Think about the last time you started a new job. You were keen to impress your new colleagues with how quickly you could become part of the team. One day, you receive an email from “ITsupport@yourempIoyer.com” urgently asking for some information to get you connected to company systems, and you reply quickly with some personal data.
But what you didn’t notice was that that email domain name–youremployer.com–was spoofed: it was actually spelled with a capital “I” in the place of the lowercase “L”–yourempIoyer.com. (Can you easily tell the difference, even now?) You unwittingly handed over your company login, password, social security number and other personal information. You just fell victim to a homographic phishing scam!
What is DNS Abuse?
These kinds of phishing scams are abuses of the Domain Name System (DNS) that is overseen by ICANN, the Internet Corporation for Assigned Names and Numbers. ICANN recognizes five kinds of DNS abuse: phishing, malware, botnets, pharming and spam when it serves as a delivery mechanism for other forms of DNS abuse.
According to Interisle Consulting Group, the monthly number of phishing attacks more than doubled in the year before April 2022, with over 100,000 attacks reported in April alone. Its 2022 study found more than 850,000 unique domain names were reported for phishing—a 72% increase over the prior year. That adds up to millions of users put at risk of being defrauded and giving up confidential data, money, and time.
Most domain names involved in DNS abuse are “maliciously-registered”: names that were created by bad actors for the specific purpose of DNS abuse. These maliciously-registered domains usually look very similar to those of legitimate brands, like Facebook, Apple and Outlook. Perhaps they have an extra “p” in Apple.com or a zero in place of the “O” in Outlook.com. These intentional typos are designed to deceive users and get them to give up their personal information to the phishers.
Addressing DNS Abuse
The DNS abuse problem has grown serious enough that there are now initiatives to fight DNS from several ICANN stakeholders. At the ICANN meeting in Kuala Lumpur last month, a DNS Abuse team presented its investigation, concluding that DNS abuse occurs in a cycle, with steps indicated for prevention and mitigation.
Before abuse begins, ICANN’s registries and registrars can take steps to prevent malicious registration. The DNS Abuse Institute in its first Intelligence Report discusses how to identify domains being registered for malicious purposes. Maliciously-registered domains can be blocked by registrars.
When DNS abuse does happen, harmed parties need a place to report the problem.
It can be challenging for a user who has fallen victim to a phishing scam to report the problem, especially after they’ve changed passwords and account information. But reporting the abuse is an essential step to prevent future DNS abuse from occurring. The DNS Abuse Institute created NetBeacon as one such tool for reporting DNS abuse incidents, gathering actionable information to help registrars and hosting providers take action.
The anti-abuse community must come together to develop and deploy similar applications to report DNS abuse. Tracking data can inform new mitigation and prevention strategies. ICANN compliance can enforce registrar obligations to address reported abuse of domain names they’ve licensed. And if that’s not working effectively, ICANN and responsible registrars could tighten-up contract obligations so that bad actors can’t flout the rules with impunity.
More Conversations Coming
The problem of maliciously registered domains and DNS abuse will become more challenging as more domain names include non-Latin script, like Arabic, Chinese and Cyrillic. And as alternative blockchain identifiers like Ethereum seek notoriety, it will be even easier for bad actors to divert queries via collisions with existing DNS domains. When asked about taking steps to block DNS abuse and other misbehaviors, the blockchain advocates boast that their de-centralized scheme does not allow domains to be removed for any reason, claiming that is a feature; not a bug!
Looking ahead to the global Internet Governance Forum this December, there are sessions about DNS abuse as part of the theme of safety, security and accountability. This attention shows that the multistakeholder community is coming to grips with the scourge of DNS abuse. We should all play our part to encourage continued prevention measures, and scrutinize discussions and solutions coming from IGF2022, new contract obligations and enforcement by ICANN compliance, and advocacy from the internet community.