Case study: collateral damage from Freenom phishing attacks

Dave Piscitello

Brian Krebs recently reported that sued by Meta, registry operator Freenom halted domain registrations. According to Krebs, Meta alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.

Meta’s actions come as no surprise to us. We have been collecting phishing data since May 2020, and Freenom’s commercialized ccTLDs have been among the TLDs with the most phishing domains and highest phishing scores.

In our November – January 2023 Phishing Activity, we saw that phishing attacks decreased by 1% from the prior quarter, but unique domain names reported for hosting phishing increased by 44%. When we studied the phishing domain names reported during this period, we observed some suspicious domain registration behaviors. We noted dramatic upticks in raw numbers of domains reported in certain Top-level Domains (TLDs) over the prior quarter, in the gTLD Registrars of the domains reported for phishing, and in the hosting networks where phishing web sites were hosted. What we can show from these behaviors is that while brands and individuals of victims of phishing attacks are the most obvious harmed parties, other parties such as hosting operators received collateral damage from phishing attacks. Here we look at domain names registered through Freenom and hosted at A2 Hosting.

Case study: A2 Hosting

A2 Hosting offers a diverse set of hosting solutions. In our records repository, we found that A2 Hosting typically had fewer than 2000 IP addresses reported for hosting phishing since we began measuring and reporting in May 2020. But they appeared in the 20 hosting networks (ASNs) with most phishing attacks reported in our August – October 2022 period. Then, in the November – January 2023 period, A2 Hosting’s reported phishing attacks grew to nearly 30,000, ranking them 3rd in phishing attacks.

What’s responsible for A2 Hosting’s sudden uptick in phishing attacks reported?

Reviewing the phishing data more closely, we found that:

  1. 13,000 of IP addresses reported as hosting phishing attacks were in the prefix 200.69.20.0/22 and 9,000 were in 103.204.130.0/23.

  2. The domain names that resolved to nearly all of IP addresses reported for phishing in these prefixes were registered in commercialized ccTLDs operated by Freenom (CF, GA, GQ, TK but mostly ML).

  3. The domains were pseudo-randomly generated names containing 10 or more numeric characters. Some sets of these domains were entirely composed of numbers, e.g., 10000000000259638[.]ml. In others, English language words or hyphen(s) were prepended to the numeric string, e.g.,  attention-42423428857201[.]ml.

  4. Sequentially ascending sets of numeric strings appear in most of the domain name compositions, suggesting that they were registered by the same actor, at the same time. Freenom does not make domain creation dates publicly available, so we were unable to confirm this speculation, but over 20,000 reported phishing domains in our data match these pattern.

  5. If we look at phishing activity reported in the ML TLD over time, we see a corresponding uptick in phishing attacks reported in the ML ccTLD in the November – January 2023 period to what we see in A2 Hosting.

We also see that there’s a near 1:1 correspondence between phishing attacks reported and unique domains reported for phishing.

From these observations, we believe that

  1. tens of thousands of pseudo-randomly generated domains were purposely registered in Freenom’s commercialized ccTLDs by phishers, for phishing, each hosting an unique attack, and,

  2. a tenfold increase in phishing attacks at A2 Hosting coincided with these registrations.

Coincidence or not, it is likely that A2 Hosting had to deal with issues that most hosting operator must when confronted with a large-scale phishing event:

  • The abuse desk staff must contend with an more complaints than typical of the past.

  • The site admins must invest time and manpower to mitigate the phishing content and optimally, identify the means by which the phishers exploited hosting account(s).

  • Relationships management staff must request de-listing from multiple blocklist operators.

  • Public relations staff must triage the organization’s tarnished reputation.

  • Customer relations staff must reconcile discontent or frustration of legitimate customers experience harms or losses if the prefixes or perhaps entire ASN of their hosting provider are blocklisted by orgs and ISPs worldwide.

From our data alone, we can’t speculate that some of these consequences are perhaps on A2 Hosting. What we can observe is that if Freenom – or generally, any registry or registrar – had applied lexical features checks of for suspicious registration behaviors that we identified above and had preemptively blocked these automated registrations, they would have made a substantial contribution to mitigating phishing attacks and reducing phishing victimization. The most basic of lexical feature checks we used – look for domains with an excessive number of numeric characters – was discussed in an academic article in 2020. It’s one of several that registrars and registries could implement to reduce the number of malicious registrations under their management.

Observations

Proactive measures that can prevent collateral damage to 3rd parties as well, including hosting and cloud operators and their legitimate customers ought to be a recommended practice for domain registries and registrars. We know that some TLD registries have adopted such measures and we applaud them.

Policy communities for gTLD and ccTLD registries and registrars - or regulatory oversight - would serve all parties well by defining, adopting and enforcing a uniform set of proactive measures to prevent large-scale weaponizing of domain names based on the same research that cyber investigators and researchers use.