Insights | White Papers
Cybercrime Supply Chain 2023:
Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them
Interisle researchers, using data from the Cybercrime Information Center, analyzed more than 10 million cybercrime records and found distinct, persistent patterns of exploitation and abuse
covering a 365-day period from September 2022 to August 2023.
The study examines malware, spam, and phishing together because they are so often used in combination or sequence.
Suppliers form an online cybercrime supply chain where everything from phishing kits and malicious software, email lists and mobile numbers, domain names and Internet addresses,
and places to host attacks are readily and cheaply available. The study measures the Internet naming and addressing elements of this supply chain.
The goal? To focus attention on the links in the supply chain where disruption can have meaningful impact.
The major findings of the study are:
- Nearly 5 million domain names were identified as serving as a resource for cybercrime.
- Over 1 million domain names reported for spam activity were registered in the new gTLDs.
- Over 500,000 subdomain hostnames were reported for serving as resources for cybercrime at 229 subdomain resellers.
- Criminals acquire domain names in volume: over 1.5 million domains exhibited characteristics of malicious bulk domain registration behavior.
- Brand infringement is commonplace in domains registered purposely by criminals to perpetrate cybercrimes. Exact matches of a well-known brand name were used in over 200,000 cybercrime attacks.
- The United States had the most IPv4 addresses serving as resources for cybercrime activity. China, India, Australia, and Hong Kong rounded out the top 5.
The report's findings illustrate that the reactive efforts currently employed by the domain name and hosting industries, governments, and private sector organizations cannot curtail cybercrime and the harms it inflicts on Internet users. Interisle believes that adopting the well-known strategy of disrupting supply lines can be effective in mitigating cybercrime.
Interisle recommends measures that policy regimes, governments, service providers, and private sector working together can implement to disrupt the cybercrime supply chain. These recommendations include:
- Require registrars and registries to promptly (within 24 hours) investigate and suspend or cancel domain names that are purposely registered by criminals to commit online crimes, especially for cases where these registrants have amassed large batches of domain names.
- Review the practice of bulk registration and develop policy to prevent abuse.
- Adopt and enforce policies that protect Internet users from deceptive domain registrations, e.g., domains that contain exact matches of recognized brands.
- Adopt policy to ensure that additional new TLDs do not result in a more abundant supply chain.
- Develop a common supply chain disruption strategy for ccTLDs and gTLDs.
The study was sponsored by the AntiPhishing Working Group (APWG),
the Coalition Against Unsolicited Commercial Email (CAUCE),
and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
Collectively, these organizations represent thousands of cybersecurity, public advocacy, service providers, and industry professionals worldwide.
You may read an Executive Summary of the Report or
the complete Report.
Comments can be submitted to firstname.lastname@example.org
The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by
Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.
World class expertise
in Internet technology
and network strategy