Microsoft and partners from 35 countries recently took action to dismantle the Necurs spam infrastructure.
Microsoft's post calls Necurs a botnet but provides details that illustrate how much more than a botnet Necurs is:
- The Necurs infrastructure served as a delivery platform for spam, cryptomining and DDoS attacks.
- The spam campaigns contained stock scams, fake pharma, Russian dating scams, malware and ransomware.
- The Necurs operators leased services to other criminal actors to perpetrate these attacks.
Many of the partners that Microsoft mentions are top-level domain (TLD) registries. These operators are preemptively blocking the registration of the millions of algorithmically generated domains (the output of a domain generation algorithm, or DGA) that Necurs uses to name its command-and-control (C&C) hosts and so make its botnet resilient.
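How preemptive blocking works once a generator is known, as an added example that is not from Microsoft's post or any registry's tooling: a registry computes the names for a future date window and refuses to register them. The generator, seed and reserved TLDs below are constructed stand-ins, not the Necurs algorithm.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins (assumptions): NOT the Necurs algorithm, seed or TLD list.
TOY_SEED = b"constructed-seed"
TOY_TLDS = ["example", "test", "invalid"]  # reserved TLDs, never resolvable
DOMAINS_PER_DAY = 8

def toy_dga(day, count=DOMAINS_PER_DAY):
    """Deterministic toy generator: the same date and seed always give the same names."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(TOY_SEED + day.isoformat().encode() + bytes([i])).digest()
        length = 10 + digest[0] % 6                      # label of 10..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TOY_TLDS[digest[-1] % len(TOY_TLDS)]}")
    return names

def build_blocklist(start, days, tld):
    """Names under `tld` that the generator will produce during the window."""
    blocked = set()
    for offset in range(days):
        for name in toy_dga(start + timedelta(days=offset)):
            if name.endswith("." + tld):
                blocked.add(name)
    return blocked

def registration_allowed(fqdn, blocklist):
    """Registry-side check; normalise case and trailing dot before the lookup."""
    return fqdn.strip().rstrip(".").lower() not in blocklist

if __name__ == "__main__":
    window_start = date(2020, 3, 10)                     # constructed sample date
    blocklist = build_blocklist(window_start, 30, "example")
    print(len(blocklist), "names reserved under .example for the next 30 days")
    for request in [sorted(blocklist)[0].upper() + ".", "legit-shop.example"]:
        print(request, "->", "allowed" if registration_allowed(request, blocklist) else "refused")
```

Because the generator is deterministic, the blocklist can be built before the bots ever look the names up, which is why this step falls to registries rather than to downstream filtering.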
Kudos to the registries for their role. No thanks to the registrars whose business practices make it trivial and inexpensive to register millions of domains.
ICANN, please note that spam is no longer "just content" and hasn't been for nearly a decade.
Everyone else, please note that registry operators, especially the gTLDs that are delegated by ICANN, are by policy and contract at the mercy of (ahem) accredited registrars like Namecheap, which is currently being sued by Facebook, Instagram, and LinkedIn for business practices that facilitate fraud. Facebook has also filed suit against OnlineNIC. These actions are long overdue, and suits of this kind are perhaps appropriate for other targeted businesses or industries.
We can only hope that litigation will resolve what multi-stakeholder consensus policy cannot: make it too expensive to sell millions of cheap domains annually, and registrars will be forced to be more proactive in mitigating criminal use of domains.
New action to disrupt world’s largest online criminal network:
Protecting People from Domain Name Fraud
Fighting Domain Name Fraud