I was invited to participate in an 11 March 2022 meeting of the EU High Level Internet Governance expert group to discuss domain name abuse. Following a presentation of a Study on Domain Name System (DNS) Abuse commissioned by the European Commission, I gave a 5-minute intervention. This EC study is comprehensive and well worth reading. My Interisle colleagues are proud to have our Phishing Landscape 2021 Study and other related studies mentioned in the EC study.
The transcript follows.
Interisle intervention to EC HLIG on DNS Abuse
Thank you for the opportunity to address you today.
My name is David Piscitello. I am a partner and researcher at Interisle Consulting Group.
Interisle studies domain name abuse; more precisely, we study how criminals use domain names and Internet addresses in cyberattacks and cybercrimes. We work to identify where criminals obtain the resources that they need to conduct attacks or perpetrate crimes and to identify and observe where criminal activity is occurring on the Internet.
Specifically, we provide measurements of abuse at TLD, registrar and hosting networks in annual studies and quarterly reports at the Cybercrime Information Center.
Since May 2020, we have collected over 12 million phishing and malware reports. These allow us to perform historical or longitudinal analyses which can identify systemic abuses of the DNS. The Study on Domain Name System (DNS) Abuse commissioned by the European Commission cites several of our measurements and findings from our Phishing Landscape 2021 Study. Our methodologies are similar to those used by our fellow European researchers who contributed to that study. Our data corroborate the Study’s finding that criminals acquire domain names with the specific purpose of perpetrating an abuse or cybercrime.
We also find that criminals acquire large numbers of domains to construct criminal infrastructures that they use or lease to others to launch cyberattacks or to host harmful content such as malware or phishing web pages.
Particularly in the generic top-level domain name space, we observe that criminals exploit or benefit from characteristics of domain registration services.
Focus on domain registration
The EC’s DNS Abuse study is comprehensive, so I will summarize the domain name registration services “problem space”.
Registration contact data is critically important to investigators when they are attempting to identify criminal actors, but also because it can be used to identify all the domain names that a criminal uses for a given attack.
Today, much of the contact data that can be used to identify perpetrators of abuse or crimes is unavailable. Our January 2021 study (Whois Contact Data Availability) revealed that
Including ‘proxy-protected’ domains, for which the identity of the domain owner is deliberately concealed,
Since the data are redacted, we cannot determine whether the data are accurate.
Access to redacted contact data for lawful purposes, in the timely and uniform manner that would help mitigate abuse, is essentially non-existent and this situation worsens every day.
The inability to reconcile these issues to the satisfaction of legislators, ICANN policy makers, and the public sector-private sector actors who need registration data greatly impairs efforts to mitigate DNS abuse or crime.
To close, I want to call attention to features of domain registration services that allow rapid registrations of domain names in large numbers. Cybercriminals take advantage of bulk registration services to weaponize large numbers of domain names. We use the term “weaponize” to refer to an act of adapting something nominally benign to serve as a tool in the pursuit of some malignant (criminal) activity.
I ask you to consider,
The EC may wish to consider whether measures similar to those employed to control other “weaponizable” commodities are necessary and appropriate. Our October 2019 study on criminal abuse of domain registration services suggests measures that might be adopted. The study is available at Interisle.net.
On behalf of my colleagues at Interisle I want to again thank you for the opportunity to speak to the EU High Level Internet Governance Expert Group on the subject of DNS Abuse. We hope that we can assist you in further deliberations.