- by David Goldstein -
Malicious activity online happens all too frequently. Cybercriminals take advantage of vulnerabilities in all parts of the internet and the domain name system (DNS) ecosystem (protocols, computer systems, domain registration processes, users, etc). When carried out at scale, as ICANN explains, some of these nefarious activities may threaten the security, stability and resiliency of the DNS infrastructure itself.
The results of DNS abuse are that people and businesses lose money, criminals can steal identities, and the aforementioned stability, security and resiliency of the DNS are put at risk. It is a topic that ICANN and the domain name community have been grappling with for over a decade. One of the difficulties in implementing mitigation approaches industry-wide is developing an approach that is at once effective, quick, simple, precise, proportional and cost-effective.
To coordinate an approach, the Public Interest Registry, the organisation behind a number of top-level domains including .org, initiated the DNS Abuse Institute. The Institute's goal is to develop mitigation approaches that have the support of a wide section of the domain name industry: mostly registries and registrars, but also internet service providers, content delivery networks, webhosts and platforms.
Five broad categories of harmful activity have been defined as DNS Abuse, these being: malware, botnets, phishing, pharming, and spam (when it serves as a delivery mechanism for the other forms of DNS Abuse). The Internet and Jurisdiction Policy Network’s Operational Approaches, Norms, Criteria, Mechanisms provides the following definitions for each of these activities:
Malware is malicious software, installed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.
Botnets are collections of Internet-connected computers that have been infected with malware and commanded to perform activities under the control of a remote administrator.
Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g. account numbers, login IDs, passwords), whether through sending fraudulent or ‘look-alike’ emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install software, which is in fact malware.
Pharming is the redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking occurs when attackers use malware to redirect victims to [the attacker’s] site instead of the one initially requested. DNS poisoning causes a DNS server [or resolver] to respond with a false IP address bearing malicious code. Phishing differs from pharming in that the latter involves modifying DNS entries, while the former tricks users into entering personal information.
Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message was sent as part of a larger collection of messages, all having substantively identical content.
While Spam alone is not DNS Abuse, it is included as one of the key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.
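The pharming definition above says that DNS poisoning makes a resolver "respond with a false IP address". In protocol terms that means a forged reply was accepted into the resolver's cache ahead of the genuine one. The following Python model is an added illustration written for this page (it is not code from the article, from the Internet and Jurisdiction Policy Network or from the DNS Abuse Institute, and it is not a working attack against any real resolver). It reduces a caching resolver to a single rule, "accept the first reply whose name, transaction ID and destination port match an outstanding query", and then runs two constructed scenarios: a resolver that uses sequential transaction IDs and a fixed source port, and one that randomizes both. The domain names and IP addresses are constructed sample data from the documentation ranges; `ResolverModel`, `off_path_attack` and `demo` are names chosen here for the example.

```python
"""Simplified model of DNS cache poisoning (pharming) and of query-identifier
randomization. Added illustration for this article; not a real resolver and
not code from the article or from the DNS Abuse Institute."""

from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (RFC 5737 documentation address ranges).
VICTIM_NAME = "bank.example"
LEGIT_IP = "192.0.2.10"
ATTACKER_IP = "198.51.100.66"


@dataclass(frozen=True)
class Response:
    """The fields of a DNS reply that the model matches against an in-flight query."""
    name: str
    txid: int
    dst_port: int
    ip: str


class ResolverModel:
    """A caching resolver reduced to one behaviour: cache the first reply whose
    (name, transaction ID, destination port) match a pending query.

    predictable=True  models the weak configuration: sequential 16-bit IDs, fixed port 53.
    predictable=False models the hardened one: random 16-bit ID, random ephemeral port.
    """

    def __init__(self, predictable: bool) -> None:
        self.predictable = predictable
        self._next_txid = 0
        self.pending: dict[str, tuple[int, int]] = {}   # name -> (txid, source port)
        self.cache: dict[str, str] = {}                  # name -> cached IP answer

    def send_query(self, name: str) -> tuple[int, int]:
        """Record an outgoing query and return the identifiers it was sent with."""
        if self.predictable:
            txid, port = self._next_txid, 53
            self._next_txid = (self._next_txid + 1) % 65536
        else:
            txid = secrets.randbelow(65536)
            port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, resp: Response) -> bool:
        """Cache resp if it matches a pending query. Returns True when it was accepted."""
        if self.pending.get(resp.name) != (resp.txid, resp.dst_port):
            return False                       # no matching query in flight: discard
        self.cache[resp.name] = resp.ip
        del self.pending[resp.name]            # first matching answer wins
        return True


def off_path_attack(resolver: ResolverModel, observed_txid: Optional[int], guesses: int) -> str:
    """Race model: the attacker's forged replies arrive before the legitimate one.

    With observed_txid the attacker has seen a previous query's ID (for example by
    making the resolver look up a name they control) and guesses the following IDs
    on the fixed port; without it they guess ID and port blindly. Returns the IP
    address the resolver ends up caching for VICTIM_NAME."""
    legit_txid, legit_port = resolver.send_query(VICTIM_NAME)
    for i in range(guesses):
        if observed_txid is not None:
            txid, port = (observed_txid + 1 + i) % 65536, 53
        else:
            txid, port = secrets.randbelow(65536), 1024 + secrets.randbelow(65536 - 1024)
        if resolver.receive(Response(VICTIM_NAME, txid, port, ATTACKER_IP)):
            break
    # The genuine answer arrives last and is only cached if nothing was accepted before it.
    resolver.receive(Response(VICTIM_NAME, legit_txid, legit_port, LEGIT_IP))
    return resolver.cache[VICTIM_NAME]


def demo() -> tuple[str, str]:
    """Run both scenarios; returns (weak resolver result, hardened resolver result)."""
    weak = ResolverModel(predictable=True)
    seen_txid, _ = weak.send_query("attacker.example")   # attacker observes one ID
    weak.receive(Response("attacker.example", seen_txid, 53, ATTACKER_IP))
    weak_result = off_path_attack(weak, observed_txid=seen_txid, guesses=1)

    hardened = ResolverModel(predictable=False)
    hardened_result = off_path_attack(hardened, observed_txid=None, guesses=1000)
    return weak_result, hardened_result


if __name__ == "__main__":
    weak_result, hardened_result = demo()
    print("sequential ID, fixed port -> cached", weak_result)
    print("random ID, random port    -> cached", hardened_result)
```

With sequential IDs a single forged packet is enough once the attacker has seen one ID, and the resolver afterwards serves the attacker's address for the victim name, which is the pharming outcome the definition describes. With a random 16-bit ID and a random source port the attacker has roughly one chance in four billion per forged packet, so the thousand blind guesses in the model fail and the genuine answer is cached. The model deliberately leaves out everything else a real resolver checks (bailiwick rules, TTLs, response validation), so it should be read as an explanation of the definition rather than a description of any product.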
A DNS Abuse Study commissioned by the European Commission and reported to the ICANN73 meeting this month found that new gTLDs are "the most abused group of TLDs" in relative terms (as opposed to ccTLDs), accounting for 41% of all abused names in gTLDs. Among registrars, the top 5 most abused registrars account for 48% of all maliciously registered domain names. The report notes there is evidence that registrars and service providers whose services are being abused can be very responsive to reports of abuse and can take rapid and decisive action, which reduces the impact and harm of the abuse. One of the problems identified is "registrar hopping", where registrants who maliciously register domain names transfer the same domain names from one registrar to another to evade action.
The DNS Abuse Institute has developed a tool that is intended to take a large step in tackling the abuse. They have developed a centralised mechanism to report abuse that occurs across the domain name ecosystem. While timelines are speculative, the DNS Abuse Institute is working towards a registrar-only beta in late March 2022, and a public launch at the end of May or early June.
Currently the tool is called the Centralized Abuse Reporting Tool (CART), an acronym that is described as handy for the domain name industry but makes little sense to anyone outside of ICANN. There is also a myriad of name collisions with dozens of other things called CART.
Please feel free to contact the Brandshelter team to learn how you can protect your business from DNS abuse.