[gnso-dnsabuse-smallteam] Bulk registrations and the struggle.

Theo Geurts gnso at dcx.nl
Tue Apr 18 09:35:31 UTC 2023


Hi all, 

As mentioned on the call, an outline of a registrar who tried to fix the issue of malicious bulk registrations at somewhat the back of the process rather than in the front. 

Again, most bulk registrations are legit; a small percentage turns malicious/criminal and is usually expensive for registrars and resellers. Good KYC controls, and more, are vital in combating such criminals. 

The registrar got hit earlier this year with 1000 domain name registrations from a registrant whose country code was from Thailand. 
So the registrar blocked the country code and registrants who used the country code from Thailand could no longer register domain names. 

So the criminals started to switch to other countries. Long story short, the registrar started to block almost all country codes. 

 
So the criminals now only use country codes from the EU. 
Then the registrar started to use limits. 
New registrants could only register up to 100 domain names each day. Later that limit got set to 10, and a few weeks later, the limit became 1. 

The criminals started to create new accounts in bulk. They registered one domain name per account and used unique data for each account. Detection became much more complicated. 

At some point, the criminals became aware that established accounts of existing customers had no limits. So they started to hack into those accounts, and the registrar was back to square one. Hacking into those accounts is relatively easy. The dark web contains many combo lists with millions of records of people, including passwords, which usually still work. Most of the combo lists are free to download.


In summary, the registrar lost around 300.000$ in registrations. The dissatisfaction of new and current customers was significant, and the registrar lost a good chunk of business. 

The lesson here is that you need to invest in anti-fraud controls whether you want legit bulk registrations or not. 
Utilize the info from a payment provider; https://docs.adyen.com/risk-management
Block unwanted traffic https://www.blocked.com/; it's inexpensive and can be easily integrated into an account sign-up form. 


Do we want to codify this into policy? Cybercrime is a moving target, and you must constantly deploy new solutions. 
https://www.theguardian.com/technology/2023/apr/05/international-sting-takes-down-online-marketplace-of-stolen-identities Stolen identities gained more traction over the last 12 months and are pretty hard to detect.

Best, 
Theo
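The failure mode in the message above is that a flat per-account daily cap only constrains new accounts, so attackers either mass-create accounts or take over established ones that have no limit. Below is an added example (not the registrar's code, nor anything from the list) of a velocity check that keeps a hard cap for young accounts and, for established accounts, derives a cap from that account's own history so a sudden spike after a takeover is held for review. Account names, thresholds and events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values (assumptions, not from the message).
NEW_ACCOUNT_DAILY_CAP = 1          # hard cap for accounts younger than NEW_ACCOUNT_AGE
NEW_ACCOUNT_AGE = timedelta(days=30)
BASELINE_MULTIPLIER = 5            # flag when today exceeds 5x the account's busiest prior day
ESTABLISHED_FLOOR = 10             # never flag an established account below this many per day

def daily_counts(events):
    """Aggregate (account, timestamp) events into {account: {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for account, ts in events:
        counts[account][ts.date()] += 1
    return counts

def evaluate(account, created, history, today):
    """Return ('hold'|'allow', reason) for this account's registrations on `today`.
    New accounts get the flat cap; established accounts get a cap relative to
    their own baseline, so a compromised long-standing account is still noticed."""
    todays = history.get(today, 0)
    age = datetime.combine(today, datetime.min.time()) - created
    if age < NEW_ACCOUNT_AGE:
        if todays > NEW_ACCOUNT_DAILY_CAP:
            return "hold", f"{account}: new account exceeded cap ({todays} > {NEW_ACCOUNT_DAILY_CAP})"
        return "allow", f"{account}: new account within cap"
    prior = [c for d, c in history.items() if d < today]
    baseline = max(prior) if prior else 0
    cap = max(ESTABLISHED_FLOOR, baseline * BASELINE_MULTIPLIER)
    if todays > cap:
        return "hold", f"{account}: spike vs own baseline ({todays} > {cap}, baseline {baseline})"
    return "allow", f"{account}: within baseline"

# Constructed sample data: one young account, one quiet old account that suddenly
# registers 40 names (takeover pattern), one genuinely busy reseller account.
SAMPLE_ACCOUNTS = {"acct-new": datetime(2023, 4, 10), "acct-old": datetime(2020, 1, 15),
                   "acct-busy": datetime(2019, 6, 1)}
SAMPLE_EVENTS = (
    [("acct-new", datetime(2023, 4, 17, 9, m)) for m in range(3)]
    + [("acct-old", datetime(2023, 3, 1, 10)), ("acct-old", datetime(2023, 3, 1, 11)),
       ("acct-old", datetime(2023, 3, 15, 12))]
    + [("acct-old", datetime(2023, 4, 17, 2, m)) for m in range(40)]
    + [("acct-busy", datetime(2023, 3, 20, 9, m)) for m in range(30)]
    + [("acct-busy", datetime(2023, 4, 17, 9, m)) for m in range(50)]
)

def run_demo(today=datetime(2023, 4, 17).date()):
    """Evaluate every sample account for `today`; returns {account: decision}."""
    counts = daily_counts(SAMPLE_EVENTS)
    return {a: evaluate(a, SAMPLE_ACCOUNTS[a], counts[a], today)[0] for a in SAMPLE_ACCOUNTS}

if __name__ == "__main__":
    for account, decision in run_demo().items():
        print(account, decision)
```

The point of the baseline rule is that "no limits for existing customers" becomes "limits scaled to what this customer normally does", which does not inconvenience a busy legitimate reseller but does hold a dormant account that suddenly registers dozens of names.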