We are delighted to introduce Dave Piscitello as the first guest writer on the Spamhaus blog. In 2019, Dave led research with the Interisle Consulting Group investigating criminal domain name abuse, focusing on mass registrations. These results underscored the need for stricter measures within the domain name industry, which the current COVID-19 pandemic further highlights.
Cybercriminals will always profit
In their pursuit of criminals, cyber investigators need transparency when it comes to accessing domain registration data from WHOIS. Today, such concerns come from governments whose citizens are facing an avalanche of attacks exploiting the COVID-19 / Coronavirus pandemic. In recent days, the US Department of Justice has filed a temporary injunction against Registrar Namecheap to suspend a domain that has been used to host fake COVID test kits, citing that “NameCheap, Inc. plays a vital role in the program by serving as the website’s domain registrar, which allows potential victims to access the website. “
The New York Attorney General’s Office also contacted Registrar GoDaddy and others, expressing concern that “cybercriminals have registered a significant number of ‘coronavirus’-related domain names in recent weeks” and described “Measures to prevent bad actors from taking advantage of the current crisis” in their correspondence.
Here, we take a look at one of the many ways criminals exploit domain names, using mass registration services to provide them with the means to launch attacks from multiple origins.
The allure of mass domain registrations
Cyber ââcriminals rely on domain names that can be quickly acquired, used in an attack, and abandoned before they can be found. Spam and ransomware campaigns, as well as criminal infrastructure operations – botnets and Ransomware or Phishing as a Service (RAAS, PhAAS) – particularly benefit from the ability to use the mass registration services offered by the offices. domain name registration. Beast Mode, offered by Registrar NameCheap, Inc., illustrates how easily and inexpensively domains can be acquired in this way.
Figure 1: https://www.namecheap.com/domains/bulk-domain-search/
In our October 2019 study, Criminal Abuse of Domain Names, we observed and collected a sample of extraordinary daily spikes of domain names added to multiple reputation block lists, including the Spamhaus Domain Block List (DBL) . We have studied these events by studying the following:
- Creation dates
- Sponsoring Registrar
- Holder (which was generally fraudulently composed data).
We have been able to show that cybercriminals repeatedly register hundreds or thousands of domain names within minutes. These were then used to support snowshoe spam campaigns and phishing or ransomware attacks. Figure 2 gives an example of what these spikes look like at the time of registration, and Figure 3 illustrates subsequent block dates for these same criminal domains.
Figure 2: Registration dates for .TOP domains blocked in the February 2018 sample
Figure 3: Blocklist of .TOP domains in the February 2018 study sample
A context of militarization of domain names
The term “weaponry” refers to the act of adapting something nominally benign – a drug, a fertilizer, or even a space available in the market – to serve as a tool in the pursuit of malignant (criminal) activity. . The larger context is that the adaptation of these everyday objects creates security threats, including national security threats to the well-being or lives of residents, visitors and citizens.
When terrorists misuse fertilizers to build improvised explosive devices, they actually âarmâ ammonium nitrate. When criminals divert pseudoephedrine into the manufacture of methamphetamine, they inflict damage or loss of life by arming a drug intended to alleviate suffering.
When cybercriminals acquire and use thousands of Internet domain names to distribute spam emitters, they are misusing the domain names to cause financial loss or harm. In extreme cases of ransomware attacks on health or emergency systems or critical infrastructure, the potential damage includes death.
What is the return on investment for a cybercriminal?
Inexpensive, wholesale domain names contribute to a criminal market in which small investments can generate extraordinary returns. In the Interisle report, we consider the investment in a ransomware attack:
- Mailing lists can be purchased from the Dark Web, online, or created using email collectors, again available from programming repositories such as GitHub.
- Thousands of domain names can be acquired for pennies per domain from various registrars
- Malware can be purchased through RaaS for as low as $ 39.00. Similar opportunities exist to acquire a phishing kit, or these can be downloaded for free from repositories such as GitHub.
- Online tutorials for beginners are available on YouTube.
Assuming an extortion fee of US $ 200-500, a ransomware attack can pay off with less than a dozen victims. Multiple successful ransomware campaigns claiming thousands of victims are at hand, making this criminal activity a possible $ 1 million a year venture.
The domain name industry’s obligation to protect the public from harm
Other industries recognize and accept their obligation to protect the public from the misuse of potentially dangerous products through mandatory or recommended validation regimes. US pharmacies, for example, require valid proof of identity from any party attempting to purchase amounts of pseudoephedrine that exceed well-defined limits. Legitimate businesses comply with these and similar regulations in the interest of public safety.
The domain name industry could accept a similar obligation by verifying registrant payment methods as part of the validation process; for example, registrars could refuse transactions in which the cardholder’s contact data does not match the authorized user of the credit card. They could also ban anonymous or non-traceable payment methods.
In our study, we used hundreds of thousands of current and historical domain registration (Whois) records to demonstrate that criminals routinely and repeatedly militarize domain names using mass registration. When information on registrants was not available, correlation and assignment of mass registrants was much more difficult. We recommend that ICANN include a flag in the registration registrations that indicates whether or not the domain name has been registered as part of a mass registration. The âbulk registrantâ data element could be used to track or disallow an abusive registrant in delegated gTLDs.
This fits well with the ICANN Bylaws mandate of security, stability, and resiliency to protect the public. Other industries hunt down resources that can be militarized; for example, follow-up regulations apply to sellers of ammonium nitrate in the United States. These exist to protect the public from the construction of improvised explosive devices.
Most purchases of ammonium nitrate are legitimate; the same is true of most domain name registrations. But just as ammonium nitrate security measures protect the public against acts of terrorism, this policy would protect the public against the misuse of domain names for the purposes of extortion, fraud and other criminal acts. . The domain name registration system was never designed to provide criminals with thousands of domains in minutes. ICANN can and should try to adopt a policy to mitigate abusive mass registration.
About Dave Piscitello
Dave has been involved in Internet technology for over 40 years. He actively participates in the global collaborative efforts of the security, operations and law enforcement communities to mitigate domain name system abuse and malicious use of domain names. He regularly publishes articles on security, DNS, anti-phishing, malware, internet policy and privacy, and maintains a very active, insightful and entertaining news site called The Security Skeptic. Dave is an associate member of the Geneva Center for Security Policy, a board member of the Antiphishing Working Group (APWG) and the Coalition Against Unsolicited Commercial Email (CAUCE), and a former guest participant at the Organization for Economic Cooperation . Group of Experts on Operational and Development Safety (OECD). In February 2019, Dave received the M3AAWG Mary Litynski Award.