Registrars Ignore Domain-Name Abuse
For legitimate businesses, a domain name is a way to hang a shingle in cyberspace. In the criminal world, domain names are a key part of botnet and phishing operations, and cyber-criminals are plundering domain-name registrars around the world to get them.
Criminals are amassing domain names by registering them under phony information, paying with stolen credit cards or hard-to-trace digital currencies like eGold, and breaking into legitimate domain-name accounts. Compounding the problem, some rogue registrars look the other way as the money rolls in.
"There's absolutely a big problem," says Ben Butler, director of network abuse at Go Daddy, an Arizona-based domain-name registrar that's authorized by the Internet Corporation for Assigned Names and Numbers and the appropriate ICANN-accredited registries to sell domain names based on the generic top-level domains (gTLD) that include .com, .aero, .info, .name and .net.
Go Daddy has 36 million domain names under management for more than 6 million customers, making it one of the largest registrars around the globe. It fights a round-the-clock battle to identify domain-name abuse, and if a domain name is determined to be used for harmful purposes Go Daddy will essentially "kill the domain name," Butler says. (See related story, "How registrars tackle domain name abuse")
When a domain is suspended, it is redirected to a server that serves nothing but an error message, so the name no longer leads to the abusive content. Suspension is preferred over outright cancellation because it is not always clear who the owner of a malicious domain is. "We investigate literally thousands of complaints on domain names each week," Butler says. "And we suspend hundreds of domain names per week."
In spite of all these efforts, criminals still slip through the net, in part because registration services are highly automated, validation processes are insufficient, and the criminals are cagey, determined and technically savvy.
ScanSafe researcher Mary Landesman last month uncovered evidence that a handful of Go Daddy domains were being farmed out for use in three distinct botnet-controlled SQL injection attacks against Web sites in India, the U.S. and China.
But the larger issue is not about Go Daddy, which has a good reputation for fighting domain-name abuse, Landesman says. Rather, the problem encompasses the entire domain-name registration system, along with the faulty Whois database of registrant information (overseen by ICANN) that contains fake data, even total gibberish.
"It's not intentionally designed for this kind of abuse, but it works in favor of the criminals," Landesman notes. Effective reform of the domain-name registration process would strike at the heart of Internet crime, she says.
Criminals who mastermind botnets for spam, phishing, and denial-of-service attacks have come to rely on domain names because the names give them "stability" in their controls, says Joe Stewart, a researcher at Atlanta-based SecureWorks. "All the bots can map to the new IP address when it comes up."
"It would be a lot less convenient to use an IP address," says Amichai Shulman, CTO at Imperva, since this would tend to limit criminals to a more specific set of servers.
Many observers note that criminals now make clever use of what's known as "fast flux" to rotate a botnet through "thousands of IP addresses using a single domain or group of domains," says Dean Turner, director of Symantec's global intelligence network. "It's designed to defeat IP blacklists." In a fast-flux setup the domain's DNS records carry very short TTLs and are changed constantly, so successive lookups of the same name return different sets of compromised hosts; blocking any one address accomplishes little.
"Domain names are easily portable," says Sam Masiello, director of threat management at McAfee. "They use fast flux for content delivery."
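The fast-flux behaviour described above is also what makes it detectable from the DNS side: a legitimate site usually resolves to a small, stable set of addresses with long TTLs, whereas a flux domain returns many unrelated addresses with short TTLs. The following is an added example, not code from the article or from any of the vendors quoted in it. It runs a simple fast-flux heuristic over a constructed passive-DNS log (the log lines, the names `login-update.example` and `www.example.net`, the thresholds, and the use of the first two octets as a stand-in for "distinct networks" are all illustrative assumptions).

```python
"""Heuristic fast-flux detection over passive-DNS-style observations.

Added example (not from the article or any cited vendor). Assumes log lines of
the form "<unix_ts> <qname> A <ipv4> <ttl>"; sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    ts: int      # Unix timestamp of the lookup
    qname: str   # queried name
    ip: str      # IPv4 address returned in the A record
    ttl: int     # TTL of that record, in seconds


# Constructed sample log (not real traffic). login-update.example behaves like a
# flux domain (new address every lookup, short TTL, addresses spread over
# several ranges); www.example.net is a stable site with a long TTL.
SAMPLE_LOG = """\
1230768000 login-update.example A 203.0.113.10 300
1230768300 login-update.example A 198.51.100.77 300
1230768600 login-update.example A 192.0.2.33 300
1230768900 login-update.example A 203.0.113.91 300
1230769200 login-update.example A 198.51.100.5 300
1230769500 login-update.example A 192.0.2.200 300
1230768000 www.example.net A 192.0.2.1 86400
1230772000 www.example.net A 192.0.2.1 86400
"""


def parse_log(text: str) -> Dict[str, List[Observation]]:
    """Group A-record observations by (normalised) queried name."""
    by_name: Dict[str, List[Observation]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, rtype, ip, ttl = line.split()
        if rtype != "A":          # only A records matter for this heuristic
            continue
        key = qname.lower().rstrip(".")
        by_name[key].append(Observation(int(ts), key, ip, int(ttl)))
    return dict(by_name)


def flux_features(obs: List[Observation]) -> Dict[str, float]:
    """Per-domain features: how many addresses, how spread out, how short-lived."""
    ips = {o.ip for o in obs}
    # Crude proxy for "distinct networks": the first two octets (/16). A real
    # deployment would map each address to its ASN instead (assumption).
    nets = {".".join(o.ip.split(".")[:2]) for o in obs}
    avg_ttl = sum(o.ttl for o in obs) / len(obs)
    return {
        "lookups": len(obs),
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "avg_ttl": avg_ttl,
    }


def is_fast_flux(obs: List[Observation], min_ips: int = 5,
                 min_nets: int = 3, max_ttl: int = 600) -> bool:
    """Flag a domain when it shows many addresses, in many networks, with short TTLs.

    Thresholds are illustrative. All three conditions are required so that a
    CDN (many addresses, but typically within a few networks) or a single host
    with a low TTL is not flagged on one feature alone.
    """
    f = flux_features(obs)
    return (f["unique_ips"] >= min_ips
            and f["unique_nets"] >= min_nets
            and f["avg_ttl"] <= max_ttl)


def classify_log(text: str) -> Dict[str, bool]:
    """Return {domain: flagged_as_fast_flux} for every name in the log."""
    return {name: is_fast_flux(obs) for name, obs in parse_log(text).items()}


if __name__ == "__main__":
    grouped = parse_log(SAMPLE_LOG)
    for name, flagged in classify_log(SAMPLE_LOG).items():
        verdict = "fast-flux candidate" if flagged else "stable"
        print(f"{name}: {verdict} {flux_features(grouped[name])}")
```

Two caveats a practitioner should keep in mind: this single-flux check only looks at A records, while "double flux" networks also rotate the NS records of the domain, so a production detector should examine the nameservers the same way; and large CDNs legitimately return many short-TTL addresses, which is why network diversity (ideally by ASN, not the /16 shortcut used here) is part of the decision rather than address count alone.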
A report published in May highlights the role of domain names in phishing cybercrime. The Anti-Phishing Working Group's report, "Global Phishing Survey: Trends and Domain Name Use in the 2nd Half of 2008," shows that there were 56,959 phishing attacks for that period occurring on 30,454 unique domain names.
Within that number, "we identified 5,591 that we believe were registered by phishers," the report says. "These 'malicious' domains represent about 18.5% of the domain names involved in phishing. Virtually all the rest were hacked domains belonging to innocent site owners."
The report also notes that phishing sites hosted on bare IP addresses rather than domain names are steadily declining, from 6,336 unique IP addresses in the first half of 2007 to just 2,809 in the second half of 2008.
Another trend, according to the report, is for phishers to use so-called "subdomain registration services" via providers that give customers subdomain "hosting accounts" beneath a domain name the provider owns. This practice can only be mitigated by the subdomain providers themselves, "and some of these services are unresponsive to complaints," the report says.
This takes the problem to another level, particularly for ICANN, which has no obvious authority outside of its direct contractual relationships with registrars and registries in the ICANN-driven domain-name world.
Subdomains now account for about 12% of all domains involved in phishing, with Russian freemail provider Pochta.ru and French hosting provider Wistee.fr said to be the worst offenders among 360 subdomain registration providers. However, the report notes that .com remains the single TLD most favored by phishers, accounting for 46% of the phishing domains monitored for the period.