Australian businesses can now register .au domains without the ‘com’.

But cyber security authorities are warning owners of web domains to be vigilant about the risks of the new service that will, from today, allow the registration of these top-level .au domain names.

The new service, called .au direct, is available to “anyone with a verified connection to Australia who wants to create or manage an online presence for themselves or their organisation,” domain-name administrator auDA explained.

To qualify for a .au name, buyers must meet criteria including having a “verifiable Australian presence” such as being a citizen or permanent resident, or being an organisation registered in Australia.

Applicants can choose any name they like, apart from the usual list of reserved names.

To ensure they aren’t elbowed aside by competitors or domain squatters, .au domains similar to existing .com.au, .net.au, .org.au and other domains will be locked until 20 September so existing owners can be given priority.

Conflicts between legitimate rights holders will be resolved through a Priority Application Process that groups rights holders into two priority categories based on how long they have held the domains.

Those who held a domain name before 4 February 2018 are considered to be Category 1 applicants, and will have higher priority than Category 2 applicants that acquired their domain since that date.

Where two Category 1 applicants are contesting the same .au domain, they will be directed to negotiate an outcome between themselves.

Conflicts between two Category 2 applicants will give the .au name to the registrant who has held the domain for the longest.
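The Priority Application Process described above, as an added worked example (not code from auDA or from the article): it maps an existing second-level name to the .au direct name it reserves, assigns the priority category from the 4 February 2018 cutoff, and applies the conflict rules. The `Applicant` type, the `applicant` helper and the list of eligible namespaces (the article says "and other domains") are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# Cutoff from the Priority Application Process: a domain held before this
# date puts its registrant in Category 1; one acquired on or after it, Category 2.
CATEGORY_1_CUTOFF = date(2018, 2, 4)

# Second-level namespaces named in the article whose holders get priority.
# The article also says "and other domains"; extend this tuple as needed (assumption).
PRIORITY_NAMESPACES = (".com.au", ".net.au", ".org.au")

@dataclass(frozen=True)
class Applicant:
    registrant: str
    existing_domain: str  # e.g. "example.com.au"
    held_since: date      # date the registrant acquired existing_domain

def applicant(registrant: str, existing_domain: str, held_since_iso: str) -> Applicant:
    """Convenience constructor taking an ISO date string such as "2017-05-01"."""
    return Applicant(registrant, existing_domain, date.fromisoformat(held_since_iso))

def au_direct_equivalent(domain: str) -> str:
    """Map an existing second-level name to the .au direct name it reserves."""
    domain = domain.lower().rstrip(".")
    for suffix in PRIORITY_NAMESPACES:
        if domain.endswith(suffix):
            label = domain[: -len(suffix)]
            if label and "." not in label:
                return f"{label}.au"
    raise ValueError(f"{domain!r} is not a priority-eligible .au second-level name")

def priority_category(held_since: date) -> int:
    """Category 1 if held before 4 February 2018, otherwise Category 2."""
    return 1 if held_since < CATEGORY_1_CUTOFF else 2

def resolve(applicants: list[Applicant]) -> tuple[str, object]:
    """Apply the conflict rules; returns ("allocated", name) or ("negotiate", [names])."""
    names = {au_direct_equivalent(a.existing_domain) for a in applicants}
    if len(names) != 1:
        raise ValueError(f"applicants contest different names: {sorted(names)}")
    category_1 = [a for a in applicants if priority_category(a.held_since) == 1]
    if len(category_1) == 1:            # Category 1 beats any Category 2 applicant
        return ("allocated", category_1[0].registrant)
    if len(category_1) > 1:             # competing Category 1 holders negotiate
        return ("negotiate", sorted(a.registrant for a in category_1))
    # All Category 2: the longest-held domain wins (exact ties are not
    # addressed in the article; the earliest listed applicant is chosen here).
    winner = min(applicants, key=lambda a: a.held_since)
    return ("allocated", winner.registrant)
```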

A new security risk

After 20 September the new domain will be open slather for anybody – and authorities are expecting the new domain will become a magnet for fraudsters and domain-name squatters.

The new category of domain name “creates another avenue for cybercriminals to conduct fraudulent cyber activities,” the Australian Cyber Security Centre (ACSC) warned in a recent advisory.

“If a business does not reserve their .au equivalent direct domain name during this six-month period, that name will become available to the public on a first-come, first-served basis…. Opportunistic cybercriminals could register your .au domain name in an attempt to impersonate your business.”

To improve protections against malicious domain names, in October the ACSC launched an Australian Protective Domain Name Service (AUPDNS) – a domain-name system for government bodies that checks incoming and outgoing network traffic against a list of “high-risk websites and email servers”.

“A single malicious connection could result in a government network being vulnerable to attack or compromise,” Assistant Minister for Defence Andrew Hastie said at the time, “so it’s vital we do everything we can to prevent cybercriminals from gaining a foothold.”

Fraudsters and cybercriminals have a long history of exploiting new domain names by registering names that are equivalent or similar to existing domains, then using them to seed malware via emails or text messages linking to that domain.

Even where malware is not involved, fraudsters use fake renewal notices to trick domain registrants into paying unnecessary fees, or just to boost traffic to sites displaying ads.

A recent CSC DBS analysis, which examined around 500,000 domain names registered since the COVID-19 pandemic began, found that 80 per cent of 350 domain names relating to pandemic-related organisations – Pfizer, Moderna, Johnson & Johnson, the CDC and others – were actually registered to third parties.

More than 478,000 of the domain names referenced key terms such as ‘covid’ and ‘vaccine’, while the surge of the Omicron coronavirus variant saw the registration of 832 new domains – 70 per cent of all domain names containing that word – within the two weeks after the new strain was formally named.

Many redirected users to entirely different businesses, while others posed as Omicron news sites while asking for donations or promoting cryptocurrencies.