Domain Name Security Threat Information Collection & Reporting (DNSTICR)
DNSTICR is an ongoing project of the ICANN Office of the Chief Technology Officer (OCTO) that looks at registrations related to the COVID-19 pandemic to find evidence of any activity related to malware or phishing. Where sufficient evidence of malicious activity is found, the ICANN organization sends a report to the responsible registry or registrar so that they can determine the appropriate action, such as suspending or deleting the domain name.
For a more information, read our latest blogs on this project:
Frequently Asked Questions (FAQ)
What is the Background?
In response to reports of COVID-19-related Domain Name Security (DNS) security threats, ICANN began to study COVID-19-related domain registrations and identify the most clear-cut cases where domains are being used for phishing or malware distribution. ICANN then produces reports for each identified domain name. Each report includes evidence of phishing or malware campaigns and other background information that can be helpful for a responsible party (primarily registrars or registries) to determine the appropriate course of action. These reports are then provided to the responsible parties for them to determine the correct course of action, for example suspending or deleting the domain name.
It is important to recognize that ICANN is using an evidence-based approach that identifies names that appear to have been used for malicious purposes and are related to the COVID-19 pandemic. Many of the reports in the popular press and elsewhere include names that contain COVID-19-related terms and are considered, therefore, to be a risk. As a result, these reports cite case numbers of domain name abuse that are significantly higher than those we have observed and include many names that may be in use for legitimate purposes. Some reports also list hundreds of thousands more cases than the few thousands for which ICANN found evidence of problems. The number of cases ICANN finds sufficient evidence to report a problem is usually in the low hundreds. In addition, DNSTICR focuses exclusively on phishing and malware distribution, whereas other reports include counts of domains used in spam, fraud, and other content-related matters. As a result, those reports will likely have higher numbers.
Why is This Topic/issue Important to ICANN?
DNS Security threats, such as phishing and malware distribution campaigns, have been identified as within ICANN's remit and area of interest. Projects such as DNSTICR not only allow for the mitigation of these issues, but also provide ICANN with evidence-based insights into the actualities of how and at what level these threats are taking place. ICANN believes that evidence-based data and study are critical to the policy development processes and to the reduction of harm caused by DNS Security Threats.
What Are Current Terms/Words That are Presently Being Monitored?
Currently, OCTO is monitoring new terms related to COVID, stimulus payments, lockdowns, suggested treatments, vaccines, and various pharmaceutical companies. Where appropriate, we have translated terms and included Internationalized Domain Names (IDN) forms. While we have added new terms as the situation has evolved, it is quite possible that we are missing some.
How Big is the Problem?
Since we started collecting consistent, timely data in May 2020 we have detected 210,939 domains that match one or more of our keywords. Most of these domains are benign or have a neutral reputation (e.g. they are not being used). One or more of our third-party sources contained evidence on 12,860 (6.1%) of these filtered domains, but this includes low-quality reports. Limiting to just high-confidence or multiple independent pieces of evidence we see 3,791 (1.8%) of the domains being flagged.
Who Can I Contact If I Have Additional Questions About This Effort?
Please contact the OCTO team at OCTO@icann.org if you have any additional thoughts or comments about this effort.