Domain-name scams on the rise, ZADNA warns

Scampup

Well-Known Member
Joined
Dec 6, 2013
Messages
117


Many legitimate businesses have been affected by an increasing number of abusive or offensive domain-name registrations. The abusive activities and offensive practices of domain-name scammers can damage a brand’s identity and reputation.


Domain-name scammers are constantly registering domain names aimed at misleading the public. In most cases, the intent is to defraud a potential customer.


In South Africa, an ongoing trend is one where fraudsters impersonate well-known brands by registering a domain name similar to that of an authentic brand.


An example: A scammer creates a website that mimics a particular government department and calls for tender submissions from unsuspecting businesses. The scammer uses government department letterheads to send fake tender documents to potential bidders.

...
 

Scampup

A malicious domain name will cost R5000/domain (assuming a summary decision) to mitigate:

Meanwhile criminals pay less than R100/domain.

The solution does not scale.

The obvious problem arises when registrars in the .ZA ccTLD namespace do not do checks and allow any garbage into the registry. Registrars EPag and 1API are infamous for this. POPIA and the GDPR are now used as a shield to shirk responsibilities from data accuracy checks. In the meantime criminals are defrauding South Africans, stealing their identities.


 

DA-LION-619

Honorary Master
Joined
Aug 22, 2009
Messages
13,045
POPIA and the GDPR are now used as a shield to shirk responsibilities from data accuracy checks.
That information was there for the benefit of the domain owner, it was not there for consumer protection lol.
 

Scampup

That information was there for the benefit of the domain owner, it was not there for consumer protection lol.
Your argument has been made many times previously. The domain owner knows he's the domain owner and does not need WHOIS. WHOIS was an open transparent system, used to alert domain owners to issues on their domains, or to allow attribution.

Domains were not intended to be used by criminals either. See Legal/Policies at https://www.registry.net.za/
 

DA-LION-619

Your argument has been made many times previously. The domain owner knows he's the domain owner and does not need WHOIS. WHOIS was an open transparent system, used to alert domain owners to issues on their domains, or to allow attribution.

Domains were not intended to be used by criminals either. See Legal/Policies at https://www.registry.net.za/
Exactly my point, it was meant for domain owners for their benefit.
Not for consumer protection.

If used by criminals then report it, https://www.registry.net.za/downloads/u/Advisory_on_Reporting_Cybercrimes_April_2013.pdf
That is not the same thing as Domain Name Dispute Resolution
 

Genisys

Honorary Master
Joined
Jan 12, 2016
Messages
10,999

Scampup

Exactly my point, it was meant for domain owners for their benefit.
Not for consumer protection.

If used by criminals then report it, https://www.registry.net.za/downloads/u/Advisory_on_Reporting_Cybercrimes_April_2013.pdf
That is not the same thing as Domain Name Dispute Resolution
Domain names were also not meant for the benefit of criminals. The role of WHOIS in protecting consumers has long since been acknowledged in the formative years of the internet.
There is more where that came from. Perhaps read up on the ICANN Beijing GAC Communique.

The ZACR complaint procedure works for taking down a single domain but does not scale sufficiently when a registrar allows domains into the registry with no accuracy checks. To make matters worse, they then take no responsibility for such a domain or the harm it caused despite clear evidence of malfeasance.

Something else to bear in mind is that mitigation will now take place in many cases once the harm has happened, not before. Previously we could predict domain intention based upon registrant data with up to 100% accuracy in certain cases. Consumers lost that proactive protection.

It's rather frustrating for law enforcement to jump through all the hoops to receive clearly connected garbage registration details with proxy IPs. In turn that discourages things like further future MLATs where the question is asked: "Why bother if you get garbage?"
 

Scampup

Yup, and also not to be confused with people having domains that are "unused". That isn't criminal, it's fair game. Especially if it doesn't infringe on someone's trademark.
There is no abuse or law against a domain name not being used.

Caveats:

Registering a new domain similar to that of a real known trademark, then offering it to the trademark owner at a handsome profit is a thing. It's called domain squatting.

Generically you may also find overzealous trademark lawyers if your domain appears to be similar to another domain name. Typically this would be the territory of arbitration or UDRP/URS in the gTLDs. It can be and is abused sometimes for reverse domain hijacking.

Sometimes we will see domains with no web content used for SMTP purposes only spoofing. Or wildcard DNS on a domain with a subdomain hidden somewhere with content, yet no default pages.


Anything that can be abused on the internet, will be. Sadly it makes the worst the internet has to offer neighbours with the most noble.
 

DA-LION-619

Domain names were also not meant for the benefit of criminals. The role of WHOIS in protecting consumers has long since been acknowledged in the formative years of the internet.
There is more where that came from. Perhaps read up on the ICANN Beijing GAC Communique.

The ZACR complaint procedure works for taking down a single domain but does not scale sufficiently when a registrar allows domains into the registry with no accuracy checks. To make matters worse, they then take no responsibility for such a domain or the harm it caused despite clear evidence of malfeasance.

Something else to bear in mind is that mitigation will now take place in many cases once the harm has happened, not before. Previously we could predict domain intention based upon registrant data with up to 100% accuracy in certain cases. Consumers lost that proactive protection.

It's rather frustrating for law enforcement to jump through all the hoops to receive clearly connected garbage registration details with proxy IPs. In turn that discourages things like further future MLATs where the question is asked: "Why bother if you get garbage?"
Still not seeing how any of your points make privacy the cause of the problems.
If the information isn't validated, that isn't a privacy issue.
If the procedure can't scale, that isn't a privacy issue.
Law enforcement isn't exempt from the laws they enforce, that isn't a privacy issue.
 

Scampup

Still not seeing how any of your points make privacy the cause of the problems.
If the information isn't validated, that isn't a privacy issue.
If the procedure can't scale, that isn't a privacy issue.
Law enforcement isn't exempt from the laws they enforce, that isn't a privacy issue.
POPIA and the GDPR have an accuracy requirement. It's not being enforced. The parties not enforcing it feel themselves absolved from responsibility for the abuse. The consequence is domain abuse leading to a loss of privacy. Cause and result.

A registrant registering a domain with garbage registration details using a proxy is not seeking privacy. You seem to confuse anonymity with privacy. These are two distinctly different creatures with different outcomes.
 

DA-LION-619

POPIA and the GDPR have an accuracy requirement. It's not being enforced. The parties not enforcing it feel themselves absolved from responsibility for the abuse. The consequence is domain abuse leading to a loss of privacy. Cause and result.

A registrant registering a domain with garbage registration details using a proxy is not seeking privacy. You seem to confuse anonymity with privacy. These are two distinctly different creatures with different outcomes.
I never said they were seeking privacy.
Even before WHOIS Privacy was a feature, details were never accurately checked.

Bad actors will always exist, so what do you want to achieve in the end?
 

Scampup

I never said they were seeking privacy.
Even before WHOIS Privacy was a feature, details were never accurately checked.

Bad actors will always exist, so what do you want to achieve in the end?
I'm surprised you can see it. In the past we could pivot on an email address, easily identify 200 malicious domain names used in fraud. Wilfully supplied inaccurate domain name details were a basis for a domain name termination. If the registrar did not address it you could escalate the matter as a breach to ICANN. Now you can't challenge what you can't see. A simple list of domains based with the invalid domain name identifiers in line with policies would suffice to get them suspended at best. As a courtesy you pointed out the wrongdoing and third party harm. At worst we could feed the protective infrastructure like RBLs. It was your choice to use it or not. Now we can't do that anymore. Perhaps read articles from the likes of Spamhaus, APWG.

What is your solution to DNS malfeasance?
 

DA-LION-619

I'm surprised you can see it. In the past we could pivot on an email address, easily identify 200 malicious domain names used in fraud. Wilfully supplied inaccurate domain name details were a basis for a domain name termination. If the registrar did not address it you could escalate the matter as a breach to ICANN. Now you can't challenge what you can't see. A simple list of domains based with the invalid domain name identifiers in line with policies would suffice to get them suspended at best. As a courtesy you pointed out the wrongdoing and third party harm. At worst we could feed the protective infrastructure like RBLs. It was your choice to use it or not. Now we can't do that anymore. Perhaps read articles from the likes of Spamhaus, APWG.

What is your solution to DNS malfeasance?

I'd be lying if I said I had a solution because WHOIS Privacy is basically done by default now, I can't remember when I last paid or had to enable it. I understand what you've been able to do in the past, that's why I asked what's your end goal? Knowing Cloudflare and their stance in the past, I don't see them or the other registrars undoing things.
 

Scampup

I'd be lying if I said I had a solution because WHOIS Privacy is basically done by default now, I can't remember when I last paid or had to enable it. I understand what you've been able to do in the past, that's why I asked what's your end goal? Knowing Cloudflare and their stance in the past, I don't see them or the other registrars undoing things.

Our end goal is mitigating harm.

Cloudflare has been great in mitigating abuse given evidence. Many registrars as well. The nGTLDs have PICs and the registries have been great generally. It is not uncommon for some of these folks to block and suspend upon blacklisting where the evidence exists in a trusted repository and the org has always been able to produce it when there is a query. It comes down to trust.

Certain registrars and hosting providers simply could not care. Imagine scamming somebody with terminal cancer to ensure a graceful end.

[Image: nembutal.jpg]
One such victim decided a bullet in the brain was preferable to terminal cancer and the shame of being scammed. Much of this could have been prevented.

Some ccTLDs like .US don't allow any proxy or privacy.

No business, or claimed business, should have the luxury of the GDPR, POPIA or a proxy. Vanity domains are a totally different discussion altogether.
 