This is The Security Skeptic's Typepad Profile.
The Security Skeptic
Hilton Head Island, South Carolina, USA
Dave Piscitello is a 40-year networking and Internet veteran who now focuses on Internet security. The opinions expressed here are my own and do not necessarily represent the opinions of Interisle Consulting Group.
Interests: Fitness & free weights, historical fiction, cooking, gardening, inclusive society, unintended consequences of commoditizing technology without consideration of privacy or security.
Recent Activity
My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
Posted Jun 20, 2022 at The Security Skeptic
I was invited to participate in an 11 March 2022 meeting of the EU High Level Internet Governance expert group to discuss domain name abuse. Following a presentation of a Study on Domain Name System (DNS) Abuse commissioned by the European Commission, I gave a 5-minute intervention. This EC study is comprehensive and well worth reading. My Interisle colleagues are proud to have our Phishing Landscape 2021 Study and other related studies mentioned in the EC study. The transcript follows. Interisle intervention to EC HLIG on DNS Abuse Opening Remarks Thank you for the opportunity to address you today. My...
Posted Mar 14, 2022 at The Security Skeptic
A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They're coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...
Posted Mar 1, 2022 at The Security Skeptic
Dave Piscitello and Dr. Colin Strutt
As part of the US Covid-19 tax relief effort (American Rescue Plan Act of 2021, H.R.1319), the US Internal Revenue Service (IRS) issued a series of Economic Impact Payments to millions of eligible citizens. The third payment was authorized in March 2021. Criminals took note of this well-publicized program and put a phishing campaign together to profit by stealing and subsequently exploiting personal information of US citizens. Like many phishing campaigns, EIP phishing emails and text messages mimic official correspondence to convince US citizens to submit personal information or an advance fee payment at...
Posted Nov 30, 2021 at The Security Skeptic
My Interisle colleagues, together with Greg Aaron of Illumintel, have published a study of the scope and distribution of phishing. From 1 May 2020 through 30 April 2021, we collected nearly 1.5 million phishing reports. Our analyses found ~700,000 phishing attacks among the reports collected. Highlights from the study: Phishing increased by nearly 70% over the yearly period. Most phishing is concentrated at small numbers of domain registrars, domain registries, and hosting providers. The top 10 brands targeted accounted for 46% of the phishing attacks associated with specific brands. Phishing attacks are disproportionately concentrated in new Top-level Domains (TLDs). We...
Posted Oct 4, 2021 at The Security Skeptic
My Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. The European Union's General Data Protection Regulation (GDPR), adopted in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy, allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized,...
Posted Jan 25, 2021 at The Security Skeptic
My colleagues Greg Aaron, Dr. Colin Strutt, Lyman Chapin and I have published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing. The report can be found at http://www.interisle.net/PhishingLandscape2020.html Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes, that is, where they obtain domain...
Posted Oct 13, 2020 at The Security Skeptic
I attended (remotely) a Council of Europe cybercrime webinar on the impact of COVID on cybercrime last week. One of the most disturbing criminal activities discussed was the rise in reports of online predation. The National Center for Missing and Exploited Children (NCMEC) received 4.2 million reports in April 2020. That's up 2 million from March 2020 and nearly 3 million from April 2019 (Forbes, 9 May 2020). This is not surprising, since nearly everyone who is connected is spending more time on the Internet, but it's still terrifying. Look to the many government agencies that have parental guidelines to...
Posted May 26, 2020 at The Security Skeptic
My Interisle partners and colleague Greg Aaron have published a detailed study that measures the effectiveness and impact of ICANN's registration data access policies and procedures. This study reveals widespread problems with access to and the reliability of domain name registration data systems (WHOIS). These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic. In our Press Release I make the comment that, "The COVID-19 pandemic has led to a recent explosion of cybercrime, with thousands of new domain names using terms like 'covid' or 'corona' being used to perpetrate...
Posted Mar 31, 2020 at The Security Skeptic
Microsoft and partners from 35 countries recently took action to dismantle the Necurs spam infrastructure. Microsoft's post calls Necurs a botnet but provides details that illustrate how much more than a botnet Necurs is: The Necurs infrastructure served as a delivery platform for spam, cryptomining and DDoS attacks. The spam campaigns carried stock scams, fake pharma, Russian dating scams, malware and ransomware. The Necurs operators leased services to other criminal actors to perpetrate these attacks. These are characteristics that the Council of Europe's Convention on Cybercrime identifies as criminal activities in its Guidance Notes on Spam. Many of...
Posted Mar 17, 2020 at The Security Skeptic
My Interisle Consulting Group colleague, Dr. Colin Strutt, and I have published a report, Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access http://interisle.net/criminaldomainabuse.html In this report, we study "bulk registration misuse" by criminal actors. Bulk registration refers to the practice of rapidly acquiring domain names, using them in an attack, and abandoning them as if they were throw-away ("burner") phones. These domains are a critical resource for cyber criminals. We use reputation block list (RBL) data to reveal how the use of bulk registrations, coupled with the crippling of registration data access by the ICANN Temp Spec...
Posted Oct 18, 2019 at The Security Skeptic
ICANN organization has published a memorandum that describes its Readiness to Support Future Rounds of New gTLDs. The last time I looked, new TLD registrations from the 2012 round constituted around 12 percent of the total gTLD registrations. Despite the justifications most commonly cited for expansion, for example, "all the good names are taken", COM, NET, and many country code TLDs continue to prosper and grow. We should ask, "What benefits other than brand- and geo-TLDs does ICANN use to justify this new round?" More importantly, What's the hurry, and has enough been done to study and rectify the...
Posted Sep 13, 2019 at The Security Skeptic
by John Adams
Regardless of the type of business, it is virtually inevitable that your business will be targeted by cyber-attackers. However, while nearly 81% of cyber-attacks occur to small and medium-sized businesses, 97% of these attacks are preventable with the help of outsourcing cybersecurity services or by implementing recommended security practices and raising security awareness among employees. Businesses across the globe are ready to spend more on the security of their business against cybercriminals. According to research conducted by the research firm Cybersecurity Ventures, by 2021, the cost of cyber-crime will cross $6 trillion annually, worldwide. Most...
Posted Sep 5, 2019 at The Security Skeptic
After reading yet another round of complaints regarding the approvals process for ICANN's Centralize...
Posted Aug 13, 2019 at The Security Skeptic
In the aftermath of the adoption of the EU GDPR, ICANN's policies for access to domain registration data (Whois) have created adverse consequences for investigations into terrorist activities, political influence campaigns and cybercrimes, creating serious threats to public safety. In this APWG monograph, I explain how Whois data is employed during preventative and forensic cyber investigations, and how ICANN's interpretation of GDPR in particular delays development of programmatic machine-driven responses that are widely used to maintain public safety and are vital to the long-term viability of the Internet as a governable domain. Image by https://www.flickr.com/photos/carbonnyc/
Posted Jun 6, 2019 at The Security Skeptic
Peter Cassidy, on behalf of APWG and APWG EU
APWG.EU is holding its fourth annual Symposium on Global Cybersecurity Awareness in partnership with the European Commission and the Council of Europe (Convention on Cybercrime) on June 26 - 27, to be held at the European Commission Representation Office in Bucharest with the theme of Considering Behavioral Interventions at Global Scale. The objectives of the Symposium, inaugurated by APWG.EU in 2016, are the establishment of global strategies for cybersecurity awareness development, and the cultivation of research, measurement tools and awareness assets deployed as instruments of cybercrime prevention regimens subject to...
Posted Apr 10, 2019 at The Security Skeptic
I recently had the opportunity to preview a documentary, Pioneers in Skirts, by Ashley and Lea-Ann Berst. The film is a character-driven documentary addressing how women and girls with pioneering ambitions combat bias and sexism in our culture. Through candid conversations with women who've encountered that bias and, most importantly, women who have overcome bias to succeed when circumstances conspire against them, the movie seeks to encourage cultures worldwide to adopt gender parity. I watched the documentary in a male-dominated ballroom during a recent security conference. It's real. I've raised a daughter to be a dreamer, to believe she can...
Posted Apr 8, 2019 at The Security Skeptic
Two independently conducted studies demonstrate that the onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this and other security countermeasures.
Posted Mar 8, 2019 at The Security Skeptic
ICANN has released a January 2019 domain abuse report generated from the Domain Abuse Activity Repor...
Posted Feb 18, 2019 at The Security Skeptic
My friends at Spamhaus published a fine summary of several types of network hijacking attacks, see Network hijacking: the low down. I wrote a series of posts, Internet address hijacking, spoofing and squatting attacks, in 2011. This series of articles explores attacks that exploit the Internet's routing system in this manner. The series also describes the motives for such attacks, classifies the attacks based on certain distinguishing characteristics, and suggests measures that can be taken to mitigate attacks of these kinds. Mine is a good complement to Spamhaus' assessment of the current hijacking landscape if you're interested in digging deeper....
Posted Jan 9, 2019 at The Security Skeptic
The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN's Temporary Specification for gTLD Registration Data has affected their access to and use of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups. From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN's implementation of the Temp Spec...
Posted Oct 20, 2018 at The Security Skeptic
I remain skeptical of all the Whois studies that I've reviewed (FTC, SSAC, ICANN), including studies where I was a party to the research. I'll apologize for failing to contribute to a satisfactory Whois study. I'll also admit that my understanding of how to study a problem scientifically has greatly expanded over the past ten years. A truly scientific Whois study must meet certain common criteria. The purpose should be clearly defined; in particular, the researchers or parties who commission the research should make certain that they are asking the right question. Before I raise anyone's brows...
Posted Sep 12, 2018 at The Security Skeptic
One of the most memorable lyrics of For What It's Worth (Buffalo Springfield, 1967) aptly describes the current condition of the post-GDPR debate over domain registration data access: There's battle lines being drawn... nobody's right if everybody's wrong. Cybersecurity and policy pundits are heatedly engaged over the impact of the EU General Data Protection Regulation (GDPR). Both sides have done a poor job of articulating the problem space, overlooking key aspects of the regulation and ICANN's attempt to comply with GDPR in a Temporary Specification For Whois. As difficult as it is to engage in this discussion dispassionately, it's both...
Posted Sep 6, 2018 at The Security Skeptic
Domain Incite reports that Famous Four Media's portfolio of top-level domains is now under the control of Global Registry Services Ltd. The new company has promised to "abandon its failed penny-domain strategy and crack down on spam". Time will tell whether new ownership cleans up arguably the spammiest neighborhoods in the DNS. Famous Four's portfolio includes .loan, .win, .men, .bid, .stream, .review, .trade, .date, .party, .download, .science, .racing, .accountant, .faith, .webcam and .cricket. Historically, nearly all of these have at some point been egregiously spammy. How spammy? Check SURBL's Most Abused TLD list: .date, .loan, .men, .review, .stream, .trade currently...
Posted Aug 20, 2018 at The Security Skeptic
ICANN publishes the Domain Abuse Activity Reporting System (DAAR) methodology white paper and reviews
Reviews of the Domain Abuse Activity Reporting system (#DAAR) by Marcus Ranum and John Bambenek are now available, along with the initial draft of the DAAR Methodology white paper. Spoiler Alert! Some excerpts from the reviews: "the DAAR system is a straightforward implementation of a good idea" "The way DAAR is described is good; it is very neutral, informative, and non-threatening." "having such a system to analyze abuse data at a per-capita level for TLDs and Registrars is exciting" "The description is thorough and complete, so...
Posted Jul 26, 2018 at The Security Skeptic