A large proportion of the Forbes Global 2000 companies' web domains are vulnerable to DNS attacks, domain hijacking, and other common threats.
Domain protection provider CSC Brand Services Division recently conducted a study showing that up to 83% of these companies don’t have basic security protections in place.
Most of these companies have failed to protect themselves against unauthorized WHOIS information changes, transfer-away risks, or DNS modifications.
An astonishing 97% of these companies do not use DNS Security Extensions (DNSSEC) to protect against DNS hijacking attacks.
Registry-lock services are used by only 73% of these companies. This service prevents unauthorized changes to DNS information, which could lead to a website redirecting visitors to a malicious website or make the company’s website unavailable.
Over 60% of these companies do not use the DMARC email authentication protocol, which helps protect an organization’s email domain from being used in email spoofing.
Mark Calandra, the executive vice president of CSC, stated that “The main takeaway from this report is that the largest companies in the world remain very vulnerable to domain name and DNS hijacking, domain shadowing, and subdomain hijacking attacks.”
What’s most troubling is that banks seem to be one of the worst offenders.
Banks rank the lowest in terms of using corporate domain-registrar services and registry lock services, even though these businesses are the most targeted.
Calandra suggested the discrepancy is due to most of these banks being in Asia. “One rationale may be because close to half of the banks represented in the Global 2000 are from Asia, and Asia is the region where there is generally lower domain security measures in place.”
There are signs that attacks on weakly protected DNS services and domains are ramping up. A recent increase in domain-name hijacking was reported earlier this year by the Spamhaus Project, which tracks spam-related email activity worldwide. It found that criminals are increasingly using social engineering, phishing, and vulnerability exploits to gain access to domains that aren’t well protected.
Once they gain access, they “create new hostnames (domain shadowing) that point to a different IP range that is not associated with the root domain … Alternatively, they will change the name servers of the domain to point to a new location.”
A company’s reputation and brand image can be irreparably harmed by malware, a spam attack, or website disruption. Ironically, it is the good reputation of the targeted company that helps criminals avoid anti-spam measures to begin with.
The use of generic retail service providers and domain-name registrars may be at the root of the issue. More than half of these companies use retail services that don’t offer the security protections enterprises need. And most of the businesses are susceptible to a denial-of-service attack due to a lack of DNS hosting redundancy.
Inadequate training, insufficient technical support, and poor operational processes are among the reasons these retail-grade registrars are not appropriate for these businesses. This leads to an inability to safeguard business domains against domain-name hijacking, domain shadowing, subdomain hijacking, and DNS hijacking.
Calandra stated that it’s these issues that “have created a sort of haven for bad actors to take advantage.”
What companies need to do is transition toward using IP validation, two-factor authentication, and federated ID mechanisms in order to secure access to their domain and DNS management systems. Businesses also need to manage user permissions and roles on their domain and DNS management systems.
Security features such as registry lock, DMARC, DNSSEC, and CAA records will help DNS security once adopted by these companies.
Tech and entertainment companies have a much higher adoption of these controls and use of enterprise-grade domain registrars. Other industries, however, like real-estate firms and banks, have not fared as well.
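
The controls recommended above (registry lock, DNSSEC, DMARC, CAA) and the DNS hosting redundancy gap can all be checked from registration and DNS data. The following Python is an added example, not part of the CSC study: it audits records that have already been fetched, and the `audit` function, the record layout and every sample value are constructed for illustration.

```python
# Added example: audit pre-fetched DNS/RDAP data for the controls named above.
# All record values below are constructed; no network access is performed.
LOCK = {"servertransferprohibited", "serverupdateprohibited", "serverdeleteprohibited"}

def parse_tags(txt):
    """Split a 'k=v; k=v' record (DMARC tag syntax) into a lowercase-key dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(domain, data):
    """Return {control: (ok, detail)} for one domain's records."""
    out = {}
    # Registry lock appears as registry-set "server" statuses (EPP or RDAP spelling).
    seen = {s.replace(" ", "").lower() for s in data.get("status", [])}
    out["registry_lock"] = (LOCK <= seen, f"missing {sorted(LOCK - seen)}")
    # DNSSEC: a DS record at the parent shows deployment (signatures not validated).
    out["dnssec"] = (bool(data.get("DS")), f"{len(data.get('DS', []))} DS record(s)")
    # DMARC: exactly one v=DMARC1 TXT at _dmarc.<domain>; p=none only monitors.
    txt = [t for t in data.get("TXT", {}).get(f"_dmarc.{domain}", [])
           if t.lower().startswith("v=dmarc1")]
    policy = parse_tags(txt[0]).get("p", "").lower() if len(txt) == 1 else ""
    out["dmarc"] = (policy in ("quarantine", "reject"), f"p={policy or 'absent'}")
    # CAA: at least one issue/issuewild property restricts which CAs may issue.
    cas = [v for tag, v in data.get("CAA", []) if tag in ("issue", "issuewild")]
    out["caa"] = (bool(cas), f"authorised: {cas}")
    # Redundancy heuristic: name servers under two or more parent domains.
    hosts = {".".join(ns.rstrip(".").lower().split(".")[-2:]) for ns in data.get("NS", [])}
    out["dns_redundancy"] = (len(hosts) >= 2, f"providers: {sorted(hosts)}")
    return out

SAMPLES = {  # constructed data
    "example.com": {
        "status": ["clientTransferProhibited", "server transfer prohibited",
                   "server update prohibited", "server delete prohibited"],
        "DS": ["12345 13 2 <digest>"],
        "TXT": {"_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
        "CAA": [("issue", "ca.example"), ("iodef", "mailto:sec@example.com")],
        "NS": ["ns1.dns-a.example.", "ns1.dns-b.example."],
    },
    "example.net": {
        "status": ["clientTransferProhibited"],
        "TXT": {"_dmarc.example.net": ["v=DMARC1; p=none"]},
        "NS": ["ns1.dns-a.example.", "ns2.dns-a.example."],
    },
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, {c: ok for c, (ok, _) in audit(name, rec).items()})
```

The second sample fails every check even though it has a client-side transfer lock and a published DMARC record: only registry-set statuses count as a registry lock, and `p=none` reports on spoofed mail without blocking it.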