The GDPR Facilitates Large-Scale Phishing
Phishing is the fraudulent attempt to obtain sensitive information, often for malicious reasons, by posing as a trustworthy entity in an electronic communication. This practice uses domains identical or very similar to those of well-known brands: banks, insurance companies and airlines are very often victims of these attacks.
A number of elements help to create large-scale phishing operations at low cost.
1/ Free Domain Names
Some domain name registrars specialize in free domains and allow bulk registration of domains for a very short time (often one month) at no cost.
This way, phishers can hold domains for a month, launch large phishing operations, and let the domains lapse quickly in the hope of not being identified by monitoring services.
2/ Phishing Packs
Phishers then get their hands on “phishing packs”: they very easily set up a single mail server for dozens of domain names and buy large mailing lists that let them target as many potential victims as possible.
These packs are easy to find on the darknet, a part of the Internet that is not indexed by search engines and has abundant illicit content.
3/ Major Novelty: GDPR
There is no need to recall that the newest European regulation on the protection of personal data came into force on 25th May. One of the first impacts of the regulation was to hide any and all whois data, regardless of whether the owner is European or a company, with no distinction made at ICANN.