Leveraging a Registrar to Tackle Fraudulent Domains
Part of IID’s Takedown Taekwondo Series
In several previous Takedown Taekwondo posts, we’ve discussed ways in which IID gets phishing and malware sites removed from hacked domains. These are websites with legitimate business on the Internet that have been hacked by a cyber criminal to include fraudulent pages. Hacked sites belonging to victimized site owners make up a significant amount of the fraud on the Internet and are popular with cyber criminals because hacking already-existing domains allows them to bypass the step of registering their own. Alternatively, using free domain registration services or stolen credit card or banking credentials, cyber criminals might choose to register their own domains for phishing or malware drop sites. These domains are known as fraud domains, as they have no purpose other than the fraud the cyber criminal seeks to commit with them. Getting these fraud domains removed from the Internet requires a different set of tools than those we use to remedy hacked domains.
Flagging a Fraudulent Domain
Fraud domains are easy to spot if you know what to look for. A dead giveaway is a domain that impersonates a real brand, either by intentionally misspelling a well-known brand name or by adding keywords to the domain.

For instance, Google’s email platform may be spoofed with domains like gnnail.com or login-gmailaccount.net. In both instances, the domains may look close enough to the real thing to fool people. Domains that were registered very recently, especially within a few days or weeks, are also very often fraudulent. If you think about a major brand whose website you might log into - the credit union you bank with, for instance - you wouldn’t be surprised to learn that their domain has been around a long time. Their website lives on a domain that is effectively their online presence and home. A domain that was just registered yesterday, no matter how similar to the actual bank or other brand name, is very unlikely to be a legitimate extension of their online presence.
Who You Gonna Call?
When working to have a phishing page removed from a hacked domain, we contact the site owner, webhost and ISP, each of whom should be able to help in one way or another. With phish on fraud domains, our tactics are a bit different. For starters, we don’t want to contact the site owner because, of course, they are presumably a criminal. The criminal registered the particular domain to be home to the phishing site we’re trying to shut down. Certainly, our request to shut down the phish they’re trying to make money off of isn’t going to go over well, and besides, we don’t want to tip off the criminal that we’re on to them. So site owners are out on fraud domain cases. Instead, our first steps in fraud domain cases are to contact the ISP hosting the illegal site, as well as the domain’s registrar. Though the ISP can help by taking the fraud website offline on its IP space, we ultimately want the registrar to remove the domain from the Internet completely. Otherwise the criminal can just re-point the domain to a new website when we get the first website down.
The registrar is the company or organization that sold or leased the domain to the registrant. Criminals registering domains for fraud might register a single domain or large batches of domains at once and might use bogus registrant information, like a fake name, incomplete phone number, or non-existent address. In order to be accredited by ICANN - the Internet Corporation for Assigned Names and Numbers - registrars must have and enforce policies against falsifying registrant data. Obviously fake information - like a registrant named Donald Duck residing at 1234 Anywhere Street - should be enough to at least get the attention of the registrar responsible for the domain. Knowing this, criminals will sometimes avoid suspicion by using the real credentials of the victim whose credit card they stole and used to register the fraud domain. But if other signs point to fraud, we will proceed, directing the registrar to view the phishing, malware or other criminal material on the domain in an effort to get them to shut down the domain. Even if the registrant information can’t be confirmed as fake or stolen, the presence of criminal content coupled with a relatively recent registration date is typically evidence enough to get the registrar to take action to kill the domain.
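Putting the indicators from the Flagging section and the bogus-registrant check above into code, as an added example that is not IID’s tooling: the brand list, confusable map, 30-day threshold and placeholder-address pattern are assumptions, and registration data is passed in rather than fetched from WHOIS.

```python
import re
from datetime import date

# Constructed example data, not IID's lists: brands to watch, visual
# confusable substitutions, and the age below which a registration is
# treated as recent (the post says "a few days or weeks"; 30 is assumed).
BRANDS = {"gmail", "paypal"}
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
RECENT_DAYS = 30
# Placeholder wording that marks an obviously fake postal address.
BOGUS_ADDRESS = re.compile(r"\b(anywhere|nowhere|somewhere)\b", re.I)


def second_level(domain):
    """Return the registrable label, e.g. 'gnnail' for 'gnnail.com'."""
    return domain.lower().rstrip(".").split(".")[-2]


def normalize(label):
    """Collapse confusable letter pairs so 'gnnail' reads as 'gmail'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def flag_domain(domain, registered, registrant, today):
    """Collect the fraud indicators the post describes for one domain.

    registered: creation date (from WHOIS/RDAP in practice; supplied here)
    registrant: dict with 'name' and 'address' strings
    Returns a sorted list of indicator tags; empty means nothing flagged.
    """
    reasons = set()
    label = second_level(domain)
    canon = normalize(label)
    for brand in BRANDS:
        if canon == brand and label != brand:
            # Misspelling that collapses to the brand: gnnail -> gmail
            reasons.add("lookalike:" + brand)
        elif brand in canon and canon != brand:
            # Brand plus extra words: login-gmailaccount -> login, account
            extra = [t for t in re.split(r"[^a-z]+", canon.replace(brand, " ")) if t]
            if extra:
                reasons.add("keyword-padded:" + brand)
    if (today - registered).days <= RECENT_DAYS:
        reasons.add("recent-registration")
    if BOGUS_ADDRESS.search(registrant.get("address", "")):
        reasons.add("bogus-registrant")
    return sorted(reasons)
```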
Shooting for NX Status
When a registrar kills a domain, they may simply discontinue its use by the current criminal and malicious site and return it to “available” status for re-registration. Ideally, the registrar will either suspend the domain by deleting it at the registry, causing it to respond as NXDomain (Non-eXistent Domain) when queried, or they’ll point its DNS to a server that they own so that the domain never connects to the fraud content, instead timing out or connecting to a custom warning about fraud. These are the methods we prefer they use so that the domain is not at risk of falling into criminal hands again. Of course, if it were to be re-registered by the same or another criminal for malicious purposes, we would know. It’s for just that reason that IID monitors all malicious domains that we’ve had killed. Reactivations happen, and when they do, we want to be sure we get the domain removed again, and permanently. A reactivation actually makes for a good way to convince a registrar to fully NX a domain as a way to avoid further reactivations. Those reactivations just mean more work for everyone involved in killing it, so “NXing” it once and for all benefits everyone.
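An added example, not IID’s monitoring code, of the re-check loop described above: each lookup result is classed as NX, sinkholed, unresolved or live, and a killed domain that starts resolving elsewhere is reported as reactivated. The sinkhole range and the lookup results are constructed; a real monitor would feed it resolver output.

```python
from ipaddress import ip_address, ip_network

# Constructed example: address space a registrar told us it parks killed
# domains on (assumed; 192.0.2.0/24 is the RFC 5737 documentation range).
SINKHOLES = [ip_network("192.0.2.0/24")]


def classify(rcode, answers):
    """Map one A-record lookup result to the outcomes the post describes.

    rcode: DNS response code string, e.g. 'NXDOMAIN' or 'NOERROR'
    answers: list of IPv4 address strings returned for the domain
    """
    if rcode == "NXDOMAIN":
        return "nx"            # deleted at the registry: what we aim for
    if rcode != "NOERROR" or not answers:
        return "unresolved"    # e.g. SERVFAIL, a timeout or an empty answer
    if all(any(ip_address(a) in net for net in SINKHOLES) for a in answers):
        return "sinkholed"     # parked on the registrar's own server
    return "live"              # resolving somewhere else: content may be back


class KillMonitor:
    """Re-checks killed domains and reports when one comes back to life."""

    def __init__(self):
        self.last = {}  # domain -> last observed state

    def observe(self, domain, rcode, answers):
        """Record a fresh lookup; return 'reactivated' on a kill-to-live flip."""
        new = classify(rcode, answers)
        old = self.last.get(domain)
        self.last[domain] = new
        if old in ("nx", "sinkholed", "unresolved") and new == "live":
            return "reactivated"
        return new
```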
With hacked websites and fraud domains covered, what more is there to know about getting fraudulent sites removed from the Internet? Plenty! Next time we’ll take a look at how criminals get the word out about their fraud sites, and what we do to combat the dissemination of those links to potential victims. Stick with us for this and many more Takedown Taekwondo topics in the coming months.