Type “Peta.com” into your web browser, and you’ll arrive at the website of People for the Ethical Treatment of Animals, an animal rights organization.
For a time, though, if you entered a very similar web address — “Peta.org” — it took you to a site branded “People Eating Tasty Animals,” complete with links to meat vendors.
PETA put an end to this with a lawsuit under the Anticybersquatting Consumer Protection Act, and today, either address will take you to the animal rights group’s site. But this kind of brand hijacking has not gone away.
Some of the biggest companies, celebrities, and even politicians have fallen prey to cybersquatting or typosquatting, whereby someone grabs a domain that’s just a letter or two off from a famous brand name. During the 2020 presidential campaign, the Photon Research Team tabulated more than 550 typosquats for 34 different domains related to candidates or the election.
Most were harmless or inactive. But some redirected to competitors’ websites — and others tried to install malicious browser extensions.
Big companies fight back against would-be trolls by purchasing a host of domain names similar to the real deal, so that they can redirect visitors to the right place. This is one reason major corporations end up owning vast portfolios of domain names — sometimes tens of thousands. They also implement programs to detect abusive registrations and take action to recover names where it makes sense.
Unfortunately, many companies don’t take the next step and make sure all the sites they own are secure, which leaves their domains vulnerable to hacking. Nor do they ensure that all their sites actually lead to active web pages.
In fact, just 28% of the domains owned by the 50 top-rated public companies in the Forbes Global 2000 lead to live content, according to research conducted by GoDaddy Corporate Domains. That’s much lower than the 90% goal that most companies should aim for.
All those dead ends represent missed opportunities to attract fans or customers. And they’re a sign that certain domains may be unnecessary — and thus wasteful spending. After all, why pay for a domain that doesn’t direct viewers to your actual site?
Worse, many big companies are not properly securing their registered domains. Our study found that only 17% of the primary corporate websites of the Global 2000 use registry locking, a relatively straightforward two-step system that prevents unauthorized updates and potentially disruptive automated updates. Companies ought to strive, at a minimum, to use registry locking on all core domains, including production websites, email, internal applications, and websites used for channel partners and resellers.
The study also found that only 3.5% of the websites had implemented DNSSEC, a security measure that protects domains against spoofing and other types of attacks. DNSSEC is recommended for any website that collects customer information.
And while 84% of corporate domains starting with “www.” are secured with SSL (Secure Sockets Layer, which protects encrypted links between networked computers), barely 60% of root domains are similarly secured. That means some companies are only partially protecting their sites from hackers.
In short, companies are leaving their domain portfolios unattended — and putting their reputations, data, and customers at risk in the process. Hackers can find a way in, and criminals may be able to obtain customer information.
It’s not hard to see how this happens. Despite registering many thousands of domains, corporations often have no centralized policy for when and how to establish new ones. As a result, employees often register domain names without guidance or oversight. Especially at big companies, keeping track of these various domains — across multiple different departments and divisions, and over years or even decades-long periods — can be an administrative nightmare.
But there are steps companies can take to crack down on the problem.
It starts with appointing a team responsible for managing a company’s corporate domains. Any company big enough to own a few hundred domains is big enough to need designated staff and procedures for handling them. Have a single person in charge and a clear set of guidelines for registering new domains. Make sure the policy is communicated to employees.
The next step is for that manager and her team to take inventory of what they have. A company needs a central list of every domain it has registered, and domain name ownership information should be periodically reviewed for accuracy.
Those responsible for domain name security should require registry locking on all their core sites, as well as DNSSEC wherever appropriate.
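The inventory review and the registry-lock and DNSSEC requirements above can be checked mechanically against registration data. The following is an added example, not part of the original article: it audits a constructed inventory of trimmed RDAP-style records, and the domain names, the core/non-core flags and the rule that DNSSEC is expected on every core domain are assumptions made for illustration.

```python
import json

# RDAP status values (RFC 9083) that together indicate a registry lock.
REGISTRY_LOCK = {"server delete prohibited", "server transfer prohibited",
                 "server update prohibited"}

# Constructed inventory: domain -> (is_core, trimmed RDAP-style JSON body).
# All names and values are invented for this example.
INVENTORY = {
    "example.com": (True, '{"status": ["server delete prohibited", '
                    '"server transfer prohibited", "server update prohibited"], '
                    '"secureDNS": {"delegationSigned": true}}'),
    "example.net": (True, '{"status": ["client transfer prohibited"], '
                    '"secureDNS": {"delegationSigned": false}}'),
    "example.org": (True, '{"status": ["server delete prohibited", '
                    '"server transfer prohibited"], '
                    '"secureDNS": {"delegationSigned": true}}'),
    "promo.example": (False, '{"status": ["active"]}'),
}


def audit_domain(name, is_core, rdap_body):
    """Check one inventory entry for registry lock and a signed delegation."""
    record = json.loads(rdap_body)
    statuses = {s.lower() for s in record.get("status", [])}
    missing = sorted(REGISTRY_LOCK - statuses)
    signed = bool(record.get("secureDNS", {}).get("delegationSigned", False))
    findings = []
    if is_core and missing:  # registrar-level "client ..." locks do not count
        findings.append("registry lock missing: " + ", ".join(missing))
    if is_core and not signed:  # assumption: DNSSEC is expected on core domains
        findings.append("DNSSEC delegation not signed")
    return {"domain": name, "core": is_core, "locked": not missing,
            "dnssec": signed, "findings": findings}


def audit_inventory(inventory):
    return [audit_domain(n, core, body)
            for n, (core, body) in sorted(inventory.items())]


def coverage(results, key):
    """Percentage of inventoried domains where `key` ('locked'/'dnssec') holds."""
    return round(100 * sum(r[key] for r in results) / len(results), 1)


if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for r in results:
        print(r["domain"], "OK" if not r["findings"] else "; ".join(r["findings"]))
    print("registry lock:", coverage(results, "locked"), "% DNSSEC:",
          coverage(results, "dnssec"), "%")
```

A domain carrying only registrar-set "client ..." statuses, or only some of the three "server ..." statuses, is reported as not registry-locked.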
Domain name security can seem like a daunting task — and it clearly is, given the number of top companies that neglect their own. But it’s well worth getting on top of, before the next domain security mishap damages a company’s reputation — or bottom line.