criminal use of domain names
play

Criminal Use of Domain Names Greg Aaron, Illumintel Colin Strutt, - PowerPoint PPT Presentation

Oct 13, 2022 •105 likes •251 views

Criminal Use of Domain Names Greg Aaron, Illumintel Colin Strutt, Interisle Consulting Group 1 Maliciously Registered Domain Names Domain names registered to perpetrate cybercrime. Scope of the problem? 197,876,195 gTLD domain names

  1. Criminal Use of Domain Names Greg Aaron, Illumintel Colin Strutt, Interisle Consulting Group 1

  2. Maliciously Registered Domain Names • Domain names registered to perpetrate cybercrime. • Scope of the problem? • 197,876,195 gTLD domain names in zone files. • Over the course of a year, about 6 million gTLD domains appear on major blocklists. And that 3% is the floor . • Harms: cybercrime impacts reliability and trust on the Internet. More specifically, it has very human costs: theft of money and personal information. • “harm” vs. “crime” vs. “abuse” • Here’s an example of what you can do with data… 2

  3. Study: “Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access” by Dave Piscitello and Dr. Colin Strutt Interisle Consulting Group http://interisle.net/criminaldomainabuse.html 3

  4. Hypothesis • Cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domains for their attacks. • Bad domains get recognized and blocked • Some criminals need to rapidly, cheaply, and repeatedly acquire domain names 4

  5. Methodology • Assembled composite blocklist and reputation data from a variety of threat intelligence and reputation lists. • Including APWG, SURBL, Spamhaus, Abuse.CH • Indicate a variety of criminal activities, including malware, phishing, spamming • Found where thousands of such domains were blocklisted in short time frames. Selected batches in five TLDs. • Documented when those domains were registered, and at what registrars. This required domain registration data (WHOIS). Studied the registrars with these high concentrations of blocklisted • domains. Did they offer domains cheaply and in bulk? • Studied the behaviors of the registrants who made those bulk registrations. 5

  6. Example: Blocklisted domains in .TOKYO • Blocklisted in .TOKYO from Registrar IANA ID Abuse Domains December 12-25, 2018 = GMO Internet, Inc. 49 8,713 (100%) d/b/a Onamae.com • 8,715 blocklisted domain 1068 2 (0%) NameCheap, Inc. names Nearly all of these were registered using a single registrar 6

  7. Blocklistings corresponded with spike in registrations Above: # of domains in .TOKYO registry. Source: ntldstats.com The blocklisted domains represented 7% of the domains in the TLD 7

  8. Most of the blocklistings occurred on Dec 17, 2018 8

  9. Web site will create Customers random can upload names a file of 1 ¥ = names €0.0083 Why this registrar, GMO? - Very cheap domain registrations - Offers tools to register in volume 9 - Customers can generate random domain strings

  10. Finding Criminal Actors and Assets: Search • SEARCH historical WHOIS records for registrant Name, registrant Street Address, registrant Email address. • Suspect provided a registrant address in Japan • Also registered domains in .INFO, .CLUB, .ONLINE, .XYZ, .BIZ, .SPACE, and .WORK • Assume that criminals submit inaccurate/fraudulent contact data • Only some WHOIS records contain contact data (post-GDPR) • PIVOT to other databases or social media to identify related records and the criminal actors. 10

  11. Finding Criminal Actors and Assets: Pivot • Triangulate against additional data sources: IP address data, passive DNS records (nameservers), malware data, spamples, etc. Each is a different specialty. • Suspect hosted phishing sites and malware, at three hosting providers: InterQ GMO Internet, Inc.; IDC Frontier, Inc.; Sakura Internet, Inc. • Heatmap of phishing and malware activity at INTERQ GMO, AS 7506: • Examining what’s on that hosting often leads to yet more domains, additional bogus pseudonyms, etc. • Conclusion: Japanese criminals, using Japanese registrar, Japanese IP space, 11 targeting Japanese citizens.

  12. General Findings • Study confirms the hypothesis that cybercriminals take advantage of bulk registration services to use large numbers of domains for their attacks • The findings corroborate those of others (2017 ICANN report Statistical Analysis of DNS Abuse in gTLDs (SADAG) • [Disparate data sources are necessary.] • [This is where you can stop play whack-a-mole and where you can make a difference with one intervention.] 12

  13. Recommendations • The report offers nine recommendations. • Some could become binding policy through ICANN. • Others could be implemented by registrars and registry operators themselves. • Others are requests to make better data available. • http://interisle.net/criminaldomainabuse.html 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names

Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names

Web Hosting and Domain Names Introduction to Web Design Web Hosting and Domain Names Introduction to Web Design Domain names serve as a more memorable reference to Domain Names Internet resources. Domain names are used to identify Internet

288 views • 11 slides
Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and

Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and

Web Development Web Hosting and Domain Names CSCI-GA 1122 Web Development Web Hosting and Domain Names CSCI-GA 1122 Domain names serve as a more Domain Names memorable reference to Internet resources Domain names are used to identify

319 views • 13 slides
Geographic Top-level Domain Names NCUC Fellowship Programme Bruna Martins dos Santos

Geographic Top-level Domain Names NCUC Fellowship Programme Bruna Martins dos Santos

Geographic Top-level Domain Names NCUC Fellowship Programme Bruna Martins dos Santos Geographical Top-level Domain Names: Use of Country, territory or place names and references to language or people descriptions as a generic Top-level Domain

322 views • 5 slides
Recent Developments in the Domain Name Space Interna'onalized

Recent Developments in the Domain Name Space Interna'onalized

Recent Developments in the Domain Name Space Interna'onalized Domain Names and New Generic Top-Level Domains Agenda Overview of domain names Internationalized

244 views • 23 slides
The development of IDN .vn domain names PHAN Nguyen Ngoc Anh | VNNIC | 15 Mars 2017 Overview

The development of IDN .vn domain names PHAN Nguyen Ngoc Anh | VNNIC | 15 Mars 2017 Overview

The development of IDN .vn domain names PHAN Nguyen Ngoc Anh | VNNIC | 15 Mars 2017 Overview The Vietnamese internationalized domain names (IDN) are second level IDN under ccTLD .VN Registry: Vietnam Internet Network Information Center (VNNIC)

403 views • 7 slides
. ) (.jo & National Information Technology Center (NITC) Ahlam Abu-Jadallah

. ) (.jo & National Information Technology Center (NITC) Ahlam Abu-Jadallah

Jordanian Domain Names . ) (.jo & National Information Technology Center (NITC) Ahlam Abu-Jadallah .jo ccTLD Manager History of Jordanian Domain Names The .jo Domain names had been activated in November 23, 1994 NITC

929 views • 11 slides
The Universal Acceptance (UA) of Domain Names and Email Address Internationalization (EAI) Africa

The Universal Acceptance (UA) of Domain Names and Email Address Internationalization (EAI) Africa

The Universal Acceptance (UA) of Domain Names and Email Address Internationalization (EAI) Africa GAC Members Webinar 10 November 2020 | 1 Universal Acceptance of Domain Names and Email Addresses Mohamed Elbashir Universal Acceptance Program

938 views • 29 slides
Summary Internet, domain names & cybersquatting ADRs UDRP URS UDRP+

Summary Internet, domain names & cybersquatting ADRs UDRP URS UDRP+

W ILSON P INHEIRO J ABUR ADR S IN DOMAIN NAME DISPUTES : FAST , EFFICIENT AND COST - EFFECTIVE TOOLS AGAINST CYBERSQUATTING Summary Internet, domain names & cybersquatting ADRs UDRP URS UDRP+ Conclusion The Creation of

695 views • 48 slides
Welcome! Org. Names Org. Names Org. Names Org. Names Technical Set-up Denver Art

Welcome! Org. Names Org. Names Org. Names Org. Names Technical Set-up Denver Art

Digital Tools to Support Contact Tracing (DT4CT) Meeting Welcome! Org. Names Org. Names Org. Names Org. Names Technical Set-up Denver Art Davidson APHL Scott Becker HHS Sharon Sartin CDC Mark Stenger Interactive polling Iowa

581 views • 39 slides
More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset

More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset

More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers or services Arranged

974 views • 60 slides
The Domain Name System Database that primarily maps IP addresses (147.188.192.42) to names

The Domain Name System Database that primarily maps IP addresses (147.188.192.42) to names

The Domain Name System Database that primarily maps IP addresses (147.188.192.42) to names (www.cs.bham.ac.uk) and viceversa Nice properties: distributed, coherent, reliable, autonomous, and hierarchical DNS namespace has tree

180 views • 5 slides
CSE 336 Internet Programming Why You Need CSE336 Concepts like bits and bytes, domain names,

CSE 336 Internet Programming Why You Need CSE336 Concepts like bits and bytes, domain names,

Session 1 - Introduction CSE 336 Internet Programming Why You Need CSE336 Concepts like bits and bytes, domain names, ISPs, IPAs, RPCs, P2P protocols, infinite loops, and cloud computing are strictly the province of geeks or nerds who

511 views • 13 slides
A Reexamination of Internationalized Domain Names: the Good, the Bad and the Ugly Baojun Liu 1 ,

A Reexamination of Internationalized Domain Names: the Good, the Bad and the Ugly Baojun Liu 1 ,

A Reexamination of Internationalized Domain Names: the Good, the Bad and the Ugly Baojun Liu 1 , Chaoyi Lu 1 , Zhou Li 2 , Ying Liu 1 , Haixin Duan 1 , Shuang Hao 3 and Zaifeng Zhang 4 1 Tsinghua University, 2 IEEE Member, 3 University of Texas at

452 views • 31 slides
Improving Domain Names Utilization Ning Kong June 27, 2017 Content Status Quo of Chinese

Improving Domain Names Utilization Ning Kong June 27, 2017 Content Status Quo of Chinese

Improving Domain Names Utilization Ning Kong June 27, 2017 Content Status Quo of Chinese Phishing Websites Anti-Phishing Alliance of China (APAC) Suggestions for Improving Domain Names Utilization Q & A Status Quo of Chinese Phishing

367 views • 18 slides
faster c&c detection - strategies for finding algorithmically generated domain names

faster c&c detection - strategies for finding algorithmically generated domain names

. Malgorzata Debska September 22, 2015 CERT Polska faster c&c detection - strategies for finding algorithmically generated domain names Introduction - what is DGA? Malicious usage in botnets Benign DGA - false alarms in detection

1.38k views • 99 slides
DOMAINS AND HOSTING Web Application Development AGENDA A bit about domain names A bit

DOMAINS AND HOSTING Web Application Development AGENDA A bit about domain names A bit

DOMAINS AND HOSTING Web Application Development AGENDA A bit about domain names A bit about web hosting A bit about DNS info used in web hosting DOMAIN NAMES Web Application Development Duh WHAT IS A DOMAIN NAME? The

696 views • 42 slides
Bridging Theory and Algorithm for Domain Adaptation Yuchen Zhang Tianle Liu Mingsheng Long

Bridging Theory and Algorithm for Domain Adaptation Yuchen Zhang Tianle Liu Mingsheng Long

Bridging Theory and Algorithm for Domain Adaptation Yuchen Zhang Tianle Liu Mingsheng Long Michael I. Jordan School of Software, Tsinghua University National Engineering Lab for Big Data Software University of California, Berkeley 36th

421 views • 30 slides
Matrix Inequalities and Convexity Harry Dym Weitzman Institute Jeremy Greene UC San Diego

Matrix Inequalities and Convexity Harry Dym Weitzman Institute Jeremy Greene UC San Diego

Matrix Inequalities and Convexity Harry Dym Weitzman Institute Jeremy Greene UC San Diego Damon Hay University of North Florida Bill Helton UC San Diego Igor Klep Slovenia (everywhere) Adrian Lim Cornell Mihai Putinar UC Santa Barbara

246 views • 12 slides
345($.4+6 -#%*(.')%(+/.#2'0'()#% ! "#$%&'()#%*+#,+-#%*(.')%(+/.#0.'11)%0

345($.4+6 -#%*(.')%(+/.#2'0'()#% ! "#$%&'()#%*+#,+-#%*(.')%(+/.#0.'11)%0

345($.4+6 -#%*(.')%(+/.#2'0'()#% ! "#$%&'()#%*+#,+-#%*(.')%(+/.#0.'11)%0 -#%*(.')%(+/.#2'0'()#% 8$(9)%4 :;29')%+5#%*(.')%(+2.#2'0'()#%+'90#.)(<1*+,#.+='.)#$*+9#5'9+ 5#%*)*(4%5>+%#()#%*

597 views • 33 slides
Constraint sat. prob. (Ch. 6) Announcements Midterm regrades: due Nov. 7 th Types of constraints

Constraint sat. prob. (Ch. 6) Announcements Midterm regrades: due Nov. 7 th Types of constraints

Constraint sat. prob. (Ch. 6) Announcements Midterm regrades: due Nov. 7 th Types of constraints Try to do this job problem with: J1, J2 and J3 Jobs cannot overlap J3 takes 3 time units J2 takes 2 time units J1 takes 1 time unit J1 must

656 views • 62 slides
Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 , Ji Huang 1,2 , and Tianning Zang 2 1.School of Cyber Security, UCAS 2.Institute of Information Engineering, CAS Existing Techniques Used by Malware

638 views • 30 slides
Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster

Monitoring the Initial DNS Behavior of Malicious Domains Shuang Hao (Gatech) , Nick Feamster (Gatech) , Ramakant Pandrangi (Verisign, Inc.) Motivation DNS: A Critical Internet Service A distributed database mapping host names to IPs Most

377 views • 16 slides
Partial Transfer Learning with Selective Adversarial Networks Zhangjie Cao 1 , Mingsheng Long 1 ,

Partial Transfer Learning with Selective Adversarial Networks Zhangjie Cao 1 , Mingsheng Long 1 ,

Partial Transfer Learning with Selective Adversarial Networks Zhangjie Cao 1 , Mingsheng Long 1 , Jianmin Wang 1 , and Michael I. Jordan 2 1 KLiss, MOE; School of Software, Tsinghua University, China 1 National Engineering Laboratory for Big Data

422 views • 16 slides
Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena Torroglosa, Alejandro Prez, Antonio G. Skarmeta NEC Laboratories Europe University of Murcia Presentation at W3C Workshop on Access Control Application

555 views • 9 slides

More recommend