The Spamhaus Project


Trends, policy and cheap TLDs - an interview with Dave Piscitello (Part 1)

by The Spamhaus TeamMarch 06, 20246 minutes reading time

Jump to


Cybercrime supply chains are central to today’s intricate web of cyber threats. Without them, malicious actors wouldn’t have access to the tools, resources, and expertise necessary to execute their attacks. In October 2023, Interisle Consulting Group LLC conducted a study that sheds light on the supply chains used by cybercriminals to acquire resources for malware, spam, and phishing attacks.

We met with Dave Piscitello, Partner at Interisle and renowned security expert, for this two-part interview to discuss the study's findings and implications for cybersecurity.

Before diving into that interview, here is an overview of the top level-findings from the study:

  • Nearly 5 million domain names identified as resources for cybercrime.

  • Over 1 million new gTLD domain names reported for spam activity.

  • Over 500,000 subdomain hostnames reported as cybercrime resources at 229 subdomain resellers.

  • Bulk domain registration behavior was detected in over 1.5 million domains.

  • Exact matches of well-known brand names used in over 200,000 cybercrime attacks.

  • The United States, China, India, Australia, and Hong Kong had the most IPv4 addresses used for cybercrime.

Now, without further delay, let's hear from Dave on some of the learnings from the study...

Spamhaus: According to the study, most IPv4 addresses used in cybercrimes appear to be located in large countries. However, are there any small countries that stand out in the study, that carry more than their fair share?

Dave: My colleague, Dr. Colin Strutt, took this as a challenge! He collected population and land area data for countries where we observed cybercrime activity. When we judge cybercrime activity based on population, then VG (British Virgin Islands), SC (Seychelles), and HK (Hong Kong) appear to carry more than their share. When we judge cybercrime activity based on land area, then Hong Kong, SG (Singapore) and GI (Gibraltar) stand out.

Spamhaus: From your experience, is this a trend that you would expect to see?

Dave: Cybercrime resources are often acquired opportunistically: a cybercriminal identifies a service offering or practice that can be used advantageously and misuses that operator or service to acquire what they need to conduct attacks. For example, the ability to register domains or use hostnames that contain brands without interference or to create hosting accounts virtually anonymously most often influence where attacks are hosted.

While this set of small countries has been exploited most recently, other ccTLDs, for example, HK, have been similarly exploited in the past, and it’s quite possible that criminals will take advantage of other small countries in the future.

Spamhaus: But… where did they go?

Dave: Many turned to the new TLDs, and in particular, to 20 new TLDs that accounted for 80% of all blocklisted domains in the new TLD space. Others turned to free or cheap web or blog hosting service providers, where criminals created user accounts, used the account names as host names and uploaded fake or malicious content to the hosting resources of the reseller.

Spamhaus: As you’ve highlighted, Spamhaus researchers consistently see the most abuse with cheap TLDs. In the cybercrime supply chain, how important is price?

Dave: Criminals run campaigns or attacks as businesses. Free or cheap resources – domain names and hosting – maximize profit. We only have anecdotal data, but we have an AWFUL lot of it at the Cybercrime Information Center and in our report. In our supply chain study, we identified five new TLDs – TOP, LIVE, ONLINE, SITE and SHOP – with extraordinary numbers of cybercrime domains reported. Visit any registrar we list in our report, and you’ll find at least one of them is offering these or other new TLDs for less than $1 USD.

Spamhaus: The study points out that European ccTLDs suffer far less abuse than gTLDs, with registries and registrars enforcing stricter ownership policies. How can the entities that provide these abused TLDs learn from the policies of ccTLDs?

Dave: Our supply chain study data show that criminals took most advantage of top-level domains that offered open registrations. By contrast, we observed little or few blocklisted domains among European ccTLDs that require registrants to have a verifiable connection (nexus) to the country, such as proof of residence or evidence of incorporation, as a pre-requisite for domain registration.

These TLDs demonstrate that requiring proof of identity or evidence of incorporation as part of the registration process reduces abuse or crime. If all registrant data were validated, that data would be sufficiently accurate to discriminate natural persons from legal entities for the purpose of publishing Whois where legal entities are registrants, and enabling privacy for natural persons where the regulations of their country of residence requires. Criminals would have to work harder to register domains in such a transparent system.

Spamhaus: Regarding Whois data, how many domains were identifiable to an owner in the study?

Dave: The number is too small to make owner identification via WHOIS or RDAP useful or practical for investigative purposes. In January 2021, we published a study of gTLD contact data availability and found that including ‘proxy-protected’ domains, for which the identity of the domain owner is deliberately concealed, 86.5% of registrants can no longer be identified via WHOIS. We’re repeating this study and expect that percentage will increase.

Spamhaus: Why does this present a problem?

Dave: The policies that were adopted ostensibly to satisfy GDPR were overkill. The domain industry policy makers didn’t appreciate – or ignored – the urgency associated with suspending a domain that’s causing harm or loss. While they eventually provide a means to request owner identity, the processes, and times to respond, especially for investigators who are not law enforcement, are neither timely nor uniformly enforced.

Policy makers generally don’t seem to appreciate that most damage is inflicted within a few hours of the onset of a cyberattack. Prior to the wholesale redaction of domain contact data, one of the most important uses of WHOIS while investigating a cyberattack was to query for a malicious domain, grab the contact data, and then use the contact data to identify any other domains that might also be employed in the attack. This is harder to do now, it takes longer, and the criminals enjoy a longer attack window as a result.

Carel Bitter, Spamhaus' Head of Data, recently wrote about this exact issue, and the degradation of correlation as a research tool.

From the lure of cheap TLDs to policy facades, the Internet naming and addressing elements of the supply chain face a myriad of problems. Read part two, where Dave discusses the crucial role of registries, registrars and other organizations and the changes necessary to fight cybercrime in the supply chain.

The Interisle’s Cybercrime Supply Chain study 2023 was sponsored by the AntiPhishing Working Group (APWG), CAUCE, and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).