Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access

Domain names that can be acquired quickly, used in an attack, and abandoned before they can be traced are a critical resource for cybercriminals. Some attacks, including spam and ransomware campaigns and the operation of criminal infrastructure (e.g., botnets), benefit particularly from the ability to acquire very large numbers of domain names rapidly and cheaply, a tactic known as bulk registration.

The use of bulk registration to distribute attacks across hundreds or thousands of domain names in a matter of minutes, coupled with the crippling of registration data access under the Temp Spec (ICANN's Temporary Specification for gTLD Registration Data), presents cybercrime investigators with two impediments: criminal activity that is harder to pursue, and information about the criminals that is harder to obtain.

For this report, Interisle researchers studied both of these impediments:

  • We studied samples of security events during which many thousands of domains were blocklisted in relatively short time frames.

  • We identified registrars that offer bulk registration services and have large concentrations of blocklisted domains.

  • We characterized the behavior of domain name registrants who engage in bulk registrations that are detected and blocklisted as criminal activities.

  • We studied the way in which domain name registrants' use of privacy protection services or the redaction of Whois point-of-contact information inhibits or delays cybercrime investigation.
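The first three bullets describe a measurement approach: take a feed of domain registration and blocklisting events, cluster each registrar's registrations in time to find bursts, and then ask what share of each burst (and of each registrar's registrations overall) was later blocklisted. The following Python is an added illustration of that approach and is not code from the Interisle report; it assumes a constructed event feed in which every record carries the domain, its registrar, its registration time, and the time it was blocklisted (or None). The domains and registrar names are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of registration/blocklist events. Hypothetical domains and
# registrars for illustration only; not data from the Interisle report.
SAMPLE_EVENTS = [
    # (domain, registrar, registered_at, blocklisted_at or None)
    ("a1-login-verify.example", "Registrar-X", "2021-03-01T10:00:05", "2021-03-01T14:20:00"),
    ("a2-login-verify.example", "Registrar-X", "2021-03-01T10:00:09", "2021-03-01T14:25:00"),
    ("a3-login-verify.example", "Registrar-X", "2021-03-01T10:00:14", "2021-03-01T15:00:00"),
    ("a4-login-verify.example", "Registrar-X", "2021-03-01T10:00:20", None),
    ("a5-login-verify.example", "Registrar-X", "2021-03-01T10:01:02", "2021-03-02T09:00:00"),
    ("family-bakery.example",   "Registrar-X", "2021-03-01T16:40:00", None),
    ("localplumber.example",    "Registrar-Y", "2021-03-01T09:15:00", None),
    ("hobby-garden.example",    "Registrar-Y", "2021-03-01T11:30:00", None),
    ("city-library.example",    "Registrar-Y", "2021-03-02T08:00:00", None),
]


def _parse(ts):
    """ISO-8601 timestamp string to datetime; None stays None (never blocklisted)."""
    return datetime.fromisoformat(ts) if ts else None


def _summarize(registrar, cluster):
    """Describe one registration cluster: size, how many were later blocklisted,
    and the median delay between registration and blocklisting."""
    delays = [bl - reg for reg, _, bl in cluster if bl is not None]
    return {
        "registrar": registrar,
        "start": cluster[0][0],
        "end": cluster[-1][0],
        "domains": len(cluster),
        "blocklisted": len(delays),
        "median_hours_to_blocklist": (median(delays).total_seconds() / 3600) if delays else None,
    }


def find_bulk_bursts(events, max_gap=timedelta(minutes=5), min_domains=5):
    """Cluster each registrar's registrations by time. Consecutive registrations
    closer together than max_gap fall into the same burst; only bursts with at
    least min_domains domains are returned, each annotated with its blocklist
    outcome. max_gap and min_domains are tunable assumptions, not report values."""
    by_registrar = defaultdict(list)
    for domain, registrar, reg, bl in events:
        by_registrar[registrar].append((_parse(reg), domain, _parse(bl)))

    bursts = []
    for registrar, regs in by_registrar.items():
        regs.sort()  # chronological order per registrar
        cluster = [regs[0]]
        for item in regs[1:]:
            if item[0] - cluster[-1][0] <= max_gap:
                cluster.append(item)
            else:
                bursts.append(_summarize(registrar, cluster))
                cluster = [item]
        bursts.append(_summarize(registrar, cluster))
    return [b for b in bursts if b["domains"] >= min_domains]


def registrar_blocklist_share(events):
    """Per registrar: total domains seen, how many were blocklisted, and the share.
    A high share concentrated at a few registrars is the signal the report looks for."""
    totals = defaultdict(lambda: {"domains": 0, "blocklisted": 0})
    for _, registrar, _, bl in events:
        totals[registrar]["domains"] += 1
        if bl is not None:
            totals[registrar]["blocklisted"] += 1
    for t in totals.values():
        t["share"] = t["blocklisted"] / t["domains"]
    return dict(totals)


if __name__ == "__main__":
    for burst in find_bulk_bursts(SAMPLE_EVENTS):
        print(f"{burst['registrar']}: {burst['domains']} domains registered between "
              f"{burst['start']} and {burst['end']}, {burst['blocklisted']} later blocklisted, "
              f"median {burst['median_hours_to_blocklist']:.1f} h to blocklisting")
    for registrar, t in registrar_blocklist_share(SAMPLE_EVENTS).items():
        print(f"{registrar}: {t['blocklisted']}/{t['domains']} blocklisted ({t['share']:.0%})")
```

On the constructed sample, the five look-alike domains registered within about a minute at Registrar-X form the only burst, and four of them were blocklisted within a day; Registrar-Y's scattered registrations never cluster and none are blocklisted. On real data the gap and size thresholds need tuning per registrar volume, and a burst is only evidence of bulk registration, not of abuse, until the blocklist outcome is attached.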

Our study confirms the hypothesis that cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domain names for their attacks.

The study identifies four specific registrars at which abusive registration activity appears to be concentrated.

Our study also confirms that ICANN's Temp Spec policy of redacting Whois point of contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation.

Based on these findings, we recommend that the ICANN organization and community consider several Consensus Policies which, if adopted and incorporated into contracts, would contribute to reducing cybercrime and mitigating its effects on victims.

Comments can be submitted to feedback@interisle.net

The opinions, findings, and conclusions or recommendations expressed in this report are the product of independent work conducted by Interisle Consulting Group, without direction or other influence from any outside party, including parties that may have provided funding to support the work.
