Phishing: Addressing Malicious Domain Names
Domain registrars are obligated under the Registrar Accreditation Agreement (RAA) to suspend domain names that are specifically set up for phishing purposes. However, our research indicates that brands experience varying levels of success in getting phishing domains suspended, with bad actors strategically choosing registrars known for non-compliance to make suspensions more challenging. Brandsec’s enforcement product and service, Unphish, is a proactive platform that aggressively targets bad actors and non-compliant registrars, ensuring that malicious domains are swiftly suspended to protect brands and consumers.
Shortly after signing our first major enforcement programme, we undertook a phishing enforcement study to understand the processes, timeframes and obstacles involved, so that we could build a tool that simplifies the reporting process irrespective of the platform where the abuse was identified. We mapped the abuse processes of all of the major domain name Registrars, web hosts, social media / IM platforms and search engines for addressing phishing, impersonation and copyright issues. This included documenting their Terms of Service, process-mapping their reporting procedures, documenting the engagement and tracking the time it took each platform to remove different types of phishing content.
Digging a little deeper, we also wanted to understand the ease or difficulty the average brand experiences when navigating the processes of reporting abuse to domain name registrars, web hosts, social media platforms and search engines for clear-cut phishing cases. This blog summarises our findings when dealing specifically with domain name Registrars.
Domain Name Registrars are obliged to address cases of abuse, specifically where a domain name is registered for malicious purposes. However, our research has indicated that the major domain name Registrars often ignore their obligations to review and respond to clear cases of phishing abuse. Some Registrars offer APIs, others provide web forms, and some accept only email communication. In terms of acknowledging issues, some provide case numbers while other Registrars do not provide an issue reference number at all, making it challenging to engage with customer support. In terms of customer support for abuse, almost all Registrars' CS teams defer any abuse-related matter to their compliance and abuse teams (who 100% of the time are not client facing) and offer little in terms of support or updates. Many Registrars provide an abuse phone number and email address as part of their obligations under the RAA. Still, these email accounts are often not monitored (many have auto-responses saying as much) and refer complaints to their web forms. Registrars are obliged to provide abuse phone numbers, but in the majority of situations where phone numbers were called, they either rang out or were answered by customer support, who in turn directed the complainant to the abuse form or reporting process, making the provision of an abuse phone number irrelevant.
Domain Name Pricing Wars Hurt Domain Abuse Responsiveness
The intensifying price wars among major domain name registrars have significantly altered the landscape of domain registrations. Driven by fierce competition, registrars have increasingly offered domains at steep discounts or even at cost. This strategy has successfully attracted a surge of new registrations but also a notable rise in registrations for malicious purposes. The proliferation of these low-cost domains has made it easier for malicious actors to acquire multiple domains quickly and inexpensively, using them to launch phishing attacks, spread malware, and engage in other fraudulent activities. This uptick in malicious domain registrations has, in turn, placed a significant burden on the compliance teams of these registrars.
The attractiveness of major platforms offering free or low-cost services has inadvertently made them hotbeds for malicious activities. The minimal financial barrier to entry allows bad actors to easily create domain names, set up websites, or fabricate social media profiles. However, because these services are priced at a bare minimum—often just covering operational costs—allocating additional resources to handle abuse and compliance is seen as a financial strain. Consequently, teams dedicated to managing abuse are frequently under-resourced and over-worked, leading to huge backlogs and significant delays. Managing abuse is a cost exercise, and when margins are razor thin, these teams are rationalised, at times at the cost of their effectiveness.
Domain Name Registrars Responsiveness Varies Greatly
Domain Name Registrars varied the most in terms of resolving clear cases of domain name abuse as defined by the Registrar Accreditation Agreement (RAA).
Domain Name Registrars play a pivotal role in maintaining the integrity of the internet by managing domain names and ensuring that their services are not exploited by bad actors. Registrars ranged widely in their effectiveness and responsiveness to domain name abuse complaints, including phishing, which is clearly delineated under the obligations set by the updated Registrar Accreditation Agreement (RAA), which requires them “to take prompt action when receiving actionable evidence”. This spectrum of responsiveness essentially splits registrars into two distinct groups: those that are “Cooperative” and those that are “Non-Cooperative”.
Cooperative Registrars: These registrars exemplify how commitment to customer safety and proactive measures can lead to effective management of domain name abuse. They were quick to respond to phishing cases and seemed to understand the impact of such threats on consumers. Key characteristics of a cooperative registrar included a proactive approach to domain abuse, responsiveness to updates in the regulatory framework, and senior management that prioritises these issues. Generally, the average takedown time for phishing sites with these registrars is between 24-48 hours. A prime example of such commitment is NameCheap, which has consistently demonstrated rapid response times and a high level of engagement with issues of domain name abuse. Another highly cooperative Registrar in the fight against abuse was NameSilo, which demonstrated senior-level commitment to addressing abuse and engaged positively with our strategic engagement on the topic.
Challenging Registrars: On the other end of the spectrum, large registrars often deal with high volumes of abuse cases. Unfortunately, they seem to lack the resources or systems to thoroughly review each case. This deficiency results in significant backlogs and lengthy delays in resolving phishing incidents. Those submitting urgent cases of domain name abuse frequently feel “lost in the queue.” The average takedown time for these ‘Challenging Registrars’ ranges from 10 to 21 days. Such delays are unacceptable for live phishing domains that are actively scamming consumers. There were few opportunities for recourse, no defined escalation process, and in cases deemed severe in impact, we only managed to garner attention by reaching out to our senior contacts.
Common Issues Across Registrars: A prevalent issue across most Registrars was the disconnect between customer support and the governance or enforcement teams responsible for the removal of phishing content. Furthermore, the variance in reporting mechanisms — ranging from APIs to web forms and email addresses — added unnecessary layers of complexity. Many registrars lack sufficient support, escalation options, or clear communications about resolution timelines, which complicates the process for those reporting abuse. Notably, some platforms do not provide reference numbers or notifications upon the removal of phishing content, leaving complainants uncertain about the status of their reports.
In summary, while some registrars exemplify best practices in domain name management and abuse mitigation, others fall dramatically short, compromising the safety of internet users. As the digital landscape continues to evolve, it is imperative that all registrars enhance their responsiveness and adherence to regulatory obligations to protect consumers from the escalating threats of phishing and other forms of cyber abuse.
DNS Abuse Mitigation and Resolution Timeframes
According to NetBeacon’s MAP industry report, in the six months from July to December 2023 there were 132,225 phishing cases identified. Over 72% of cases were mitigated; however, 22% were not mitigated. Our assumption is that cases go unmitigated because Registrars do not generally address compromised websites, which are frequently what gets reported.
Case resolution timeframes for this period were as follows:
– 0-24 hours: 36.62% of all reported cases
– 24-48 hours: 15.16% of all reported cases
– 48 hours – 7 days: 29.00% of all reported cases
– More than 7 days: 19.24% of all reported cases
The average resolution time frame for a Registrar to remove phishing sites is around 91 hours or just under 4 days.
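The study described above came down to tracking, per case and per registrar, how long a reported phishing domain stayed live, and then bucketing those durations the way the NetBeacon figures are presented. The following is an added example, not code from Brandsec, Unphish or NetBeacon, of a minimal case tracker that does exactly that over a handful of constructed abuse-report records: it computes the mitigation rate and the 0-24h / 24-48h / 48h-7d / >7d buckets, classifies each registrar as cooperative or challenging using the takedown-time ranges quoted earlier on the page (24-48 hours versus 10-21 days; the thresholds are the example's own assumptions), and lists unresolved reports that have exceeded an SLA so they can be escalated. The domain names, registrar names, case references and timestamps are all made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class AbuseCase:
    """One abuse report submitted to a registrar (constructed record shape)."""
    domain: str
    registrar: str
    reported_at: datetime
    resolved_at: Optional[datetime]      # None: domain still live (not mitigated)
    reference: Optional[str] = None      # registrar case number, if one was issued


# Resolution buckets as used in the NetBeacon figures; upper bound in hours,
# None marks the open-ended last bucket. Boundaries are the example's choice.
BUCKETS = [
    ("0-24 hours", 24),
    ("24-48 hours", 48),
    ("48 hours - 7 days", 7 * 24),
    ("More than 7 days", None),
]

# Assumed thresholds derived from the page's stated ranges.
COOPERATIVE_MAX_HOURS = 48          # cooperative registrars: 24-48 hours
CHALLENGING_MIN_HOURS = 10 * 24     # challenging registrars: 10-21 days

# Constructed sample data for a hypothetical brand "examplebank".
T0 = datetime(2024, 3, 1, 9, 0)
NOW = T0 + timedelta(days=24)       # "current time" for the overdue check
SAMPLE_CASES = [
    AbuseCase("login-examplebank.example", "RegistrarA", T0, T0 + timedelta(hours=6), "A-1001"),
    AbuseCase("examplebank-secure.example", "RegistrarA", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=30), "A-1002"),
    AbuseCase("examplebank-verify.example", "RegistrarB", T0, T0 + timedelta(days=12)),
    AbuseCase("examplebank-update.example", "RegistrarB", T0 + timedelta(days=2), T0 + timedelta(days=16)),
    AbuseCase("examplebank-alert.example", "RegistrarB", T0 + timedelta(days=20), None),
    AbuseCase("examplebank-support.example", "RegistrarA", T0 + timedelta(days=21), T0 + timedelta(days=21, hours=80)),
]


def hours_to_resolve(case: AbuseCase) -> Optional[float]:
    """Hours between report and takedown, or None if the domain is still live."""
    if case.resolved_at is None:
        return None
    return (case.resolved_at - case.reported_at).total_seconds() / 3600


def bucket_for(hours: float) -> str:
    """Map a resolution time to its reporting bucket."""
    for label, limit in BUCKETS:
        if limit is None or hours < limit:
            return label
    return BUCKETS[-1][0]


def summarize(cases: List[AbuseCase]) -> dict:
    """Mitigation rate, bucket percentages (of all reported cases) and mean takedown time."""
    total = len(cases)
    durations = [h for h in map(hours_to_resolve, cases) if h is not None]
    counts = {label: 0 for label, _ in BUCKETS}
    for h in durations:
        counts[bucket_for(h)] += 1
    return {
        "total": total,
        "mitigated_pct": round(100 * len(durations) / total, 2),
        "buckets_pct": {label: round(100 * n / total, 2) for label, n in counts.items()},
        "average_hours": round(sum(durations) / len(durations), 2) if durations else None,
    }


def classify_registrars(cases: List[AbuseCase]) -> Dict[str, str]:
    """Label each registrar by its mean takedown time over mitigated cases."""
    by_registrar: Dict[str, List[float]] = {}
    for case in cases:
        h = hours_to_resolve(case)
        if h is not None:
            by_registrar.setdefault(case.registrar, []).append(h)
    labels = {}
    for registrar, hours in by_registrar.items():
        avg = sum(hours) / len(hours)
        if avg <= COOPERATIVE_MAX_HOURS:
            labels[registrar] = "cooperative"
        elif avg >= CHALLENGING_MIN_HOURS:
            labels[registrar] = "challenging"
        else:
            labels[registrar] = "in between"
    return labels


def overdue_cases(cases: List[AbuseCase], now: datetime, sla_hours: float = 48) -> List[str]:
    """Still-live domains reported more than sla_hours ago: candidates for escalation."""
    return [
        case.domain
        for case in cases
        if case.resolved_at is None
        and (now - case.reported_at).total_seconds() / 3600 > sla_hours
    ]


if __name__ == "__main__":
    print(summarize(SAMPLE_CASES))
    print(classify_registrars(SAMPLE_CASES))
    print("escalate:", overdue_cases(SAMPLE_CASES, NOW))
```

The overdue list is the piece worth automating: it turns a backlog of unanswered reports into a concrete escalation queue (first to the registrar's own senior contacts, then, as the page describes later, to ICANN Contractual Compliance), and recording the registrar-issued reference alongside each case is what makes that follow-up possible when a registrar does issue one.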
Cyber Criminals Shop Around for Domain Registrars
Cyber criminals are smart and select Registrars that don’t typically comply with their obligations under the RAA. The recent Fakeshop scams saw an organised syndicate registering dropped domain names with ‘non-compliant registrars’. They register expired domain names for their SERP/SEO value: the domain name's existing search ranking carries over, giving them instant SEO points.
Escalating Domain Abuse to ICANN
When domain name registrars fail to act on phishing domains, escalating the case becomes necessary. According to ICANN’s Domain Abuse Activity Reporting (DAAR) project, tracking and reporting security threats such as phishing is critical to understanding the scope of the problem. Despite these efforts, registrars sometimes ignore abuse complaints. In such cases, escalating the issue to ICANN’s Contractual Compliance team is an effective strategy. ICANN has the authority to enforce the Registrar Accreditation Agreement (RAA), which mandates that registrars address domain name abuse. If a registrar is non-compliant, ICANN can initiate an investigation and demand evidence of compliance with its obligations.
Unphish fights for the suspension of abusive domain names
Unphish Beta, a new service in testing provided by Brandsec, actively fights for the suspension of malicious domain names through a comprehensive and aggressive approach. Leveraging advanced detection technologies, Unphish monitors the internet for phishing domains and other forms of domain abuse. Once a domain is identified, the team gathers evidence and submits detailed abuse reports to the respective domain registrars, highlighting the malicious activity and demanding immediate action. Unphish also follows up persistently, ensuring that registrars comply with their obligations under the Registrar Accreditation Agreement (RAA). By providing a robust escalation path, including involving ICANN’s Contractual Compliance team when necessary, Unphish effectively pressures registrars to suspend harmful domains promptly, thereby protecting brands and consumers from phishing attacks and other online threats. More information about the process and services can be found at Unphish by Brandsec.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.