[gnso-dnsabuse-smallteam] Bulk registrations and the struggle.

Justine Chew justine.chew.icann at gmail.com
Tue Apr 18 10:13:58 UTC 2023


Hi Theo,

Thanks for sharing here and on the last small team call.

I (too) am very keen to take you up on your offer of a demonstration made
during the call (even though I didn't verbalize my interest then). In fact
I would like to ask a select handful of my ALAC/At-Large colleagues to
attend the call as observers when you present your demonstration, and hope
there will be no objections to this request from the small team.

Kind regards,
Justine



On Tue, 18 Apr 2023 at 17:35, Theo Geurts <gnso at dcx.nl> wrote:

> Hi all,
>
> As mentioned on the call, an outline of a registrar who tried to fix the
> issue of malicious bulk registrations at somewhat the back of the process
> rather than in the front.
>
> Again, most bulk registrations are legit; a small percentage turns
> malicious/criminal and is usually expensive for registrars and resellers.
> Good KYC controls, and more, are vital in combatting such criminals.
>
> The registrar got hit earlier this year with 1000 domain name
> registrations from a registrant whose country code was from Thailand.
> So the registrar blocked the country code and registrants who used the
> country code from Thailand could no longer register domain names.
>
> So the criminals started to switch to other countries. Long story short,
> the registrar started to block almost all country codes.
>
>
> So the criminals now only use country codes from the EU.
> Then the registrar started to use limits.
> New registrants could only register up to 100 domain names each day. Later
> that limit got set to 10, and a few weeks later, the limit became 1.
>
> The criminals started to create new accounts in bulk. They registered one
> domain name per account and used unique data for each account. Detection
> became much more complicated.
>
> At some point, the criminals became aware that established accounts of
> existing customers had no limits. So they started to hack into those
> accounts, and the registrar was back to square one. Hacking into those
> accounts is relatively easy. The dark web contains many combo lists with
> millions of records of people, including passwords, which usually still
> work. Most of the combo lists are free to download.
>
>
> In summary, the registrar lost around 300.000$ in registrations. The
> dissatisfaction of new and current customers was significant, and the
> registrar lost a good chunk of business.
>
> The lesson here is that you need to invest in anti-fraud controls if you
> want legit registrations, in bulk or not.
> Utilize the info from a payment provider;
> https://docs.adyen.com/risk-management
> Block unwanted traffic https://www.blocked.com/; it's inexpensive and can
> be easily integrated into an account sign-up form.
>
>
> Do we want to codify this into policy? Cybercrime is a moving target, and
> you must constantly deploy new solutions.
>
> https://www.theguardian.com/technology/2023/apr/05/international-sting-takes-down-online-marketplace-of-stolen-identities
> Stolen identities gained more traction over the last 12 months and are
> pretty hard to detect.
>
> Best,
> Theo