
Interisle releases report on criminal domain name abuse

Domain names that can be rapidly acquired, used in an attack, and abandoned before they can be traced are a critical resource for cybercriminals. Some attacks, including spam and ransomware campaigns and the operation of criminal infrastructure (e.g., botnets), benefit particularly from the ability to acquire very large numbers of domain names rapidly and cheaply, a tactic known as bulk registration.

The use of bulk registration to distribute attacks across hundreds or thousands of domain names in a matter of minutes, coupled with the crippling of registration data access by ICANN's Temporary Specification for gTLD Registration Data (the Temp Spec), presents cybercrime investigators with two impediments at once: criminal activity that is harder to pursue and information about the criminals that is harder to obtain.

For this report, Interisle researchers studied both aspects of this impediment:

  • We studied samples of security events during which many thousands of domains were blocklisted in relatively short time frames.
  • We identified registrars that offer bulk registration services and have large concentrations of blocklisted domains.
  • We characterized the behavior of domain name registrants who engage in bulk registrations that are detected and blocklisted as criminal activities.
  • We studied the way in which domain name registrants' use of privacy protection services or the redaction of Whois point-of-contact information inhibits or delays cybercrime investigation.
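The first two bullets above describe an analysis that defenders can run themselves against any blocklist feed that records where and when a domain was registered. The following script is an added illustration written for this page, not code from the Interisle report, and it does not reproduce the report's actual method. It assumes a feed of (domain, registrar, registration time, blocklisting time) rows; the rows, domain names and registrar names below are constructed placeholders. It flags bulk-registration bursts (a run of blocklisted domains at one registrar with no more than a short gap between consecutive registrations) and ranks registrars by their share of blocklisted domains.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample feed (not data from the report). Each row is
# (domain, registrar, registered_at, blocklisted_at), timestamps in UTC.
# The registrar names are placeholders, not registrars named in the report.
SAMPLE_EVENTS = [
    ("ab01.example", "registrar-a", "2019-03-01T10:00:05Z", "2019-03-01T13:40:00Z"),
    ("ab02.example", "registrar-a", "2019-03-01T10:00:12Z", "2019-03-01T13:40:00Z"),
    ("ab03.example", "registrar-a", "2019-03-01T10:00:20Z", "2019-03-01T13:40:00Z"),
    ("ab04.example", "registrar-a", "2019-03-01T10:01:03Z", "2019-03-01T13:40:00Z"),
    ("ab05.example", "registrar-a", "2019-03-01T10:02:44Z", "2019-03-01T13:40:00Z"),
    ("ab06.example", "registrar-a", "2019-03-01T10:05:10Z", "2019-03-01T13:40:00Z"),
    ("cd01.example", "registrar-b", "2019-03-01T08:15:00Z", "2019-03-02T09:00:00Z"),
    ("cd02.example", "registrar-b", "2019-03-01T16:40:00Z", "2019-03-03T12:00:00Z"),
    ("ef01.example", "registrar-c", "2019-03-01T11:30:00Z", "2019-03-01T15:00:00Z"),
    ("ef02.example", "registrar-c", "2019-03-01T11:30:30Z", "2019-03-01T15:00:00Z"),
    ("ef03.example", "registrar-c", "2019-03-01T11:31:00Z", "2019-03-01T15:00:00Z"),
]


def parse_ts(value):
    """Parse the feed's ISO-8601 UTC timestamps (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def registrar_concentration(events):
    """Count blocklisted domains per registrar; return (registrar, count, share)
    tuples with the largest share first."""
    counts = defaultdict(int)
    for _domain, registrar, _registered_at, _blocklisted_at in events:
        counts[registrar] += 1
    total = sum(counts.values())
    rows = [(registrar, count, count / total) for registrar, count in counts.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def summarize(registrar, cluster):
    """Describe one burst: how many domains, how tightly they were registered,
    and how long they typically stayed unlisted before being blocklisted."""
    seconds_to_blocklist = [(bl - reg).total_seconds() for reg, bl, _ in cluster]
    return {
        "registrar": registrar,
        "count": len(cluster),
        "first_registered": cluster[0][0].isoformat(),
        "last_registered": cluster[-1][0].isoformat(),
        "span_seconds": (cluster[-1][0] - cluster[0][0]).total_seconds(),
        "median_seconds_to_blocklist": median(seconds_to_blocklist),
        "domains": [domain for _, _, domain in cluster],
    }


def find_bursts(events, window_minutes=10, min_domains=5):
    """Flag bulk-registration bursts: at one registrar, a run of at least
    min_domains blocklisted domains where each registration follows the
    previous one by no more than window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_registrar = defaultdict(list)
    for domain, registrar, registered_at, blocklisted_at in events:
        by_registrar[registrar].append(
            (parse_ts(registered_at), parse_ts(blocklisted_at), domain))

    bursts = []
    for registrar, rows in by_registrar.items():
        rows.sort()  # by registration time
        clusters = []
        for row in rows:
            # Extend the current cluster if this registration is within the
            # window of the previous one; otherwise start a new cluster.
            if clusters and row[0] - clusters[-1][-1][0] <= window:
                clusters[-1].append(row)
            else:
                clusters.append([row])
        for cluster in clusters:
            if len(cluster) >= min_domains:
                bursts.append(summarize(registrar, cluster))
    return bursts


if __name__ == "__main__":
    for registrar, count, share in registrar_concentration(SAMPLE_EVENTS):
        print(f"{registrar}: {count} blocklisted domains ({share:.0%})")
    for burst in find_bursts(SAMPLE_EVENTS):
        print(f"burst at {burst['registrar']}: {burst['count']} domains registered "
              f"within {burst['span_seconds']:.0f}s, median "
              f"{burst['median_seconds_to_blocklist'] / 60:.0f} min until blocklisting")
```

With the constructed feed, only registrar-a produces a burst at the default thresholds (six domains registered within about five minutes); registrar-c's three rapid registrations are only flagged if `min_domains` is lowered to 3, and registrar-b's two registrations hours apart are never grouped. The window and threshold are deliberately parameters: a feed covering a registrar's full registration stream needs stricter values than one containing only blocklisted domains, which is the view used here.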

Our study confirms the hypothesis that cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domain names for their attacks.

The study identifies four specific registrars at which abusive registration activity appears to be concentrated.

Our study also confirms that ICANN's Temp Spec policy of redacting Whois point-of-contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation.

Based on these findings, we recommend that the ICANN organization and community consider several Consensus Policies which, if adopted and incorporated into contracts, would contribute to reducing cybercrime and mitigating its effects on victims.

An Executive Summary of the Report can be downloaded here
The complete report, with Executive Summary, can be downloaded here

Comments can be submitted to criminaldomainabuse@interisle.net


© Interisle Consulting Group