Summary: The article discusses the emerging threat of “phantom domains,” which are active links to unregistered dot-com domains that can be exploited by malicious actors to hijack hyperlinks and deceive users. It highlights the risks associated with these domains and offers strategies for enterprises to mitigate potential attacks.
Threat Actor: Malicious actors | malicious actors
Victim: Enterprises and users | enterprises and users
Key Point :
- Phantom domains can arise from simple errors or as placeholders in web development, creating potential attack vectors.
- Malicious actors can register these domains and create spoofed websites, tricking users into providing sensitive information.
- Education and awareness are crucial for users to recognize and avoid clicking on suspicious links, even on trusted websites.
- Enterprises should actively scan for phantom links and implement credential management tools to enhance security.
- Training staff to double-check URLs can significantly reduce the risk of falling victim to hijacked hyperlinks.
<!—->
<!– –>
According to a recent paper published at the 2024 Web Conference, so-called âphantom domainsâ make it possible for malicious actors to hijack hyperlinks and exploit usersâ trust in familiar websites.
The research defines phantom domains as active links to dot-com domains that have never been registered.
Hereâs what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.
Domain errors
Errors occur when web developers or administrators make mistakes, such as misspelling the intended domain destination. The result is a link that looks legitimate but instead goes nowhere.
Consider the example of a fictional sporting goods store, Bobâs Sports Gear. As expected, Bobâs website is www.bobssportsgear.com. Links on the companyâs website should point to subdomains of this top-level domain, such as /products, /about or /contact. A simple mistake, however, can create a phantom domain.
With Bobâs under a time crunch to complete their new website, one (or more) links on the homepage are entered as www.bobsportsgear.com. Itâs a simple error â all thatâs missing is the second âsâ in the domain name. Because the mistake is so close to the actual site name, itâs easy for these errors to go unnoticed for weeks or months.
Placeholder domains
Developers may also use placeholder domains for links. Placeholder links may point to domains that arenât live yet but are part of a larger web project. If the project isnât completed and the links arenât removed, they remain active but effectively useless.
Continuing with the example from above, Bob decides to expand his business and start selling outdoor goods for camping, fishing and BBQing. While developers get to work on the new site, his team adds a placeholder link on the original Bobâs Sports website that points to www.bobsoutdoorgear.com. Unfortunately, changing market conditions force Bob to scrap the idea. The website is never completed â but the link remains active.
Placeholder links may also pop up when companies purchase web templates directly from designers or developers. These templates often contain placeholder links to nonsense domains that should be replaced by businesses before the website goes live.
According to the paper, these domains arenât digital outliers â the web currently contains links to more than 572,000 phantom domains.
Explore IBM cybersecurity services
The phantom menace
Phantom domains become potential attack vectors when compromised by malicious actors. If attackers discover a misspelled link on a popular website that leads to a phantom domain, they could purchase this domain, often for a low cost. As the new owners of the domain, they properly register and list their website, then create a spoofed copy of the legitimate site. From a userâs perspective, clicking a link on a trusted webpage takes them to another section of that same webpage â in actuality, theyâve arrived on a fake page that may ask for their credentials or convince them to download infected files.
The result? Hijacked hyperlinks on trusted pages â hyperlinks that users may click through without checking for typos or other issues because their guard isnât up. Spoofing attacks tied to phantom links offer a significantly higher likelihood of success for attackers. For example, an analysis of 51 phantom domains bought and registered found that 88% exceeded the traffic of a control domain, sometimes up to 10 times more visits.
Education is key
From an education standpoint, enterprises need to communicate the inherent risk of any link on any page â not just those that appear in unsolicited emails or text messages. Spoofed websites are a common tactic used by cyber criminals in phishing and smishing attacks, which has led many enterprises to invest time and effort in teaching staff to recognize and avoid the risk of spoofed links.
Pared down to its basic premise, this education is simple: Donât click on links you donât recognize. Itâs good advice, and it helps companies significantly reduce the risk of compromise. The problem with phantom domains, however, is that compromise doesnât start with cyber criminals. Instead, users navigate to a legitimate website with a familiar URL. Because the site is familiar, they donât spend time checking every link on the page â instead, they assume the owners of the site have done their due diligence to ensure hyperlink security.
From the usersâ perspective, no risk exists: they entered the right URL, clicked on a secure link and provided their credential data in response to a legitimate request.
Build your action plan
When it comes to action, companies need to ensure theyâre actively scanning their web pages for links that donât lead anywhere. Free tools are available for this purpose, but thereâs also an opportunity here to leverage AI to find phantom links, check if theyâre now tied to active websites and assess the potential risk of those sites.
Itâs also worth deploying credential management tools that offer autofill options for trusted sites. but wonât populate credentials for unknown URLs. This means that if users land on the e-commerce account login page for www.bobssportsgear.com, security tools will automatically provide login data. If, however, theyâve ended up on bobsportsgear.com, credentials wonât appear. While this isnât a 100% deterrent against hijacked hyperlinks, itâs often enough to get users thinking about whatâs going on, and why itâs happening.
Eliminating the weakest link(s)
Links to phantom domains donât pose an inherent risk â so long as companies ensure they review websites for misspelled URLs and remove any placeholder links, hijacked hyperlinks are impossible.
The challenge, however, is that enterprise control only extends to the sites they own. If staff visit trusted banking, e-commerce or business partner websites that have been subject to spooky action, the results are much the same as phishing or spoofing attacks.
Not surprisingly, the secret to eliminating weakest links is recognizing that theyâre human rather than digital. By training staff to double-check domains before they click through, companies can reduce the risk of hijacked hyperlink hacks.
