ICANN Org’s Multifaceted Response to DNS Abuse
While the March report from ICANN’s Domain Abuse Activity Reporting system show a general reduction in second-level gTLD domain names identified as being used in phishing, malware distribution, and botnet command and control, it has been widely reported that criminals are taking advantage of the global COVID-19 pandemic by launching malicious online campaigns. There have also been numerous reports of spikes in the use of COVID-19-related domain names for DNS Abuse.
ICANN’s response to DNS Abuse is always multifaceted, reflecting the need to address abuse within the constraints of ICANN’s Bylaws and policies as defined by the ICANN community, and by obeying local law and regulatory requirements. In general, ICANN Contractual Compliance (ICANN Compliance) enforces the contractual obligations set forth in ICANN’s policies and agreements, including the Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA), the Office of the Chief Technology Officer (OCTO) provides subject-matter expertise, and the Global Domains Division (GDD) works with the contracted parties to help support the delivery of registry and registrar services in accordance with contractual and consensus policy obligations.
In the case of COVID-19-related abuse, the same actors within the ICANN organization have prioritized handling of COVID-19-related DNS Abuse, working with their respective communities to help mitigate the new threats. These threats include phishing, business email compromise, malware distribution, scams, and many other types of attacks. In some cases, the criminals are luring Internet users into giving away their access credentials and confidential information with the promise that they are buying supposed cures for the coronavirus and personal protective equipment. In other cases, the attackers are spreading disinformation or infecting unsuspecting users’ devices with malware. Unfortunately, many of these malicious activities use or leverage domain names and some in the Internet community are reasonably asking what role ICANN has in attempting to stem these abuses.
Within OCTO, the Security, Stability, and Resiliency team has built a system that helps identify abusive domains leveraging the coronavirus pandemic. This system looks for domain names similar to or incorporating terms such as “coronavirus”, “covid”, “pandemic”, “ncov,” and others, and once identified, assesses them against multiple high-confidence threat intelligence sources to determine whether or not they are involved in phishing and/or malware distribution. If so, the domain names and the data collected by the system will be shared with parties who are in a position to take action, such as registrars and registries, and in some cases with national and international law enforcement organizations. The system is being tested internally to ensure the highest confidence levels in order to avoid false positives as much as possible, and we’re working with a number of community members to ensure that the reports generated by the system meet their reporting requirements so that appropriate action can be taken in a timely fashion.
In addition to developing this new analysis and reporting platform, team members from OCTO joined both the COVID-19 Cyber Threat Coalition (CTC) and the COVID-19 Cyber Threat Intelligence League (CTI League) along with hundreds of researchers from private companies and law enforcement officers from several countries. These groups share valuable threat information, focused on the response to the pandemic on the cyber realm. Similar to ICANN’s work with the incident response community through its Forum of Incident Response and Security Teams (FIRST) and through our engagement with the threat research and operational security communities through the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG), the Anti-Phishing Working Group (APWG) and the National Cyber-Forensics and Training Alliance (NCFTA), ICANN primarily contributes to these groups by providing subject-matter expertise and facilitating communication between the various parties interested in mitigating DNS abuse.
ICANN Compliance Efforts
As mentioned previously, ICANN Compliance enforces the contractual obligations set forth in ICANN’s policies and agreements, including the Registry Agreement (RA) and the Registrar Accreditation Agreement (RAA). ICANN Compliance also works closely with OCTO to identify DNS security threats (phishing, malware distribution, and botnet command and control) and associate those threats with the sponsoring contracted parties. ICANN Compliance uses data collected in audits (described in more detail below) to assess whether registries and registrars are adhering to their DNS security threat obligations. Outside of audits, ICANN Compliance will leverage data collected by OCTO and others to proactively engage with registries and registrars responsible for a disproportionate amount of DNS security threats. Where constructive engagement fails, ICANN Compliance will not hesitate to take enforcement action against those who refuse to comply with DNS security threat-related obligations.
In response to the current pandemic, ICANN Compliance is screening complaints for those related to COVID-19 pandemic-related terms and processing these complaints with high priority. It is important to note that ICANN org was never granted, nor was it ever intended that it be granted, authority to act as a regulator of Internet content. In that regard, when it comes to ICANN Compliance, content issues should not be confused with DNS security threat-related obligations included in the RA and RAA.
ICANN Compliance expends a considerable amount of time and effort addressing abuse complaints. From March 2019-March 2020, ICANN Compliance received more than 1,500 abuse complaints. The majority of the complaints were closed during the informal resolution process because the registrars demonstrated compliance with the RAA’s requirements to take steps to investigate and respond to the abuse reports. Of those that did not result in breaches, approximately 10% resulted in the suspension of the domain names that were included in the complaint submitted to ICANN Compliance.
In addition, from 1 January 2014 to 31 January 2020, ICANN Compliance issued 42 breach notices to registrars, which included notices either for failures to publish on the relevant registrar’s website an email address to receive abuse reports, a description of the registrar’s procedures for the receipt, handling and tracking of abuse reports, or both. In resolving these breach notices, ICANN Compliance further issued:
- Five notices of termination of the registrar’s accreditation;
- One registrar voluntarily terminated its accreditation upon receiving the notice of breach.
- Four notices of suspension of the registrar’s accreditation.
The following are examples of the abuse-related provisions enforced by ICANN Compliance:
- Registry operators have an obligation to include a provision in their agreement with registrars, for registrars’ agreements with registrants to prohibit registrants from engaging in certain activities, and requiring consequences for the registrants for such activities, including suspension of the domain. ICANN Compliance can, and does, take direct enforcement action against registry operators who fail to include the required provision in their agreements with registrars (Base Registry Agreement, specification 11 3(a)).
- Registry operators are required to periodically conduct a technical analysis to assess whether domains in their gTLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. In addition, registry operators are required to maintain statistical reports on the number of security threats identified, including the actions taken as a result of the periodic security checks for the term of the Agreement, and to provide copies of these reports to ICANN upon request (Base Registry Agreement, specification 11 3(b))
- Under section 3.18 of the RAA, registrars are required to:
- Take reasonable and prompt steps to investigate and respond appropriately to abuse reports;
- Review well-founded reports of Illegal Activity (as defined in the RAA) that are submitted by law enforcement, consumer protection, quasi-governmental or other similar authorities; and
- Publicly display abuse contact information and abuse report handling procedures for users to know how to submit abuse reports to the registrar and how those reports would be addressed.
- While investigating valid abuse complaints, ICANN Compliance requires registrars to explain how they investigated and responded to the abuse reports and to provide a link to, or a copy of, the registrar’s domain name use and abuse policies that support the registrar’s handling of the specific abuse report.
- ICANN’s Contractual Compliance Audit Program addresses abuse in some of the questions that it routinely formulates to both registries and registrars, to determine whether they are compliant with provisions that may help address different forms of abuse. ICANN Compliance has also focused its recent audits on DNS abuse.
- Last year, ICANN Compliance conducted a Registry Operator Audit for Addressing DNS Security Threats. The audit assessed registry compliance with contractual obligations including Base RA Specification 11 3(b) (described above). ICANN Compliance will conduct an audit of its accredited registrars to assess compliance with their DNS security threat obligations. In conducting these audits, ICANN Compliance relies on expertise developed by OCTO to identify DNS security threats and to associate them with the sponsoring contracted parties.
ICANN Compliance urges parties who come across domain names that appear to be used to perpetrate DNS abuse, particularly related to COVID-19, to report them to the relevant registry and registrar and to submit complaints to ICANN Compliance if they believe that the contracted parties have failed to adequately address their abuse report in a timely and reasonable manner. ICANN Compliance encourages reporters of DNS abuse to registrars to review the guidelines published by the Registrar Stakeholder Group.
Global Domains Division (GDD) maintains the business relationship with gTLD registries and ICANN’s accredited registrars, and provides services to support them in fulfilling their contractual obligations. Through these collaborative relationships, GDD helps to combat DNS security threats and other forms of DNS abuse by connecting and coordinating activities within the contracted parties to various parts of ICANN org and the community.
Earlier this month, I emailed the gTLD registries and registrars thanking them for their efforts and actions aimed at helping to mitigate and minimize the abusive domain names being used to maliciously take advantage of the coronavirus pandemic. The Registrar Stakeholder Group has recently posted a useful guide, entitled “Registrar approaches to the COVID-19 Crisis,” that provides a number of steps and resources the registrar community can use in their efforts.
GDD is closely monitoring COVID-19-related abuse and its impact on the domain industry. Specifically related to this, the GDD team recently provided guidance for how registrars can protect registrants who may have difficulty renewing their domain names in a timely manner. GDD has requested further discussions with representatives of contracted parties to better understand, combat, and mitigate the problems both the contracted parties and the registrants are facing and to develop ideas for potential solutions.
Combating abuse requires predictable and reliable access to domain name registration data for those with a legitimate interest. ICANN org continues to try to gain clarity under the European Union’s General Data Protection Regulation with regard to whether a Unified Access Model for gTLD domain name registration data is possible under EU law. Access to this registration data is critical for law enforcement and security practitioners to protect Internet users from the criminals leveraging the COVID-19 pandemic, or any other threats that emerge, for fraudulent and criminal activity. The ICANN community, through the work of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data, has spent an enormous amount of time and effort in defining the elements of a centralized access model. ICANN org and others have also spent a considerable amount of effort in seeking guidance from the European Data Protection Board on whether and, if so, how such a model can provide efficient access to registration data in compliance with the GDPR. To date, the ICANN community has not received the requested guidance.
ICANN org will continue to evaluate additional methods and tools necessary to ensure a stable and secure DNS for all Internet users. Please remember to take the necessary steps to protect your systems and stay vigilant in safeguarding yourself from possible malicious activity. Standard “cyber-hygiene” practices, such as not clicking on links in unsolicited email, verifying email “from” addresses correspond to expected senders, being wary of email that contains typos or odd grammar, never providing credentials of any kind in response to email or links contained in email, being skeptical of claims made in unsolicited email, etc., can go a long way to helping reduce the likelihood you will be victimized by attackers leveraging the DNS for abuse.
The health and safety of the community is a top priority for ICANN org. Please stay safe online and offline to help slow the spread of COVID-19 and the efforts of criminals to take advantage of a global pandemic.