First registry gets breach notice over new abuse rules
.TOP Registry allegedly ignored reports about phishing attacks and has become the first ICANN contracted party to get put on the naughty step over DNS abuse rules that came into effect a few months ago.
ICANN has issued a public breach notice claiming that the registry, which runs .top, has also been ignoring the results of Uniform Rapid Suspension cases, enabling cybersquatting to take place.
The notice says that .TOP breached new rules, which came into effect April 5, that require it to act on reports of DNS abuse (such as malware or phishing attacks) by suspending the domains or referring them to the responsible registrar.
The registry didn’t do this with respect to a report of April 18, concerning “multiple .top domain names allegedly used to conduct phishing attacks”. It didn’t even read the report until contacted by ICANN, according to the notice.
As of yesterday, only 33% of the phishing domains have been suspended by their registrars, some three months after the attacks were reported, ICANN says.
Compliance is also concerned that .TOP seems to be ignoring notices from Forum, the company that processes URS cases, requiring domains to be locked within 24 hours when they’ve been hit with a charge of cybersquatting.
The registry “blatantly and repeatedly violated” these rules, according to ICANN.
.TOP has been given until August 15 to get its act together or risk having its Registry Agreement suspended or terminated.
The registry has about three million .top domains under management, having long been one of the most successful new gTLDs of the 2012 round in volume terms. It typically sells domains very cheaply, which of course attracts bad actors.
Police .uk domain takedowns dive in 2023
The number of .uk domain names taken down as a result of requests from law enforcement shrank substantially last year, according to the latest stats from Nominet.
The registry said today that it suspended 1,193 domains in the 12 months to October 31, down from 2,106 in the previous period. It’s a record low since Nominet started tracking the data, for the second year in a row.
As usual, alleged intellectual property violations were the biggest cause of action. The Police Intellectual Property Crime Unit had 717 names taken down, with the National Fraud Intelligence Bureau suspending 321 and the Financial Conduct Authority 116.
While police takedowns were low, domains suspended by Nominet’s proactive Domain Watch anti-phishing technology were up about 20%, from 5,005 to 5,911. Nominet said this is because the tech, which flags possible phishing domains for human review at point of registration, is getting better.
The number of domains suspended because they appeared on threat feeds doubled, from 1,108 in the 2022 period to 2,230 last year, the company said.
Cybersquatting cases in .uk have also been declining, Nominet reported earlier this month.
While correlation does not equal causation, it might be worth noting that .uk registrations overall have been on the decline for some time. There were 10.68 million .uk domains at the end of January, down from 11.04 million a year earlier.
Dueling domain blocking services to launch at ICANN 79
Norwegian startup NameBlock is set to launch its suite of brand protection and domain security services later this week, with a somewhat different take on the market to its primary competitor.
Recently appointed CEO Pinky Brand tells me the company plans to formally launch March 1, the day before the ICANN 79 public meeting begins in Puerto Rico.
The company is coming out with two services to begin with — BrandLock, which allows trademark owners to block their marks across multiple TLDs, and AbuseShield, which blocks hundreds of variant domains that are considered at the most risk of abuse.
BrandLock is perhaps most directly comparable to the DPML service offered by Identity Digital, GoDaddy’s AdultBlock, and the multi-registry GlobalBlock service that is also due to formally launch in San Juan next week.
The service requires the buyer to own a verified trademark, and the exact match of that mark will be blocked over a multitude of ccTLDs and gTLDs. Brand said reseller partners may choose to bundle different TLDs thematically or offer them as one-offs.
He said he expects it to retail for $40 to $50 per domain per year, so presumably makes the most sense for the more-expensive TLDs or for buyers who have other reasons to want a block rather than a defensive registration.
The value proposition seems a lot clearer for AbuseShield, which is notable for not requiring a trademark to get protection — it’s more of a security pitch than a brand-protection story.
Under AbuseShield, when a registrant buys a name in a participating TLD, they will be given the option to pay to block a couple hundred potentially abusive variant domains in that same TLD, for a far lower cost than they’d pay to defensively register them individually.
Using data from NameBlock’s majority shareholder iQ Global, the company identifies homographic variants and common “abuse prefixes” — strings such as “login” and “https” — to compile a list of domains to be blocked. A feature called VariantCatcher will automatically block already-registered risky domains at the registry when they expire, for no extra cost.
“We want to make the abuse prevention market much, much wider than it has been before,” Brand said. “You’d pay $89 to $129 a year to block the 100 to 250 variations that we know are most likely to be used by someone to do you harm.”
At first, the service will be available through NameBlock resellers, currently those registrars focused on corporate services, but the company plans to make an API available in a few months that will let retail registrars offer the service as an up-sell in their storefront.
At launch, NameBlock has around 15 resellers, such as MarkMonitor, CSC, 101Domain, Encirca and Gandi, Brand said. Registries for about a dozen TLDs will be on board, but Brand said he expects this to grow to 40 to 50 in a couple months.
CoCCA, which makes registry software used by 57 ccTLDs, has already announced its support for NameBlock’s services.
Elsewhere at ICANN 79, you’ll find the Brand Safety Alliance, a GoDaddy-led initiative purveying the new GlobalBlock service, which is more of a brand-protection play.
As I’ve previously blogged, because portfolio registries GoDaddy and Identity Digital are involved, GlobalBlock can provide blocking coverage in hundreds of TLDs — over 560 at the current count — with prices starting at about $6,000 a year retail.
While GlobalBlock and NameBlock are certainly operating in the same space, there appears to be enough variation between the two services that the market might be able to support both.
Newly launched .zip already looks dodgy
A trawl through the latest zone file for Google’s newly launched .zip gTLD reveals that it is likely to be used in malware and phishing attacks.
.zip is of course also a filename extension used by the ZIP archive format, often used to compress and email multiple files at once, and many domains registered in the .zip gTLD in the last few days seem ready to capitalize on that potential for confusion.
I counted 3,286 domains in the May 14 zone file, and a great many of them appear to relate to email attachments, financial documents, software updates and employment information.
I found 133 instances of the word “update”, with sub-strings such as “attach”, “statement”, “download” and “install” also quite common.
Some domains are named after US tax and SEC forms, and some appear to be targeting employees at their first day of work.
I don’t know the intent of any of these registrants, of course. It’s perfectly possible some of their domains could be put to benign use or have been registered defensively by those with security concerns. But my gut says at least some of these names are dodgy.
Google went into general availability with eight new TLDs last Wednesday, and as of yesterday .zip was the only one to rack up more than a thousand names in its zone file.
The others were .dad (913 domains), .prof (264), .phd (605), .mov (463), .esq (979), .foo (665) and .nexus (330).
Facebook sues free domains registry for cybersquatting
Facebook parent Meta has sued Freenom, the registry behind multiple free-to-register ccTLDs including .tk, claiming the company engages in cybersquatting.
Meta alleges that Freenom infringes its Facebook, Instagram and WhatsApp trademarks over 5,000 domain names in the TLDs it operates.
While best-known for Tokelau’s .tk, which had almost 25 million registrations when Verisign stopped counting them a year ago, Freenom also operates .gq for Equatorial Guinea, .cf for the Central African Republic, .ml for Mali, and .ga for Gabon.
Apart from some reserved “premiums”, the company gives domains away for free and then monetizes, with parking, the residual traffic that arrives when the domains expire or, one suspects more commonly, are suspended for engaging in abuse.
Naturally enough, it therefore has registered, to itself, a great many domains previously used for phishing.
Meta lists these names as examples of infringers: faceb00k.ga, fb-lnstagram.cf, facebook-applogin.ga, instagrams-help.cf, instaqram.ml, chat-whatsaap.gq, chat-whatsaap-com.tk, and supportservice-lnstagram.cf, though these do not appear to be monetized right now.
It accuses the registry of cybersquatting, phishing and trademark infringement and seeks over half a billion dollars in damages (at $100,000 per domain).
Today, Freenom is not accepting new registrations, but it’s blaming “technical issues” and says it hopes to resume operations “shortly”.
Facebook is one of the most prolific and aggressive enforcers of its trademarks in the domain space, having previously sued OnlineNIC, Namecheap and Web.com. OnlineNIC had to shut up shop due to its lawsuit.
(Via Krebs on Security)
ICANN extends Covid-19 abuse monitoring to Ukraine war
ICANN has started monitoring domains related to the war in Ukraine for potential abuse, expanding an ongoing project related to the Covid-19 pandemic.
CEO Göran Marby has during multiple sessions at ICANN 73 this week said that the Org will soon announce an extension of its DNSTICR project — pronounced “DNS Ticker” and standing for Domain Name Security Threat Information Collection & Reporting.
The plan is to alert registrars about Ukraine-related domain names being used to scam people or drop malware.
“There will be coming up more information about this very soon, but we have decided to also add names in relationship to the conflict in Ukraine,” Marby said during a session with the Commercial Stakeholders Group.
DNSTICR was launched in March 2020, when the pandemic was in full swing, to find new domains containing keywords such as “covid”, “pandemic” and “coronavirus”, and check them against domain abuse lists.
From May 2020 to August last year, it flagged 210,939 pandemic-related domains, and found that 3,791 of them were malicious with “high confidence”.
CTO John Crain said in a session on Monday: “There’s a lot of stuff in the press and some technical papers out there that show clearly that the bad guys, as always, have, once again, pivoted to whatever is happening in the world. So if we can do a little bit to help, we will.”
GoDaddy hack exposed a million customer passwords
GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.
The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.
The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.
In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.
GoDaddy discovered the hack November 17 and disclosed it November 22.
It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.
Comes wrote in his blog post:
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.
About 500 staff reportedly failed the test.
Donuts offers name spinner to show potential attacks
Donuts has launched a tool to show off its TrueName offering, which blocks potential phishing attacks at the domain registry level.
It’s like a regular name spinner, but instead of showing you available domains it shows you visually confusingly similar domains — homographs — that it will block if you register said name in any of Donuts’ portfolio of 2xx (subs, please check) TLDs.
For example, spinning truename.domains returns results such as trʋenɑme.domains (xn--trenme-exc57b.domains) and trᵫname.domains (xn--trname-xk6b.domains), which could be used in phishing attacks.
How many strings get blocked depends largely on what characters are in your name. The letters I and O have a great many visually confusing variants in other non-Latin scripts, and each instance exponentially increases the potential attack vectors.
For example, if I were to register “domainincite” in one of Donuts’ TLDs, Donuts would block 767 homographs at the registry level, but if I were to register “kevinmurphy”, it would only need to block 119.
It only blocks the homographs in the same TLD as the original name. It’s not a replacement for brand protection in other TLDs.
Donuts doesn’t charge anything extra for this service. It’s included in the price of registration and offered as a unique perk for Donuts’ selection of gTLDs.
I gave TrueName a brief post when it launched last year, but I have to say I really like the idea. It’s a rare example of true innovation, rather than simple money-grubbing, that has come from the new gTLD program.
If Verisign were to roll out something similar in .com, it would eliminate a bunch of phishing and cut down on legal fees for big brands chasing phishers and typosquatters through UDRP or the courts.
It was born out of Donuts’ Domain Protected Marks List product, which allows trademark owners to block their brands and homographs across the whole Donuts stable for less money than defensively registering the names individually.
The downside of the spinner tool is of course that, if you’re a bad guy, it simplifies the process of generating samples of homograph Punycode (the ASCII “xn--” string) that can be used in any non-Donuts TLD that supports internationalized domain names.
The tool is limited to 10 domains per spin, however, which limits the potential harm.
Try it out here.
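The detection side of what the Donuts spinner and NameBlock’s AbuseShield describe, as an added example that is not Donuts’ or NameBlock’s code: it decodes the Punycode A-labels quoted above back to their Unicode forms, collapses look-alike characters with a small confusables table, and flags labels that wrap a protected brand in an “abuse prefix” such as “login” or “https”. The confusables table, the affix list and the domain feed are constructed for the example; a real deployment would load Unicode’s confusables.txt and read its registry’s zone file.

```python
"""Lookalike-domain detector for a protected brand label (example code)."""
from typing import Dict, Iterable, Optional

# Constructed subset of a confusables table: non-ASCII code points (and two
# common digit substitutions) mapped to the ASCII letters they resemble.
CONFUSABLES = {
    "\u028b": "u",   # ʋ  latin small letter v with hook (as in trʋenɑme)
    "\u0251": "a",   # ɑ  latin small letter alpha
    "\u1d6b": "ue",  # ᵫ  latin small ligature ue (as in trᵫname)
    "\u0456": "i",   # і  cyrillic byelorussian-ukrainian i
    "\u043e": "o",   # о  cyrillic small letter o
    "\u0440": "p",   # р  cyrillic small letter er
    "0": "o", "1": "l",
}
# Constructed "abuse prefix" list of the kind AbuseShield keys on.
ABUSE_AFFIXES = ("login", "https", "secure", "update", "verify")

def to_unicode_label(label: str) -> str:
    """Decode an xn-- A-label to its U-label; ASCII labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(label: str) -> str:
    """Collapse confusables so visually similar labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def classify(domain: str, protected: str) -> Optional[str]:
    """Return 'homograph', 'affix' or None for one domain vs. a brand label."""
    ulabel = to_unicode_label(domain.split(".")[0]).lower()
    if ulabel == protected:
        return None                       # the brand's own name
    if skeleton(ulabel) == protected:
        return "homograph"                # e.g. faceb00k, trʋenɑme
    if protected in ulabel and any(a in ulabel for a in ABUSE_AFFIXES):
        return "affix"                    # e.g. facebook-applogin
    return None

def scan(domains: Iterable[str], protected: str) -> Dict[str, str]:
    """Map every flagged domain in a feed to its finding; clean ones are omitted."""
    findings = {}
    for d in domains:
        kind = classify(d, protected)
        if kind:
            findings[d] = kind
    return findings

# Constructed feed mixing the spinner's two results with affix variants.
FEED = [
    "truename.domains",
    "xn--trenme-exc57b.domains",   # trʋenɑme.domains
    "xn--trname-xk6b.domains",     # trᵫname.domains
    "truename-login.domains",
    "https-truename.domains",
    "example.domains",
]

if __name__ == "__main__":
    for dom, kind in scan(FEED, "truename").items():
        print(f"{kind:9s} {dom} -> {to_unicode_label(dom.split('.')[0])}")
```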
Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.
Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.
Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:
Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as
, and the other Domain Names at issue in these proceedings. By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.
Employees who click the bogus links are taken to harmless web pages describing how they were duped.
The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.
In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.
He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.
Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).
It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.
GoDaddy pranks employees with “insensitive” phishing test
GoDaddy has apologized to its staff after teasing them with a $650 Christmas bonus that turned out to be nothing but a test of whether they could be duped into handing over their sensitive personal info.
Employees worldwide reportedly received emails promising the bonus December 14 from an official-looking but presumably spoofed address.
Those who clicked through and filled out a form with their personal data received a second email a few days later informing them they’d actually just failed a “phishing test” and would “need to retake the Security Awareness Social Engineering training.”
Around 500 staff reportedly failed the test.
But many were pissed off that the company would dangle a bonus, only to snatch it away, just a week before Christmas and at a time when the coronavirus pandemic has caused many to fear for their livelihoods.
While GoDaddy rode out the pandemic just fine, it laid off hundreds, regardless.
After the prank last week attracted media attention, the company apologized to its employees, saying in a statement sent to the AFP:
GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologised. While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees.
I sincerely hope nobody spent their illusory $650 in the days before the test was revealed.