Studies on DNS Abuse – reality check or industry incentive?

The study examines phishing attacks across various top-level domains, as well as among different registrars and hosting providers.  It also reports on brands most targeted by phishers, the role of subdomain resellers in phishing, and how phishers have added cryptocurrencies to their financial fraud target lists.

The study maintains that phishing remains a profitable and expanding industry, with the number of phishing attacks reported each month doubling since 2020. The trendline shows a 52% growth in phishing attacks over the 24-month period, and a 61% increase in phishing attacks from 2021. According to the study, the number of maliciously registered domain names that are purposely registered by a phisher to perpetrate a phishing attack increased by 82% since 2021.

Though these numbers, if correct, are concerning, the study also finds wide differences among individual sectors and service providers. According to the authors of the study only 34% of all domains reported for phishing were in .com and .net, whose combined market share is 48% of all TLDs, whereas new gTLDs (like .shop, .club, .info, etc.) were used disproportionately often for phishing. 36% of domains used for phishing were in ccTLDs, which is roughly in line with the 39% of the domain name market share represented by ccTLDs. However, the study does elaborate, that phishing in the ccTLD category is artificially swollen by phishing domains reported in five commercialized ccTLDs run by the domain provider Freenom (.tk, .ml, .ga, .cf, .gq), which offers free domain name registrations, whereas the other ccTLDs suffer far less phishing than might be expected based on market share (according to the study roughly 22%). An earlier study on DNS abuse, commissioned by the European Commission, found that European ccTLDs are by far the least abused, relative to their overall market share, as only 0.8% of all abused domain names were registered under EU ccTLDs.

The results of both studies show clearly, that the European ccTLD landscape is by far the healthiest sector among top-level domains with regard to DNS abuse practices (such as phishing, spamming, malware, CSAM, botnets, etc.). Even though these results are reassuring and indicate, that European service providers offering ccTLD registrations have established good practices in maintaining a safe domain environment, these findings are not properly reflected in the recommendations of either of the studies.

Both studies suggest that registries and registrars across the board should monitor, identify, block or suspend domains reported for DNS abuse, as they are “in an excellent position” to do so. They also possess key information – contact data and billing data, which is highly useful to identify malicious customers, and have terms of service that allow them to suspend domains for illegal activity. Both studies also claim that obliging operators to validate the identity of users, coupled with providing lawful access to dedicated access seekers could reduce DNS abuse, even though there is hardly any data clearly showing that user identity validation contributes to reduced cybercrime.

The authors of both studies encourage internet service providers to be more responsive to abuse complaints and promote the role that the private sector plays in combatting cybercrime, seemingly ignoring, that there is as of yet no uniform definition of “cybercrime” or that most private entities lack legal expertise to discern legal from illegal behaviour, thus being forced into overblocking legal content from fear of being held liable for crimes committed by the users of their services.

In their response to the EC DNS Abuse Study the Council of European National Top-Level Domain Registries (CENTR) highlights that the definition of DNS abuse provided by the study is too broad and seems to encompass all current forms of cybercrime, thus being inconsistent with its accompanying explanation that only targets a limited number of technical intermediaries, whereby it disregards the proportionate resolution path targeting the intermediary that is closest to the content. The study also disregards the fundamental difference between the governance of ccTLDs and gTLDs and demonstrates incoherent analysis by adopting a “one-size-fits-all” approach with measures targeted at both ccTLDs and gTLDs despite finding that ccTLDs are by far less abused. As a result, any measures targeted solely at ccTLDs will have a limited impact on effectively reducing abuse online. The study also recommends harmonised Know-Your-Business-Customer practices across ccTLDs, despite the lack of proof of abuse.

Both studies will most probably be embraced by national governments, who lack resources and specific knowledge for tackling cybercrime and thus encourage preventive measures taken by the private sector, as well as big right-holders (such as holders of trademarks and copyrights) who are much more successful in enforcing their rights against neutral internet gatekeepers than against individual infringers.