Home Archives Profile Subscribe

Microsoft dismantles global spam delivery infrastructure (Necurs)

Tuesday, 17 March 2020
Microsoft and partners from 35 countries recently took action to dismantle the Necurs spam infrastructure.
 
Microsoft's post calls Necurs a botnet but provides details that illustrate how much more than a botnet Necurs is:
 
  1. The Necurs infrastructure served as a spam delivery platform for spam, cryptomining and DDOS attacks.
  2. The spam campaigns contained stock scams, fake pharma, and Russian dating scams, malware and ransomware.
  3. The Necurs operators leased services to other criminal actors to perpetrate these attacks.
These are characteristics that the Counsel of Europe's Convention on Cybercrime identifies as criminal activities in its Guidance notes on Spam.
 
Many of the partners that Microsoft mentions are Top-level Domain registries. These operators are preemptively blocking the registration of the millions of algorithmically generated domains (DGA) that Necurs uses to name its command-and-control (C&C) host, to make its botnet resilient.
 
Kudos to the registries for their role. No thanks to the registrars whose business practices make it trivial and inexpensive to register millions of domains.
 
Takeaways:
 
ICANN, please note that spam is no longer "just content" and hasn't been for nearly a decade.
 
Everyone else, please note that registry operators, especially the gTLDs that are delegated by ICANN, are by policy and contract at the mercy of (ahem) accredited registrars like NameCheap, who is currently being sued by Facebook, Instagram, and LinkedIn for business practices that facilitate fraud. Facebook has also filed suit against OnlineNIC. These actions are long overdue and suits of this kind are perhaps appropriate for other targeted business or industries.
 
We can all only hope that litigation will resolve what multi-stakeholder consensus policy cannot: make it too expensive to sell millions of cheap domains annually and registrars will be forced to be more proactive in mitigating criminal use of domains.
 
New action to disrupt world’s largest online criminal network:
 
Protecting People from Domain Name Fraud
 
Fighting Domain Name Fraud
 

Posted at 09:52 AM | | Comments (0)

Spotlight Posts

  • Report: Criminal Abuse of Domain Names, Bulk Registration and Contact Information Access
    My Interisle Consulting Group colleague, Dr. Colin Strutt and I have published a report, Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access http://interisle.net/criminaldomainabuse.html In this report, we study "bulk registration misuse" by criminal actors. Bulk registrations refers to the practice of rapidly acquiring domain names, using these in an attack, and abandoning them as if they were throw-away ("burner") phones. These domains are a critical resource for cyber criminals. We use reputation block list (RBL) data to reveal how the use of bulk registrations, coupled with the crippling of registration data access by the ICANN Temp Spec...
  • Facts & Figures: Whois Policy Changes Impair Blocklisting Defenses
    Two independently conducted studies demonstrate that the onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this and other security countermeasures.
  • Conservative abuse reporting throws new TLD program under the bus
    ICANN has released a January 2019 domain abuse report generated from the Domain Abuse Activity Repor...
  • APWG and M3AAWG Survey Finds ICANN WHOIS Changes Impede Cyber Investigations
    The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access and usage of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups. From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec...
  • What is Ransomware
    Ransomware is a cyberattack (a virus) that is used to extort money. Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware. Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated...
Next