By Kirsty Holmes, Client Research Manager
It’s been 25 years since the domain name registrar Network Solutions, now owned by Verisign, erroneously transferred the ‘valuable’ domain name SEX.COM from its original owner, Gary Kremen, to notorious con man and convicted criminal Stephen Michael Cohen. The wrongful transfer was the result of a forged letter from Cohen to Network Solutions; authorisation from the owner Kremen was not sought and a long-standing legal dispute between parties ensued. This case raised obvious alarm bells as to how a simple fax or letter could easily be used to fraudulently obtain ownership of a product or service, such as a domain name.
Nowadays, millions of internet users place their trust in websites representing official and government organisations around the world – the NHS (NHS.UK), the WHO (WHO.INT) and the EU (EUROPA.EU), to name but a few – when seeking authoritative information and advice. The UK government’s website GOV.UK, for instance, describes itself as “The best place to find government services and information”, and in these times of COVID-19 it is crucial that people can access accurate information without having to question its authenticity.
However, it is only recently, in an era of two-factor authentication (2FA) and other security measures, that the US government’s DotGov Program, part of the US General Services Administration, has introduced an additional measure to help ensure that registrations under its restricted .GOV TLD are wholly legitimate.
.GOV is available only to US-based government organisations, from federal agencies to local municipalities. Using a .GOV domain therefore signals that the registrant is an official government organisation and assures visitors that they are accessing an official US government website.
Requests for domains (and requests for exceptions to policy) have to be sent from an “authorising authority”, which differs slightly for federal, native sovereign nations, state, interstate, independent intrastate, and city/county government organisations.
In spite of this, in November 2019, KrebsOnSecurity.com (which provides investigative reporting on cybercrime and Internet security) reported that it was “Way Too Easy to Get a .gov Domain Name”, describing an email from a researcher who had easily obtained a .GOV domain name, albeit illegally and as a “thought experiment”. How? By completing the official authorisation form and emailing it on ‘official’ letterhead (found via a Google search) from a small US town whose website used only a .US domain name and which had no existing .GOV domain. The researcher also used a fake Google Voice number and a Gmail address to impersonate the town’s mayor on the application, and the links to create the domain account were then sent to the contacts listed on that application form. This highlighted that a cybercriminal, particularly one outside the US, could easily do the same thing to lend credibility to a malicious website, to phishing emails or to a fake-news social media campaign.
KrebsOnSecurity then contacted the government agency and eventually received a response from the Cybersecurity and Infrastructure Security Agency (CISA), a division of the US Department of Homeland Security, which said that “The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country” and that “Its use by these institutions should instil trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration. This transfer would allow CISA to modernize the .gov registrar, enhance the security of individual .gov domains, ensure that only authorized users obtain a .gov domain, proactively validate existing .gov holders, and better secure everyone that relies on .gov.”
According to the IANA Root Zone Database, the .GOV TLD is still operated by the General Services Administration. Some four months after the KrebsOnSecurity.com article was published, however, the DotGov Program took steps to tighten security around .GOV domain registrations. It announced on 5 March 2020 that it would introduce an additional authorisation step in the registration process: as of 10 March 2020, the DotGov Program requires notarised signatures on all authorisation letters submitted with a request for a new .GOV domain. “This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain. This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official US government organizations”, the registry states.
Interestingly, some major US cities still do not operate under the obvious .GOV name for their city: HOUSTON.GOV, LOSANGELES.GOV and PHILADELPHIA.GOV, for example, are not the domains those cities use.
There is also the question of whether a notarisation can itself be forged, or fraudulently obtained, through the cybercrime underworld, and whether this additional step alone is enough to prevent a repeat of the incident without more stringent manual verification by the .GOV registry.
In the meantime, people can only assume, and hope, that a website on a domain under such a TLD is just what it appears to be: official, trustworthy and not a vehicle for adverse geopolitical outcomes.
More broadly, a large amount of online impersonation crime is committed through the registration of infringing domain names. At Com Laude, many of our clients use our domain name brand protection software, which identifies and assesses potential infringements to inform a cost-effective plan for addressing those that are most severe.