How post-GDPR rules are making it harder for investigators to shut down cybercriminals using bulk registration tactics to perpetuate online crimes
When it comes to perpetuating digital crimes using domains, cybercriminals are turning to bulk domain registration to cover their tracks and to “weaponize” their attacks. Bulk registration services let criminals acquire thousands, if not hundreds of thousands, of domains quickly and cheaply, in a matter of minutes. These massive swaths of domains are then used in spam and ransomware campaigns, phishing, and malware distribution, as well as for criminal infrastructure operations such as botnets and brand-based attacks on consumers. Cybercriminals use these domains to distribute their attacks widely and then abandon them just as quickly.
Prior to GDPR and the redaction of registrant information from WHOIS, investigators could obtain registrant names and contact information, and even when that data was incomplete or incorrect, it made rapid responses to these sorts of attacks possible. Now, in a post-GDPR world, with domain name registrant contact information severely limited and hidden behind registries and registrars that are reluctant to respond to WHOIS requests, cybercriminals are able to operate with relative impunity. In situations where time is critical, especially during cyberattacks where every second of delay produces more victims, investigators find themselves stymied by a system that has slowed the enforcement process to a virtual crawl.
Interisle Consulting Group recently released a comprehensive study of this issue, examining both the ease with which criminals can bulk register and distribute attacks across hundreds of thousands of domain names and the effect that restricted access to registration data has had on the cybercrime investigators tasked with shutting these operations down. They concluded that the ability of cybercriminals to register these domains with impunity, combined with the difficulty investigators face in obtaining critical registrant information, has resulted in an overwhelming increase in the likelihood of substantial harm to the victims of these cyberattacks.
As a result of their study and findings, they came up with nine policy recommendations to help curtail this egregious loophole:
- Validate domain name registration data.
- Define “bulk registrant” as a new element of registration data for Whois.
- Define an Acceptable Use Policy (AUP) that applies specifically to parties that register large numbers of domains.
- Require registrants to apply for bulk registration services.
- Distinguish domain names registered by legal entities from those registered by natural persons, classify parties that use bulk registration services as legal entities, and require unredacted access to the registration data of legal entities.
- Maintain and publish a current list of validated bulk registrants.
- Disallow registration transactions that involve large numbers of random-looking algorithmic domain names.
- Disallow, for a period of one year, the re-registration of any bulk-registered domain name that has been used in a criminal cyberattack.
- Provide the ICANN DAAR project with access to unredacted Whois data without rate limiting.
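The seventh recommendation above asks registrars to refuse bulk transactions made up of random-looking algorithmic names. As an added illustration (not Interisle's code, and not any registrar's actual screening logic), the following Python sketch shows one way a registrar could apply such a check to a bulk request: each label is scored on vowel ratio, longest consonant run and digit density, and the batch is rejected when too large a fraction of its names look algorithmic. The sample batch and all thresholds are constructed assumptions for the example.

```python
VOWELS = set("aeiou")

# Constructed sample bulk request (not real registrations): ordinary names
# mixed with random-looking labels of the kind a generation algorithm emits.
SAMPLE_BATCH = [
    "example-shop.com", "citybakery.net", "greenhomes.org", "travelguide.info",
    "xk9qzvtpl3.com", "kjzrwotpnq.net", "xqvz7aplk2.org", "bmvtqeu81z.com",
]

def second_level_label(domain):
    """Return the registrable label, e.g. 'example-shop' for 'example-shop.com'."""
    return domain.lower().strip(".").split(".")[0]

def label_features(label):
    """Lexical features that separate dictionary-like labels from algorithmic ones."""
    alnum = [c for c in label if c.isalnum()]          # hyphens are ignored
    letters = [c for c in alnum if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    digits = sum(1 for c in alnum if c.isdigit())
    run = best = 0                                      # longest non-vowel run
    for c in alnum:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return {
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digit_ratio": digits / len(alnum) if alnum else 0.0,
        "max_consonant_run": best,
    }

def looks_algorithmic(domain):
    """Heuristic flag: almost no vowels, a long consonant run, or many digits.
    Being a heuristic, it will produce false positives on some acronyms/brands,
    so a real deployment would route flagged batches to manual review."""
    f = label_features(second_level_label(domain))
    return (f["vowel_ratio"] < 0.2
            or f["max_consonant_run"] >= 5
            or f["digit_ratio"] >= 0.3)

def screen_bulk_batch(domains, min_batch_size=5, max_algorithmic_fraction=0.3):
    """Screen a bulk registration request; reject it when the share of
    algorithmic-looking names in a bulk-sized batch exceeds the threshold."""
    flagged = [d for d in domains if looks_algorithmic(d)]
    fraction = len(flagged) / len(domains) if domains else 0.0
    is_bulk = len(domains) >= min_batch_size
    return {
        "total": len(domains),
        "flagged": flagged,
        "fraction": round(fraction, 3),
        "is_bulk": is_bulk,
        "reject": is_bulk and fraction >= max_algorithmic_fraction,
    }

if __name__ == "__main__":
    result = screen_bulk_batch(SAMPLE_BATCH)
    for d in SAMPLE_BATCH:
        print(f"{d:20} {'ALGORITHMIC' if d in result['flagged'] else 'ok'}")
    print("reject batch:", result["reject"], f"({result['fraction']:.0%} flagged)")
```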
Implementing these recommendations will require a concerted and collaborative effort of participants in the domain name registration community: ICANN, registries and registrars, government regulators, individual and institutional registrants, and cybercrime investigators.
As one of ICANN’s key roles is to operate “for the benefit of the Internet community as a whole” (see section 1.2, Commitments and Core Values), ICANN must evaluate ways to protect privacy while still enabling attribution and abatement of malicious behavior. The changes recommended by Interisle, along with centralized pseudonymization of registrant contact information in lieu of wholesale redaction, could be an option for identifying bulk abusers.
Allowing cybercriminals to weaponize domains for their benefit at the expense of all Internet users twists the intent of the GDPR and cannot be allowed to continue unchecked.