The Australian Cyber Security Centre (ACSC) has raised an alert on the change to website domain names, which can now simply end in ‘.au’ rather than the traditional ‘.com.au’ etc, as the new option has created another avenue for cyber criminals to conduct fraudulent cyber activities.
From 24 March 2022, a new category of domain name will be available to anyone with a local connection to Australia (including businesses, associations and individuals), allowing users to register shorter, more memorable online names. However, opportunistic cyber criminals could register your .au domain name in an attempt to impersonate Aussie businesses and organisations.
According to Tony Jarvis, director of enterprise security for Darktrace for businesses, the availability of the new, shorter domain names category is handy for businesses, but it creates a new avenue for cyber criminals to take advantage of unused business domain name variants, resulting in fraudulent and malicious activities.
“The move to shorter domain names may be more convenient for businesses and users, but it also offers threat actors an opportunity which can potentially be damaging for a business.
“By establishing an option for shorter ‘.au’ domain names, a whole new category of names now exists for anybody to register.
“It might seem obvious to members of the public that a company with a longer domain name would indeed be the same company that they now observe ending in these shorter extensions, but there is no guarantee this will always be the case,” Jarvis said.
All Australian businesses will have until 20 September to reserve their .au equivalent domain name, then it becomes available to the general public.
For example, if a business or organisation has a currently registered yourbusiness.com.au, a cyber criminal could register yourbusiness.au or yourbusinesscom.au and use these domains to conduct fraudulent cyber activities.
Jarvis further explained that the concern now is that anybody can register one of these shorter domain names to masquerade as a business that owns the longer version of that same domain, which means valuable data is just a keystroke away from an attacker, leaving businesses open to being targeted by threat actors conducting fraud and engaging in malicious activity.
“Businesses may want to consider purchasing the shorter versions of these domains quickly before somebody else does, minimising the chance of a third party posing as the established organisation.
“Alternatively, if this is not possible, businesses need to have ongoing communication with their customers and stakeholders about which domain name is theirs, in order to reduce the likelihood of successful scams.
“Organisations will need to bolster their basic cyber security training to include this new significant risk to businesses, and ensure they have the right digital security systems in place to continue to shield themselves against malicious attacks.”
How to protect yourself
The ACSC recommends that all Australian businesses with existing domain names register their .au equivalents before 20 September 2022 to protect the business or organisation from opportunistic cyber criminals.
If a business does not reserve their .au equivalent direct domain name during this six-month period, that name will become available to the public on a first come, first served basis.
The ACSC advises businesses and organisations to register their .au domain name by visiting an auDA accredited registrar.
Jarvis added that cyber criminals are constantly innovating.
"While businesses will not be able to prevent all threats, there are steps to take to ensure they are contained quickly, minimising the disruption and potential damage caused."
"We are in a new era of attacks that are silent and stealthy, which aim to get to the heart of an organisation and persist in their digital environments for weeks and even months," Jarvis concluded.