CSC Reports Spike in Fake Baby Formula, Semiconductor Domains

A report published by CSC today revealed a spike in fake domain registrations from entities attempting to leverage the ongoing shortages of baby formula and semiconductors to conduct phishing attacks and perpetrate fraud.

The CSC report found an 84% increase in baby formula-related domains registered by third parties since January of 2021 and a 95% increase in similar semiconductor industry-related domains.

CSC also reported that within third-party registered domains, 26% of baby formula-related and 44% of semiconductor-related domains are configured with MX email records, a mechanism widely used by cybercriminals to disseminate phishing emails.

A total of 93% of baby formula-related and 79% of semiconductor-related domains included privacy services or have WHOIS details redacted as part of a deliberate effort to conceal the true identities of the sites’ owners, according to the report.

Vincent D’Angelo, global director for CSC Digital Brand Services, said the root cause of the problem is that it is simply too easy for cybercriminals to register a domain that mimics a legitimate entity selling a product online. Consumer-grade registrars offer services like name spinning and domain auctioning that promote the registration of confusingly similar names that not only infringe on established brands but are also often used for phishing and fraud, he noted.

CSC is making a case for an enterprise-class domain register service as an alternative. Among other things, that alternative would combine registry- and registrar-level locks and a WHOIS lock to prevent unauthorized changes of DNS records and domain hijacking. Those services don’t prevent cybercriminals from using consumer-grade domain registers, but they are an important part of any larger effort to protect investments in brands.

The challenge is that when it comes to protecting brands online, the responsibility for that activity spans marketing, legal, IT and cybersecurity teams. Exactly which group has primary responsibility is often difficult to determine, said D’Angelo.

Over time, this issue becomes especially problematic when customers start to lose faith in the internet as an e-commerce platform. They may research products and services online, but may only buy from a handful of trusted suppliers. As the number of trusted suppliers shrinks, the overall level of competition within any given vertical industry segment will start to contract.

Ideally, there should be more restrictions on domain name creation. It takes only a few minutes to register a domain name, but it can take months—sometimes years—to resolve a copyright infringement lawsuit. Of course, care also needs to be taken to make sure organizations are not overreaching their branding rights to stifle competition. Right now, however, it’s far too easy for cybercriminals to create a domain by changing a single letter of a popular brand name or use some type of homoglyph that mimics the look and feel of a brand.

In the absence of preventative efforts, however, cybersecurity teams need to stay alert when it comes to rooting out fake websites that send out phishing emails and that are hard for the average end user to confirm as legitimate. They may not be able to eliminate them, but there are measures—such as reporting them to Google and other search engine providers—that will go a long way toward suppressing their reach.