#FactCheck - Viral Postcard Attributing Fake UGC Statement to Keshav Prasad Maurya Is False

Introduction

In the evolving landscape of cybercrime, attackers are not only becoming more sophisticated in their approach but also more adept in their infrastructure. The Indian Cybercrime Coordination Centre (I4C) has issued a warning about the use of ‘disposable domains’ by cybercriminals. These are short-lived websites designed tomimic legitimate platforms, deceive users, and then disappear quickly to avoid detection and legal repercussions.

Although they may appear harmless at first glance, disposable domains form the backbone of countless online scams, phishing campaigns, malware distributionschemes, and disinformation networks. Cybercriminals use them to host fake websites, distribute malicious files, send deceptive emails, and mislead unsuspecting users, all while evading detection and takedown efforts.

As India’s digital economy grows and more citizens, businesses, and public services move online, it is crucial to understand this hidden layer of cybercrime infrastructure.Greater awareness among individuals, enterprises, and policymakers is essential to strengthen defences against fraud, protect users from harm, and build trust in thedigital ecosystem

What Are Disposable Domains?

A disposable domain is a website domain that is registered to be used temporarily, usually for hours or days, typically to evade detection or accountability.

These domains are inexpensive, easy to obtain, and can be set up with minimal information. They are often bought in bulk through domain registrars that do not strictly verify ownership information, sometimes using stolen credit cards or cryptocurrencies to remain anonymous. They differ from legitimate temporary domains used for testing or development in one significant aspect, which is ‘purpose’. Cybercriminals use disposable domains to carry out malicious activities such as phishing, sextortion, malware distribution, fake e-commerce sites, spam email campaigns, and disinformation operations.

How Cybercriminals Utilise Disposable Domains

1. Phishing & Credential Stealing: Attackers tend to register lookalike domains that are similar to legitimate websites (e.g., go0gle-login[.]com or sbi-verification[.]online) and trick victims into entering their login credentials. These domains will be active only long enough to deceive, and then they will disappear.

2. Malware Distribution: Disposable domains are widely used for ransomware and spyware operations for hosting malicious files. Because the domains are temporary, threat intelligence systems tend to notice them too late.

3. Fake E-Commerce & Investment Scams: Cyber crooks clone legitimate e-commerce or investment sites, place ad campaigns, and trick victims into "purchasing" goods or investing in scams. The domain vanishes when the scam runs out.

4. Spam and Botnets: Disposable domains assist in botnet command-and-control activities. They make it more difficult for defenders to block static IPs or trace the attacker's infrastructure.

5. Disinformation and Influence Campaigns: State-sponsored actors and coordinated troll networks use disposable domains to host fabricated news articles, fake government documents, and manipulated videos. When these sites are detected and taken down, they are quickly replaced with new domains, allowing the disinformation cycle to continue uninterrupted.

Why Are They Hard to Stop?

Registering a domain is inexpensive and quick, often requiring no more than an email address and payment. The difficulty is the easy domain registrations and the absence of worldwide enforcement. Domain registrars differ in enforcing Know-Your-Customer (KYC) standards stringently. ICANN (Internet Corporation for Assigned Names and Numbers) has certain regulations in place but enforcement is inconsistent. ICANN does require registrars to maintain accurate Who is information (the “Registrant Data Accuracy Policy”) and to act on abuse complaints. However, ICANN is not an enforcement agency. It oversees contracts with registrars but cannot directly police every registration. Cybercriminals exploit services such as:

• Privacy protection shields that conceal actual WHOIS information.
• Bulletproof hosting that evades takedown notices.
• Fast-flux DNS methods to rapidly alter IP addresses

Additionally, utilisation of IDNs ( Internationalised Domain Names) and homoglyph attacks enables the attackers to register visually similar domains to legitimate ones (e.g., using Cyrillic characters to represent Latin ones).

Real-World Example: India and the Rise of Fake Investment Sites

India has witnessed a wave of monetary scams that are connected with disposable domains. Over hundreds of false websites impersonating government loan schemes, banks or investment websites, and crypto-exchanges were found on disposable domains such as gov-loans-apply[.]xyz, indiabonds-secure[.]top, or rbi-invest[.]store. Most of them placed paid advertisements on sites such as Facebook or Google and harvested user information and payments, only to vanish in 48–72 hours. Victims had no avenue of proper recourse, and the authorities were left with a digital ghost trail.

How Disposable Domains Undermine Cybersecurity

• Bypass Blacklists: Dynamic domains constantly shifting evade static blacklists.
• Delay Attribution: Time is wasted pursuing non-existent owners or takedowns.
• Mass Targeting: One actor can register thousands of domains and attack at scale.
• Undermine Trust: Frequent users become targets when genuine sites are duplicated and it looks realistic.

Recommendations Addressing Legal and Policy Gaps in India

1. There is a need to establish a formal coordination mechanism between domain registrars and national CERTs such as CERT-In to enable effective communication and timely response to domain-based threats.

2. There is a need to strengthen the investigative and enforcement capabilities of law enforcement agencies through dedicated resources, training, and technical support to effectively tackle domain-based scams.

3. There is a need to leverage the provisions of the Digital Personal Data Protection Act, 2023 to take action against phishing websites and malicious domains that collect personal data without consent.

4. There is a need to draft and implement specific regulations or guidelines to address the misuse of digital infrastructure, particularly disposable and fraudulent domains, and close existing regulatory gaps.

What Can Be Done: CyberPeace View

1. Stronger KYC for Domain Registrations: Registrars selling domains to Indian users or based in India should conduct verified KYC processes, with legal repercussions for carelessness.

2. Real-Time Domain Blacklists: CERT-In, along with ISPs and hosting companies, should operate and enforce a real-time blacklist of scam domains known.

3. Public Reporting Tools: Observers or victims should be capable of reporting suspicious domains through an easy interface (tied to cybercrime.gov.in).

4. Collaboration with Tech Platforms: Social media services and online ad platforms should filter out ads associated with disposable or spurious domains and report abuse data to CERT-In.

5. User Awareness: Netizens should be educated to check URLs thoroughly, not click on unsolicited links and they must verify the authenticity of websites.

Conclusion

Disposable domains have silently become the foundation of contemporary cybercrime. They are inexpensive, highly anonymous, and short-lived, which makes them a darling weapon for cybercriminals ranging from solo spammers to nation-state operators. In an increasingly connected Indian society where the penetration rate of internet users is high, this poses an expanding threat to economic security, public confidence, and national resilience. Combating this problem will need a combination of technical defences, policy changes, public-private alliances, and end-user sensitisation. As India develops a Cyber Secure Bharat, monitoring and addressing disposable domain abuse must be the utmost concern.

References

• https://www.bitcot.com/disposable-domains
• https://atdata.com/blog/evolution-of-email-fraud-rise-of-hyper-disposable-domains/
• https://www.cyfirma.com/research/scamonomics-the-dark-side-of-stock-crypto-investments-in-india/
• https://knowledgebase.constantcontact.com/lead-gen-crm/articles/KnowledgeBase/50330-Understanding-Blocked-Forbidden-and-Disposable-Domains?lang=en_US
• https://www.meity.gov.in/
• https://intel471.com/blog/bulletproof-hosting-fast-flux-dns-double-flux-vps

‍

‍

Starting on 16th February 2025, Google changed its advertisement platform program policy. It will permit advertisers to employ device fingerprinting techniques for user tracking. Organizations that use their advertising services are now permitted to use fingerprinting techniques for tracking their users' data. Originally announced on 18th December 2024, this rule change has sparked yet another debate regarding privacy and profits.

The Issue

Fingerprinting is a technique that allows for the collection of information about a user’s device and browser details, ultimately enabling the creation of a profile of the user. Not only used for or limited to targeting advertisements, data procured in such a manner can be used by private entities and even government organizations to identify individuals who access their services. If information on customization options, such as language settings and a user’s screen size, is collected, it becomes easier to identify an individual when combined with data points like browser type, time zone, battery status, and even IP address.

What makes this technique contentious at the moment is the lack of awareness regarding the information being collected from the user and the inability to opt out once permissions are granted.

This is unlike Google’s standard system of data collection through permission requests, such as accepting website cookies—small text files sent to the browser when a user visits a particular website. While contextual and first-party cookies limit data collection to enhance user experience, third-party cookies enable the display of irrelevant advertisements while users browse different platforms. Due to this functionality, companies can engage in targeted advertising.

This issue has been addressed in laws like the General Data Protection Regulation (GDPR) of the European Union (EU) and the Digital Personal Data Protection (DPDP) Act, 2023 (India), which mandate strict rules and regulations regarding advertising, data collection, and consent, among other things. One of the major requirements in both laws is obtaining clear, unambiguous consent. This also includes the option to opt out of previously granted permissions for cookies.

However, in the case of fingerprinting, the mechanism of data collection relies on signals that users cannot easily erase. While clearing all data from the browser or refusing cookies might seem like appropriate steps to take, they do not prevent tracking through fingerprinting, as users can still be identified using system details that a website has already collected. This applies to all IoT products as well. People usually do not frequently change the devices they use, and once a system is identified, there are no available options to stop tracking, as fingerprinting relies on device characteristics rather than data-collecting text files that could otherwise be blocked.

Google’s Changing Stance

According to Statista, Google’s revenue is largely made up of the advertisement services it provides (amounting to 264.59 billion U.S. dollars in 2024). Any change in its advertisement program policies draws significant attention due to its economic impact.

In 2019, Google claimed in a blog post that fingerprinting was a technique that “subverts user choice and is wrong.” It is in this context that the recent policy shift comes as a surprise. In response, the ICO (Information Commissioner’s Office), the UK’s data privacy watchdog, has stated that this change is irresponsible. Google, however, is eager to have further discussions with the ICO regarding the policy change.

Conclusion

The debate regarding privacy in targeted advertising has been ongoing for quite some time. Concerns about digital data collection and storage have led to new and evolving laws that mandate strict fines for non-compliance.

Google’s shift in policy raises pressing concerns about user privacy and transparency. Fingerprinting, unlike cookies, offers no opt-out mechanism, leaving users vulnerable to continuous tracking without consent. This move contradicts Google’s previous stance and challenges global regulations like the GDPR and DPDP Act, which emphasize clear user consent.

With regulators like the ICO expressing disapproval, the debate between corporate profits and individual privacy intensifies. As digital footprints become harder to erase, users, lawmakers, and watchdogs must scrutinize such changes to ensure that innovation does not come at the cost of fundamental privacy rights

References

• https://www.techradar.com/pro/security/profit-over-privacy-google-gives-advertisers-more-personal-info-in-major-fingerprinting-u-turn
• https://www.ccn.com/news/technology/googles-new-fingerprinting-policy-sparks-privacy-backlash-as-ads-become-harder-to-avoid/
• https://www.emarketer.com/content/google-pivot-digital-fingerprinting-enable-better-cross-device-measurement
• https://www.lewissilkin.com/insights/2025/01/16/google-adopts-new-stance-on-device-fingerprinting-102ju7b
• https://www.lewissilkin.com/insights/2025/01/16/ico-consults-on-storage-and-access-cookies-guidance-102ju62
• https://www.bbc.com/news/articles/cm21g0052dno 
• https://www.techradar.com/features/browser-fingerprinting-explained
• https://fingerprint.com/blog/canvas-fingerprinting/
• https://www.statista.com/statistics/266206/googles-annual-global-revenue/#:~:text=In%20the%20most%20recently%20reported,billion%20U.S.%20dollars%20in%202024

‍

Introduction

The hospitality industry is noted to be one of the industries most influenced by technology. Hotels, restaurants, and travel services are increasingly reliant on digital technologies to automate core operations and customer interactions. The shift to electronic modes of conducting business has made the industry a popular target for cyber threats. In light of increasing cyber threats, safeguarding personal and sensitive personal data on the part of the hospitality industry becomes significant not only from a customer standpoint but also from an organisational and legal perspective.

Role of cybersecurity in the hospitality industry

A hospitality industry-based entity (“HI entity”) deploys several technologies not only to automate operations but to also deliver excellent customer experiences. Technologies such as IoTs that enable smart controls in rooms, Point-of-Sale systems that manage reservations, Call Accounting Systems that track and record customer calls, keyless entry systems, and mobile apps that facilitate easy booking and service requests are popularly used in addition to operative technologies such as Property Management Systems, Hotel Accounting Systems, Local Area Networks (LAN).{1} These technologies collect vast volumes of data daily due to the nature of operations. Such data necessarily includes personal information such as names, addresses, phone numbers, email IDs etc. and sensitive information such as gender, bank account and payment details, health information pertaining to food allergens etc. Resultantly, the breach and loss of such critical data impacts customer trust and loyalty and in turn, their retention within the business. Lack of adequate cybersecurity measures also impacts the reputation and goodwill of an HI entity since customers are more likely to opt for establishments that prioritise the protection of their data. In 2022, cybercriminals syphoned 20GB of internal documents and customer data from Marriott Hotels, which included credit card information and staff information such as wage data, corporate card number and even a personnel assessment file. A much larger breach was seen in 2018, where 383 million booking records and 5.3 million unencrypted passport numbers were stolen from Marriott’s servers.{2}

Cybersecurity is also central to safeguarding trade secrets and key confidential trade information. An estimate of US $6 trillion per year on average amounts to losses generated from cybercrimes.{3} The figure, however, does not include the cost of breach, expenses related to incident response, legal fees, regulatory fines etc which may be significantly higher for a HI entity when loss of potential profits is factored in.

Cybersecurity is also central from a legal standpoint. Legal provisions in various jurisdictions mandate the protection of guest data. In India, the Digital Personal Data Protection Act 2023, imposes a penalty of up to Rs. 50 Crores on a breach in observing obligations to take reasonable security safeguards to prevent personal data breach.{4} Similarly, the General Data Protection Regulation (GDPR) of the European Union also has guidelines for protecting personal data. Several other industry-specific rules, such as those pertaining to consumer protection,  may also be applicable.

Breaches and Mitigation

There are several kinds of cyber security threats faced by an HI entity. “Fake Booking” is a popular method of cyber attack, whereby attackers build and design a website that is modelled exactly after the hotel’s legitimate website. Many customers end up using such malicious phishing websites thereby exposing their personal and sensitive personal data to threats. Additionally, the provision of free wifi within hotel premises, usually accessible freely to the public, implies that a malicious actor may introduce viruses and updates bearing malware. Other common cyber threats include denial of service (DoS) attacks, supply chain attacks, ransomware threats, SQL injection attacks (a type of attack where malicious code is inserted into a database to manipulate data and gain access to information), buffer overflow or buffer overrun (when the amount of data exceeds its storage capacity, implying that the excess data overflows into other memory locations and corrupt or overwrites data in those locations). 

One of the best ways to manage data breaches is to leverage newer technologies that operate on a “privacy by design” model. An HI entity must deploy web application firewalls (WAF) that differ from regular firewalls since they can filter the content of specific web applications and prevent cyber attacks. Another method to safeguard data is by deploying a digital certificate which binds a message/instruction to the owner/generator of the message. This is useful in preventing any false claims fraud by customers. Digital certificates may be deployed on distributed ledger technologies such as blockchain, that are noted for their immutability, transparency and security. Self-sovereign identities or Identifiers (SSI) are also a security use-concept of blockchain whereby individuals own and control their personal data, thereby eliminating reliance on central authorities.{5} In the hospitality industry, SSIs enhance cybersecurity by securely storing identity-related information on a decentralised network, thereby reducing the risk of data breaches. Users can selectively share their information, ensuring privacy and minimising data exposure. This approach not only protects guests' personal details but also streamlines authentication processes, making interactions safer and more efficient.

From a less technical standpoint, cybersecurity insurance may be opted for by a hotel to secure themselves and customer information against breach. Through such insurance, a hotel may cover the liability that arises from breaches caused by both first- and third-party actions.{6} Additionally, Payment Cards Industry Data Security Standards should be adhered to, since these standards ensure that businesses should apply best practices when processing credit card data through optimised security. Employee training and upskilling in basic, practical cybersecurity measures and good practices is also a critical component of a comprehensive cybersecurity strategy.

References:

• [1]  The Growing Importance of Cybersecurity in the Hospitality Industry”, Alfatec, 11 September 2023 https://www.alfatec.ai/academy/resource-library/the-growing-importance-of-cybersecurity-in-the-hospitality-industry
• [2]  Vigliarolo, Brandon, “Marriott Hotels admit to third data breach in 4 years”, 6 July 2022 https://www.theregister.com/2022/07/06/marriott_hotels_suffer_yet_another/#:~:text=In%20the%20case%20of%20the,of%20an%20individual%20organization%20ever. 

• [3] Shabani, Neda & Munir, Arslan. (2020). A Review of Cyber Security Issues in the Hospitality Industry. 10.1007/978-3-030-52243-8_35. https://www.researchgate.net/publication/342683038_A_Review_of_Cyber_Security_Issues_in_Hospitality_Industry/citation/download    
• [4] The Digital Personal Data Protection Act 2023 https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf 
• [5]  “What is self-sovereign identity?”, Sovrin, 6 December 2018 https://sovrin.org/faq/what-is-self-sovereign-identity/ 
• [6] Yasar, Kinza, “Cyber Insurance”, Tech Target https://www.techtarget.com/searchsecurity/definition/cybersecurity-insurance-cybersecurity-liability-insurance