Cybersecurity and the elephant in the room
nick ioannou
IS & IT pro, Computing’s Top 100 IT Leaders, author & speaker, helping protect organisations & their data
Following the recent CrowdStrike incident, criminals registered thousands of variants of plausible CrowdStrike domains to use in their phishing attacks. Most of these will be removed by the various online takedown services or by organisations like the UK National Cyber Security Centre (NCSC), but probably not before claiming an unknown number of victims. In fact, every week criminals register a steady stream of typosquatting web domains and the cybersecurity world tries to take them down in an endless game of Whac-A-Mole. This insanity cannot continue, so maybe it is time to address the elephant in the room.
Domain registrars need to be held accountable, and new rules need to be drawn up and agreed upon to stop the endless profiteering from cyber-criminals constantly registering web domains to facilitate their activities. Know Your Customer (KYC) checks are desperately needed before anyone is allowed to register a new web domain, especially for bulk registrations. An anti-fraud process needs to be in place for domain names that include trademarked names and blatantly fraudulent addresses, rather than allowing them to be created and then forcibly taken down, sometimes just a few hours later. Domains that swap in one (or a few) look-alike international characters for ordinary Latin letters also need to be screened and blocked.
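As an added example that is not part of this article, the following Python sketch shows the kind of registrar-side pre-registration screening the paragraph above calls for: it decodes punycode, folds look-alike characters to the Latin letters they imitate, and compares the result against a protected-brand list by exact match, substring and edit distance. The brand list and the confusables table are constructed samples (the real Unicode confusables list is far larger), and the function stands in for a registrar policy, not any real registrar's process.

```python
"""Pre-registration screen for look-alike and typosquat domain labels.

Added example, not the article's own code. The CONFUSABLES table is a small
hand-picked sample and must not be taken as a complete confusables list."""
import unicodedata

# Constructed sample: non-Latin characters mapped to the Latin letter they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0456": "i",                 # Cyrillic c x i
    "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",                 # Greek o v i
    "\u0131": "i", "0": "o", "1": "l",                           # dotless i, digits
}

def decode_label(label: str) -> str:
    """Turn an 'xn--' punycode label back into its Unicode form; others pass through."""
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label

def skeleton(label: str) -> str:
    """Fold a label to an ASCII skeleton: NFKC-normalise, lowercase, map confusables."""
    text = unicodedata.normalize("NFKC", decode_label(label)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), classic DP with one row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(domain: str, brands: list[str]) -> list[str]:
    """Return reasons to hold a registration for review; an empty list means no hit."""
    label = domain.lower().split(".")[0]        # second-level label only
    raw = decode_label(label)
    skel = skeleton(label)
    reasons = []
    if not raw.isascii():
        reasons.append("non-ASCII look-alike characters in label")
    for brand in brands:
        if skel == brand:
            reasons.append(f"matches protected brand {brand}")
        elif brand in skel:
            reasons.append(f"contains protected brand {brand}")
        elif edit_distance(skel, brand) <= 1:
            reasons.append(f"within one edit of {brand}")
    return reasons
```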
ICANN, the Internet Corporation for Assigned Names and Numbers, earns a fee from every registered domain. The fee is nominal, but given the sheer number of domains being registered every month, it quickly adds up to a substantial amount. An increase in this fee could easily go towards policing the registration of domain names if the domain registrars are reluctant to do the checks themselves. A delay of 14 days before any registered domain name is added to the global DNS register would stop a lot of the opportunistic criminal activity around specific events and provide a time frame for checks to take place. Maybe a minimum registration fee set by the domain registrar could fund these checks. If registration were no longer a guarantee that a domain will be accepted, many organisations would be freed from paying for a long list of defensive domain names simply so that someone else cannot register them.
Something major needs to change; the small changes that have been made over the years have not made enough of a difference. Adding more and more online security and brand protection services is also not the solution. We need to stop the ease with which typosquatting fraudulent domains are registered and take security seriously, instead of playing around the edges and spending increasing amounts year on year.
For more security resources, including a free copy of the 10th Anniversary Edition eBook of Internet Security Fundamentals, see: www.booleanlogical.com