Abuse is all too common in top-level domains. In 2016 the Anti-Phishing Working Group reports phishing occurred in 454 TLDs, including in 228 new gTLDs. So it is not surprising that abuse occurs in any TLD. But how the TLD goes about fighting it, or not, can be of interest.

Recently SIDN, the registry for .nl (Netherlands), published a blog post on abuse in .nl. “Abuse is a growing problem, according to Lilian van Mierlo, [SIDN’s] Registration & Service Manager. ‘There are some types of abuse that we used to get reports about maybe ten times a year, and now we’re getting a thousand reports about. Or more! It’s not just that there’s more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing.’”

SIDN works in partnership with registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk and others where appropriate to fight abuse.

“In recent years, anti-abuse work has been taking up more and more of my department’s time,” Lilian continues. “It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 (“support for abuse to zero”). And it means we’re able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange.”

On Abuse204.nl, the article explains:
“Abuse204.nl (abuse to zero for .nl) is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn’t have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim being to get a message through the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn’t happen, we ask the registrars whether we can help. Where necessary we’ll follow that up with a reminder. Since we started abuse204.nl, we’ve managed to cut the average time-to-live of phishing and malware sites substantially.”

“Fake webshops have been around for years, but recently they’ve been getting more common. Even in the .nl domain, sadly. It’s a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don’t match what they’re supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that’s been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn’t a lot that we can do about fake webshops. But that doesn’t stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don’t we cancel the registration. So the fake webshop can’t make use of the name.”

The post also explains the Abuse Information Exchange, which is used to fight botnets, and why it’s vital to act quickly.

As a result, .nl is “one of the most secure internet domains in the world”.

“If we can keep it that way, all the effort’s worthwhile,” van Mierlo says. “But we have to be realistic: it’s impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers.”

To read the blog post in full on the SIDN website, see:
https://www.sidn.nl/a/internet-security/a-fight-on-three-fronts