Cybercriminals worldwide are amassing domain names to keep their botnet and phishing operations a step ahead of authorities.
To obscure their tracks, the criminals register the domain names using phony information, pay with stolen credit cards and hack into legitimate domain-name accounts. Adding to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in.
Today’s cosmopolitan criminals might use “a registrar in China and a Web-hosting company in Russia and a registry in Ireland,” says Ram Mohan, CTO at Dublin-based registry services provider Afilias. The target is usually “a consumer in America.”
Accredited by ICANN for the .info generic top-level domain (gTLD), Afilias helped organize the Registry Internet Safety Group to find ways to improve security.
Mohan says Afilias has seen about 250,000 domain names taken down in the past 2.5 years because they were deemed to be maliciously used. At first the registrars Afilias works with were not too happy to see domain names suspended, but many have come around to see the wisdom in taking action to stop perceived criminal activity, he says.
In the past, standard contracts between ICANN and registrars didn’t address domain-name abuse head-on. (Mohan estimates there are about 2,000 registrars and retail channels for domain names globally today.) But Afilias successfully lobbied to have the standard contracts amended so that stringent actions against domain-name abuse could be taken, he says.
Registry services provider Neustar (accredited by ICANN for the .biz gTLD) is also a big believer in tackling domain-name abuse, which, after all, hurts the bottom line. Three years ago, Neustar hired a legal team to handle domain abuse questions and set up an internal, isolated networking lab to make determinations to a “near certainty” about a domain name being used for objectionable purposes, says Jeff Neuman, vice president of law and policy at Neustar.
Under its contracts with registrars and ICANN, Neustar can proactively say to a registrar, with a full report, “you have 12 hours to take down that domain name or we will do it,” he says. ICANN has a more informal process for trying to curb domain-name abuse, but that may eventually change, Neuman believes.
Many security researchers today are inclined to blame a lot of domain-name abuse on “rogue registrars” around the world that are said to look the other way when dealing with criminals.
For instance, .cn, the country-code domain for the People’s Republic of China, has emerged as a popular choice for domain-name abuse. For country-code top-level domains (ccTLDs), each country, through a designated organization, directly accredits registrars for its ccTLD, though those registrars may also be accredited by ICANN for gTLDs like .com and .info.
Two ICANN-accredited registrars, Beijing-based Xin Net Technology Corp. and Beijing Innovative Linkage, among other registrars based in China, have gained reputations in some circles as rogue registrars because of the large amount of malicious domains being traced to them over the past year.
ICANN says complaints it received about inaccurate or missing Whois database information, together with Beijing Innovative’s initial failure to respond to ICANN inquiries in a timely manner, led ICANN to issue the Chinese registrar a “notice of breach” decision last September, along with a remediation plan.
Mohan says it’s important to do the analysis to understand the source of domain-name abuse, but critics should also consider evidence that Chinese registrars are being targeted because there’s a lot of growth in China and “criminals are hiding in that growth.”
Mohan was in Beijing just a month ago discussing cybercrime for three hours with Mao Wei, the director of China Internet Network Information Center, the state-run registry for .cn, which is under the control of the Ministry of Information Industry. Mohan also spent time with Chinese registrars. “The Chinese government is very strongly aware of this problem,” Mohan says.
Recently, McAfee touched on the China question in a report about e-mail spam that found high-volume, Chinese URL-based “Canadian Pharmacy” spam has started getting blocked amazingly fast, something McAfee never saw happen before.
This newsletter-looking spam has used about 1,235 domains on .cn each day in fast-flux mode, but it’s “getting black-holed as soon as they come in,” says Adam Wosotowsky, principal engineer in messaging tactical response at McAfee. This countermeasure makes the spam dead-on-arrival with no Web URL to use.
“We’re guessing it’s Chinese government influence,” Wosotowsky says, adding he thinks the pharmacy spam is being used to sell pharmaceutical knock-offs out of Hong Kong.
Nonetheless, some say it’s hard to escape the impression that around the world, there are places where registrars and others providing domain names look the other way. Even governments may be ignoring it, as money changes hands in the lucrative domain-name business.
“The moment the bad guys find out something is going on, they move from Estonia to Ukraine,” says Mohan by way of example. “The kingpins aren’t identified. It’s big money, big business. There must be advance notice going to these criminals, or compromised law enforcement.”