For legitimate businesses, a domain name is a way to hang a shingle in cyberspace. In the criminal world, domain names are a key part of botnet and phishing operations, and cyber-criminals are plundering domain-name registrars around the world to get them.
Criminals are amassing domain names by registering them under phony information, paying with stolen credit cards or hard-to-trace digital currencies like eGold, and breaking into legitimate domain-name accounts. To add to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in.
“There’s absolutely a big problem,” says Ben Butler, director of network abuse at Go Daddy, an Arizona-based domain-name registrar that’s authorized by the Internet Corporation for Assigned Names and Numbers and the appropriate ICANN-accredited registries to sell domain names based on the generic top-level domains (gTLD) that include .com, .aero, .info, .name and .net.
Go Daddy has 36 million domain names under management for more than 6 million customers, making it one of the largest registrars around the globe. It fights a round-the-clock battle to identify domain-name abuse, and if a domain name is determined to be used for harmful purposes Go Daddy will essentially “kill the domain name,” Butler says. (See related story, “How registrars tackle domain name abuse”)
During the suspension process, a malicious domain is redirected to a non-resolving server that delivers an error message. That’s the preferred process instead of outright cancellation, since it’s not always clear who the owner of a malicious domain is. “We investigate literally thousands of complaints on domain names each week,” Butler says. “And we suspend hundreds of domain names per week.”
In spite of all these efforts, criminals still slip through the net, in part because registration services are highly automated, validation processes are insufficient, and the criminals are cagey, determined and technically savvy.
ScanSafe researcher Mary Landesman last month uncovered evidence that a handful of Go Daddy domains were being farmed out for use in three distinct botnet-controlled SQL injection attacks against Web sites in India, the U.S. and China.
But the larger issue is not about Go Daddy, which has a good reputation for fighting domain-name abuse, Landesman says. Rather, the problem encompasses the entire domain-name registration system, along with the faulty Whois database of registrant information (overseen by ICANN) that contains fake data, even total gibberish.
“It’s not intentionally designed for this kind of abuse, but it works in favor of the criminals,” Landesman notes. Effective reform of the domain-name registration process would strike at the heart of Internet crime, she says.
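The fake and "total gibberish" Whois data Landesman describes is the kind of thing a registrar's validation step can at least screen for before a registration goes through. As an added example (not code from Go Daddy, ScanSafe or the article), here is a small Python heuristic that scores constructed registrant records; the field names, thresholds and sample data are assumptions.

```python
import re

# Constructed sample registrant records, not real Whois data:
# one plausible, one with a placeholder phone, one pure gibberish.
SAMPLE_RECORDS = [
    {"name": "Jane Alvarez", "org": "Alvarez Bakery LLC",
     "phone": "+1.3035550142", "email": "jane@alvarezbakery.example"},
    {"name": "John Doe", "org": "N/A",
     "phone": "+1.1111111111", "email": "asdf@asdf.com"},
    {"name": "qwxzrtplmn", "org": "kjhgfdsa",
     "phone": "+1.1234567890", "email": "xxxx@xxxx.xx"},
]

VOWELS = set("aeiou")
PLACEHOLDER_PHONES = {"1234567890", "0000000000"}  # assumed placeholder list


def looks_like_gibberish(text: str) -> bool:
    """Flag alphabetic text with almost no vowels or a long consonant run."""
    letters = [c for c in text.lower() if c.isalpha()]
    if len(letters) < 4:           # too short to judge (e.g. "N/A")
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    # consonant runs: word characters that are neither vowels nor digits
    runs = re.findall(r"[^aeiou\W\d_]+", text.lower()) or [""]
    return vowel_ratio < 0.2 or max(len(r) for r in runs) >= 5


def suspicious_phone(phone: str) -> bool:
    """Repeated digits, a known placeholder, or too few digits to dial."""
    digits = re.sub(r"\D", "", phone)
    national = digits[-10:]
    return len(digits) < 7 or len(set(national)) == 1 or national in PLACEHOLDER_PHONES


def suspicious_email(email: str) -> bool:
    """Malformed address, or gibberish/repeated-character local or domain part."""
    local, _, domain = email.partition("@")
    if not local or "." not in domain:
        return True
    return (looks_like_gibberish(local) or looks_like_gibberish(domain.split(".")[0])
            or len(set(local)) == 1)


def assess_registrant(record: dict) -> list[str]:
    """Return reasons the record looks fake; an empty list means it passed."""
    reasons = []
    for field in ("name", "org"):
        if looks_like_gibberish(record.get(field, "")):
            reasons.append(f"{field} looks like gibberish")
    if suspicious_phone(record.get("phone", "")):
        reasons.append("phone is a placeholder or repeated digits")
    if suspicious_email(record.get("email", "")):
        reasons.append("email looks like a placeholder")
    return reasons
```

A real registrar would treat a non-empty result as a trigger for manual review or additional identity checks rather than an automatic rejection, since legitimate names in some languages have low vowel ratios.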
Domain-name appeal
Criminals who mastermind botnets for spam, phishing, and denial-of-service attacks have come to rely on domain names because these give them “stability” in their controls, says Joe Stewart, a researcher at Atlanta-based SecureWorks. “All the bots can map to the new IP address when it comes up.”
Comments (4)
Very Thorough Article
By Anonymous on September 14, 2009, 4:17 pm
This article was a refreshing read amidst many other hastily-written articles with very little substance to them. I enjoyed it - please continue providing substantial...
ICANN needs to think this a bit more.
By unclesmrgol on September 14, 2009, 6:51 pm
My spam filter used to reject e-mail from a host with no reverse DNS -- that filter element rarely kicks in any more, because the spammers are registering hundreds...
What about hitting the people who pass out ip numbers
By Anonymous on September 14, 2009, 9:17 pm
IP V4 addresses are in short supply. IP V6 addresses are essentially infinite. What about a bonding requirement for getting an assigned number. Abuse it and you...
And?
By tuomoks on September 15, 2009, 5:31 pm
This is the "free marketing", "free world", no rules, no regulations, whatever - what do you want? If they would at least use the same rules for DNS names as for...