The holiday shopping season, especially Black Friday and Cyber Monday, is a prime time for cybercriminals. McAfee Labs consistently observes a significant spike in malicious activity during this period, fueled by the combination of high web traffic, deals that create a sense of urgency, and a massive increase in card-not-present online transactions that create a perfect storm. Attackers exploit the chaos, knowing shoppers are often distracted and rushing to find the best Black Friday deals, making them more susceptible to phishing scams, fake websites, and malware designed to steal financial information.

As we gear up to feast with family and friends this Thanksgiving, and prepare our wallets for Black Friday and Cyber Monday, let’s look at how these two popular shopping events can impact your online security, and how to protect yourself from scammers.

Stolen credentials and identity theft

The consequences of falling for a holiday scam can be devastating. Beyond the initial financial loss from a fraudulent purchase, victims often face the long-term nightmare of identity theft. According to the Federal Trade Commission (FTC), consumers reported losing $12.5 billion to fraud in 2024, with online shopping scams as the second most commonly reported incident. Recovering from identity theft is not just costly. It’s also incredibly time-consuming. On average, it can take victims months to clear their names and correct their credit reports, adding significant emotional stress during what should be a joyful season.

The Black Friday shopping phenomenon

Historians trace the use of Black Friday to the 1960s, when Philadelphia police officers named the day after Thanksgiving as Black Friday because they had to work overtime to manage the mob of holiday shoppers and attendees to the traditional Army-Navy football game on Saturday. Later on, Shop.org coined the term Cyber Monday as a way for online retailers to participate in the Black Friday shopping frenzy.

Since the beginning of these two massive shopping holidays, both have seen incredible growth as more shoppers are turning to the Internet to participate in holiday bargain hunting. In the US, consumers reportedly spent $10.8 billion online on Black Friday 2024, a 10.2% increase from 2023, while Cyber Monday brought in a record $13.3 billion. 

The uptick in online shopping activity provides cybercriminals the perfect opportunity to disrupt shoppers’ holiday activities and compromise their online security. During this festive season, it is best to take proactive measures to safeguard your digital presence. 

Black Friday risks versus Cyber Monday risks

Historically, Black Friday was initially focused on in-store shopping, while Cyber Monday centered on online deals. As such, each shopping event presented its own cyber risks: 

Black Friday risks

• Mobile-first scams: Shoppers often hunt for deals on their phones on the go before heading to the physical stores, making them more susceptible to smishing and malicious links sent via text.
• Public Wi-Fi dangers: While in-store, shoppers usually connect to unsecured public Wi-Fi at malls or cafes, exposing their data to hackers on the same network.
• Fake QR Codes: Shoppers could click on malicious QR codes on posters or flyers that promise exclusive deals, but lead to phishing sites.

Cyber Monday risks

• Sophisticated phishing emails: Attackers often use data from weekend shopping activities to launch targeted email campaigns with fake shipping notifications or order confirmations for incredible deals.
• Desktop-based Malware: With more people shopping from work or home computers, there’s a higher risk of encountering malicious ads or downloading fake browser extensions that steal data.
• Lookalike websites: Scammers create highly convincing replicas of popular retail websites to trick users into entering login and payment details.

As retailers embrace both in-store and online platforms, cyber fraudsters are blurring the lines to take their scams to both domains.

How to protect yourself from these scams 

With the surge in online shopping during both shopping holidays, cybercriminals are also on high alert, crafting sophisticated scams to trick unsuspecting shoppers. It’s essential to approach every email or text message suspiciously, checking the sender’s information and avoiding clicking on unsolicited links.Thankfully, there are steps you can take to protect yourself when shopping online during Black Friday and Cyber Monday. 

• Never give your information. Be suspicious of unsolicited messages, even if it appears to be from a trusted source. Hover over links in emails or texts to see the actual destination URL before clicking. If the offer seems tempting, visit the retailer’s official website and check if the same deal is available there. 
• Eye the website with skepticism: If you happen to click the link and are led to a website, always ensure that the website you’re shopping from is legitimate. Check for the padlock icon in the address bar and “https” in the URL, as these are indicators of a secure site. Steer clear of websites that have misspelled domain names, as they could be fraudulent. Learn more about the traits of a fake website.
• Use credit instead of debit cards. Credit cards generally offer better fraud protection and make it easier to dispute unauthorized charges.
• Enable multi-factor authentication (MFA). Add this extra layer of security to your email and retail accounts whenever possible.
• Beware of too good to be true offers. Extreme discounts are a common lure for scams. If a deal seems unbelievable, it probably is.
• Verify the seller. Shop with well-known, reputable retailers. For unfamiliar sellers, look for reviews and a physical address.
• Avoid public Wi-Fi for purchases. Your personal data is vulnerable on unsecured networks. Use your mobile data or a secure VPN instead.
• Keep your software updated. Install updates for your operating system, browser, and security software to address known vulnerabilities.
• Install a reputable security software. This can provide you with real-time protection and alert you to a malicious website or link.

Use virtual cards and trusted payment gateways

One of the most effective ways to protect your financial data is to avoid entering your actual debit or credit card number directly on websites. Instead, use payment methods that act as a buffer. Virtual credit cards, offered by many banks and privacy services, generate a unique, temporary card number for a single transaction or vendor, making your real account information useless to thieves if a site is breached. 

Similarly, digital wallets such as PayPal, Apple Pay, and Google Pay use tokenization to mask your card details. When using browser extensions for coupons, be cautious. Only install trusted extensions and check their permissions. 

Monitor price drops without sacrificing security

Everyone wants to find the best price, but be wary of how you track those Black Friday deals. While some deal-tracking apps and browser extensions are helpful, others are privacy nightmares, requesting broad permissions to read all your browsing data. 

Before installing any price tracker, carefully review the permissions it requests. Better yet, use well-known, reputable services or set up price alerts directly on major retail websites. Before you download any new app to your phone or computer, use a security solution with a safe-app check feature to ensure it doesn’t contain malware or spyware.

Invest in McAfee security software

Keeping your digital data and identity safe during the holiday shopping fever might be the best gift you could give yourself and your family. Consider these top features:

• McAfee® Total Protection: This powerful solution provides essential antivirus and web protection to block malicious websites and phishing links in their tracks while you hunt for online deals.
• McAfee® Scam Detector: This feature uses patented AI technology to detect and protect you from risky links in texts, emails, and social media, stopping scams before you can even click.
• McAfee® Mobile Security: This comprehensive protection on the go helps shield you from risky Wi-Fi networks and malicious apps.
• Identity Monitoring: Get alerts if your personal information, like email addresses or credit card numbers, is found on the dark web, allowing you to take action quickly to prevent identity theft. 

FAQs: Stay protected while holiday shopping

Is it safe to shop Cyber Monday deals on mobile?

Shopping for Cyber Monday deals on your phone can be convenient, but it requires extra caution. The biggest pitfall is using unsecured public Wi-Fi networks in places like coffee shops or malls, allowing criminals to intercept your data. 

Another major threat is fraudulent shopping apps designed to steal your information. For another layer of protection, use mobile wallets like Apple Pay or Google Pay as they use tokenization to process payments without exposing your actual card number.

Are deals advertised on social media legitimate?

They can be, but social media is also rife with scams. Instead of clicking links in ads, go directly to the retailer’s official website to find the deal. Scammers often create fake storefronts on social platforms to steal your money and data.

Do retailers release Cyber Monday deals early?

Yes, many retailers start their Cyber Monday deals during the Black Friday weekend or earlier. However, be cautious of unsolicited emails announcing “early access.” Always verify these offers on the retailer’s actual website, as this is a common phishing tactic.

Is it safe to pay with a QR code?

Only use QR codes from trusted sources. Criminals can place malicious QR code stickers over legitimate ones, redirecting you to a phishing site. When in a store, confirm the QR code is legitimate with an employee. When shopping online, only scan codes on a retailer’s official site or app.

What should I do if I get a suspicious shipping notification?

Do not click any links in the email or text message. Scammers send fake shipping alerts to get you to click on malicious links or provide personal information. Instead, go to the retailer’s website and use your official order number to track your package directly.

Final thoughts

Black Friday and Cyber Monday are prime opportunities for consumers to snag once-a-year deals and for cybercriminals to exploit their eagerness to save. However, being aware of the prevalent scams and knowing how to protect yourself can save you from falling prey to these ploys. 

One effective way to do so is by investing in top-tier online protection solutions. McAfee offers award-winning cybersecurity solutions developed to shield you from the ever-evolving threats. Explore the features of our McAfee+ Ultimate and Total Protection plans and stay informed about the latest cyber threats with McAfee Labs.

Always strive to shop wisely and stay safe, and remember that if an offer seems too good to be true, it probably is.

The post Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blog.

The value of Bitcoin has had its ups and downs since its inception in 2013, but its recent skyrocket in value has created renewed interest in this virtual currency. The rapid growth of this alternative currency has dominated headlines and ignited a cryptocurrency boom that has consumers everywhere wondering how to get a slice of the Bitcoin pie. For those who want to join the craze without trading traditional currencies like U.S. dollars (i.e., fiat currency), a process called Bitcoin mining is an entry point. However, Bitcoin mining poses a number of security risks that you need to know.

What Is Bitcoin Mining?

Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. Miners, as they are called, essentially maintain and secure Bitcoin’s decentralized accounting system. Bitcoin transactions are recorded in a digital ledger called a blockchain. Bitcoin miners update the ledger by downloading a special piece of software that allows them to verify and collect new transactions. Then, they must solve a mathematical puzzle to secure access to add a block of transactions to the chain. In return, they earn Bitcoins, as well as a transaction fee.

What Are Bitcoin Security Risks?

As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning, a Bitcoin user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that it requires a lot of expensive computing power. This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices.

One example of this security breach happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors used this time delay to access the users’ laptops for mining. In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. When an attacker loads mining software onto devices without the owner’s permission, it’s called a cryptocurrency mining encounter or cryptojacking.

It’s estimated that 50 out of every 100,000 devices have encountered a cryptocurrency miner. Cryptojacking is a widespread problem and can slow down your device; though, that’s not the worst that can happen. Utility costs are also likely to go through the roof. A device that is cryptojacked could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.

What Are Some Bitcoin Privacy Tips?

Now that you know a little about mining and the Bitcoin security risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

• Avoid public Wi-Fi networks: These networks often aren’t secured, opening your device and information up to a number of threats.
• Use a VPN: If you’re away from your secure home or work network, consider using a virtual private network (VPN). A VPN is a piece of software that gives you a secure connection to the Internet, so that third parties cannot intercept or read your data. A product like McAfee+ can help safeguard your online privacy no matter where you go.
• Secure your devices: New Bitcoin threats, security concerns, and malware are emerging all of the time. Protect your devices and information with comprehensive security software

The post Bitcoin Security: Mining Threats You Need to Know appeared first on McAfee Blog.

Smartphone hacking is the unauthorized access to and control over a mobile device or its communications. This goes beyond a simple malware infection; it’s a targeted breach aimed at stealing your personal data, spying on your activities, or using your device for malicious purposes.

Unlike general viruses that may just slow down your device, a hack can lead to severe real-world consequences. This article aims to increase your awareness about hacking methods, how to prevent it or determine if your phone has been infiltrated, and how to protect your phone moving forward.

Why cybercriminals target smartphones

Your smartphone is a goldmine of personal information, making it a high-value target for cybercriminals whose motivations are typically centered on financial gain and identity theft. Hackers seek banking credentials, credit card numbers, and access to payment apps for direct financial theft. Meanwhile, stealing your personal information—like emails, contacts, and passwords—allows them to commit identity fraud or sell on dark-web markets.

Beyond money, attackers may use your phone for surveillance, secretly activating your camera or microphone to spy on you. In other cases, they may hijack your device’s resources to include it in a botnet for larger attacks or hold your files hostage with ransomware. Understanding these threats is the first step in knowing how to protect yourself from them, so it’s vital to learn the methods hackers use to get into your phone.

Hackers exploit iOS and Android differently

While both iOS and Android are secure, their core philosophies create different opportunities for hackers. Android’s open-source nature allows for greater customization, including the ability to “sideload” third-party apps from outside the official Google Play Store. Unvetted apps with malicious code are a primary vector for malware.

In contrast, Apple’s iOS’s closed ecosystem makes it much harder to install unauthorized software. For this reason, many attacks targeting iPhones rely on social engineering, sophisticated zero-day exploits that target unknown vulnerabilities, or jailbroken devices, which strips away Apple’s built-in protections.

To protect your device, tailor your defense to its ecosystem. The best practice for Android users is to stick to the Google Play Store and ensure Google Play Protect is active, as it continuously scans your apps for harmful behavior. iPhone users concerned about targeted attacks should activate Lockdown Mode, an extreme feature that limits functionality to reduce the potential attack surface. Regardless of your platform, keeping your operating system updated is the single most important step you can take to stay secure.

How your phone gets hacked: Common attack vectors

Wondering how your phone gets compromised? Hackers use several common pathways.

Jailbreaking or rooting

A hacker might install spyware after you jailbreak or root your smartphone to bypass the security of their respective stores. Jailbreaking or rooting gives smartphone users more control over their devices, such as removing pre-installed apps and installing third-party apps from unvetted sources. However, this action removes barriers that keep viruses and malware from entering the smartphone’s system and spreading to apps, files, devices and other networks. And because Apple and Google don’t review the apps in those sources, this allows the hacker to post a bad app with relative ease.

Sneaking a malicious app update

Apple has a strict review policy before apps are approved for posting in the App Store. Meanwhile, Google started applying AI-powered threat detection, stronger privacy policies, supercharged developer tools, industry-wide alliances, and other methods in its app reviews. Bad actors, however, could still sneak malware into the stores by uploading infected app versions during updates. Other times, they’ll embed malicious code that triggers only in certain countries or encrypt malicious code into the app they submit, making it difficult for reviewers to sniff out.

Remote hacking

Cybercriminals have several sophisticated methods to hack smartphones remotely. One common technique is phishing, where you might receive a text or email with a malicious link that, when clicked, installs spyware on your device. Another remote hacking vector is through unsecured public Wi-Fi networks, where hackers can intercept your data. Spyware can also be delivered via SMS payloads that require no user interaction.

Text messages

Smishing (SMS phishing) is a common and effective way for hackers to attack your phone, where they send an urgent text with a malicious link, like a fake delivery notification or a bank alert, to trick you into clicking without thinking. Once you click, the link can lead to a fake website designed to steal your login credentials or directly download malware onto your device. Attackers also use MMS messages to send malicious files, like images or videos, which in some rare “zero-click” exploits, can infect your phone without you even opening the message.

To protect yourself, treat all unexpected links in text messages with suspicion. Never click on a link from an unknown sender. A key preventive step is to go into your messaging app’s settings and disable the automatic download of MMS files. This prevents malicious media from loading onto your device automatically. Always verify urgent requests by contacting the company or person directly through a trusted channel, not by using the contact information provided in the suspicious text.

Malicious websites

In this method, hackers use techniques like drive-by downloads, which silently installs malware onto your device the moment a page loads—no click required. Malvertising is where malicious code is hidden in online ads that, if served on a site you visit, can trigger a spyware or ransomware download. These attacks are most effective against devices with outdated web browsers, as they target known security holes that have since been patched.

Fake “update required” pop-ups are designed to scare you into installing malicious software disguised as a critical browser update. To protect yourself, always keep your mobile browser and operating system fully updated. Use your browser’s built-in safe-browsing features, and be cautious about granting permissions or clicking links on unfamiliar websites.

SIM-swap and phone cloning

These two sophisticated attacks can give a hacker complete control over your phone number. In a SIM-swap attack, a criminal tricks your mobile carrier into transferring your phone number to a SIM card they control. In phone cloning, they copy the identifying information from your phone to another, making a functional duplicate. In either case, the attacker can then intercept your calls, texts, and two-factor authentication codes.

Proactive defense includes setting up a unique PIN or password on your account for an extra layer of security. Switch to an eSIM if possible, as eSIMs are not as easily swapped as physical cards. If you suspect an attack, immediately report the issue to your carrier and check your financial and email accounts for unauthorized activity. You can also use the dial codes, like *#62#, to see if your calls are being forwarded to an unknown number.

Compromised phone camera

Malicious apps and spyware can secretly access your camera and microphone, potentially livestreaming audio and video to an attacker without your knowledge. Key warning signs include the camera indicator light turning on unexpectedly, significant and unexplained battery drain, or finding unfamiliar photos and videos in your gallery. To protect yourself, regularly audit the apps installed on your phone. Go into your device’s settings to review which apps have permission to access your camera and revoke access for any that don’t need it.

Other methods

Network-based attacks occur over unsecured public Wi-Fi where attackers can intercept your data. Finally, unsecure cloud backups can be a weak point, as a compromised password for your Apple or Google account could give a hacker access to all the data you’ve stored. Knowing these attack vectors is the first step toward understanding how to know if your phone is hacked.

9 Warning signs your smartphone has been hacked

Because we spend so much time on our phones, it’s fairly easy to tell when something isn’t working right. Sometimes those issues are symptoms of an infection. Possible signs that your device has been hacked include:

• Performance issues:  A slower device, webpages taking way too long to load, or a battery that never keeps a charge can be attributed to your device reaching its retirement. However, these things might also signal that malware has compromised your phone.
• Your phone feels hot: Malware running in the background of your device might burn extra computing power, causing your phone to feel overheated.
• Mysterious calls, texts, or apps: If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you didn’t make pop up on your phone bill, these are definite red flags that your device has been hacked.
• Changes or pop-ups crowd your screen: If you are getting an influx of spammy ads or your app organization is suddenly out of order, or your home screen has been reorganized, there is a big possibility that your phone has been hacked.
• Unexpected battery drain: Your phone’s battery dies much faster than usual because malware is constantly running in the background.
• Sudden data spikes: You notice a sharp, unexplained increase in your mobile data usage as spyware sends your information to a hacker.
• Unexplained charges: You find subscriptions or premium service charges on your phone bill or to your account that you never authorized.
• Background noise on calls: You hear clicks, static, or distant voices during phone conversations, which could indicate a call-monitoring app is active.
• Sudden loss of mobile service on your phone, notifications of account changes you didn’t make, or being locked out of your online accounts.

Confirm a breach with built-in diagnostics

If these symptoms are present, use the following tools to verify whether your device has been compromised:

1. For Android, run Google Play Protect: This is your first line of defense on an Android device. Open the Google Play Store app, tap your profile icon in the top right, and select Play Protect. Tap “Scan” to check your installed apps for harmful behavior. Play Protect runs automatically but a manual scan can help confirm if your phone is hacked.
2. For iOS, use Apple’s Safety Check: To check if your iPhone has been hacked, go to Settings > Privacy & Security > Safety Check. This tool helps you review and revoke the access you’ve granted to people, apps, and devices, which is a common way iPhones are compromised.
3. Install a reputable antivirus scanner: For a deeper analysis, install a trusted mobile security app like McAfee to detect a wider range of malware, spyware, and risky settings. Run a full system scan.
4. Interpret the results: If the scan detects a threat, it will typically be labeled with a name and a risk level. The security app will also give you an option to remove or uninstall the malware. If you receive a warning but no option to remove, boot your phone into safe mode and manually uninstall the suspicious app.

What to do if your phone is hacked? Your next steps

The results of the scan are in: your smartphone has clearly been hacked. There is no time to lose. To start the process of blocking the hacker or removing the malware, follow these essential first steps:

1. Remove apps you didn’t install and restart. Check your apps folder for anything unfamiliar and remove them. From there, disconnect from the Internet and restart your phone to halt any malicious activity.
2. If issues persist, reset. If you still have issues, restoring your phone to its factory settings is an option, provided you have backed up photos, contacts, and other vital info in the cloud. A quick online search can show how relatively straightforward it is to wipe and restore your model of phone.
3. Flash the stock firmware. As a last resort for technical users, reinstalling the official operating system will almost certainly remove the hack.
4. Change critical passwords: Using a different, trusted device, immediately change the passwords for your most important accounts—email, banking, and social media.
5. Check your accounts and credit. Some online security solutions like McAfee+ are capable of Identity Monitoring, which alerts you if your info winds up on the dark web, while Credit Monitoring alerts you of unauthorized activity in your accounts.
6. Get expert help. Our Identity Theft Coverage & Restoration service offers $2 million that covers required travel, losses, and legal fees associated with identity theft. It also offers the services of a licensed recovery professional who can repair your credit and your identity after a hack attack.
7. Notify financial institutions: Contact your bank and credit card companies to alert them to the potential breach. Monitor your statements closely for any fraudulent charges.
8. Report the incident: Inform your mobile carrier about the breach and consider filing a report with the appropriate authorities, such as local law enforcement and the FBI’s Internet Crime Complaint Center.

Seek professional help

Persistent problems with your smartphone after a factory reset, may indicate a sophisticated, low-level hack. If you are the victim of significant financial fraud or identity theft, or if the hack involves sensitive legal or corporate data, it is crucial to stop using your smartphone and get assistance. In these cases, continued use could tamper with evidence.

After reporting the hacking incident to your mobile carrier, and authorities, you may need a certified digital forensic analyst for deep analysis, especially in corporate or legal cases. Before you call, gather key information: the make and model of your phone, the date you first noticed issues, a list of suspicious apps or messages, and any known fraudulent activity on your accounts.

Dial codes to detect hidden hacks

Certain dial codes, also known as Unstructured Supplementary Service Data (USSD) or Man-Machine Interface (MMI) codes, can help you check for signs of suspicious activity or hidden configurations. These codes can reveal call forwarding, SIM tracking, or conditional redirects that may indicate a compromise:

• Dial *#21#: This code shows you the status of call forwarding. If calls, messages, or other data are being diverted without your knowledge, this is one of the key signs your phone is hacked. The results should all say “Not Forwarded.”
• Dial *#62#: Use this code to find out where calls are being forwarded when your phone is unreachable (e.g., turned off or out of service area). It should typically go to your carrier’s voicemail number, so check if the number shown is unfamiliar.
• Dial ##002#: This universal code disables all call forwarding. If you suspect your calls are being diverted, dialing this code will reset it. Note that availability and functionality of these codes can vary by carrier and country.

Tips to block hackers from your phone

You can take simple, effective steps to protect yourself and your device from hackers. Here are some practical tips, from the basic to the more layered steps, to help you block hackers from accessing your phone.

Basic best practices

To avoid the hassle of having a hacked phone in the first place, here are some fundamental measures you can do as part of your routine:

• Update your phone and its apps. Promptly updating your phone and apps is a primary way to keep your device safer. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks.

• Avoid third-party apps from unvetted stores. Apple’s App Store and Google Play have protections in place, unlike third-party sites which sometimes purposely host malicious apps. Avoiding these sites altogether can block hackers from your device.

• Don’t use a jailbroken or rooted phone. Jailbreaking or rooting a phone introduces all kinds of security issues. Your best bet as an everyday internet user is to rely on the built-in security features of iOS and Android.

Layered protection beyond the basics

Beyond the foundational advice, fortifying your smartphone requires a layered defense. We suggest the following actions you can apply:

• Install a reputable mobile security app: A trusted provider like McAfee can scan for malware and alert you to risky websites.
• Enable two-factor authentication: Use this feature on all critical accounts, such as your email, banking, and social media apps. This adds a crucial second layer of verification that protects you even if your password is stolen.
• Disable connective services: Minimize your attack surface by disabling wireless radios like Bluetooth, near field communication (NFC), and location tracking when not in use.

• Leverage hardware security: Rely on built-in hardware features like Apple’s Secure Enclave or Android’s Titan M chip, which protect your biometric data and encryption keys.
• Review app permissions regularly: Make it a monthly habit to check which apps have access to your camera, microphone, location, and contacts, revoking permissions from any that seem unnecessary.
• Adopt a zero-trust mindset: Never automatically trust links or attachments in emails and messages, even if they appear to be from someone you know. Use a VPN on public Wi-Fi to encrypt your connection and protect your data from eavesdroppers. In addition, ensure your device’s storage is always encrypted for a strong baseline of protection.
• Take full advantage of built-in safety features: Apple offers Lockdown Mode for high-risk users, while Google has Play Protect which continuously scans your apps for harmful behavior.

• Avoid using public USB charging stations: These can be used for juice jacking, where hackers steal data from or install malware on your device. It’s best to bring a portable battery pack, especially during travel or long days out.

One-tap checklist: Security settings you can enable today

Securing your device doesn’t have to be complicated or time-consuming. In fact, many powerful protections are just a tap away. This quick checklist offers quick and simple security settings you can enable with minimal effort.

1. Turn on automatic updates: Go to Settings > General > Software Update on iOS or Settings > System > System Update on Android to enable automatic updates and ensure you always have the latest security patches.
2. Enable biometric lock: Set up Face ID or Touch ID (iOS) or Fingerprint Unlock (Android) for a fast, secure way to protect your device from unauthorized physical access.
3. Activate “Find My” feature: Turn on Apple’s “Find My iPhone” or Android’s “Find My Device” to allow you to locate, lock, or remotely erase your phone if it’s lost or stolen.

FAQs about phone hacking

Does dialing *#21# show if I’m hacked? This code shows if your calls and messages are being forwarded, which can be a sign of a hack, but it doesn’t detect other types of malware or spyware.

Can iPhones get viruses? While less common due to Apple’s strong security structure, iPhones can still be compromised, especially through malicious apps from outside the App Store or sophisticated phishing attacks.

Will a factory reset remove spyware? In most cases, yes. A factory reset erases all data and apps on your device, including most forms of malware and spyware, returning it to its original state.

Can my phone be hacked while powered off? A phone that is truly powered off cannot be hacked remotely. When the device is off, its wireless radios (cellular, Wi-Fi, Bluetooth) are inactive, and the operating system is not running, cutting off any connection for an attacker to exploit. In Airplane Mode, only the radios are disabled, but leaves the OS running.

The myth of a phone being hacked while off often stems from two things: advanced, targeted attacks that fake a shutdown to compromise firmware, or physical attacks like a “cold boot” where a forensics expert with physical access can extract data from the RAM shortly after shutdown. To mitigate these extremely rare risks, always ensure your phone is fully encrypted, a default setting on modern iPhones and Androids, to make data unreadable even if accessed physically.

For everyday security, shutting off your phone is a good first step to sever any potential malicious connection.

Does my iPhone need antivirus? If your iPhone is not jailbroken, you don’t need antivirus. But your phone should still get extra protection to deal with other cyberthreats such as scammy text messages, phishing and AI-driven attempts. Comprehensive online protection software like McAfee keeps you and your phone safer. It can:

• Block sketchy links in texts, emails, messages, as well as suspicious links during searches, while surfing, and on social media.
• Protect your identity by keeping tabs on your credit and accounts.
• Protect your privacy by removing your personal info from shady data broker sites.
• Make you more private by locking down your privacy settings on social media.

Those are only some of the many McAfee capabilities that protect you and your phone.

Final thoughts

Recognizing the signs your phone is hacked is the critical first step, but swift and correct action is what truly protects you.

You can usually determine your smartphone has been hacked by observing any unusual behavior patterns, such as unexplained battery drain, data usage spikes, a blitz of ad pop-ups, unexplained charges on your banking accounts, and even mysterious calls, texts, or apps. Another way to confirm a breach is by running built-in diagnostics such as security scans and security keys. If any of the odd behaviors listed above sound familiar, don’t wait. Take immediate action and implement a layered defense.

In the first place, you can significantly reduce your risk of being hacked through regular software updates, careful app management, and smart browsing habits. Another important component is installing a complete privacy, identity and device solution like McAfee that provides comprehensive protection.

Don’t wait until you suspect a breach; adopt these protective strategies today to keep your digital life private and secure.

The post How to Tell If Your Phone Has Been Hacked and What to Do appeared first on McAfee Blog.

Tax season isn’t just busy for taxpayers—it’s prime time for scammers, too. As you gather your W-2s, 1099s, and other tax documents, cybercriminals are gearing up to exploit the flood of personal and financial data in circulation. From phishing emails posing as the IRS to fake tax preparers looking to steal your refund, these scams can lead to identity theft, fraudulent tax returns, and serious financial headaches. 

The good news? IRS scams follow predictable patterns, and with a little awareness, you can spot the warning signs before falling victim. Let’s break down the most common tax scams and how you can safeguard your personal information this filing season. 

Impersonation Schemes

A commonly used tactic involves hackers posing as collectors from the IRS, as tax preparers, or government bureaus. This tactic is pretty effective due to Americans’ concerns about misfiling their taxes or accidentally running into trouble with the IRS. Scammers take advantage of this fear, manipulating innocent users into providing sensitive information or money over the phone or by email. And in extreme cases, hackers may be able to infect computers with malware via malicious links or attachments sent through IRS email scams.

Robocalls

Another tactic used to take advantage of taxpayers is the canceled social security number scam. Hackers use robocalls claiming that law enforcement will suspend or cancel the victim’s Social Security number in response to taxes owed. Often, victims are scared into calling the fraudulent numbers back and persuaded into transferring assets to accounts that the scammer controls. Users need to remember that the IRS will only contact taxpayers through snail mail or in person, not over the phone.

Emails

Another scam criminals use involves emails impersonating the IRS. Victims receive a phishing email claiming to be from the IRS, reminding them to file their taxes or offering them information about their tax refund via malicious links. If a victim clicks on the link, they will be redirected to a spoofed site that collects the victim’s personal data, facilitating identity theft. What’s more, a victim’s computer can become infected with malware if they click on a link with malicious code, allowing fraudsters to steal more data.

Phony CPAs

Scammers also take advantage of the fact that many users seek out the help of a tax preparer or CPA during this time. These criminals will often pose as professionals, accepting money to complete a user’s taxes but won’t sign the return. This makes it look like the user completed the return themselves. However, these ghost tax preparers often lie on the return to make the user qualify for credits they haven’t earned or apply changes that will get them in trouble. Since the scammers don’t sign, the victim will then be responsible for any errors. This could lead to the user having to repay money owed, or potentially lead to an audit.

While these types of scams can occur at any time of the year, they are especially prevalent leading up to the April tax filing due date. Consumers need to be on their toes during tax season to protect their personal information and keep their finances secure. To avoid being spoofed by scammers and identity thieves, follow these tips:

File before cybercriminals do it for you. The easiest defense you can take against tax seasons schemes is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a cybercriminal.

Keep an eye on your credit and your identity. Keeping tabs on your credit report and knowing if your personal information has been compromised in some way can help prevent tax fraud. Together, they can let you know if someone has stolen your identity or if you have personal info on the dark web that could lead to identity theft.

• Our credit monitoring servicecan keep an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.
• Our identity monitoring servicechecks the dark web for your personal info, including email, government IDs, credit card and bank account info, and more—then provides alerts if your data is found on the dark web, an average of 10 months ahead of similar services.​

 

Beware of phishing attempts. It’s clear that phishing is the primary tactic crooks are leveraging this tax season, so it’s crucial you stay vigilant around your inbox. This means if any unfamiliar or remotely suspicious emails come through requesting tax data, double check their legitimacy with a manager or the security department before you respond. Remember: the IRS will not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial info. So someone contacts you that way, ignore the message.

Watch out for spoofed websites. Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search. If you receive any suspicious links in your email, investigating the domain is usually a good way to tell if the source is legitimate or not.

Use a VPN, especially in public. Also known as a virtual private network, a VPN helps protect your vital personal info and other data with bank-grade encryption. The VPN encrypts your internet connection to keep your online activity private on any network, even public networks. Using a public network without a VPN can increase your risk because others on the network can potentially spy on your browsing and activity. If you’re new to the notion of using a VPN, check out this article on VPNs and how to choose one so that you can get the best protection and privacy possible. (Our McAfee+ plans offer a VPN as part of your subscription.)

Protect yourself from scam messages. Scammers also send links to scam sites via texts, social media messages, and email. Text Scam Detector can help you spot if the message you got is a fake. It uses AI technology that automatically detects links to scam URLs. If you accidentally click, don’t worry, it can block risky sites if you do.

Clean up your personal info online. Crooks and scammers have to find you before they can contact you. After all, they need to get your phone number or email from somewhere. Sometimes, that’s from “people finder” and online data brokers that gather and sell personal info to any buyer. Including crooks. McAfee Personal Data Cleanup can remove your personal info from the data broker sites scammers use to contact their victims.

Consider an identity theft protection solution. If for some reason your personal data does become compromised, be sure to use an identity theft solution such as McAfee Identity Theft Protection, which allows users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

The post Watch Out For IRS Scams and Avoid Identity Theft appeared first on McAfee Blog.

This blog was also published by APNIC.

With so much traffic on the global internet day after day, it’s not always easy to spot the occasional irregularity. After all, there are numerous layers of complexity that go into the serving of webpages, with multiple companies, agencies and organizations each playing a role.

That’s why when something does catch our attention, it’s important that the various entities work together to explore the cause and, more importantly, try to identify whether it’s a malicious actor at work, a glitch in the process or maybe even something entirely intentional.

That’s what occurred last year when Internet Corporation for Assigned Names and Numbers staff and contractors were analyzing names in Domain Name System queries seen at the ICANN Managed Root Server, and the analysis program ran out of memory for one of their data files. After some investigating, they found the cause to be a very large number of mysterious queries for unique names such as f863zvv1xy2qf.surgery, bp639i-3nirf.hiphop, qo35jjk419gfm.net and yyif0aijr21gn.com.

While these were queries for names in existing top-level domains, the first label consisted of 12 or 13 random-looking characters. After ICANN shared their discovery with the other root server operators, Verisign took a closer look to help understand the situation.

Exploring the Mystery

One of the first things we noticed was that all of these mysterious queries were of type NS and came from one autonomous system network, AS 15169, assigned to Google LLC. Additionally, we confirmed that it was occurring consistently for numerous TLDs. (See Fig. 1)

Although this phenomenon was newly uncovered, analysis of historical data showed these traffic patterns actually began in late 2019. (See Fig. 2)

Perhaps the most interesting discovery, however, was that these specific query names were not also seen at the .com and .net name servers operated by Verisign. The data in Figure 3 shows the fraction of queried names that appear at A-root and J-root and also appear on the .com and .net name servers. For second-level labels of 12 and 13 characters, this fraction is essentially zero. The graphs also show that there appears to be queries for names with second-level label lengths of 10 and 11 characters, which are also absent from the TLD data.

The final mysterious aspect to this traffic is that it deviated from our normal expectation of caching. Remember that these are queries to a root name server, which returns a referral to the delegated name servers for a TLD. For example, when a root name server receives a query for yyif0aijr21gn.com, the response is a list of the name servers that are authoritative for the .com zone. The records in this response have a time to live of two days, meaning that the recursive name server can cache and reuse this data for that amount of time.

However, in this traffic we see queries for .com domain names from AS 15169 at the rate of about 30 million per day. (See Fig. 4) It is well known that Google Public DNS has thousands of backend servers and limits TTLs to a maximum of six hours. Assuming 4,000 backend servers each cached a .com referral for six hours, we might expect about 16,000 queries over a 24-hour period. The observed count is about 2,000 times higher by this back-of-the-envelope calculation.

From our initial analysis, it was unclear if these queries represented legitimate end-user activity, though we were confident that source IP address spoofing was not involved. However, since the query names shared some similarities to those used by botnets, we could not rule out malicious activity.

The Missing Piece

These findings were presented last year at the DNS-OARC 35a virtual meeting. In the conference chat room after the talk, the missing piece of this puzzle was mentioned by a conference participant. There is a Google webpage describing its public DNS service that talks about prepending nonce (i.e., random) labels for cache misses to increase entropy. In what came to be known as “the Kaminsky Attack,” an attacker can cause a recursive name server to emit queries for names chosen by the attacker. Prepending a nonce label adds unpredictability to the queries, making it very difficult to spoof a response. Note, however, that nonce prepending only works for queries where the reply is a referral.

In addition, Google DNS has implemented a form of query name minimization (see RFC 7816 and RFC 9156). As such, if a user requests the IP address of www.example.com and Google DNS decides this warrants a query to a root name server, it takes the name, strips all labels except for the TLD and then prepends a nonce string, resulting in something like u5vmt7xanb6rf.com. A root server’s response to that query is identical to one using the original query name.

The Mystery Explained

Now, we are able to explain nearly all of the mysterious aspects of this query traffic from Google. We see random second-level labels because of the nonce strings that are designed to prevent spoofing. The 12- and 13-character-long labels are most likely the result of converting a 64-bit random value into an unpadded ASCII label with encoding similar to Base32. We don’t observe the same queries at TLD name servers because of both the nonce prepending and query name minimization. The query type is always NS because of query name minimization.

With that said, there’s still one aspect that eludes explanation: the high query rate (2000x for .com) and apparent lack of caching. And so, this aspect of the mystery continues.

Wrapping Up

Even though we haven’t fully closed the books on this case, one thing is certain: without the community’s teamwork to put the pieces of the puzzle together, explanations for this strange traffic may have remained unknown today. The case of the mysterious DNS root query traffic is a perfect example of the collaboration that’s required to navigate today’s ever-changing cyber environment. We’re grateful and humbled to be part of such a dedicated community that is intent on ensuring the security, stability and resiliency of the internet, and we look forward to more productive teamwork in the future.

The post More Mysterious DNS Root Query Traffic from a Large Cloud/DNS Operator appeared first on Verisign Blog.

This article is based on a paper originally published as part of the Global Commission on the Stability of Cyberspace’s Cyberstability Paper Series, “New Conditions and Constellations in Cyber,” on Dec. 9, 2021.

The Domain Name System has provided the fundamental service of mapping internet names to addresses from almost the earliest days of the internet’s history. Billions of internet-connected devices use DNS continuously to look up Internet Protocol addresses of the named resources they want to connect to — for instance, a website such as blog.verisign.com. Once a device has the resource’s address, it can then communicate with the resource using the internet’s routing system.

Just as ensuring that DNS is secure, stable and resilient is a priority for Verisign, so is making sure that the routing system has these characteristics. Indeed, DNS itself depends on the internet’s routing system for its communications, so routing security is vital to DNS security too.

To better understand how these challenges can be met, it’s helpful to step back and remember what the internet is: a loosely interconnected network of networks that interact with each other at a multitude of locations, often across regions or countries.

Packets of data are transmitted within and between those networks, which utilize a collection of technical standards and rules called the IP suite. Every device that connects to the internet is uniquely identified by its IP address, which can take the form of either a 32-bit IPv4 address or a 128-bit IPv6 address. Similarly, every network that connects to the internet has an Autonomous System Number, which is used by routing protocols to identify the network within the global routing system.

The primary job of the routing system is to let networks know the available paths through the internet to specific destinations. Today, the system largely relies on a decentralized and implicit trust model — a hallmark of the internet’s design. No centralized authority dictates how or where networks interconnect globally, or which networks are authorized to assert reachability for an internet destination. Instead, networks share knowledge with each other about the available paths from devices to destination: They route “by rumor.”

The Border Gateway Protocol

Under the Border Gateway Protocol, the internet’s de-facto inter-domain routing protocol, local routing policies decide where and how internet traffic flows, but each network independently applies its own policies on what actions it takes, if any, with data that connects through its network.

BGP has scaled well over the past three decades because 1) it operates in a distributed manner, 2) it has no central point of control (nor failure), and 3) each network acts autonomously. While networks may base their routing policies on an array of pricing, performance and security characteristics, ultimately BGP can use any available path to reach a destination. Often, the choice of route may depend upon personal decisions by network administrators, as well as informal assessments of technical and even individual reliability.

Route Hijacks and Route Leaks

Two prominent types of operational and security incidents occur in the routing system today: route hijacks and route leaks. Route hijacks reroute internet traffic to an unintended destination, while route leaks propagate routing information to an unintended audience. Both types of incidents can be accidental as well as malicious.

Preventing route hijacks and route leaks requires considerable coordination in the internet community, a concept that fundamentally goes against the BGP’s design tenets of distributed action and autonomous operations. A key characteristic of BGP is that any network can potentially announce reachability for any IP addresses to the entire world. That means that any network can potentially have a detrimental effect on the global reachability of any internet destination.

Resource Public Key Infrastructure

Fortunately, there is a solution already receiving considerable deployment momentum, the Resource Public Key Infrastructure. RPKI provides an internet number resource certification infrastructure, analogous to the traditional PKI for websites. RPKI enables number resource allocation authorities and networks to specify Route Origin Authorizations that are cryptographically verifiable. ROAs can then be used by relying parties to confirm the routing information shared with them is from the authorized origin.

RPKI is standards-based and appears to be gaining traction in improving BGP security. But it also brings new challenges.

Specifically, RPKI creates new external and third-party dependencies that, as adoption continues, ultimately replace the traditionally autonomous operation of the routing system with a more centralized model. If too tightly coupled to the routing system, these dependencies may impact the robustness and resilience of the internet itself. Also, because RPKI relies on DNS and DNS depends on the routing system, network operators need to be careful not to introduce tightly coupled circular dependencies.

Regional Internet Registries, the organizations responsible for top-level number resource allocation, can potentially have direct operational implications on the routing system. Unlike DNS, the global RPKI as deployed does not have a single root of trust. Instead, it has multiple trust anchors, one operated by each of the RIRs. RPKI therefore brings significant new security, stability and resiliency requirements to RIRs, updating their traditional role of simply allocating ASNs and IP addresses with new operational requirements for ensuring the availability, confidentiality, integrity, and stability of this number resource certification infrastructure.

As part of improving BGP security and encouraging adoption of RPKI, the routing community started the Mutually Agreed Norms for Routing Security initiative in 2014. Supported by the Internet Society, MANRS aims to reduce the most common routing system vulnerabilities by creating a culture of collective responsibility towards the security, stability and resiliency of the global routing system. MANRS is continuing to gain traction, guiding internet operators on what they can do to make the routing system more reliable.

Conclusion

Routing by rumor has served the internet well, and a decade ago it may have been ideal because it avoided systemic dependencies. However, the increasingly critical role of the internet and the evolving cyberthreat landscape require a better approach for protecting routing information and preventing route leaks and route hijacks. As network operators deploy RPKI with security, stability and resiliency, the billions of internet-connected devices that use DNS to look up IP addresses can then communicate with those resources through networks that not only share routing information with one another as they’ve traditionally done, but also do something more. They’ll make sure that the routing information they share and use is secure — and route without rumor.

The post Routing Without Rumor: Securing the Internet’s Routing System appeared first on Verisign Blog.

For over a decade, the Internet Corporation for Assigned Names and Numbers (ICANN) and its multi-stakeholder community have engaged in an extended dialogue on the topic of DNS abuse, and the need to define, measure and mitigate DNS-related security threats. With increasing global reliance on the internet and DNS for communication, connectivity and commerce, the members of this community have important parts to play in identifying, reporting and mitigating illegal or harmful behavior, within their respective roles and capabilities.

As we consider the path forward on necessary and appropriate steps to improve mitigation of DNS abuse, it’s helpful to reflect briefly on the origins of this issue within ICANN, and to recognize the various and relevant community inputs to our ongoing work.

As a starting point, it’s important to understand ICANN’s central role in preserving the security, stability, resiliency and global interoperability of the internet’s unique identifier system, and also the limitations established within ICANN’s bylaws. ICANN’s primary mission is to ensure the stable and secure operation of the internet’s unique identifier systems, but as expressly stated in its bylaws, ICANN “shall not regulate (i.e., impose rules and restrictions on) services that use the internet’s unique identifiers or the content that such services carry or provide, outside the express scope of Section 1.1(a).” As such, ICANN’s role is important, but limited, when considering the full range of possible definitions of “DNS Abuse,” and developing a comprehensive understanding of security threat categories and the roles and responsibilities of various players in the internet infrastructure ecosystem is required.

In support of this important work, ICANN’s generic top-level domain (gTLD) contracted parties (registries and registrars) continue to engage with ICANN, and with other stakeholders and community interest groups, to address key factors related to effective and appropriate DNS security threat mitigation, including:

• Determining the roles and responsibilities of the various service providers across the internet ecosystem;
• Delineating categories of threats: content, infrastructure, illegal vs. harmful, etc.;
• Understanding the precise operational and technical capabilities of various types of providers across the internet ecosystem;
• Relationships, if any, that respective service providers have with individuals or entities responsible for creating and/or removing the illegal or abusive activity;
• Role of third-party “trusted notifiers,” including government actors, that may play a role in identifying and reporting illegal and abusive behavior to the appropriate service provider;
• Processes to ensure infrastructure providers can trust third-party notifiers to reliably identify and provide evidence of illegal or harmful content;
• Promoting administrative and operational scalability in trusted notifier engagements;
• Determining the necessary safeguards around liability, due process, and transparency to ensure domain name registrants have recourse when the DNS is used as a tool to police DNS security threats, particularly when related to content.
• Supporting ICANN’s important and appropriate role in coordination and facilitation, particularly as a centralized source of data, tools, and resources to help and hold accountable those parties responsible for managing and maintaining the internet’s unique identifiers.

Definitions of Online Abuse

To better understand the various roles, responsibilities and processes, it’s important to first define illegal and abusive online activity. While perspectives may vary across our wide range of interest groups, the emerging consensus on definitions and terminology is that these activities can be categorized as DNS Security Threats, Infrastructure Abuse, Illegal Content, or Abusive Content, with ICANN’s remit generally limited to the first two categories.

• DNS Security Threats: defined as being “composed of five broad categories of harmful activity [where] they intersect with the DNS: malware, botnets, phishing, pharming, and spam when [spam] serves as a delivery mechanism for those other forms of DNS Abuse.”
• Infrastructure Abuse: a broader set of security threats that can impact the DNS itself – including denial-of-service / distributed denial-of-service (DoS / DDoS) attacks, DNS cache poisoning, protocol-level attacks, and exploitation of implementation vulnerabilities.
• Illegal Content: content that is unlawful and hosted on websites that are accessed via domain names in the global DNS. Examples might include the illegal sale of controlled substances or the distribution of child sexual abuse material (CSAM), and proven intellectual property infringement.
• Abusive Content: is content hosted on websites using the domain name infrastructure that is deemed “harmful,” either under applicable law or norms, which could include scams, fraud, misinformation, or intellectual property infringement, where illegality has yet to be established by a court of competent jurisdiction.

Behavior within each of these categories constitutes abuse, and it is incumbent on members of the community to actively work to combat and mitigate these behaviors where they have the capability, expertise and responsibility to do so. We recognize the benefit of coordination with other entities, including ICANN within its bylaw-mandated remit, across their respective areas of responsibility.

ICANN Organization’s Efforts on DNS Abuse

The ICANN Organization has been actively involved in advancing work on DNS abuse, including the 2017 initiation of the Domain Abuse Activity Reporting (DAAR) system by the Office of the Chief Technology Officer. DAAR is a system for studying and reporting on domain name registration and security threats across top-level domain (TLD) registries, with an overarching purpose to develop a robust, reliable, and reproducible methodology for analyzing security threat activity, which the ICANN community may use to make informed policy decisions. The first DAAR reports were issued in January 2018 and they are updated monthly. Also in 2017, ICANN published its “Framework for Registry Operators to Address Security Threats,” which provides helpful guidance to registries seeking to improve their own DNS security posture.

The ICANN Organization also plays an important role in enforcing gTLD contract compliance and implementing policies developed by the community via its bottom-up, multi-stakeholder processes. For example, over the last several years, it has conducted registry and registrar audits of the anti-abuse provisions in the relevant agreements.

The ICANN Organization has also been a catalyst for increased community attention and action on DNS abuse, including initiating the DNS Security Facilitation Initiative Technical Study Group, which was formed to investigate mechanisms to strengthen collaboration and communication on security and stability issues related to the DNS. Over the last two years, there have also been multiple ICANN cross-community meeting sessions dedicated to the topic, including the most recent session hosted by the ICANN Board during its Annual General Meeting in October 2021. Also, in 2021, ICANN formalized its work on DNS abuse into a dedicated program within the ICANN Organization. These enforcement and compliance responsibilities are very important to ensure that all of ICANN’s contracted parties are living up to their obligations, and that any so-called “bad actors” are identified and remediated or de-accredited and removed from serving the gTLD registry or registrar markets.

The ICANN Organization continues to develop new initiatives to help mitigate DNS security threats, including: (1) expanding DAAR to integrate some country code TLDs, and to eventually include registrar-level reporting; (2) work on COVID domain names; (3) contributions to the development of a Domain Generating Algorithms Framework and facilitating waivers to allow registries and registrars to act on imminent security threats, including botnets at scale; and (4) plans for the ICANN Board to establish a DNS abuse caucus.

ICANN Community Inputs on DNS Abuse

As early as 2009, the ICANN community began to identify the need for additional safeguards to help address DNS abuse and security threats, and those community inputs increased over time and have reached a crescendo over the last two years. In the early stages of this community dialogue, the ICANN Governmental Advisory Committee, via its Public Safety Working Group, identified the need for additional mechanisms to address “criminal activity in the registration of domain names.” In the context of renegotiation of the Registrar Accreditation Agreement between ICANN and accredited registrars, and the development of the New gTLD Base Registry Agreement, the GAC played an important and influential role in highlighting this need, providing formal advice to the ICANN Board, which resulted in new requirements for gTLD registry and registrar operators, and new contractual compliance requirements for ICANN.

Following the launch of the 2012 round of new gTLDs, and the finalization of the 2013 amendments to the RAA, several ICANN bylaw-mandated review teams engaged further on the issue of DNS Abuse. These included the Competition, Consumer Trust and Consumer Choice Review Team (CCT-RT), and the second Security, Stability and Resiliency Review Team (SSR2-RT). Both final reports identified and reinforced the need for additional tools to help measure and combat DNS abuse. Also, during this timeframe, the GAC, along with the At-Large Advisory Committee and the Security and Stability Advisory Committee, issued their own respective communiques and formal advice to the ICANN Board reiterating or reinforcing past statements, and providing support for recommendations in the various Review Team reports. Most recently, the SSAC issued SAC 115 titled “SSAC Report on an Interoperable Approach to Addressing Abuse Handling in the DNS.” These ICANN community group inputs have been instrumental in bringing additional focus and/or clarity to the topic of DNS abuse, and have encouraged ICANN and its gTLD registries and registrars to look for improved mechanisms to address the types of abuse within our respective remits.

During 2020 and 2021, ICANN’s gTLD contracted parties have been constructively engaged with other parts of the ICANN community, and with ICANN Org, to advance improved understanding on the topic of DNS security threats, and to identify new and improved mechanisms to enhance the security, stability and resiliency of the domain name registration and resolution systems. Collectively, the registries and registrars have engaged with nearly all groups represented in the ICANN community, and we have produced important documents related to DNS abuse definitions, registry actions, registrar abuse reporting, domain generating algorithms, and trusted notifiers. These all represent significant steps forward in framing the context of the roles, responsibilities and capabilities of ICANN’s gTLD contracted parties, and, consistent with our Letter of Intent commitments, Verisign has been an important contributor, along with our partners, in these Contracted Party House initiatives.

In addition, the gTLD contracted parties and ICANN Organization continue to engage constructively on a number of fronts, including upcoming work on standardized registry reporting, which will help result in better data on abuse mitigation practices that will help to inform community work, future reviews, and provide better visibility into the DNS security landscape.

Other Groups and Actors Focused on DNS Security

It is important to note that groups outside of ICANN’s immediate multi-stakeholder community have contributed significantly to the topic of DNS abuse mitigation:

Internet & Jurisdiction Policy Network
The Internet & Jurisdiction Policy Network is a multi-stakeholder organization addressing the tension between the cross-border internet and national jurisdictions. Its secretariat facilitates a global policy process engaging over 400 key entities from governments, the world’s largest internet companies, technical operators, civil society groups, academia and international organizations from over 70 countries. The I&JP has been instrumental in developing multi-stakeholder inputs on issues such as trusted notifier, and Verisign has been a long-time contributor to that work since the I&JP’s founding in 2012.

DNS Abuse Institute
The DNS Abuse Institute was formed in 2021 to develop “outcomes-based initiatives that will create recommended practices, foster collaboration and develop industry-shared solutions to combat the five areas of DNS Abuse: malware, botnets, phishing, pharming, and related spam.” The Institute was created by Public Interest Registry, the registry operator for the .org TLD.

Global Cyber Alliance
The Global Cyber Alliance is a nonprofit organization dedicated to making the internet a safer place by reducing cyber risk. The GCA builds programs, tools and partnerships to sustain a trustworthy internet to enable social and economic progress for all.

ECO “topDNS” DNS Abuse Initiative
Eco is the largest association of the internet industry in Europe. Eco is a long-standing advocate of an “Internet with Responsibility” and of self-regulatory approaches, such as the DNS Abuse Framework. The eco “topDNS” initiative will help bring together stakeholders with an interest in combating and mitigating DNS security threats, and Verisign is a supporter of this new effort.

Other Community Groups
Verisign contributes to the anti-abuse, technical and policy communities: We continuously engage with ICANN and an array of other industry partners to help ensure the continued safe and secure operation of the DNS. For example, Verisign is actively engaged in anti-abuse, technical and policy communities such as the Anti-Phishing and Messaging, Malware and Mobile Anti-Abuse Working Groups, FIRST and the Internet Engineering Task Force.

What Verisign is Doing Today

As a leader in the domain name industry and DNS ecosystem, Verisign supports and has contributed to the cross-community efforts enumerated above. In addition, Verisign also engages directly by:

• Monitoring for abuse: Protecting against abuse starts with knowing what is happening in our systems and services, in a timely manner, and being capable of detecting anomalous or abusive behavior, and then reacting to address it appropriately. Verisign works closely with a range of actors, including trusted notifiers, to help ensure our abuse mitigation actions are informed by sources with necessary subject matter expertise and procedural rigor.
• Blocking and redirecting abusive domain names: Blocking certain domain names that have been identified by Verisign and/or trusted third parties as security threats, including botnets that leverage well-understood and characterized domain generation algorithms, helps us to protect our infrastructure and neutralize or otherwise minimize potential security and stability threats more broadly by remediating abuse enabled via domain names in our TLDs. For example, earlier this year, Verisign observed a botnet family that was responsible for such a disproportionate amount of total global DNS queries, we were compelled to act to remediate the botnet. This was referenced in Verisign’s Q1 2021 Domain Name Industry Brief Volume 18, Issue 2.
• Avoiding disposable domain name registrations: While heavily discounted domain name pricing strategies may promote short-term sales, they may also attract a spectrum of registrants who might be engaged in abuse. Some security threats, including phishing and botnets, exploit the ability to register large numbers of ‘disposable’ domain names rapidly and cheaply. Accordingly, Verisign avoids marketing programs that would permit our TLDs to be characterized in this class of ‘disposable’ domains, that have been shown to attract miscreants and enable abusive behavior.
• Maintaining a cooperative and responsive partnership with law enforcement and government agencies, and engagement with courts of relevant jurisdiction: To ensure the security, stability and resiliency of the DNS and the internet at large, we have developed and maintained constructive relationships with United States and international law enforcement and government agencies to assist in addressing imminent and ongoing substantial security threats to operational applications and critical internet infrastructure, as well as illegal activity associated with domain names.
• Ensuring adherence of contractual obligations: Our contractual frameworks, including our registry policies and .com Registry-Registrar Agreements, help provide an effective legal framework that discourages abusive domain name registrations. We believe that fair and consistent enforcement of our policies helps to promote good hygiene within the registrar channel.
• Entering into a binding Letter of Intent with ICANN that commits both parties to cooperate in taking a leadership role in combating security threats. This includes working with the ICANN community to determine the appropriate process for, and development and implementation of, best practices related to combating security threats; to educate the wider ICANN community about security threats; and support activities that preserve and enhance the security, stability and resiliency of the DNS. Verisign also made a substantial financial commitment in direct support of these important efforts.

Trusted Notifiers

An important concept and approach for mitigating illegal and abusive activity online is the ability to engage with and rely upon third-party “trusted notifiers” to identify and report such incidents at the appropriate level in the DNS ecosystem. Verisign has supported and been engaged in the good work of the Internet & Jurisdiction Policy Network since its inception, and we’re encouraged by its recent progress on trusted notifier framing. As mentioned earlier, there are some key questions to be addressed as we consider the viability of engaging trusted notifiers or building trusting notifier entities, to help mitigate illegal and abusive online activity.

Verisign’s recent experience with the U.S. government (NTIA and FDA) in combating illegal online opioid sales has been very helpful in illuminating a possible approach for third-party trusted notifier engagement. As noted, we have also benefited from direct engagement with the Internet Watch Foundation and law enforcement in combating CSAM. These recent examples of third-party engagement have underscored the value of a well-formed and executed notification regime, supported by clear expectations, due diligence and due process.

Discussions around trusted notifiers and an appropriate framework for engagement are under way, and Verisign recently engaged with other registries and registrars to lead the development of such a framework for further discussion within the ICANN community. We have significant expertise and experience as an infrastructure provider within our areas of technical, legal and contractual responsibility, and we are aggressive in protecting our operations from bad actors. But in matters related to illegal or abusive content, we need and value contributions from third parties to appropriately identify such behavior when supported by necessary evidence and due diligence. Precisely how such third-party notifications can be formalized and supported at scale is an open question, but one that requires further exploration and work. Verisign is committed to continuing to contribute to these ongoing discussions as we work to mitigate illegal and abusive threats to the security, stability and resiliency of the internet.

Conclusion

Over the last several years, DNS abuse and DNS-related security threat mitigation has been a very important topic of discussion in and around the ICANN community. In cooperation with ICANN, contracted parties, and other groups within the ICANN community, the DNS ecosystem including Verisign has been constructively engaged in developing a common understanding and practical work to advance these efforts, with a goal of meaningfully reducing the level and impact of malicious activity in the DNS. In addition to its contractual compliance functions, ICANN’s contributions have been important in helping to advance this important work and it continues to have a critical coordination and facilitation function that brings the ICANN community together on this important topic. The ICANN community’s recent focus on DNS abuse has been helpful, significant progress has been made, and more work is needed to ensure continued progress in mitigating DNS security threats. As we look ahead to 2022, we are committed to collaborating constructively with ICANN and the ICANN community to deliver on these important goals.

The post Ongoing Community Work to Mitigate Domain Name System Security Threats appeared first on Verisign Blog.