Mark Webb-Johnson’s Asia Times article, “The problem of Internet domain abuse”, reviewed the impact of the number of top-level domains growing from five to today’s 1,509, plus thousands of secondary-level domains. Webb-Johnson writes:
Under the stewardship of ICANN, the number of top-level domains has exploded in the past 10-20 years. Today, the root name servers serve 1,509 top-level domains – each with its own sub-assigned registrars, registration mechanisms, name servers, whois servers, and support infrastructure.
Webb-Johnson discusses the factors that have made it easy for malicious actors such as hackers, spammers, and phishers to obtain and use domain names for nefarious purposes:
- Each country can sub-delegate and create secondary-level domains under its own country-code top-level domain, or ccTLD (such as “.com.hk” under “.hk”)
- Hundreds of countries operate ccTLDs, and hundreds of registrars operate within those countries; each is subject to its own country’s legal and privacy protection system, so approaches to security differ widely from one to the next
- Competition between so many registrars and TLDs has driven costs and pricing down drastically, making throwaway domains attainable for even the most unsophisticated malicious actors
- After decades of operating without strict, uniform regulations, it would be extremely difficult for ICANN to impose strict rules on how registrars conduct business
- Too little time and focus appear to go toward improving the security policies and enforcement practices of existing top-level domains before each new round of top-level domains is introduced
- The introduction of the Punycode standard allowed non-Roman characters in domain names, enabling more convincing lookalike domain names
ICANN’s Steps to Combat Domain Name System Abuse
Imposing strict regulations on registrars is unlikely, but ICANN took a significant step in 2017 towards combating domain name system abuse by launching its Domain Abuse Activity Reporting (DAAR) project, which addresses:
- Public outcry about widespread exploitation of the domain name system for brand infringement, identity theft, financial fraud, malware delivery, extortion, phishing, spamming, criminal infrastructure operation, and other types of abuse
- Difficulty involved in imposing and enforcing strict regulations on how registrars conduct business
- Limitations of prior domain name abuse studies:
  - failure to incorporate large numbers of reputation data sets
  - failure to store data over sufficient time periods to facilitate historical analysis
  - exclusion of pertinent data, and bias in which abuse sources were prioritized, due to a focus on abuse of specific products or services
  - failure to disclose methodologies and data sources, making study replication impossible
DAAR gives the ICANN community “reliable, persistent data that can be used to make informed decisions” and provides ICANN with monthly awareness of any registrar that becomes responsible for a disproportionate amount of domain abuse. ICANN can then follow up with the responsible registrars and provide them with the data and findings, policy suggestions, and enforcement strategies. More detail about the ICANN DAAR project is available in the DAAR methodology paper.
Automation of Domain Fuzzing (Transmogrification) Makes Abuse Even More Accessible
One of Webb-Johnson’s conclusions was, “Brand-name protection became impossible for all but the largest of companies with teams of lawyers on staff.” Given thousands of TLDs and secondary domains, it is no longer reasonable to register your trademarks, brand names, product names, and/or service names across every possible TLD and secondary domain. The problem is compounded by domain fuzzing, or transmogrification, techniques used to find available domain names that look very much like the victimized domain name, such as:
- lookalike Punycode characters,
- subdomain takeovers, and/or
- replacement/substitute characters, or character addition/removal
Tools such as dnstwist make it extremely easy for malicious actors to uncover unregistered domain names that look like their victims’ domain names. A brand executive, his or her team, or even a third-party domain management service simply cannot register all possible variations of a domain name across all possible TLDs and secondary domains. Registering key variations, including the most impactful lookalike domains across the most popular TLDs, may still provide a reasonable ROI and help customers differentiate between official brand domains and abuse domains. However, this approach alone is insufficient and will not prevent all brand infringement.
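Since defensive registration cannot cover every permutation, the complementary control is detection: screening newly observed domains for the same kinds of variation a fuzzing tool generates. The following added example (not from the article or from any product it mentions) classifies observed domains against a constructed brand label “example”, decoding Punycode labels, folding common confusable glyphs, and measuring edit distance so that homoglyph, typo, and brand-embedding (“combo”) variants are flagged. The brand label, the homoglyph table, and the sample domain list are all constructed for illustration.

```python
import unicodedata

BRAND = "example"  # constructed brand label; a real program would check a list of brands

# Constructed table of common confusable glyphs and the ASCII letters they imitate.
# The Cyrillic a/e/o/p/c entries render identically to their Latin counterparts in most fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def normalize(label):
    """Decode a Punycode label, fold case and map confusable glyphs to the letters they imitate."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed IDN label: leave as-is, it will simply not match the brand
    label = unicodedata.normalize("NFKC", label).lower()
    for glyph, ascii_letter in HOMOGLYPHS.items():
        label = label.replace(glyph, ascii_letter)
    return label

def edit_distance(a, b):
    """Optimal-string-alignment distance: substitution, insertion, deletion or adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (e.g. exmaple)
    return d[len(a)][len(b)]

def classify(domain, brand=BRAND):
    """Label a registrable domain (assumption: its first label is the registered name) against a brand."""
    label = domain.lower().split(".")[0]
    norm = normalize(label)
    if norm == brand:
        return "exact" if label == brand else "homoglyph"
    if edit_distance(norm, brand) <= 1:
        return "typo"
    if brand in norm:
        return "combo"  # brand embedded in a longer name, e.g. example-login
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample of newly observed registrations, as a zone-file or CT-log feed might yield.
    observed = ["example.com", "examp1e.net", "exmaple.com", "example-login.org",
                "ex\u0430mple.com".encode("idna").decode("ascii"), "github.com"]
    for d in observed:
        print(f"{d:32} {classify(d)}")
```

Flagged results would normally feed a review queue rather than an automatic block, since legitimate names can also sit within one edit of a brand.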
Solution for Brand Executives to Effectively Combat Domain Abuse
Brand executives need to be able to rapidly detect and execute enforcement actions to combat domain abuse involving their brands.
iThreat offers CleanDNS to help brand executives (and registries and registrars) detect and combat domain abuse.
CleanDNS is a premier domain abuse monitoring and reporting tool that incorporates many sources of abuse data to help brand protection teams find and act on domains using brands for malicious purposes, help registrars comply with ICANN requirements and registry agreements, and help registries understand which registrars are bringing malicious activity into their zones.
Over two decades of Internet and physical security threat intelligence experience give iThreat a unique perspective on addressing DNS threats. CleanDNS reflects this experience and goes beyond simply capturing and forwarding reported domain abuse; it:
- Can be used to capture additional supporting evidence of abuse.
- Can help analysts make inferences based on detected abuse to identify related domains and infrastructure and reveal larger patterns of abuse.
- Allows analysts to take actions against batches of pertinent domains instead of one by one.
- Considers the realities and entire ecosystem of infrastructure associated with DNS abuse to uncover important supporting intelligence and artifacts.
- Is backed by iThreat’s experienced cyber investigators, who stand by to help users investigate, identify, and document instances and patterns of TOS violations and related infringement to augment victimization reports.
- Can support program goals that go beyond ICANN compliance and guideline topics by easily incorporating data sources for additional types of abuse.
- Allows comprehensive review of activities, actions, and remediation over time, enabling true measurement of the impact of policy changes, initiatives, and programs.
- Provides visualizations of data related to program measurement and objectives, giving analysts working in your program quick insights.