CSC Report Highlights Cybersecurity Threats .AI Domains Pose
2023-10-18 02:35:21 Author: securityboulevard.com

An analysis published today by CSC found 43% of Forbes Global 2000 companies do not have control over their branded artificial intelligence (.AI) domain names, which have instead been registered by third parties.

In addition, the report found 49% of the .AI brand domains for these companies remain unregistered, leaving them potentially exposed to brand infringement and fraud.

CSC CTO Ihab Shraim said as AI becomes increasingly mainstream, more end users and customers are being exposed to services that employ a .AI domain. The issue is that it’s not easy to distinguish between legitimate .AI domains and fake ones that cybercriminals have set up to steal credentials and personally identifiable information (PII).

There has been a 350% year-over-year increase in domain dispute cases involving .AI extensions in 2023, most of which involve individuals attempting to extort a payment from a company to regain control of a domain. However, a subset of these .AI domains has actually been registered by cybercriminals who are using them to perpetrate fraud, noted Shraim.

The existence of those fake .AI domains represents a major cybersecurity issue for organizations that are often unaware of how many variations of domains based on their brands might exist. In fact, a full 79% of lookalike domains are owned by third parties, the CSC analysis finds. Many organizations also create sub-domains for a marketing campaign that, once finished, are abandoned, Shraim added. It’s not uncommon for cybercriminals to commandeer these sub-domains to perpetrate additional fraud, he noted. The report noted that 21% of DNS active sub-domain records do not resolve.

Worse yet, a total of 112 of the largest companies in the world had a domain security score of zero, the report found.

The domain management challenges that organizations face today have as much to do with cultural issues as they do with technical ones, said Shraim. In far too many instances, cybersecurity teams are not involved in setting up domains, so they are not always focused on finding fake ones until after there has been a cybersecurity incident. Cybersecurity teams have a vested interest in making sure organizations employ only enterprise-class registries to create domains, said Shraim. That approach makes it much simpler to identify fraudulent activity by monitoring the web for variations that have not been authorized, he noted.

Domain names provide cybercriminals with a soft target they can easily exploit, noted Shraim. In comparison, the time and effort required to compromise enterprise IT systems is much higher, so most cybercriminals are going to look for the path of least resistance to accomplish their aims, he added. The challenge is that in the absence of any means to track that behavior online, it might be months before an organization can successfully make a case to gain control of a domain that has hijacked its brand.

Of course, by then, massive amounts of damage may have been inflicted and the reputation of an organization may never fully recover.

Source: https://securityboulevard.com/2023/10/csc-report-highlights-cybersecurity-threats-ai-domains-pose/