About 150 dodgy sites found to be exploiting .sg domains

About 150 sites found using fake, stolen IDs since 2011; domain registry boosts security

About 150 .sg domain names are known to have been registered under a fake or stolen identity since 2011, said the Singapore Network Information Centre (SGNIC), which oversees the registration of .sg domain names.

Many originate overseas and tend to be doing something illegal while using the Singapore domain name to lend them legitimacy, or avoid being traced, said an SGNIC spokesman.

It has become rampant enough that the authorities have, since last month, required additional verification of all new domain-name owners in the Singapore registry.

Registries traditionally trust that the applicant has provided accurate and complete registration details such as his identity and contact information.

But under a six-month pilot scheme, interested registrants of Singapore domain names must be verified by a Singapore Personal Access (SingPass) holder - someone who has a common password to transact with various online government services.

The idea is that "individuals in Singapore can conveniently be identified online using SingPass" and "thus act as the administrative contact for a '.sg' domain name, and assist in verifying the identity and contact information of the registrant via a convenient online process", according to SGNIC.

SGNIC said it had not observed any trends and refused to divulge details of the websites, citing confidentiality reasons, but some cybersecurity experts say .sg domains - which currently number around 149,000, up from 87,650 in 2007 - are increasingly common targets for scams, with growing Internet penetration and Singapore's emerging global presence.

"There has been an uptick in phishing and spear phishing attacks within Singapore, due to the ever-growing importance of the country in regional informational and communications technology security and law enforcement coordination issues," said Mr Eddie Schwartz, vice-president and chief information security officer at RSA, the security division of data storage firm EMC.

"Also, as a powerful economy, Singapore is a target of many criminal groups."

Phishing is a type of online identity theft, typically through e-mail and fraudulent websites that are designed to steal personal data or information such as credit card numbers and passwords. Spear phishing is targeted phishing wherein the victim is addressed directly, by name or with reference to a recent purchase, for instance.

Fake domains are registered for various reasons, such as to serve malware, spoof legitimate websites, serve fraudulent ads, and act as relays for proxies, added Mr Schwartz.

The most common type of scam seen under the .sg domain is "typo-squatting", wherein advertisement revenue could be earned from users who accidentally key in a mis-typed URL, said Mr Wally Lee, president of the Association of Information Security Professionals.

A typical instance of typo-squatting would be registering a ".ocm.sg" domain and leading users who have misspelt ".com.sg" as ".ocm.sg" to a site that displays lots of ads.

Fake domains are known to be a problem worldwide, not just on .sg domains, but Mr Terrence Tang, Trend Micro's director for consumer business, believes .sg domains are targeted because of their good reputation and the trust that Web users may associate with Singapore as a politically and economically stable country.

Mr Tang said 150 cases of fake domains were more than he had expected given SGNIC's tight regulation of .sg domains.

A ".com.sg" registrant, for instance, would need to provide proof that it is a commercial entity registered with the Accounting and Corporate Regulatory Authority of Singapore, International Enterprise Singapore or any professional body, while a ".edu.sg" registrant must register with the Ministry of Education or be recognised by other relevant government agencies.

Any name which has been registered by misrepresentation or fraud is liable to be suspended or deleted by SGNIC.

Information security engineer Teo Tse Chin is, however, of the opinion that compromised .sg domain names would not have a big impact on business as the .sg market is relatively small, compared to other more common domains such as .com ones.

But Mr Tang welcomed SGNIC's additional verification requirements, noting that .sg domain's security and reputation are "a reflection of the governance in Singapore and impacts the trust entrepreneurs and investors may have in us".


Join ST's WhatsApp Channel and get the latest news and must-reads.