Forbes 2000 brands are dangerously unprotected from phishing and hijacking, with 81% failing to use registry locks for their domains, according to Domain Security Report: Forbes Global 2000 Companies, a study released Tuesday by domain protection firm CSC.
Only 50% use a DMARC (Domain-based Message Authentication, Reporting and Conformance) record, the standard email authentication method.
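The DMARC record the report counts is a TXT record published at `_dmarc.<domain>` in the tag=value syntax of RFC 7489. The following is an added example, not code from the CSC report or this article: it parses such records and grades how much protection they actually give, since a record with `p=none` only collects reports and does not block spoofed mail. The domain names and records it uses are constructed.

```python
"""Parse and grade DMARC TXT records (RFC 7489 tag=value syntax).

Added example with constructed records; nothing here comes from the CSC report.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample records, as they would be published at _dmarc.<domain> TXT.
SAMPLE_DMARC_RECORDS: Dict[str, Optional[str]] = {
    "reject-example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@reject-example.test; adkim=s; aspf=s",
    "quarantine-example.test": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:agg@quarantine-example.test",
    "monitor-example.test": "v=DMARC1;p=none;rua=mailto:rep@monitor-example.test",
    "broken-example.test": "v=spf1 include:_spf.example.test -all",  # an SPF record published at _dmarc by mistake
    "none-example.test": None,  # no TXT record at _dmarc at all
}

# Defaults RFC 7489 applies when a tag is omitted (sp defaults to the value of p).
DMARC_DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Return the tag dictionary for a syntactically valid DMARC record, else None."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None  # 'v=DMARC1' must be the first tag
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")  # split on the first '=' only (mailto URIs may contain more)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # 'p' is required and must be one of the three policies
    for key, default in DMARC_DEFAULTS.items():
        tags.setdefault(key, default)
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits the domain policy
    return tags


def grade_dmarc(record: Optional[str]) -> Tuple[str, List[str]]:
    """Classify a record as missing / monitoring / partial / enforcing, with findings."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["No valid DMARC record: spoofed mail is neither reported nor filtered."]
    policy = tags["p"]
    pct = int(tags["pct"]) if tags["pct"].isdigit() else 100
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only monitors; receivers take no action on failing mail.")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages.")
    if tags["sp"] == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected.")
    if "rua" not in tags:
        findings.append("No rua= address: aggregate reports will never arrive.")
    if policy == "none":
        level = "monitoring"
    elif pct == 100 and tags["sp"] != "none":
        level = "enforcing"
    else:
        level = "partial"
    return level, findings


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Per-domain grade plus the share of domains that publish any valid DMARC record."""
    levels = {domain: grade_dmarc(rec)[0] for domain, rec in records.items()}
    with_dmarc = sum(1 for lvl in levels.values() if lvl != "missing")
    return {"levels": levels, "with_dmarc_pct": round(100 * with_dmarc / len(records))}


if __name__ == "__main__":
    for domain, rec in SAMPLE_DMARC_RECORDS.items():
        level, findings = grade_dmarc(rec)
        print(f"{domain:28} {level:10} {'; '.join(findings)}")
    print("share with a DMARC record:", summarize(SAMPLE_DMARC_RECORDS)["with_dmarc_pct"], "%")
```

The grading is deliberately stricter than "has a record": the report's 50% figure counts any DMARC record, but only `p=quarantine` or `p=reject` applied to 100% of mail, with subdomains covered, stops a spoofed message from reaching inboxes.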
And 57% use off-the-shelf consumer-grade registrars, which offer limited domain security mechanisms.
In addition, 70% of homoglyph (fuzzy match) domains, of the kind typically used in phishing and brand abuse, are owned by third parties.
Basic domain security measures “continue to get overlooked because they’re still not considered an essential component to a company’s broader phishing, BEC or ransomware mitigation approach,” states Mark Calandra, president of CSC Digital Brand Services.
Calandra adds: “A focus on securing legitimate domains while monitoring for malicious domains in parallel needs to be a bigger priority for companies in order to stay protected and mitigate cyber risk. Otherwise, companies are exposing themselves to significant threats to their cybersecurity posture, data protection, intellectual property, supply chains, consumer safety, revenue and reputation.”
DMARC adoption varies by industry:
- IT software and services—74%
- Healthcare equipment and services—73%
- Semiconductors—72%
- Media—64%
- Hotels, restaurants, and leisure—63%
- Retailing—60%
- Drugs and biotechnology—60%
- Oil and gas operations—59%
- Conglomerates—56%
- Telecommunication services—56%
- Technology hardware and equipment—56%
- Food, drink and tobacco—54%
- Utilities—54%
- Business services and supplies—53%
- Aerospace and defense—50%
- Banking—50%
- Materials—47%
- Household and personal products—47%
- Transportation—46%
- Insurance—46%
- Diversified financials—43%
- Trading companies—41%
- Chemicals—41%
- Consumer durables—38%
- Food markets—38%
- Capital goods—37%
- Construction—28%
CSC also found 70% of the third-party domains reviewed were suspicious:
- 77% of third-party domains used domain privacy services and/or had WHOIS details redacted.
- 43% were configured with MX email records, allowing them to send phishing emails.
- 56% pointed to advertising or pay-per-click content, or were being used for domain parking.
- 38% had inactive web content.
- 6% pointed to brand impersonation and malicious content, such as phishing and potential malware delivery.
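As an added illustration of the kind of triage those categories imply (this is not CSC's method or data, which the article does not publish), the script below normalizes common homoglyph substitutions in candidate registrations, decides whether each is a fuzzy match for a monitored brand domain, and ranks the matches by the signals listed above: MX configured, WHOIS redacted, parked, or serving active content. The brand domain, the candidate domains and their attributes are all constructed.

```python
"""Triage of third-party 'fuzzy match' registrations against a brand domain.

Added example with constructed data; not the CSC report's method or findings.
"""
import re
from typing import Dict, List, Tuple

BRAND = "examplecorp.test"  # constructed brand domain

# Constructed registrations as a brand-monitoring feed might surface them.
# The attribute names mirror the report's categories, not any vendor's schema.
CANDIDATES: List[Dict] = [
    {"domain": "examp1ecorp.test", "mx": True, "whois_redacted": True, "parked": False, "content": "login-page"},
    {"domain": "exarnplecorp.test", "mx": True, "whois_redacted": True, "parked": True, "content": None},
    {"domain": "exampl\u0435corp.test", "mx": False, "whois_redacted": True, "parked": False, "content": None},  # Cyrillic 'е'
    {"domain": "examplecorp-support.test", "mx": False, "whois_redacted": False, "parked": False, "content": None},
    {"domain": "unrelatedshop.test", "mx": True, "whois_redacted": False, "parked": False, "content": "shop"},
]

# Single characters commonly substituted for Latin letters (digits and Cyrillic lookalikes).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
}
# Two-character sequences that render like one letter at small sizes.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def skeleton(label: str) -> str:
    """Reduce a label to a comparable form: map confusables, drop non-alphanumerics."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    for seq, repl in MULTI_CONFUSABLES:
        s = s.replace(seq, repl)
    return re.sub(r"[^a-z0-9]", "", s)


def registrable_label(domain: str) -> str:
    """Second-level label; adequate for the single-label TLDs used here (assumption)."""
    return domain.lower().split(".")[-2]


def classify_name(candidate: str, brand: str = BRAND) -> str:
    """'homoglyph' if the skeletons match, 'brand-embedded' if the brand is a substring, else 'unrelated'."""
    b, c = skeleton(registrable_label(brand)), skeleton(registrable_label(candidate))
    if c == b and candidate.lower() != brand.lower():
        return "homoglyph"
    if b in c:
        return "brand-embedded"
    return "unrelated"


def risk_score(entry: Dict, brand: str = BRAND) -> Tuple[str, int, List[str]]:
    """Score a fuzzy match by the report's signals; unrelated names score 0."""
    kind = classify_name(entry["domain"], brand)
    if kind == "unrelated":
        return kind, 0, []
    score, reasons = 1, []
    if entry["mx"]:
        score += 2
        reasons.append("MX configured")
    if entry["whois_redacted"]:
        score += 1
        reasons.append("WHOIS redacted")
    if entry["content"] and not entry["parked"]:
        score += 3
        reasons.append("active content")
    elif entry["parked"]:
        reasons.append("parked")
    return kind, score, reasons


def triage(candidates: List[Dict], brand: str = BRAND) -> List[Tuple[str, str, int, List[str]]]:
    """Rank candidates, highest risk first."""
    rows = [(e["domain"],) + risk_score(e, brand) for e in candidates]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for domain, kind, score, reasons in triage(CANDIDATES):
        print(f"{score:2} {kind:15} {domain:28} {', '.join(reasons)}")
```

The skeleton comparison is deliberately lossy: it exists to surface candidates for a human to review, so a few false positives are preferable to missing a Cyrillic-letter or `rn`-for-`m` registration that a visual check would not catch.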
The research is based on analysis of publicly available DNS records and domain registrations, combined with CSC's proprietary technology.