Can registrars put a lid on fraudulent domain registrations? You bet!


While the overall percentage of garden-variety phishing using fraudulent domains has gone down in recent years, criminals still employ this tactic enough for it to be a thorn in the side of the industry. Criminals also use fraudulent domains extensively for distributing malware and surreptitiously controlling their botnets.  Many registrars have put measures in place to prevent abuse, yet fraudulent registrations continue, even against industry leaders.  What can we learn from the best registrars and other industries facing similar fraud activities?

Surveying the registration industry and e-commerce in general, there are several practical abuse prevention measures that a domain name registrar can employ – without spending a lot of time or money on the effort. It starts with a belief that, as a law-abiding member of the Internet Infrastructure community, you can absolutely minimize fraudulent activity on your systems, and make your business unattractive to the criminal element.


Fortunately registrars looking to reduce fraudulent domain registrations can validate transactions, registrants, and domain names in several ways, some "free" and others commercial.  Practices required to be PCI compliant (and thus able to store credit card data) are straightforward to implement, with plenty of plug-in modules available in open source and commercially. Other solutions that are widely available in software and services include checks for nonsense whois data, blocking of suspect credit cards, flagging of registrations from suspicious IPs, including registrations made using anonymizing servers (e.g. TOR), and "fraud fingerprinted" devices.

If one requirement set by a registrar is a verifiable address (and why wouldn't it be?), there are services that can check to make sure that a listed address actually exists. If there's a doubt, it's pretty quick and easy to see if almost any street address in the world actually exists with a Google search. Furthermore, the universe of countries you can't do good verification within is actually pretty small these days. Such a search may even turn up the fact that the address has been used many times for fraud (bad guys are lazy too!). Registrars can throw some other check or verification process, such as an out-of-band confirmation, at that point. If someone registers a domain and claims they're in the US, uses a US credit card, but is doing it out of Belarus, well, that's easy to see and do something about: GeoIP software/services can tell you if that's the case. Similar services can immediately inform you whether an IP is on the TOR node list or some other proxy, or whether the IP belongs to a botnet or some other suspicious location.

Taking it even further, credit rating services can do a light background check to see if the person submitting the credentials actually lives or works at the address specified. While not perfect, these kinds of services can certainly let registrars know which registration attempts are more likely to be risky or fraudulent, which is why e-commerce companies, gambling sites, and other high-risk merchants use them as a de facto standard to reduce fraud. Credit card companies are more than happy to get registrars set up with them! They also offer programs like Verified by Visa and Mastercard SecureCode for web merchants.

If a registrar has a suspicious transaction, but still wants to capture a possible customer, further verification steps—like going through an e-mail verification process (full automation), calling into a call center to answer questions, faxing copies of ID/Credit Card, or other higher touch confirmations—can be employed.  Most fraudsters won't bother to jump through such hoops, and while a few legit customers may bail out, most who would get such scrutiny probably have to do the same kinds of things regularly for e-commerce sites and know the drill.  So the only real issue is cost to implement, and that can be controlled by making sure to only use such measures when they matter.

Instead of applying a bunch of "costly" anti-fraud measures every time someone registers a new domain name, registrars seeking to reduce cost may simply use stricter measures on brand-new account set-ups and customers with whom they don't have a long history.

Chances are that if a customer proves to be "real" within 90 days, they're good to go. Just apply the hard-core checks to new guys. That keeps costs down while catching the bulk of fraudulent registration attempts. Domain registration providers will probably never eliminate fraud completely, but can definitely make it MUCH harder for the bad guys to set up fake domains than current industry practices allow.
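The tiered approach described above (cheap checks for everyone, expensive checks and step-up verification only for accounts younger than 90 days) can be expressed as a small risk-scoring routine. The following is an added example, not code from the original article or from any registrar; the GeoIP table, TOR exit-node list, reused-address list and score thresholds are all constructed placeholders standing in for the commercial feeds and policy values a real registrar would plug in.

```python
"""Added example: tiered fraud-risk assessment for a domain registration attempt.

Combines the checks the article lists (nonsense whois data, GeoIP vs. claimed
country, card country vs. claimed country, TOR/proxy source IP, addresses seen
in earlier fraud) and only applies them to accounts younger than 90 days.
All data tables below are constructed for the example; a real deployment
would query GeoIP, TOR exit-node and fraud-fingerprint services instead.
"""
from dataclasses import dataclass, field
import re

# Constructed lookup tables (placeholders for commercial/open feeds).
GEOIP_TABLE = {"203.0.113.7": "US", "198.51.100.9": "BY", "192.0.2.44": "DE"}
TOR_EXIT_NODES = {"192.0.2.44"}
REUSED_FRAUD_ADDRESSES = {"1 nowhere lane, nowhere"}

# Policy values: assumed thresholds, tune to the registrar's own loss data.
ESTABLISHED_ACCOUNT_DAYS = 90
STEP_UP_THRESHOLD = 30   # send to out-of-band confirmation (e-mail, call center)
REJECT_THRESHOLD = 60    # decline the registration outright


@dataclass
class Registration:
    account_age_days: int
    registrant_name: str
    street_address: str
    claimed_country: str   # country given in the whois/contact data
    card_country: str      # issuing country of the payment card
    source_ip: str         # IP the registration request came from


@dataclass
class Assessment:
    score: int = 0
    action: str = "accept"           # accept | step_up | reject
    reasons: list = field(default_factory=list)


def looks_like_nonsense(text: str) -> bool:
    """Crude nonsense detector for whois fields: too short, one repeated
    character ("aaaa"), or keyboard-mash / placeholder tokens."""
    t = text.strip().lower()
    if len(t) < 4:
        return True
    if re.fullmatch(r"(.)\1+", t):
        return True
    return re.search(r"asdf|qwerty|zxcv|\btest\b", t) is not None


def assess(reg: Registration, geoip=GEOIP_TABLE, tor=TOR_EXIT_NODES,
           known_bad=REUSED_FRAUD_ADDRESSES) -> Assessment:
    a = Assessment()

    # Established customers skip the costly checks entirely (the article's
    # cost-control point): the history is the verification.
    if reg.account_age_days >= ESTABLISHED_ACCOUNT_DAYS:
        a.reasons.append("established account, no step-up checks applied")
        return a

    if reg.source_ip in tor:
        a.score += 40
        a.reasons.append("source IP is a known TOR exit node")

    ip_country = geoip.get(reg.source_ip)
    if ip_country and ip_country != reg.claimed_country:
        a.score += 30
        a.reasons.append(f"GeoIP {ip_country} != claimed {reg.claimed_country}")

    if reg.card_country != reg.claimed_country:
        a.score += 20
        a.reasons.append(f"card country {reg.card_country} != claimed")

    if looks_like_nonsense(reg.registrant_name) or looks_like_nonsense(reg.street_address):
        a.score += 30
        a.reasons.append("nonsense whois data")

    if reg.street_address.strip().lower() in known_bad:
        a.score += 50
        a.reasons.append("address previously used in fraudulent registrations")

    if a.score >= REJECT_THRESHOLD:
        a.action = "reject"
    elif a.score >= STEP_UP_THRESHOLD:
        a.action = "step_up"
    return a


if __name__ == "__main__":
    # Constructed sample: claims US, pays with a US card, arrives from a BY address.
    sample = Registration(5, "Jane Example", "10 Main Street", "US", "US", "198.51.100.9")
    result = assess(sample)
    print(result.action, result.score, result.reasons)
```

The scoring is deliberately additive so that a single weak signal (one GeoIP mismatch) leads to step-up verification rather than rejection, while stacked signals (TOR exit plus mismatch, or a reused fraud address) decline outright; the `reasons` list is what an analyst or the customer-facing step-up flow would see.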
