« New TLDs are coming #Dangerclose. | Main | Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices »

Monday, 14 March 2022

A 5-minute stakeholder intervention before the EU HLIG on #DNSabuse

I was invited to participate in an 11 March 2022 meeting of the EU High Level Internet Governance expert group to discuss domain name abuse. Following a presentation of a Study on Domain Name System (DNS) Abuse commissioned by the European Commission, I gave a 5-minute intervention. This EC study is comprehensive and well worth reading. My Interisle colleagues are proud to have our Phishing Landscape 2021 Study and other related studies mentioned in the EC study. 

The transcript follows. 

Interisle intervention to EC HLIG on DNS Abuse

Opening Remarks

Thank you for the opportunity to address you today.

My name is David Piscitello. I am a partner and researcher at Interisle Consulting Group.

Interisle studies domain name abuse; more precisely, we study how criminal uses domain names and Internet addresses in cyberattacks and cybercrimes. We work to identify where criminals obtain the resources that they need to conduct attacks or perpetrate crimes and to identify and observe where criminal activity is occurring on the Internet.

Specifically, we provide measurements of abuse at TLD, registrar and hosting networks in annual studies and quarterly reports at the Cybercrime Information Center.

Since May 2020, we have collected over 12 million phishing and malware reports. These allow us to perform historical or longitudinal analyses which can identify systemic abuses of the DNS. The Study on Domain Name System (DNS) Abuse commissioned by the European Commission cites several of our measurements and findings from our Phishing Landscape 2021 Study. Our methodologies are similar to those used by our fellow European researchers who contributed to that study. Our data corroborate the Study’s finding that criminals acquire domain names with the specific purpose of perpetrating an abuse or cybercrime.

We also find that criminals acquire large numbers of domains to construct criminal infrastructures that they use or lease to others to launch cyberattacks or to host harmful content such as malware or phishing web pages.

Particularly in the generic Top level domain name space, we observe that criminals exploit or benefit from characteristics of domain registration services.

Focus on domain registration

The EC’s DNS Abuse study is comprehensive, so I will summarize the domain name registration services “problem space”.

Registration contact data is critically important to investigators when they are attempting to identify criminal actors, but also because it can be used to identify all the domain names that a criminal uses for a given attack.

Today, much of the contact data that can be used to identify perpetrators of abuse or crimes is unavailable. Our January 2021 study (Whois Contact Data Availability) revealed that

  • Registration contact data is redacted for 57% of all generic Top-level Domain (gTLD) names,

and that

  • Only around 11.5% of domains may belong to natural persons who are subject to GDPR.

Including ‘proxy-protected’ domains, for which the identity of the domain owner is deliberately concealed,

  • 85% of gTLD domain registrants can no longer be identified.

Since the data are redacted, we cannot determine whether the data are accurate.

Access to redacted contact data for lawful purposes, in the timely and uniform manner that would help mitigate abuse, is essentially non-existent and this situation worsens every day.

The inability to reconcile these issues to the satisfaction of legislators, ICANN policy makers, and the public sector-private sector actors who need registration data greatly impairs efforts to mitigate DNS abuse or crime.

Weaponizing Domains

To close, I want to call attention to features of domain registration services that allow rapid registrations of domain names in large numbers.Cybercriminals take advantage of bulk registration services to weaponize large numbers of domain names.We use the term “weaponize” to refer to an act of adapting something nominally benign to serve as a tool in the pursuit of some malignant (criminal) activity.

  • When terrorists misuse fertilizers to construct improvised explosive devices, they are “weaponizing” ammonium nitrate.
  • When criminals divert pseudoephedrine to the manufacture of methamphetamine, they inflict harm or loss of life by weaponizing a medication intended to relieve suffering.

I ask you to consider,

  • When cybercriminals acquire and employ thousands of internet domain names to conduct cybercrimes, they are misusing domain names to cause financial loss or harm. In the extreme cases of ransomware attacks against healthcare or emergency systems or critical infrastructures, the potential harms include loss of life

The EC may wish to consider whether measures similar to those employed to control other “weaponizable” commodities are necessary and appropriate. Our October 2019 study on criminal abuse of domain registration services suggests measures that might be adopted. The study is available at Interisle.net.

On behalf of my colleagues at Interisle I want to again thank you for the opportunity to speak to the EU High Level Internet Governance Expert Group on the subject of DNS Abuse.We hope that we can assist you in further deliberations.

Posted at 09:22 AM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Find me on Mastodon and Facebook

Spotlight Posts

  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories