The Spamhaus Project

Registration, collaboration and disruption - an interview with Dave Piscitello (Part 2)

by The Spamhaus Team | March 07, 2024 | 6 minutes reading time

Introduction

In part one, Dave Piscitello, Partner at Interisle Consulting Group LLC, discussed several key findings of the Interisle Cybercrime Supply Chain study 2023. Now, let’s explore the role of registries, registrars and other organizations that can effect change in the cybercrime supply chain.

Spamhaus: Brand impersonation is a widespread and growing threat. Should registries and registrars be held responsible for screening domain names more rigorously before publishing?

Dave: When criminals can register and then impersonate brands with impunity, they can exploit the least technical members of society, especially young and old Internet users.

For our study, we identified nearly 170,000 domain names and almost 23,000 subdomain reseller host names that contain an exact match for a brand in their name. If we can find these post hoc, the registrar can find these and delay registration pending an investigation. Some registrars are attempting to do this, and I applaud this, but if there’s no uniform policy across the domain name space, the criminals will look elsewhere.

We appreciate that “what brands? how many? and what process?” are important questions, but we and other researchers like us not only look for exact matches but for similarity matches post hoc. If registrars expressed a willingness to commit to mitigating brand impersonation, the research and investigator communities would assist them.

Spamhaus: In the study, over 1.5 million domains exhibited malicious bulk domain registration behavior characteristics. This may seem obvious, but can limiting these services reduce cybercrime?

Dave: First, let’s discuss the scale of the bulk registration problem. To determine that a domain is part of a set that we believe to be registered in bulk, and because we can’t get registrant contact data, we look for occurrences where sets of ten or more domain names were registered via the same registrar within 10 minutes of each other. Note that we found not tens but hundreds or thousands of domains in many sets. These typically have exact or similar label composition characteristics; for example, bandao101.com, bandao102.com… bandao2048.com, bandao2050.com.

We consider these purchases by a single threat actor because it’s unlikely that several unrelated (or non-conspiring) registrants would register domain names with the exact label composition characteristics, simultaneously, in volume, in a matter of minutes.

Spamhaus: What did you find?

Dave: As you highlighted, we associated 1,529,677 domains with bulk domain registration behavior. These occurred in 29,561 sets. We found occurrences of bulk domain registration in 292 registrars. We can’t think of legitimate purposes that are served by registering several thousand domains of this kind.

Spamhaus: So, your answer is “yes”?

Dave: Absolutely. Bulk registration of the kind we identify is a criminal misuse of a dangerous product. Many governments monitor and limit the purchase of pseudoephedrine to limit the manufacture of methamphetamine or ammonium nitrate to prevent the construction of improvised explosive devices. In the extreme cases of ransomware attacks against healthcare, emergency systems or critical infrastructures, the potential harms from bulk registration abuse include loss of life. Similar measures imposed on the registration of domains can protect the public against cybercrimes, cyberattacks, or cyberterrorism.

In our study, we recommend that Registrars should refrain from offering forms of bulk registration except in circumstances where the customer acknowledges that they are a legal entity, provides credentials to corroborate their legal entity status, and provides a legitimate purpose (e.g., protection of a registered trademark or a legitimate service offering).

Starving criminals of a resource that is too easily acquired in volume isn’t a novel approach, and governments should intervene where policymakers have failed to protect the public.
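The bulk-registration heuristic Dave describes above (ten or more names registered through the same registrar within ten minutes of each other, sharing a label composition such as bandao101, bandao102, …) can be expressed as a small detector. This is an added example, not Interisle’s code; the record layout, the digit-collapsing similarity rule and the sample registrations are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=10)   # registrations this close together count as one burst
MIN_SET = 10                     # "sets of ten or more", as in the study

def label_pattern(domain):
    """Collapse digit runs in the second-level label: bandao101.com -> 'bandao#'.
    Assumed similarity rule; the study's exact label-composition test is not given."""
    sld = domain.lower().split(".")[0]
    return re.sub(r"\d+", "#", sld)

def find_bulk_sets(records):
    """records: iterable of (domain, registrar, registered_at: datetime).
    Returns sets of >= MIN_SET names registered via one registrar within WINDOW
    of each other that share a label pattern. Windows are non-overlapping once a
    set is reported, so a long burst is split into consecutive sets."""
    groups = defaultdict(list)
    for domain, registrar, ts in records:
        groups[(registrar, label_pattern(domain))].append((ts, domain))
    found = []
    for (registrar, pattern), entries in groups.items():
        entries.sort()                       # by timestamp, then name
        start = 0
        while start < len(entries):
            end = start
            while end + 1 < len(entries) and entries[end + 1][0] - entries[start][0] <= WINDOW:
                end += 1
            if end - start + 1 >= MIN_SET:
                found.append({"registrar": registrar, "pattern": pattern,
                              "domains": [d for _, d in entries[start:end + 1]]})
                start = end + 1
            else:
                start += 1
    return found

def sample_records():
    """Constructed sample: one bulk set of 12 look-alike names plus noise."""
    base = datetime(2023, 6, 1, 12, 0, 0)
    recs = [(f"bandao{n}.com", "registrar-a", base + timedelta(seconds=30 * i))
            for i, n in enumerate(range(101, 113))]
    recs += [(f"promo{n}.net", "registrar-b", base + timedelta(seconds=40 * i))
             for i, n in enumerate(range(1, 6))]                  # only five: below MIN_SET
    recs += [("my-bakery.com", "registrar-a", base + timedelta(minutes=3)),
             ("bandao2050.com", "registrar-a", base + timedelta(hours=5))]  # same pattern, hours later
    return recs

if __name__ == "__main__":
    for s in find_bulk_sets(sample_records()):
        print(s["registrar"], s["pattern"], len(s["domains"]), "names")
```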

Spamhaus: In the report, you also highlight potential industry failings: “Reactive efforts currently employed by the domain name and hosting industries, governments, and private sector organizations cannot curtail cybercrime and the harms it inflicts on Internet users.” What are the main reasons?

Dave: Silos. The gTLD registries and registrars essentially write their own policies. Governments develop policies for their country’s TLDs. Hosting, cloud, blog and website operators don’t have any central or coordinated global policy-making entity. Private sector organizations defend their networks, users, and brands and collaborate ad hoc with law enforcement and cooperative operators.

Spamhaus: And what changes are needed?

Dave: At a minimum, we advocate the adoption of common (uniform) acceptable use policy and conventions for uniform and timely action to strip criminals of resources associated with a cybercrime (domains, addresses, content). The domain industry, in particular, should put an end to years of trying to define DNS abuse, adopt the definitions from Council of Europe’s Convention on Cybercrime, and prioritize response and enforcement before creating a new greenfield for criminals by adding more TLDs.

Spamhaus: Finally, you state in the report, “Interisle believes that adopting the well-known strategy of disrupting supply lines can be effective in mitigating cybercrime.” Can you elaborate?

Dave: Military history is full of examples of how disrupting supply lines contributes to defeating an adversary. When Japan attempted to invade China in the 16th century, Korea disrupted supply lines. Sherman’s March to the Sea secured the Union’s victory over the Confederacy in the US. Russia’s scorched earth policy broke both Napoleon’s and Hitler’s marches east.

Operators must take on roles as disruptors: make it hard for criminals to acquire domain or host names anonymously, cheaply and in volume. Make it hard for criminals to keep malicious content online. Governments must collaborate to accelerate cross-jurisdictional prosecution of cybercriminals. Ask, and law enforcement agents will acknowledge the critical role that private sector investigators play in combatting cybercrime. Operators and governments must embrace the private sector investigators’ roles in combatting cybercrime as well. This is a tall order, but cybercrime continues to worsen while everyone remains siloed.

To achieve cybercrime supply chain disruption, cross-industry collaboration is essential, with a focus on developing policies, operational practices, and technical solutions. We want to extend our gratitude to Dave and the Interisle Consulting Group LLC team for their dedication to cybercrime research and for sharing these valuable insights.

Interisle’s Cybercrime Supply Chain study 2023 was sponsored by the Anti-Phishing Working Group (APWG), CAUCE, and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).