Many brands are unsure how best to address parked domains with names similar to their own. Some customers have come to us with a parked domain that could be mistaken for theirs and asked us to have it taken down. Unfortunately, it's not that simple. If a domain displays no content, it is difficult to prove that it is malicious or that its owner intends harm. Fortunately, there are steps brands can take to mitigate the risk that parked domains pose, and we have helped a number of brands work through these trickier, more nuanced brand impersonation risks.
A parked domain is a domain that someone has registered but that does not point to a website or any content. In many cases it shows only a generic registrar page or an error that the site can't be reached. Although they seem harmless, you'll come to understand (if you don't already) that parked domains still present a threat to your brand and customers.
Parked domains with names similar to your brand’s can threaten your reputation and customers, and you can’t afford to ignore them. Luckily, automating the continual monitoring of these domains is a relatively simple-to-implement first step in staying ahead of fraudsters that use them.
ICANNWiki defines a parked domain as a registered domain that has no content: the registrant holds the name, but the name does not typically serve any original digital content.
A domain may be parked because:
Many times a parked domain simply displays a generic message from the registrar or a seemingly innocuous "this site cannot be reached" error when visited.
The majority of parked domains remain benign or eventually become legitimate websites. On the flip side, however, Emotet, one of the most prevalent malware families known at the time of writing, used parked domains as a distribution channel in 2020.
Scammers use domain parking in their fraud schemes for multiple reasons including:
Scammers also park domains for a period of time to evade detection. Some domain monitoring solutions evaluate newly registered domains only for a limited window and then drop them from the scanning regimen. As you might imagine, the moment a domain falls out of that window is the perfect time for a fraudster to launch a phishing site on it.
Brands also come to us because they have noticed an MX record on a parked domain named similarly to their own. That is good reason to suspect that whoever owns the parked domain plans to send, or is already sending, phishing messages purporting to come from the brand.
A mail exchange (MX) record is a Domain Name System record that identifies the mail server(s) on the Internet that accept e-mail addressed to the associated domain.
Strictly speaking, an MX record is not needed to send mail (anyone can put any domain in a From header), but a parked domain that publishes one has been deliberately set up to receive mail, for example replies to a phishing message sent from that domain. Because the domain serves no web content, it may look harmless to the novice eye, and to brand impersonation detection methods that only inspect websites.
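The continual monitoring described above (domains that "wake up" after a monitoring window closes, and an MX record appearing on a parked lookalike) comes down to snapshotting DNS for a watchlist and diffing the snapshots. The following is an added example written for this page, not Allure Security's tooling. The resolver is a pluggable callable, so the logic runs offline against the constructed snapshots embedded below (reserved `.example` names and documentation IP ranges); a live deployment would supply a real DNS lookup (for instance one built on dnspython) and persist each snapshot between scheduled runs.

```python
"""Watch lookalike domains for the DNS changes that turn a parked domain into
an active phishing asset: a new A record, a newly published MX record, or a
nameserver change. Added example; not the article's or Allure Security's code."""
from __future__ import annotations

import json
from typing import Callable, Dict, List

Records = Dict[str, List[str]]              # rrtype -> sorted values
Snapshot = Dict[str, Records]               # domain -> records
Resolver = Callable[[str, str], List[str]]  # (domain, rrtype) -> values

RRTYPES = ("A", "MX", "NS")


def take_snapshot(domains: List[str], resolve: Resolver) -> Snapshot:
    """Query every watched domain for each record type and normalise the result."""
    return {d: {t: sorted(resolve(d, t)) for t in RRTYPES} for d in domains}


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[str]:
    """Return one alert per security-relevant transition between two snapshots."""
    alerts: List[str] = []
    for domain, now in new.items():
        if domain not in old:
            alerts.append(f"{domain}: first observation, baselined")
            continue
        before = old[domain]
        # An MX record appearing on a parked domain means it can now receive
        # mail (e.g. replies to phishing): the signal the article highlights.
        if not before["MX"] and now["MX"]:
            alerts.append(f"{domain}: MX record appeared ({', '.join(now['MX'])})")
        if not before["A"] and now["A"]:
            alerts.append(f"{domain}: started resolving to {', '.join(now['A'])}; check for content")
        elif before["A"] and now["A"] != before["A"]:
            alerts.append(f"{domain}: A record changed {before['A']} -> {now['A']}")
        # Leaving the registrar's parking nameservers usually precedes going live.
        if before["NS"] and now["NS"] != before["NS"]:
            alerts.append(f"{domain}: nameservers changed {before['NS']} -> {now['NS']}")
    return alerts


def scripted_resolver(table: Snapshot) -> Resolver:
    """Offline stand-in for DNS that answers from a constructed table."""
    return lambda domain, rrtype: list(table.get(domain, {}).get(rrtype, []))


def save_snapshot(path: str, snap: Snapshot) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_snapshot(path: str) -> Snapshot:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed data. Day 1: two lookalikes are parked, one does not resolve at all.
DAY_1: Snapshot = {
    "acme-bank-login.example": {"A": ["198.51.100.10"], "MX": [],
                                "NS": ["ns1.parking.example", "ns2.parking.example"]},
    "acmebank.example": {"A": ["198.51.100.10"], "MX": [],
                         "NS": ["ns1.parking.example", "ns2.parking.example"]},
    "acme-bank-secure.example": {"A": [], "MX": [], "NS": []},
}
# Day 2: one lookalike moved off parking NS, got a new host and an MX record;
# another started resolving; the third is unchanged.
DAY_2: Snapshot = {
    "acme-bank-login.example": {"A": ["203.0.113.7"], "MX": ["10 mail.acme-bank-login.example"],
                                "NS": ["ns1.other-dns.example", "ns2.other-dns.example"]},
    "acmebank.example": DAY_1["acmebank.example"],
    "acme-bank-secure.example": {"A": ["203.0.113.9"], "MX": [], "NS": ["ns1.other-dns.example"]},
}
WATCHLIST = sorted(DAY_1)


def run_demo() -> List[str]:
    """Diff the two constructed days; in production, diff the persisted snapshot
    against a fresh one on every scheduled run."""
    baseline = take_snapshot(WATCHLIST, scripted_resolver(DAY_1))
    latest = take_snapshot(WATCHLIST, scripted_resolver(DAY_2))
    return diff_snapshots(baseline, latest)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run it from a scheduler (cron, a CI job) with `load_snapshot` before and `save_snapshot` after each pass; the point is that the watchlist is never expired, so a domain that stays parked for months still raises an alert the day its MX or A record changes.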
Brands often ask us about these protocols, and it's easy to be confused about what they can and cannot do. Preventing email sender and message forgery with the triple threat of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) is good practice, and every domain owner should implement them if they haven't already.
Unfortunately, SPF, DKIM, and DMARC only mitigate the risk of someone sending forged email from a specific domain that you own: a receiving mail server evaluates them against the domain in the message's From header, and the records you publish for your domain say nothing about any other domain. They do not prevent someone from sending email from a different, lookalike domain, which carries its own DNS records that the fraudster controls.
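To make the limitation concrete, here is an added example (not from the article) of a deliberately minimal DMARC evaluator: the receiver looks up the policy for the From-header domain and requires an aligned SPF or DKIM pass. Run against constructed DNS data for a brand domain `acme-bank.example` (p=reject) and a fraudster's lookalike `acme-bank-login.example`, it shows that direct forgery of the brand domain is rejected, while mail sent as the lookalike never consults the brand's records at all. Assumptions: only the `ip4` SPF mechanism is implemented, and the organizational domain is simplified to "last two labels" (real receivers use the Public Suffix List).

```python
"""Minimal DMARC alignment check showing why a brand's SPF/DKIM/DMARC records
do not apply to a lookalike domain. Added example, not the article's code.
All DNS records and IP addresses below are constructed."""
from __future__ import annotations

import ipaddress
from typing import Dict, Optional, Tuple

# Constructed TXT records, as a receiver would fetch them from DNS.
DNS_TXT: Dict[str, str] = {
    "_dmarc.acme-bank.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "acme-bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # The fraudster registers a lookalike and publishes a perfectly valid SPF
    # record for the server they actually send from. The brand cannot stop this.
    "acme-bank-login.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
ATTACKER_IP = "203.0.113.5"   # constructed; outside acme-bank.example's SPF range
BRAND_IP = "192.0.2.10"       # constructed; the brand's legitimate sender


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return org_domain(candidate) == org_domain(from_domain)


def spf_check(mail_from_domain: str, sender_ip: str) -> str:
    """Evaluate the MAIL FROM domain's SPF record for the connecting IP (ip4 only)."""
    record = DNS_TXT.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    return "fail" if record.endswith("-all") else "softfail"


def dmarc_verdict(from_domain: str, mail_from_domain: str, sender_ip: str,
                  dkim_domain: Optional[str] = None, dkim_pass: bool = False) -> Tuple[str, str]:
    """Return (result, policy). result is 'pass', 'fail', or 'none' when the From
    domain publishes no DMARC record; policy is the p= tag the receiver would apply."""
    record = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if not record:
        return ("none", "none")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    spf_aligned_pass = (spf_check(mail_from_domain, sender_ip) == "pass"
                        and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_aligned_pass = bool(dkim_pass and dkim_domain
                             and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    return ("pass" if spf_aligned_pass or dkim_aligned_pass else "fail", tags.get("p", "none"))


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Four messages as a receiver would judge them."""
    return {
        # Legitimate brand mail from an authorised IP: aligned SPF pass.
        "brand mail": dmarc_verdict("acme-bank.example", "acme-bank.example", BRAND_IP),
        # Direct forgery of the brand domain: SPF fails, policy says reject.
        "forged From: acme-bank.example": dmarc_verdict("acme-bank.example", "acme-bank.example", ATTACKER_IP),
        # Forged From with the lookalike as MAIL FROM: SPF passes for the lookalike
        # but is not aligned with the From domain, so DMARC still fails.
        "forged From, lookalike MAIL FROM": dmarc_verdict("acme-bank.example", "acme-bank-login.example", ATTACKER_IP),
        # Mail sent *as* the lookalike: the brand's DMARC record is never consulted.
        "From: acme-bank-login.example": dmarc_verdict("acme-bank-login.example", "acme-bank-login.example", ATTACKER_IP),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

The last scenario is the one that matters for parked lookalikes: the fraudster can even publish their own `_dmarc` record for the lookalike and pass cleanly, because every check is keyed on the domain they registered, not on yours.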
One of the top 25 U.S. banks recently approached Allure Security for help with a number of parked domains it believed were a precursor to, or were already being used for, email phishing of its customers. Because the parked domains published no content, registrars and hosting providers would not take action on them: the domains were not breaking any established "rules of the Internet," and there was no evidence of malicious intent.
A Uniform Domain Name Dispute Resolution Policy (UDRP) filing also requires the complainant (the filer) to prove that the owner of the disputed domain is using it "in bad faith," defined as "tak[ing] unfair advantage of or otherwise abus[ing] a complainant's mark." According to the policy, evidence typically consists of dated screenshots of the offending website. On most parked domains, there is no content to screenshot.
On top of the difficulty of gathering evidence of malicious intent for a parked domain, the UDRP process takes time, at least 60 days in most cases. Every day that a potential phishing domain remains online means more potential victims, more potential fraud, and more damage to your brand.
Options for responding to a problematic parked domain boil down to three:
Despite the challenges and seeming futility of combating suspicious parked domains, brands can take steps to mitigate the risk. Perhaps most importantly, don't ignore them: a parked domain can turn into a malicious site at any time, and visibility alone is helpful.
Some steps brands can take to respond to problematic parked domains include:
Long story short, best practice is to maintain visibility of suspicious parked domains because they can become an active threat to your brand and customers at any time.
Posted by Sam Bakken