Phishing still on the decline, despite Whois privacy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.
There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.
That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.
The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.
But the data may be slightly misleading.
APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.
The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.
The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.
But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.
Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.
After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.
Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.
Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.
According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.
That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.
The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.
ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.
This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Scottish registry dumps the pound over Brexit fears

The .scot gTLD registry has decided to dump the British pound as its currency of choice, due to fears over Brexit.
DotScot’s back-end, CORE, told registrars this week that it will start billing in euros from March 29.
The switch is being made due to “the expected volatility in currency exchange rates between GBP and other main currencies post-Brexit”.
March 29 is currently enshrined in UK law as the date we will formally leave the European Union, though the interminable political machinations at Westminster are making it appear decreasingly unlikely that this date could be extended.
CORE said that the prices for .scot registrations, renewals and transfers will be set at €1.14 for each £1 it currently charges. That’s the average exchange rate over the last 12 months, registrars were told.
.scot is a geographic gTLD, rather than a ccTLD, which was approved in ICANN’s 2012 application round. It has about 11,000 domains under management.
Its largest registrar, 1&1 Ionos (part of Germany’s United Internet), charges £40 a year.
Only 38% of Scots voted in favor of Brexit back in 2016, the lowest of any of the UK’s four nations, with no region of Scotland voting “Leave”.
Naturally, a great many Scots believe they’re being dragged out of the EU kicking and screaming by their ignorant, English-bastard neighbors. Which strikes me as a fair point.

.film gTLD sees spike after dropping restrictions

The .film gTLD saw a small spike in registrations this week after dropping eligibility requirements.
The Australia-based registry, Motion Picture Domain Registry, went fully unrestricted February 22 and immediately saw at least 100 new names in its zone file.
It’s a small increase, but it meant .film, which sells for roughly $70 (101domain) to $120 (GoDaddy, its biggest channel) a year, topped 4,000 names for the first time.
It has not seen seen any additional growth since the weekend, however.
.film, from its 2015 launch, was restricted to registrants that could show a nexus to the film industry and was touted as an anti-piracy measure.
It does not appear to have been particularly well-policed, however. Its most popular domains (per Alexa rank) appear today to be piracy sites.
Despite the old restrictions, and despite being more than twice the price, .film has so far actually proved more popular than Donuts’ .movie gTLD, which has been wobbling around the 2,000 to 3,000 domain mark for the last couple of years.
I expect this is probably due to the fact that the word “film” means the same thing in many languages, whereas “movie” is a distinctly American English term.

Yanks beat Aussies to accountancy gTLD

The contention set for .cpa has been resolved, clearing the way for a new accountancy-themed gTLD.
The winner is the American Institute of Certified Public Accountants, which submitted two bids for the string — one “community”, one vanilla, both overtly defensive in nature — back in 2012.
Its main rival, CPA Australia, which also applied on a community basis, withdrew its application two weeks ago.
Commercial registries Google, MMX and Donuts all have withdrawn their applications since late December, leaving only the two AICPA applications remaining.
This week, AICPA withdrew its community application, leaving its regular “single registrant” bid the winner.
AICPA is the US professional standards body for accountants, CPA Australia is the equivalent organization in Australia. ACIPA has 418,000 members, CPA Australia has 150,000.
Both groups failed their Community Priority Evaluations back in 2015 on the basis that their communities were tightly restricted to their own membership, and therefore too restrictive.
AICPA later amended its community application to permit CPAs belonging to non-US trade groups to register.
Both organizations were caught up in the CPE review that also entangled and delayed the likes of .music and .gay. They’ve also both appealed to ICANN with multiple Requests for Reconsideration and Cooperative Engagement Process engagements.
CPA Australia evidently threw in the towel after a December 14 resolution of ICANN’s Board Accountability Mechanisms Committee decision to throw out its latest RfR. It quit its CEP January 9.
It’s likely a private resolution of the set, perhaps an auction, occurred in December.
The winning application from AICPA states fairly unambiguously that the body has little appetite for actually running .cpa as a gTLD:

The main reasons for which AICPA submits this application for the .cpa gTLD is that it wants to prevent third parties from securing the TLD that is identical to AICPA’s highly distinctive and reputable trademark

So don’t get too excited if you’re an accountant champing at the bit for a .cpa domain. It’s going to be an unbelievably restrictive TLD, according to the application, with AICPA likely owning all the domains for years after delegation.

The internet is about to get a lot gayer

Seven years after four companies applied for the .gay top-level domain, we finally have a winner.
Three applicants, including the community-driven bid that has been fighting ICANN for exclusive recognition for years, this week withdrew their applications, leaving Top Level Design the prevailing bidder.
Top Level Design is the Portland, Oregon registry that already runs .ink, .design and .wiki.
The withdrawing applicants are fellow portfolio registries Donuts and MMX, and community applicant dotgay LLC, which had been the main holdout preventing the contention set being resolved.
I do not yet know how the settlement was reached, but it smells very much like a private auction.
As a contention set only goes to auction with consent of all the applicants, it seems rather like it came about after dotgay finally threw in the towel.
dotgay was the only applicant to apply as a formal “community”, a special class of applicant under ICANN rules that gives a no-auction path to delegation if a rigorous set of tests can be surmounted.
Under dotgay’s plan, registrants would have to have been verified gay or gay-friendly before they could register a .gay domain, which never sat right with me.
The other applicants, Top Level Design included, all proposed open, unrestricted TLDs.
dotgay, which had huge amounts of support from gay rights groups, failed its Community Priority Evaluation in late 2014. The panel of Economist Intelligence Unit experts awarded it 10 out the 16 available points, short of the 14-point prevailing threshold.
Basically, the EIU said dotgay’s applicant wasn’t gay enough, largely because its definition of “gay” was considered overly broad, comprising the entire LGBTQIA+ community, including non-gay people.
After dotgay appealed, ICANN a few months later overturned the CPE ruling on a technicality.
A rerun of the CPE in October 2015 led to dotgay’s bid being awarded exactly the same failing score as a year earlier, leading to more dotgay appeals.
The .gay set was also held up by an ICANN investigation into the fairness of the CPE process as carried out by the EIU, which unsurprisingly found that everything was just hunky-dory.
The company in 2016 tried crowdfunding to raise $360,000 to fund its appeal, but after a few weeks had raised little more than a hundred bucks.
Since October 2017, dotgay has been in ICANN’s Cooperative Engagement Process, a form of negotiation designed to avert a formal, expensive, Independent Review Process appeal, and the contention set had been on hold.
The company evidently decided it made more sense to cut its losses by submitting to an auction it had little chance of winning, rather than spend six or seven figures on a lengthy IRP in which it had no guarantee of prevailing.
Top Level Design, in its application, says it wants to create “the most safe, secure, and prideful .gay TLD possible” and that it is largely targeting “gay and queer people as well as those individuals that are involved in supporting gay cultures, such as advocacy, outreach, and civil rights.”
But, let’s face it, there’s going to be a hell of a lot of porn in there too.
There’s no mention in the winning bid of any specific policies to counter the abuse, such as cyberbullying or overt homophobia, that .gay is very likely to attract.
Top Level Design is likely to take .gay to launch in the back end of the year.
The settlement of the contention set is also good news for two publicly traded London companies.
MMX presumably stands to get a one-off revenue boost (I’m guessing in seven figures) from losing another auction, while CentralNic, Top Level Design’s chosen back-end registry provider, will see the benefits on an ongoing basis.

After ICANN knockback, Amazon countries agree to .amazon talks

Talks that could lead to Amazon finally getting its long-sought .amazon gTLD are back on, after a dispute between ICANN and eight South American governments.
The Amazon Cooperation Treaty Organization last week invited ICANN CEO Goran Marby to meet ACTO members in Brasilia, any day next week.
It’s not clear whether Amazon representatives have also been invited.
The outreach came despite, or possibly because of, ICANN’s recent rejection of an ACTO demand that the .amazon gTLD applications be returned to their old “Will Not Proceed” status.
In rejecting ACTO’s Request for Reconsideration, ICANN’s board of directors had stressed that putting .amazon back in the evaluation stream was necessary in order to negotiate contractual concessions that would benefit ACTO.
Amazon is said to have agreed to some Public Interest Commitments that ACTO would be able to enforce via ICANN’s PIC Dispute Resolution Process.
The e-commerce giant is also known to have offered ACTO cultural safeguards and financial sweeteners.
ACTO’s decision to return to the negotiating table may have been made politically less uncomfortable due to a recent change in its leadership.
Secretary-general Jacqueline Mendoza, who had held the pen on a series of hard-line letters to Marby, was in January replaced by Bolivian politician Alexandra Moreira after her three-year term naturally came to an end.
ICANN’s board has said it will look at .amazon again at its meetings in Kobe, Japan, in March.

Operation September Thrust leads to another million-domain Radix gTLD

Radix has become the first new gTLD portfolio registry to hit over one million domains in more than one TLD.
It said today that .site has crossed the seven-digit threshold, joining .online, which hit a million names in 2018.
It’s huge recent growth for .site, which had around 561,000 domains under management at the end of September.
Radix CEO Sandeep Ramchandani told DI today that the rapid uptick comes as a result of a marketing program internally code-named “September Thrust”.
This involved promotional pricing — Ramchandani said the cheapest a .site could have been obtained would be about $0.99 — and joint-marketing efforts with multiple registrars.
This mostly involved plugs on registrar home pages, email shots, and promotion in the “check availability” part of registrar storefronts, he said.
The latest transaction reports filed with ICANN show .site grew by about 120,000 DUM in October, with West.cn, NameCheap and Network Solutions (Web.com) the biggest beneficiaries.
NetSol’s .site DUM actually grew by about 10x in the month.
The $1 retail pricing was apparently available at some registrars prior to September, and continues to exist on storefronts today.

Pay up or sell up, ICANN tells failing new gTLD

ICANN has responded to a request for it to reduce the $25,000 annual fee it charges gTLD registries.
The answer is no.
That wholly unsurprising reply came in a letter from registry services director Russ Weinstein to John McCabe, CEO of failing new gTLD operator Who’s Who Registry.
McCabe, in November, had asked ICANN to reduce its fees for TLDs, such as its own .whoswho, that have zero levels of abuse. ICANN fees are the “single biggest item” in the company’s budget, he said.
His request coincided with ICANN commencing compliance proceedings against the company for failure to pay these fees
Weinstein wrote, in a letter (pdf) published today:

We sympathize with the financial challenges that some new gTLD registry operators may be facing in the early periods of these new businesses. New gTLD operators face a challenging task of building consumer awareness and this can and may take significant time and effort.

But he goes on to point out that the $25,000-a-year fee was known to all applicants before they applied, and had been subject to numerous rounds of public comment before the Applicant Guidebook was finalized.
Weinstein writes:

The AGB made clear that evaluation phase was to determine whether an applicant had the requisite technical, operation and financial capabilities to operate a registry, and was not a assessment nor an endorsement of a particular business plan.

It’s pretty clear that the .whoswho business plan has failed. It’s sold no more than a handful of non-defensive domains over the four years it has been available.
Weinstein concludes his letter by pointing out that all new gTLD registries are free to terminate their contracts for any reason, and that it’s perfectly permissible under ICANN rules to sell your contract to another registry.
ICANN told Who’s Who earlier this month that it has until February 10 to pay its overdue fees or risk having its contract terminated.

ICANN puts deadline on .amazon talks

ICANN’s board of directors has voted to put a March deadline on talks over the future of the .amazon gTLD.
Late last week, the board formally resolved to “make a decision” on .amazon at ICANN 64, which runs in Kobe, Japan from March 9 to March 14.
It would only do so if Amazon the e-commerce giant and the eight governments of the Amazon Cooperation Treaty Organization fail to come to a “mutually agreed solution” on their differences before then.
CEO Goran Marby is instructed to facilitate these talks.
Here are the relevant resolved clauses from the resolution:

Resolved (2019.01.16.03), the Board hereby reiterates that Resolution 2018.10.25.18 was taken with the clear intention to grant the President and CEO the authority to progress the facilitation process between the ACTO member states and the Amazon corporation with the goal of helping the involved parties reach a mutually agreed solution, but in the event they are unable to do so, the Board will make a decision at ICANN 64 on the next steps regarding the potential delegation of .AMAZON and related top-level domains.
Resolved (2019.01.16.04), the Board encourages a high level of communication between the President and CEO and the relevant stakeholders, including the representatives of the Amazonian countries and the Amazon corporation, between now and ICANN 64, and directs the President and CEO to provide the Board with updates on the facilitation process in anticipation of revisiting the status of the .AMAZON applications at its meeting at ICANN64.

The vote came following ACTO’s demand that ICANN reverse its decision to take .amazon, and Chinese and Japanese translations, off their “Will Not Proceed” status, which heavily implied they will ultimately end up in the root.
ACTO, which claims its members have a greater right to the string due to its geographical and cultural significance, says it has not yet agreed to Amazon’s peace offering, which includes safeguards, financial support for future gTLD applications, and free Kindles.
The ICANN board has now formally rejected the demand — so .amazon is still officially on the path to delegation — but has published mountains of clarification explaining that ACTO misinterpreted what the status change implied.
The board now says that the status change was necessary in order for ICANN to negotiate the inclusion of Public Interest Commitments — PICs, which would give ACTO the right to challenge Amazon if it breaches any of its cultural safeguards — in the .amazon contracts.
With ACTO’s Request for Reconsideration now dealt with, the ball moves into ACTO’s court.
Will ACTO come back to the negotiating table, or will it retain the hard line it has been adopting for the last few months? We’ll find out before long.

Another failing gTLD not paying its “onerous” dues

ICANN has sent out its first public contract breach notice of the year, and it’s going to another new gTLD registry that’s allegedly not paying its fees.
The dishonor goes to Who’s Who Registry, manager of the spectacularly failing gTLD .whoswho.
According to ICANN, the registry hasn’t paid its registry fees for several months and hasn’t been responding to private compliance outreach.
The company has a month to pay up or risk suspension or termination.
CEO John McCabe actually wrote to ICANN (pdf) the day after one of its requests for payment in November, complaining that its fees were too “onerous” and should be reduced for registries that are “good actors” with no abuse.
ICANN’s annual $25,000 fee is “the single largest item in .whoswho’s budget”, McCabe wrote, “the weight of which suppresses development of the gTLD”.
Whether ICANN fees are to blame is debatable, but all the data shows that .whoswho, which has been in general availability for almost four years, has failed hard.
It had 100 domains under management at the last count, once you ignore all the domains owned by the registry itself. This probably explains the lack of abuse.
Well over half of these names were registered through brand-protection registrars. ICANN statistics show 44 names were registered during its sunrise period.
A Google search suggests that only four people are currently using .whoswho for its intended purpose and one of those is McCabe himself.
The original intent of .whoswho was to mimic the once-popular Who’s Who? books, which contain brief biographies of notable public figures.
The gTLD was originally restricted to registrants who had actually appeared in one of these books, but the registry scrapped that rule and slashed prices from $70 to $20 a year in 2016 after poor uptake.
I’d venture the opinion that, in a world of LinkedIn and Wikipedia, Who’s Who? is an idea that might have had its day.