Dave Piscitello wrote an interesting article on SPAMHAUS.org that took issue with the practice of bulk domain name registrations.
Piscitello describes the allure of bulk registration for cyber criminals. He talks about the weaponizing of domain names and how ICANN and the domain registrars have a part to play in slowing it down.
He breaks down the economics for cyber criminals. From the article:
Cheap domain names, accessible in bulk, contribute to a criminal marketplace in which small investments can yield extraordinary returns. In the Interisle report, we consider the investment in a ransomware attack:
- Mailing lists can be purchased on the Dark Web, online or created using email harvesters, again available from programming repositories such as GitHub.
- 1000s of domain names can be acquired for pennies per domain from various registrars.
- Malware can be purchased through RaaS as cheaply as $39.00. Similar opportunities exist for acquiring a Phishing kit, or these can be downloaded for free from repositories such as GitHub.
- Online tutorials for novices are available from YouTube.
Assuming an extortion fee of U.S. $200-500, a ransomware attack can be profitable with fewer than a dozen victims. Multiple, successful ransomware campaigns yielding thousands of victims are within reach, making this criminal activity a possible $1M/year enterprise.
The article makes some hyperbolic analogies, putting the tracking of bulk domain registrations on par with tracking ammonium nitrate.
Piscitello writes:
Other industries recognize and accept their obligation to protect the public from criminal misuse of potentially dangerous products through mandatory or recommended validation regimes. U.S. pharmacies, for example, require valid proof of identity from any party that attempts to purchase quantities of pseudoephedrine that exceed well-defined limits. Legitimate businesses comply with these and like-minded regulations in the interest of public safety.
The domain name industry could accept a similar obligation by verifying registrant payment methods as part of the validation process; for example, registrars could decline transactions in which the registrant contact data does not match the authorized credit card user. They could also prohibit anonymous or non-traceable payment methods.
You can read the full article here
Rob Monster - Epik.com says
The folks who tend to buy these spam domains of the most nefarious type also tend to be the ones most likely to use unauthorized payment sources.
The domains that they buy are typically used for disposable purposes. Their expiry stream is next to zero, and the result is to damage the registrar’s reputation scores in certain lists and algorithms.
In other words, they tend to be not desirable. Long-term minded registrars have ample incentive to avoid them. The exception is those registrars who like to goose their numbers and are complicit. Those exist.
As for institutionalizing ID verification to register a domain, it is a terrible idea. There are people who need to own domains anonymously due to personal danger.
Let’s not willingly participate in handing over the namespaces to a police state. Those wheels are very much in motion and should be resisted by anyone who values private ownership of domains.