Domain names that can be rapidly acquired, used in an attack, and abandoned before they can be traced are a critical resource for cybercriminals. Some attacks, including spam and ransomware campaigns and criminal infrastructure operation (e.g., “botnets”), benefit particularly from the ability to rapidly and cheaply acquire very large numbers of domain names, a tactic known as bulk registration.

The use of bulk registration to distribute attacks across hundreds or thousands of domain names in a matter of minutes, coupled with the crippling of registration data access by the Temp Spec, presents cybercrime investigators with the dual impediments of harder-to-pursue criminal activity and harder-to-obtain information about the criminals.

For this report, Interisle researchers studied both aspects of this impediment:

  • We studied samples of security events during which many thousands of domains were blocklisted in relatively short time frames.

  • We identified registrars that offer bulk registration services and have large concentrations of blocklisted domains.

  • We characterized the behavior of domain name registrants who engage in bulk registrations that are detected and blocklisted as criminal activities.

  • We studied the way in which domain name registrants' use of privacy protection services or the redaction of Whois point-of-contact information inhibits or delays cybercrime investigation.
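The first three items above describe an analysis that can be sketched in code: take a feed of blocklisted domains, look for runs of domains registered at the same registrar within minutes of each other (the signature of bulk registration), and rank registrars by their share of the blocklisted total. The Python below is an added illustration written for this page, not code from the Interisle study; the feed records are constructed, and the field layout, the five-minute burst window and the three-domain threshold are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample blocklist feed (not data from the Interisle study).
# Fields: domain, registrar, registration time, blocklist time (UTC, ISO 8601).
# Registrar names are placeholders; domains use the reserved .test TLD.
SAMPLE_FEED = """\
a1-example.test,Registrar-A,2019-01-13T08:00:00,2019-01-13T09:10:00
a2-example.test,Registrar-A,2019-01-13T08:00:30,2019-01-13T09:12:00
a3-example.test,Registrar-A,2019-01-13T08:01:10,2019-01-13T09:15:00
a4-example.test,Registrar-A,2019-01-13T08:02:05,2019-01-13T09:30:00
lone-example.test,Registrar-A,2019-01-13T15:00:00,2019-01-15T10:00:00
b1-example.test,Registrar-B,2019-01-14T02:00:00,2019-01-14T03:00:00
b2-example.test,Registrar-B,2019-01-14T02:00:20,2019-01-14T03:05:00
b3-example.test,Registrar-B,2019-01-14T02:00:40,2019-01-14T03:06:00
c1-example.test,Registrar-C,2019-01-14T11:00:00,2019-01-16T11:00:00
"""


def parse_feed(text):
    """Turn the comma-separated feed into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        domain, registrar, registered, blocklisted = line.split(",")
        events.append({
            "domain": domain,
            "registrar": registrar,
            "registered": datetime.fromisoformat(registered),
            "blocklisted": datetime.fromisoformat(blocklisted),
        })
    return events


def find_bursts(events, window=timedelta(minutes=5), min_size=3):
    """Per registrar, sort blocklisted domains by registration time and flag
    every run of at least `min_size` registrations whose first and last
    timestamps are no more than `window` apart.  Each run is a candidate
    bulk registration; singletons are left out."""
    by_registrar = {}
    for e in events:
        by_registrar.setdefault(e["registrar"], []).append(e)
    bursts = []
    for registrar, evs in by_registrar.items():
        evs.sort(key=lambda e: e["registered"])
        start = 0
        while start < len(evs):
            end = start
            while (end + 1 < len(evs)
                   and evs[end + 1]["registered"] - evs[start]["registered"] <= window):
                end += 1
            if end - start + 1 >= min_size:
                bursts.append({
                    "registrar": registrar,
                    "domains": [e["domain"] for e in evs[start:end + 1]],
                    "span": evs[end]["registered"] - evs[start]["registered"],
                })
            start = end + 1
    return bursts


def registrar_concentration(events):
    """(registrar, count, share of all blocklisted domains), highest first."""
    counts = Counter(e["registrar"] for e in events)
    total = sum(counts.values())
    return [(r, n, round(n / total, 3)) for r, n in counts.most_common()]


def median_minutes_to_blocklist(events):
    """Median time from registration to blocklisting, in minutes; a small
    value means the domains were weaponized almost as soon as they existed."""
    mins = sorted((e["blocklisted"] - e["registered"]).total_seconds() / 60
                  for e in events)
    mid = len(mins) // 2
    return mins[mid] if len(mins) % 2 else (mins[mid - 1] + mins[mid]) / 2


if __name__ == "__main__":
    events = parse_feed(SAMPLE_FEED)
    for b in find_bursts(events):
        print(f"{b['registrar']}: {len(b['domains'])} domains registered "
              f"within {b['span']}")
    for registrar, n, share in registrar_concentration(events):
        print(f"{registrar}: {n} blocklisted ({share:.1%})")
    print(f"median minutes to blocklist: {median_minutes_to_blocklist(events)}")
```

On the constructed feed this reports two bursts (four domains at Registrar-A within about two minutes, three at Registrar-B within forty seconds), Registrar-A holding just over half of the blocklisted domains, and a median of 71.5 minutes from registration to blocklisting. On a real feed the same three numbers are the ones to watch: the burst count says how much of the abuse is bulk-registered, the concentration says where, and the median lead time says how little room there is to act before a domain is already in use.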

Our study confirms the hypothesis that cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domain names for their attacks.

The study identifies four specific registrars at which abusive registration activity appears to be concentrated.

Our suspects appear to concentrate their registration activity at registrars AlpNames Limited, Alibaba Cloud Computing Ltd. d/b/a HiChina, Chengdu West Dimension Digital Technology Co., Ltd., GMO Internet, Inc., and Namecheap, Inc.

These registrars have appeared on the Spamhaus Most Abused Registrars list on one or more occasions; for example,

a) AlpNames was #1 on July 13, 2017, #1 on October 18, 2018, and #3 on January 13, 2019;

b) Namecheap appeared as #7 on February 9, 2017;

c) GMO Internet, Inc., was #2 on July 13, 2017, #5 on October 18, 2018, and #3 at the time of writing of this report; and

d) Chengdu West Dimension Digital Technology Co., Ltd. was #6 on January 13, 2019.

GMO Internet, Inc., Alibaba Cloud Computing Ltd. d/b/a HiChina, and Namecheap were also reported as having high concentrations of malicious domains in DomainTools’ 2016 report Distribution of Malicious Domains. These registrars all offer bulk registration services and registration pricing that attracts criminals or attackers, who, like any business operator, constantly seek a low cost of execution.

These findings are not novel to this study. They reinforce the Internet security industry’s widely held perception that these registrars are a locus or haven for spammers. They also corroborate findings from a report, Statistical Analysis of DNS Abuse in gTLDs (SADAG), commissioned and published by ICANN organization in 2017.


Our study also confirms that ICANN's Temp Spec policy of redacting Whois point of contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation.

Based on these findings, we recommend that the ICANN organization and community consider several Consensus Policies which, if adopted and incorporated into contracts, would contribute to reducing cybercrime and mitigating its effects on victims.

Download the Executive Summary or the Complete Report.