Skip to main content
Studies on DNS Abuse

Studies on DNS Abuse – reality check or industry incentive?


In July 2022 the Interisle Consulting Group published their annual study on the prevalence of phishing attacks. Interisle, a private consulting firm consisting of industry experts, some of which have held positions at ICANN, analysed over three million phishing reports from 1 May 2021 to 30 April 2022 from multiple intelligence providers, but also took into account data from 2020 to create an biennial overview of phishing attacks – fraudulent practices of sending emails or setting up websites purporting to be from reputable companies in order to induce internet users to reveal personal information, such as passwords and credit card numbers.

The study examines phishing attacks across various top-level domains, as well as among different registrars and hosting providers.  It also reports on brands most targeted by phishers, the role of subdomain resellers in phishing, and how phishers have added cryptocurrencies to their financial fraud target lists.

The study maintains that phishing remains a profitable and expanding industry, with the number of phishing attacks reported each month doubling since 2020. The trendline shows a 52% growth in phishing attacks over the 24-month period, and a 61% increase in phishing attacks from 2021. According to the study, the number of maliciously registered domain names that are purposely registered by a phisher to perpetrate a phishing attack increased by 82% since 2021.

Though these numbers, if correct, are concerning, the study also finds wide differences among individual sectors and service providers. According to the authors of the study only 34% of all domains reported for phishing were in .com and .net, whose combined market share is 48% of all TLDs, whereas new gTLDs (like .shop, .club, .info, etc.) were used disproportionately often for phishing. 36% of domains used for phishing were in ccTLDs, which is roughly in line with the 39% of the domain name market share represented by ccTLDs. However, the study does elaborate, that phishing in the ccTLD category is artificially swollen by phishing domains reported in five commercialized ccTLDs run by the domain provider Freenom (.tk, .ml, .ga, .cf, .gq), which offers free domain name registrations, whereas the other ccTLDs suffer far less phishing than might be expected based on market share (according to the study roughly 22%). An earlier study on DNS abuse, commissioned by the European Commission, found that European ccTLDs are by far the least abused, relative to their overall market share, as only 0.8% of all abused domain names were registered under EU ccTLDs.

The results of both studies show clearly, that the European ccTLD landscape is by far the healthiest sector among top-level domains with regard to DNS abuse practices (such as phishing, spamming, malware, CSAM, botnets, etc.). Even though these results are reassuring and indicate, that European service providers offering ccTLD registrations have established good practices in maintaining a safe domain environment, these findings are not properly reflected in the recommendations of either of the studies.

Both studies suggest that registries and registrars across the board should monitor, identify, block or suspend domains reported for DNS abuse, as they are “in an excellent position” to do so. They also possess key information – contact data and billing data, which is highly useful to identify malicious customers, and have terms of service that allow them to suspend domains for illegal activity. Both studies also claim that obliging operators to validate the identity of users, coupled with providing lawful access to dedicated access seekers could reduce DNS abuse, even though there is hardly any data clearly showing that user identity validation contributes to reduced cybercrime.

The authors of both studies encourage internet service providers to be more responsive to abuse complaints and promote the role that the private sector plays in combatting cybercrime, seemingly ignoring, that there is as of yet no uniform definition of “cybercrime” or that most private entities lack legal expertise to discern legal from illegal behaviour, thus being forced into overblocking legal content from fear of being held liable for crimes committed by the users of their services.

In their response to the EC DNS Abuse Study the Council of European National Top-Level Domain Registries (CENTR) highlights that the definition of DNS abuse provided by the study is too broad and seems to encompass all current forms of cybercrime, thus being inconsistent with its accompanying explanation that only targets a limited number of technical intermediaries, whereby it disregards the proportionate resolution path targeting the intermediary that is closest to the content. The study also disregards the fundamental difference between the governance of ccTLDs and gTLDs and demonstrates incoherent analysis by adopting a “one-size-fits-all” approach with measures targeted at both ccTLDs and gTLDs despite finding that ccTLDs are by far less abused. As a result, any measures targeted solely at ccTLDs will have a limited impact on effectively reducing abuse online. The study also recommends harmonised Know-Your-Business-Customer practices across ccTLDs, despite the lack of proof of abuse.

Both studies will most probably be embraced by national governments, who lack resources and specific knowledge for tackling cybercrime and thus encourage preventive measures taken by the private sector, as well as big right-holders (such as holders of trademarks and copyrights) who are much more successful in enforcing their rights against neutral internet gatekeepers than against individual infringers.

Similar articles

Trademarks, geographical indications and internet domains

Trademarks, geographical indications and internet domains

Trademarks, geographical indications and internet domains are three separate rights, but due to their similar use on the internet, they are often interconnected and therefore easily confused. Trademarks and geographical indication designate the origin of the goods or services and the connection between these goods/services and a specific provider. A domain can also have the same function.

More …

Employee photo

Klara Herman, Communications and Public Relations

I joined Register.si at the end of 2020 when the COVID-19 epidemic was at its peak. Even though I have been employed at Arnes for more than 15 years, taking on new work tasks, getting to know new colleagues and adjusting to team dynamics felt challenging

More …

man holding a laptop

My constant goal is: to manufacture something, to create something

Andrej Bagon, technical engineer at Registry .si

I have been interested in computer science since I was a child. We had a printing house at home and around ’85 the first computers started to appear in our office. If I remember correctly, my father was the first in our area to have a 286 – this meant Windows 3.0, CorelDraw 2.0 and a dot matrix printer. This caught my attention and it was in this way that I came across first text programming languages ​​- Basic and Pascal.

More …