TurnCommerce acquired another 299 registrar accreditations from ICANN over Christmas week.
The company, which is behind domain properties including DropCatch.com, now has at least 452 registrars in its stable. That’s over 31% of the 1,456 total currently reported by Internic.
Each of the new accreditations is named “DropCatch”, followed by a number from 446 to 751. Each has a matching .com domain as its nominal base of operations and an associated LLC shell company.
At $4,000 a year for the base accreditation fee, TurnCommerce must be spending close to $2 million a year in ICANN fees alone.
Companies in the drop-catching business acquire large numbers of registrars in order to control more batches of connections with which to spam gTLD registries with “add” requests when potentially valuable domains expire and are deleted.
With almost a third of all accredited registrars now operating under the same control, one imagines TurnCommerce’s chances of securing the names it wants have been significantly improved.
As well as DropCatch, TurnCommerce runs retail registrar NameBright and premium sales site HugeDomains. It has plans to launch additional services at Expire.com and PremiumDomains.com shortly.
Its latest crop of registrars means ICANN has accredited over 2,200 companies since the gTLD registrar market was opened for competition 15 year ago, though many have allowed their contracts to lapse or, less frequently, have been terminated by ICANN compliance efforts.
ICANN and Power Auctions have completed December’s mini-batch of “last resort” new gTLD auctions, adding a total of $6.4 million to its mysterious auction cash pile.
Johnson & Johnson won .baby, fighting off five portfolio applicants and paying a winning bid of $3,088,888.
Meanwhile, the Canadian Real Estate Association beat Afilias to .mls, paying $3,359,000.
I called it for CREA earlier this week, noting that the organization wanted .mls enough that it filed two applications, a failed Community Priority Evaluation, and an unsuccessful Legal Rights Objection against Afilias.
ICANN has now raised over $34 million selling off 10 strings at last resort auctions, with prices ranging from $600,000 (.信息) to $6.7 million (.tech).
The money has been set aside for purposes currently undecided. At least one applicant wants ICANN to redistribute the cash to losing bidders, which I don’t think is particularly likely.
It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
ICANN’s fifth set of last-resort new gTLD auctions is set for tomorrow and it’s another small batch.
Just two contention sets — .baby and .mls — are set to be resolved, with ICANN stashing the winning bids into its special fund.
.baby is hotly contested with no fewer than six applicants — five portfolio applicants and one big brand.
Will Johnson & Johnson get what was once a single-registrant “closed generic”, or will Donuts, Google, Radix, Famous Four or Minds & Machines prevail?
Meanwhile, .mls (for “multiple listing service”, a type of real estate listings aggregation service popular in North America) is a two-horse race between Afilias and the Canadian Real Estate Association.
I’m tempted to call this one for CREA. The organization is so desperate for the .mls gTLD that it filed two applications, one “community” and one vanilla.
The community application was withdrawn earlier this year when CREA scored 11 out of 16 points on its Community Priority Evaluation, failing to pass the 14-point threshold.
The organization even filed a Legal Rights Objection against Afilias in attempt to kill off the competition, which also failed.
Having fought off these challenges, Afilias is either going to get the gTLD or walk away empty-handed. The last resort auction does not compensate unsuccessful bidders for their investments.
Amazon is now the proud owner of the .secure new gTLD, after much smaller competing applicant Artemis Internet withdrew its bid.
Coincidentally, the settlement of the contention set came just yesterday, the day before Artemis took its .trust — which I’ve described as a “backup plan” — to sunrise.
I assume .secure was settled with a private deal. I’ve long suspected Artemis — affiliated with data escrow provider NCC Group — had its work cut out to win an auction against Amazon.
It’s a shame, in a way. Artemis was one of the few new gTLD applicants that had actually sketched out plans for something quite technologically innovative.
Artemis’ .secure was to be a “trust mark” for a high-priced managed security service. It wasn’t really about selling domain names in volume at all.
The company had done a fair bit of outreach work, too. As long ago as July 2013, around 30 companies had expressed their interest in signing up as anchor tenants.
But, after ICANN gave Amazon a get-out-of-jail-free card by allowing it to amend its “closed generic” gTLD applications, it looked increasingly unlikely Artemis would wind up owning the gTLD it was essentially already pre-selling.
In February this year, it emerged that it had acquired the rights to .trust from Deutsche Post, which had applied for the gTLD unopposed.
This Plan B was realized today when .trust began its contractually mandated sunrise period.
Don’t expect many brands to apply for their names during sunrise, however — .trust’s standard registration policies are going to make cybersquatting non-existent.
Not only will .trust registrants have their identities manually vetted, but there’s also a hefty set of security standards — 123 pages (pdf) of them at the current count — that registrants will have to abide by on an ongoing basis in order to keep their names.
As for Amazon, its .secure application, as amended, is just as vague as all of its other former bids for closed, single-registrant generic strings (to the point where I often wonder if they’re basically still just closed generics).
It’s planning to deploy a small number of names to start with, managed by its own intellectually property department. After that, its application all gets a bit hand-wavey.