Companies Snap Up New Domains to Fight Phishing

Written by Sue Walsh on August 23, 2012

Many major companies are rushing to snap up exclusive new domains being made available by ICANN (Internet Corp. for Assigned Names and Numbers) in hopes they will help discourage phishing attacks and make brandjacking more difficult.

ICANN, essentially the company that oversees the Internet, has begun offering companies the chance to have domain names that end in the abbreviated form of their names such as .citi or .bofa (for Bank of America). These specialized domains don’t come cheap – companies who want them must fork over $138,000 each – and won’t go live until they are approved, which won’t start happening until sometime next year.

“Hackers can buy domain names at registrars like Go Daddy Group Inc. that alter a letter or two in a company’s brand name—replacing ‘of’ with ‘at’ in bankofamerica.com, for example—and trick consumers by sending them emails dressed up with Bank of America’s logo,” said Jeff Ernst, an analyst at Forrester Research who has advised companies on how to manage the new addresses.

So far, many of the most exploited brands have applied for the new extensions, including Bank of America, Barclays, Citibank and JP Morgan Chase. These, and many more well-known companies such as eBay, PayPal, HSBC and UPS, are heavily brandjacked by spammers and phishers hoping to trick people into turning over their login and financial info. They’ve become quite good at making their spam messages look like legit messages from those companies, but one thing they were never able to fake was the domain name. Most people know all they have to do is hover their cursor over the links in an email message to see if it really goes where it says it does. The companies buying the new domain extensions hope they will provide customers with an extra layer of confidence and security. However, what if an enterprising scammer or cybercrime gang were to snap up one of these domains?

Do you think it could happen? If it did, it could very well give a scammer the most convincing phishing attack ever! Say they bought .hsbc or .ups. Can you imagine? One hopes ICANN has some sort of verification system in place so that only the companies that own the original name can get the domain extension version. What do you think? Will this help crack down on phishing or backfire?

Comments

George Carlisle August 30, 2012

As I said in my previous comment a couple of days ago, the responsibility does not just lie on these website owners or even ICANN. Everyone should be vigilant, even the Internet users. Once you go online and check on your e-mails, have your gut instinct ready. Surely any news of a malicious IT attack on a huge company gets a broadcast, so unless you hear eBay getting hacked, you should not reply to any password resets as well as alarming e-mail messages. I would also like to repeat it doesn’t take a lot of time to read everything in the mail.

Bernie Sanchez August 30, 2012

Until now I still have not heard any news or comment on how the system is going to be beneficial to small-time businesses. Seriously, ICANN, they need protection too. Hell, even those bloggers who have their own subscribers may require protection against these phishers. Anyway, back to the news, again this is a huge amount of money to spend on phishing, and like @Conrad, I’ll keep full judgment to myself first until I hear initial feedback. I’m praying to God this is going to work. Even though these are huge companies, a hundred thousand dollars is no joke, especially at this time of recession.

Elizabeth Myrnes August 31, 2012

Kudos to ICANN for coming up with such a brave idea, but I think this is already bordering on desperation. And I pity all the rest that cannot afford such a hefty fee. Worse, if these scammers can find any loophole into this system, those that have paid need to say bye-bye to their investments. I think the best move they can do is to come up with a list of best practices or update their guidelines. Teach companies how to further protect themselves without breaking the bank. This way even small businesses and even individuals with their own website can protect themselves.

Nympha Robles August 31, 2012

I have just been hit by spam, and I definitely feel so awful right now. What more if it was phishing? Now I will be more vulnerable to identity theft. Though I laud this offer as it sounds good to me, I am also disappointed since I know only the elite few would get to enjoy this. Those small businesses and even us have to find other means, albeit very weak means, to keep ourselves protected. I wish ICANN would also learn to consider that. Otherwise, I may be forced to spend less time doing e-mails and then miss out on a lot of things.
