Domain Names and Cyber Security

There may not be an immediately obvious connection between the domain names of a business and cyber security precautions. However, the Australian Cyber Security Centre (ACSC) has released an Alert warning businesses that the new .AU domain name category, which became available on 24 March 2022, presents a potential opportunity for cyber criminals. The ACSC Alert is available on their website^[1].

The ACSC Alert status is Low, but it does highlight the potential for cyber criminals (or others) to impersonate your business. Emails from a domain name with the exact same name as your domain name, but ending in .AU instead of, for example, .COM.AU, may appear to come from your business. In the words of Pooh-Bah in The Mikado, the similarity of the names may be “merely corroborative detail, intended to give artistic verisimilitude to an otherwise bald and unconvincing narrative”.

What to do?

The ACSC recommends that Australian businesses with existing domain names register the names as .AU domain names before 20 September 2022. After that date, the equivalent .AU domain name will then become publicly available for anyone to register.

Registration of a new.AU domain name can be made through an accredited auDA registrar.

How far should you go?

If, as the ACSC points out, the new .AU category could be used by cyber criminals (or others) to register a domain name that is identical with an existing domain name of your business, this could also be done by utilising existing categories or “namespaces”, such as .NET.AU. The .NET.AU category has the same description as .COM.AU, that is:

For commercial entities, such as companies (with an ABN or ACN as registered through ASIC), and businesses (registered with State Governments).

These are Australian categories, or namespaces. The same top-level domains can be registered with other country identifiers such as .UK or .NZ or just .COM.

Whether a business takes action to register its domain name(s) in other categories is a matter for the business to assess, having regard to the likelihood of bad actors registering the name in another category for nefarious purposes. If the domain name is a well known valuable trade mark or business name, the potential threat may be credible and may justify registration.

The other categories in which registration is made is also a value judgment. Possibly the principal categories where registration could be made are .AU, .NET and .COM.

Just something else to think about.

https://www.cyber.gov.au/about-us/alerts/new-domain-name-changes-could-leave-your-business-or-organisation-risk

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.