The Daily Scam has documented hundreds of malicious and fraudulent attempts by criminal gangs to take advantage of citizens the world over, seemingly with impunity. The simple fact that a criminal in, for example, Russia can hack a website in India and host a phishing scam or set a malware trap designed to infect computers in the UK or US, and then exercise control over the infected computers or stolen accounts through shill computers in four other countries, makes it crystal clear why it is so difficult to identify, arrest and prosecute these criminals.
Adding insult to injury is the fact that ICANN, the world’s governing body for making and overseeing the rules regarding Internet domain names, completely ignores its stated responsibility to “preserve and enhance… security” (taken from ICANN’s Mission statement, Core Value [a]: “Preserve and enhance… security.”). We cannot find any evidence anywhere on the ICANN website, or in its actions, that demonstrates any effort to improve security and make it harder for criminals to operate against us. ICANN’s poor effort demonstrates no willingness to police the Registrar industry that it has created and licenses. Criminal gangs misuse the domain name system at will and ICANN does nothing. What misuse do we mean? Here are some of the key problems we’ve identified with our current domain governance:
1. Domain registrants (the people who register a domain) enter little information or completely fraudulent information to identify themselves. In our experience, we often find that it is easy to expose fraudulent registration information.
2. Registrants who are found to register malicious domains are still able to register dozens, and sometimes hundreds of domains with the same fake information over months.
3. Registrants are allowed to register domain names that are extremely suspicious because the name strongly suggests that it is misleading and pretending to be something it is not.
4. Some Registrars appear to turn a blind eye while criminals use their services to register hundreds of suspicious domains. Many of these domains later turn up as malicious according to online security services and yet the same registrants continue signing up more domains over the course of months.
5. There is no centralized, easy system for reporting suspicious domains and Registrars are not held to any reasonable standard for investigating domains that are reported as malicious. The Daily Scam has reported malicious domains to Registrars along with proof of their malicious use and the Registrars have sometimes taken weeks to investigate or even reply.
6. The domain name selling business is anything but clear and direct. It is obfuscated, and it is easy to hide domain ownership and even which Registrar is responsible for responding to a reported misuse of a domain.
7. Proxy services offer protection to criminals and the general public alike, and there appears to be no means to separate one from the other, or even to conduct an investigation or subpoena information should evidence of misuse become available.
What If ICANN Served to Protect Citizens of the World?
Suppose for a moment that ICANN sincerely wanted to preserve and enhance the security of the world’s domains to make it harder for criminals to misuse the system to target us. What could it do to make the Internet safer? We have some suggestions, though we will be the first to admit that these suggestions may have flaws or details to be worked out. But this is a start, and we invite ICANN, or anyone else, to improve upon them.
1. Domain Registration Should be Verified and Rated
It is unacceptable that anyone can register a domain using fake or incomplete information. There should be a system put in place that rates registrants on a small simple scale based on verification of information. For example, if a registrant enters information that is easily verified to be completely accurate he or she might receive a rating of 5. If, on the other hand, a registrant’s information is incomplete or completely unverifiable, the rating is 1. Ratings below a certain value should be flagged for investigation and clearly displayed to the world as unverified and therefore untrusted.
2. Domain Risk Assessment Database (DRAD):
ICANN should create a central database that all Registrars are required to send Registrant data to within minutes after a domain is registered. If Registrars do not provide this information, or continually delay in providing it, they risk losing their license. It would be an incentive to legitimate businesses and domain owners to make sure that their information was correct and accurate. This database would be available to the public, searchable and display the following information in a plain and simple manner so it is easy to understand and available in multiple languages:
a. Domain name.
b. Registrant name (or Proxy service clearly identified if used and information about the proxy service provided).
c. Registrant address.
d. Registrant contact information, if provided.
e. Registrant Information Rating (see #1 above).
f. The country from which the domain was registered. If the country or IP address is “unknown”, that fact should be clearly displayed.
g. Date and time of registration; expiration date of domain lease.
h. Registrar service through which domain was registered.
i. Whether or not a website has been detected at the domain and, if so, a screenshot of the website at the time a visitor requests the record.
j. Whether the domain name includes another company’s domain name, or a very similar name that has previously been registered, while this domain is NOT registered by that company, e.g. icloud-assist.com is not registered by Apple, paypalsupport.com is not registered by PayPal, AmricanExpress.com is not registered to AmericanExpress.com.
k. Whether approved and trusted online services such as VirusTotal.com have identified the domain as malicious/phishing. If so, provide links back to the service that made that assessment.
l. Whether people have reported the website as malicious or filed complaints against the domain, via a short online form that requires verifiable information (including a call-back number) and records whether the reporter has demonstrated authority to report online threats, fraud and scams by having been vetted and included in an ICANN security group.
m. Whether or not there is any evidence that the Registrant has previously registered domains that have been identified as malicious or fraudulent by approved and trusted online services, such as VirusTotal.com.
n. A history of the domain, including all registrant information and the dates of renewals and changes of registrant.
o. ICANN’s database should give a risk score based on all the information available including the Registrant’s history registering other domains that have been found to be suspicious.
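Item (j) above asks the database to flag registrations that embed or closely resemble another company’s name. The following is an added illustration of that check, not code from The Daily Scam or from ICANN: a small brand table and an edit-distance comparison, with the brand labels, owner names and sample registrants all constructed for the example.

```python
# Added example (not from The Daily Scam): flag newly registered domains that
# embed or closely resemble a protected brand label, as item (j) proposes.
# The brand table and the sample inputs are constructed for illustration.

BRAND_LABELS = {  # constructed: brand label -> organisation that owns it
    "icloud": "Apple",
    "apple": "Apple",
    "paypal": "PayPal",
    "americanexpress": "American Express",
}


def registrable_label(domain: str) -> str:
    """Return the lower-cased second-level label ('icloud-assist' for
    'www.icloud-assist.com'). Naive split; public-suffix handling omitted."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_report(domain: str, registrant_org: str, max_distance: int = 2):
    """Return (brand owner, reason) when the domain's label contains or nearly
    matches a brand label and the registrant is not that brand's owner.
    Returns None when nothing suspicious is found."""
    label = registrable_label(domain)
    compact = label.replace("-", "")  # 'icloud-assist' -> 'icloudassist'
    for brand, owner in BRAND_LABELS.items():
        if registrant_org.lower() == owner.lower():
            continue  # the owner registering its own brand names is fine
        if brand in compact:
            return (owner, f"label '{label}' contains brand label '{brand}'")
        if edit_distance(compact, brand) <= max_distance:
            return (owner, f"label '{label}' is within {max_distance} edits of '{brand}'")
    return None
```

A real deployment would use the public suffix list for label extraction and a much larger brand table, but the containment and near-miss checks are the core of what item (j) describes.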
3. Rescind Domains:
The DRAD described above should be monitored by a security team created by ICANN for the sole purpose of evaluating the likelihood of domains being legitimate or malicious. Those with a higher risk of being malicious are recommended for review by an administrative group that has the authority to revoke the use of the domain immediately. An appeals process should be available for decisions made by this ICANN authority.
If a Licensed Registrar is found to allow the registration of many malicious domains from the same Registrant because they did not check DRAD, the Registrar should be at risk of losing their license for registering domains. Warnings to Registrars should be published for all to see.
4. Legitimate But Hacked Domains Database:
ICANN should also keep a database of legitimate domains that are reported as likely hacked and hosting malicious content. These reports should come by way of vetted and registered Internet security organizations/companies e.g. Google’s analysis that says “This site may be hacked.” This database should include a simple form for people to report a legitimate but hacked domain and provide their evidence to support their report, including screenshots of mouse-over links and URLs to malicious files. The ICANN security team should give immediate attention to verify or refute the information provided.
5. Create a Trusted Independent Web Authority
ICANN should pay to create an independent web authority whose sole purpose is to evaluate and verify the authenticity of a domain registrant. A system should be put in place that is fool-proof but does allow for proxy services. Individuals, organizations, and companies who wish to win the public trust can submit their domain and information to this authority to be independently verified. This is similar to the way in which Educause verifies and authenticates .edu domains.
In addition to the five strategies described above for ICANN, there are additional improvements that should be demanded of companies who create the tools that the world uses to access the Internet…
Responsibilities of Companies Who Create Web Browsers and Email Services:
Web browser and email service providers should build the following features into their browsers and email programs:
1. When a user mouses-over a link, a popup tells the user the following:
a. The fully qualified domain name (FQDN) that the link points to and whether or not that FQDN is on the global ICANN high-risk list
b. The date that the FQDN was registered
c. The country where the FQDN is being hosted; or inform the user that the country cannot be determined if no information is available
2. Display the country from which the email was sent or the country hosting the web page content; or inform the user that the country of origin cannot be determined.
3. Have a simple button that lets users unshorten any shortened link to reveal where it leads before clicking.
We at The Daily Scam don’t believe for a moment that these efforts will prevent all Internet crime. But we do believe that these steps will reduce crime and make it easier for people to better evaluate their risk before clicking a link or visiting a website. It’s time for the people of the world to demand more from the few elite individuals who have somehow come to control the very foundation of our digital lives.