Widespread Issues with Domain Registration Accountability Have a COVID Nexus

My Interisle partners and colleague Greg Aaron have published a detailed study that measures the effectiveness and impact of ICANN's registration data access policies and procedures. This study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS).

These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic.

In our Press Release I make the comment that, “The COVID-19 pandemic has led to a recent explosion of cybercrime, with thousands of new domain names using terms like ‘covid’ or ‘corona’ being used to perpetrate spam, phishing, malware campaigns and to peddle fake products,” and

“Investigators need quick, unencumbered access to domain registration data to disrupt COVID-themed attacks before they cause losses and harm. The problems our study exposes have made that all but impossible.”

COVID-themed attacks are current events that call attention to problems that have persistently interfered with efforts to mitigate cyberattacks. 

Greg Aaron, the author of the study, is also quoted in the press release: “Domain registration data is supposed to be available in guaranteed, reliable ways. Unfortunately, we documented widespread failures, both technical and legal. These problems make it hard to distinguish bad Internet actors from good, severely impacting public security. And they make it harder to communicate and solve a range of other problems, eroding trust on the Internet.”

We examined the practices of 23 registrars, which collectively sponsor more than two-thirds of the registrations in the generic top-level domains (gTLDs), to determine whether they comply with ICANN's policies and related contractual obligations, and with the European Union's General Data Protection Regulation (EU GDPR).

The study found widespread problems, most notably:

  • Many registrars fail to meet their contractual obligations: a significant portion of the registrar industry is still not running reliable and compliant WHOIS services.
  • More than a year and a half after ICANN's Temporary Specification for gTLD Registration Data took effect (May 2018), a significant percentage of registrars still do not fully comply with it.
  • A number of registrars mis-handle their obligations under GDPR.
  • Some registrars prevent people from reaching domain owners for any purpose. Some do not publish the contactability information that ICANN requires. Others have deployed procedures that make it unnecessarily difficult to contact their registrants, and in some cases the contact mechanisms a registrar provides simply fail to deliver the message.
  • Some registrars even constrain access to non-sensitive domain registration data (the “public data set”: the domain name, its status, creation and expiration dates, name servers and sponsoring registrar). This set contains no personally identifiable information, so there is no data-protection reason to withhold it, and restricting it prevents its use for important and lawful purposes such as cybersecurity.
  • RDAP services are not yet technically reliable enough for use. Registrars and registry operators were required to provide RDAP from August 2019, but as of March 2020 the rollout is moving very slowly, with notable operational and non-compliance problems.
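As an added example (not code from the Interisle report or from ICANN), here is how an investigator's tooling would consume an RDAP domain response: it extracts the non-personal public data set, records which contact objects the registrar redacted, reports which public fields the response omits, and ages the registration, which is exactly what triaging a newly registered covid-themed name requires. The response is a constructed sample in the RFC 9083 JSON shape that gTLD registrars must serve; the domain (in the reserved .test TLD), the registrar name and the dates are invented.

```python
"""Parse an RDAP domain response into the 'public data set' and triage it.

Added example, not code from the Interisle report or from ICANN. The response
below is a constructed sample in the RFC 9083 JSON shape; the .test domain,
registrar, handle and dates are invented for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the JSON an RDAP /domain/<name> lookup at a registrar
# typically returns once the registrant's contact data has been redacted.
SAMPLE_RDAP_RESPONSE = json.dumps({
    "objectClassName": "domain",
    "ldhName": "COVID-SAMPLE.TEST",
    "status": ["client transfer prohibited", "server delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2020-03-02T14:05:11Z"},
        {"eventAction": "expiration", "eventDate": "2021-03-02T14:05:11Z"},
        {"eventAction": "last update of RDAP database", "eventDate": "2020-03-20T09:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.COVID-SAMPLE.TEST"},
        {"objectClassName": "nameserver", "ldhName": "NS2.COVID-SAMPLE.TEST"},
    ],
    "entities": [
        {"objectClassName": "entity", "handle": "9999", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "Sample Registrar, Inc."]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "REDACTED FOR PRIVACY"]]],
         # RFC 9083 marks removed data with a remark of this type
         "remarks": [{"title": "REDACTED FOR PRIVACY",
                      "type": "object redacted due to authorization",
                      "description": ["Some of the data in this object has been removed."]}]},
    ],
})

REDACTED = "object redacted due to authorization"
PANDEMIC_TERMS = ("covid", "corona")   # terms the study cites in abusive names


def _vcard_fn(entity):
    """Formatted name ('fn') from an entity's jCard, or None."""
    vcard = entity.get("vcardArray")
    if not vcard or vcard[0] != "vcard":
        return None
    for prop in vcard[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def parse_rdap_domain(raw):
    """Reduce an RDAP domain object to the public data set plus redaction info."""
    doc = json.loads(raw)
    if doc.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registrar, redacted_roles = None, []
    for ent in doc.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            registrar = _vcard_fn(ent)
        if any(r.get("type") == REDACTED for r in ent.get("remarks", [])):
            redacted_roles.extend(roles)
    return {
        "domain": doc["ldhName"].lower(),
        "status": list(doc.get("status", [])),
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "registrar": registrar,
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "redacted_roles": redacted_roles,
    }


def missing_public_fields(summary):
    """Public-data-set fields absent from the response (none of them is personal data)."""
    return [k for k in ("registrar", "registered", "expires", "status", "nameservers")
            if not summary.get(k)]


def _parse_rdap_time(stamp):
    # RDAP uses RFC 3339 timestamps; fromisoformat wants +00:00 rather than Z
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage(summary, asof, max_age_days=30):
    """Flag a domain that is both pandemic-themed and newly registered.

    Uses only the public data set; when a registrar withholds the
    registration date the domain cannot be aged, and the result says so."""
    themed = any(t in summary["domain"] for t in PANDEMIC_TERMS)
    if not summary["registered"]:
        return {"themed": themed, "age_days": None, "flag": False, "reason": "no registration date"}
    age = (asof - _parse_rdap_time(summary["registered"])).days
    flag = themed and age <= max_age_days
    return {"themed": themed, "age_days": age, "flag": flag,
            "reason": "new pandemic-themed registration" if flag else "not flagged"}


if __name__ == "__main__":
    s = parse_rdap_domain(SAMPLE_RDAP_RESPONSE)
    print(json.dumps(s, indent=2))
    print("missing public fields:", missing_public_fields(s))
    print(triage(s, datetime(2020, 3, 20, tzinfo=timezone.utc)))
```

The point of `missing_public_fields` is the one the study makes: nothing in that list is personal data, so a response that drops the registration date or the sponsoring registrar is withholding information GDPR never required it to withhold, and `triage` shows the operational cost, since without a registration date a covid-themed name cannot be aged at all.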

These and other findings show that access to critical registration data has been significantly curtailed over the past two years, and that compliance with ICANN's policies and contracts is uneven. The report also recommends actions that can be taken to ensure a healthy Internet and naming system. The full report can be found at: http://interisle.net/sub/DomainRegistrationData.pdf .

Microsoft dismantles global spam delivery infrastructure (Necurs)

Microsoft and partners from 35 countries recently took action to dismantle the Necurs spam infrastructure.
Microsoft's post calls Necurs a botnet but provides details that illustrate how much more than a botnet Necurs is:
  1. The Necurs infrastructure served as a delivery platform for spam, cryptomining and DDoS attacks.
  2. The spam campaigns carried stock scams, fake pharma, Russian dating scams, malware and ransomware.
  3. The Necurs operators leased their services to other criminal actors to perpetrate these attacks.
These are characteristics that the Council of Europe's Convention on Cybercrime identifies as criminal activities in its Guidance Note on spam.
Many of the partners that Microsoft mentions are top-level domain registries. These operators are preemptively blocking the registration of the millions of names produced by the domain generation algorithm (DGA) that Necurs uses to name its command-and-control (C&C) hosts, which is what makes the botnet resilient to takedown of any single domain.
Kudos to the registries for their role. No thanks to the registrars whose business practices make it trivial and inexpensive to register millions of domains.
ICANN, please note that spam is no longer "just content" and hasn't been for nearly a decade.
Everyone else, please note that registry operators, especially the gTLD registries delegated by ICANN, are by policy and contract at the mercy of (ahem) accredited registrars like NameCheap, which is currently being sued by Facebook, Instagram, and LinkedIn for business practices that facilitate fraud. Facebook has also filed suit against OnlineNIC. These actions are long overdue, and suits of this kind are perhaps appropriate for other businesses or industries that are similarly targeted.
We can all only hope that litigation will resolve what multi-stakeholder consensus policy cannot: if selling millions of cheap domains a year becomes too expensive, registrars will be forced to be more proactive in mitigating criminal use of domains.
Related posts:
  • New action to disrupt world’s largest online criminal network (Microsoft)
  • Protecting People from Domain Name Fraud
  • Fighting Domain Name Fraud