Secret Service warns domain registration system is major security flaw hackers exploit


The internet domain registration system is a major weakness that malicious hackers can exploit, but it is often overlooked, a senior Secret Service official said Thursday.

“It is staggering to me that we live in a world where domain registrars and registrars will do bulk registration of various spellings of a major institution’s brand name to create URLs to then use in phishing campaigns or in fraudulent advertising,” the official, Matt Noyes, said at a conference in Washington, D.C.

It was one of two attack vectors that Noyes, speaking on a panel at the 2026 Identity, Authentication and the Road Ahead Policy Forum, said aren’t being adequately addressed; the other was susceptibility to business email compromise scams.

The problem is in how the Internet Assigned Numbers Authority (IANA) functions, he said. A decade ago, the United States relinquished its control of that process.

“It’s not discussed normally in polite company, but very important … for the handful of people that engage in Internet governance,” Noyes said.

“Think about every phishing campaign that contains a link, whether that’s sent by SMS or email,” he said. “They want a URL that is deceptive. That is an identity weakness there in how internet assigned names and numbers function; there was not sufficient validation that the person registering that domain name has rights to that — owns a trade right.”

That forces companies like Microsoft and Google to seek court-ordered takedown operations on the “back end,” as Noyes described it. However, Noyes suggested that internet companies could address the problem proactively.

“That is fundamentally a failure of internet governance that we have not created identity checks to ensure that when someone is registering names and numbers or concentrating a huge amount of abuse in fraudulent activity in particular ASN, autonomous system numbers, that it’s getting addressed and cleaned up,” he said. “The major internet players in the U.S., they could change the nature of the internet and change the governance of that, to clean that up when there’s a heavy concentration of abuse and fraud.”

That would involve not selling certain ads or showing certain results in web searches, Noyes said. “It could be addressed that way, but that’s that underpinning that gets neglected because it’s not in that direct consumer account interaction,” he said.

And on business email compromise, which involves sending fake emails to solicit fraudulent payments, “we put implicit trust that the person we think we’re communicating with controls an email address routinely. That trust is not earned. The system isn’t designed that way.”

Business email compromise routinely accounts for a significant amount of internet-enabled fraud losses annually in the United States.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003.


