGPT.[8]

In a similar vein, there has been a worrying trend in AI-generated deepfakes and scams arising thereof, which has been extensively reported by news outlets such as Channel NewsAsia and The Straits Times.[9] As generative AI technology continues to grow rapidly, we expect that hyper-realistic phishing attacks will continue to become more commonplace.

3.   Ransomware attacks

Ransomware refers to a type of malware designed to encrypt files on a device until a ransom, typically in cryptocurrency, is paid to decrypt the files. Some strains of ransomware may corrupt other devices within the same network (i.e., lateral movement) or exfiltrate data and threaten to divulge it to the public.

The primary way that ransomware enters a business’s digital environment is phishing. For example, Verizon’s Data Breach Investigations Report 2023 found that malware is largely distributed via email and frequently in the form of Microsoft Office documents, given their ability to run code on the client system.[10]

There has been a series of high-profile ransomware attacks in recent years, such as the attack on JBS in May 2021, which resulted in JBS paying USD 11 million in ransom after the ransomware attack had forced it to halt operations across all its beef plants in the US.[11] Locally, the Singapore Cyber Landscape 2021 and 2022 reports provide that there were 132 ransomware cases in 2022 and 137 cases in 2021, which was a 54% increase from 89 cases in 2020.[12]

Evidently, ransomware attacks may be highly disruptive to business operations, and the implications may include temporary or permanent loss of files or data, disruption to business services and operations, and data exfiltration and leaks (which may attract reputational damage or fines under data protection regulations).

According to a 2022 study by IBM, the average cost of a ransomware attack in 2022, not including the cost of the ransom itself, was USD 4.54 million.[13] This may be because apart from the ransom, companies facing cyberattacks face indirect costs of downtime and recovery of lost data, as well as other expenses such as potential class-action lawsuits and reputational damage.

III.  Strategies for domain name security and brand protection

Given the potentially devastating legal, financial and reputational consequences of a cyberattack, proactive steps should be taken to mitigate risk and ideally prevent any cyberattack from occurring in the first place.

At the organisational level, implementing domain name security measures may help to mitigate the risk of a cyberattack. These include, but are not limited to:

  • Registry locks – registry locks safeguard against unauthorised modifications, transfers and deletion of DNS, because the registry will implement such an instruction only after a two- or three-factor authentication process.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – Adopting a DMARC policy allows a sender of an email to indicate that their messages are protected under the Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) protocols. If the message is not properly authenticated, the DMARC policy may also direct that the message be automatically rejected, quarantined or sent to junk.
  • DNS security extensions (DNSSEC) – DNSSEC adds cryptographic digital signatures to DNS records so that the IP address returned for a domain name can be validated, which prevents malicious actors from re-directing end-users (at the DNS level) to a fake website or service.
  • Domain monitoring – A domain monitoring service may assist in alerting a company to newly registered look-alike and/or potentially infringing domains, allowing it to proactively take action to combat potential abuse.

In addition, having a robust domain name and/or trade mark registration portfolio is one of the most effective ways to prevent malicious actors from impersonating a company’s website and/or email domain address, thereby minimising the likelihood of phishing attacks that may be carried out against a company’s unsuspecting employees or customers.

In terms of domain name registration, businesses may wish to register not only the core or critical domain names to their business, but also defensively register similar-sounding domains or misspellings to their main brand name, as well as other brand names which are similar to their core brand(s) and/or trade marks. For example, these may include registering the “.ai” variants of their core brand names, to prevent them from being used by malicious actors. The defensively registered domain can then be redirected to the company’s legitimate website address.

That being said, it is generally not possible to defensively register all possible and plausible variants of a brand name, since a cybersquatter can potentially register any domain name that is similar (but not identical, e.g. a one letter difference) to a business’s main domain name. As such, businesses should strongly consider trade mark registration for their core brand names, as registered trade mark protection may potentially be able to protect a brand against the use of a domain name that is similar (but not identical) to the business’s registered domain name(s).
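Because not every variant can be registered defensively, the domain monitoring measure listed earlier has to catch the rest. The following Python sketch is an added example (not from the original article) of the matching logic such a service might apply to a feed of newly registered domains: the brand on another extension such as “.ai”, a one-edit variant, confusable characters, and the brand used as a hyphenated token. The brand “acmebank”, the feed and all function names are constructed, and the feed is assumed to contain registrable domains rather than subdomains.

```python
"""Flag look-alike domains in a feed of new registrations (added example; all domains are constructed)."""

CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))  # small illustrative set

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def skeleton(label):
    """Collapse visually confusable sequences so look-alikes compare equal."""
    for fake, real in CONFUSABLE:
        label = label.replace(fake, real)
    return label

def classify(candidate, brand_domain, owned):
    """Return a reason string if candidate resembles brand_domain, else None."""
    candidate = candidate.lower().rstrip(".")
    if candidate in owned:
        return None  # already in the company's own portfolio
    label, _, tld = candidate.partition(".")
    brand_label = brand_domain.partition(".")[0]
    if label == brand_label:
        return f"brand on third-party TLD .{tld}"
    if skeleton(label) == skeleton(brand_label):
        return "confusable characters"
    if edit_distance(label, brand_label) == 1:
        return "one-edit variant"
    if brand_label in label.split("-"):
        return "brand used as a hyphenated token"
    return None

def monitor(feed, brand_domain, owned):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {n: r for n in feed if (r := classify(n, brand_domain, owned))}

# Constructed feed of newly registered domains; "acmebank" is a made-up brand.
OWNED = {"acmebank.com", "acmebank.sg"}
FEED = ["acmebank.ai", "acmebnak.com", "acrnebank.com", "acmebank-login.net",
        "acmebank.sg", "gardening-tips.org"]

if __name__ == "__main__":
    for domain, why in monitor(FEED, "acmebank.com", OWNED).items():
        print(f"{domain}: {why}")
```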

IV.  Conclusion

It was never in doubt that a technology-based epoch would trigger a technological arms race in cyberspace, and while the technical details of the newfangled sophistry employed by would-be cybercriminals are far too complex to explain in a short article, we can take comfort in the fact that there are relatively straightforward defensive measures (such as registry locks, DMARC, DNSSEC, etc) that can be deployed to safeguard businesses and individuals alike. They will be complementary to domain name and trade mark filing strategies that should also be rigorously deployed.

AUTHOR INFORMATION:

Dr Stanley Lai, SC is a Partner at Allen & Gledhill, where he is also the Head of the Intellectual Property Practice and Co-Head of the Cybersecurity & Data Protection Practice.
Email: stanley.lai@allenandgledhill.com

David Lim is a Senior Associate in the Intellectual Property Practice of Allen & Gledhill.
Email: david.lim@allenandgledhill.com

Justin Tay is an Associate in the Intellectual Property Practice of Allen & Gledhill.
Email: justin.tay@allenandgledhill.com

REFERENCES

[1]           https://www.csa.gov.sg/Tips-Resource/publications/2023/singapore-cyber-landscape-2022 (accessed 12 December 2023).

[2]           https://aag-it.com/the-latest-phishing-statistics/ (accessed 12 December 2023).

[3]            https://www.ic3.gov/Media/Y2023/PSA230609 (accessed 12 December 2023).

[4]            https://www.straitstimes.com/singapore/courts-crime/at-least-562-million-lost-to-business-e-mail-compromise-scams-between-jan-and-march-2022-police (accessed 12 December 2023).

[5]           https://www.netcraft.com/blog/the-rise-of-ai-cyber-criminals-and-anguilla-look-to-profit/#:~:text=Since%202013%2C%20the%20number%20of,from%20913%20to%20115%2C245%20domains (accessed 12 December 2023).

[6]            https://www.cscglobal.com/service/press/many-global-2000-companies-neglect-their-ai-domains/ (accessed 12 December 2023).

[7]            https://www.scmagazine.com/analysis/how-chatgpt-is-changing-the-way-cybersecurity-practitioners-look-at-the-potential-of-ai (accessed 12 December 2023).

[8]           https://ir.darktrace.com/pressreleases/2023/4/3/8b2d6ba25d9d54a1895956a985fe4a7d08d9f42607a112fb17964e4b57fad7d6 (accessed 12 December 2023).

[9]           https://www.channelnewsasia.com/singapore/regulation-will-always-be-chasing-technology-education-key-combating-risks-ai-and-deepfakes-experts-cybercrime-3966226 (accessed 12 December 2023); https://www.straitstimes.com/singapore/scammers-use-deepfakes-to-create-voice-recordings-and-videos-of-victims-family-friends-to-trick-them (accessed 12 December 2023).

[10]          https://www.verizon.com/business/en-sg/resources/reports/dbir/ (accessed 12 December 2023).

[11]          https://www.straitstimes.com/world/united-states/jbs-paid-us11m-in-ransom-to-resolve-meatplant-cyberattack (accessed 12 December 2023).

[12]          https://www.csa.gov.sg/News-Events/Press-Releases/2022/ransomware-and-phishing-attacks-continued-to-threaten-singapore-organisations-and-individuals-in-2021 (accessed 12 December 2023).

[13]          https://www.ibm.com/topics/ransomware (accessed 12 December 2023).