.UG Fraudulent Domain Registrations Go “Through The Roof”: Spamhaus

In the first quarter of 2019, Spamhaus Malware Labs has observed an upswing in the number of fraudulent domain name registrations in .ug (Uganda) and .ng (Nigeria).

But it is the number of fraudulent registrations in .ug that has caught their eye and they note they have “gone through the roof”. In February 2019, 35% of all domain names within .ug that Spamhaus observed were registered for the sole purpose of hosting a botnet controller (C&C).

Digging deeper Spamhaus discovered a single bulletproof hosting outfit is connected to these domain registrations which is selling its services on underground sites and the dark web.

The setup is simple: They register a .ug domain name for their customer with the operator i3c.co.ug and use a Chinese based DNS provider DNSPod (Tencent). From a cybercriminal’s perspective, Spamhaus explain this has a big advantage: Both i3c.co.ug and DNSPod are exceptionally slow to investigate abuse reports, that’s if they are investigated at all. This makes a cybercriminal’s botnet C&C infrastructure almost 100% bulletproof to takedown requests.

To sort the problem Spamhaus is trying to work together with both i3c.co.uh and DNSPod to resolve this issue. While communication between these operators can be challenging these efforts are starting to pay off, with the percentage of fraudulent .ug domain registrations has reduced to 29% from the 35%.

In the first three months of this year, Spamhaus observed significant changes in the malware that’s associated with botnet Command & Control (C&C) servers, most notably a preference for cybercriminals to utilise crimeware kits.

The 2 top-level domains leading the way when it comes to those associated with botnet C&Cs continue to be .com (2,920 domains) and .uk (United Kingdom – 1,503). Following in the first quarter was .tk (Tokelau – 448), .net (436) and .ga (Gabon – 414). .ug came in 15th place with 100 while among the new gTLDs .xyz was 13th (149) and .icu was 16th (82).

However, there’s no change when it came to the most abused hosting provider: Cloudflare. Register.com (1,137), Namecheap (757), Network Solutions/Web.com (742), India’s PDR (664), Reg.ru (315) and NameSilo (311) were easily the registrars with the most abusive domain name registrations.

When Spamhaus looked at the number of newly detected botnet Command & Controllers (C&C), as a result of fraudulent sign-ups, they found the upward trend detected in 2018 is continuing into 2019.

In 2018 the number of botnet C&Cs identified from fraudulent sign-ups lifted 176% from 276 per month in January to 762 per month in December. The monthly average across 2018 was 530 botnet controller listings (BCL) per month.

In the first quarter of 2019 Spamhaus observed another significant step-up in numbers across the first three months of this year. The number of newly detected botnet C&Cs reached 1,281 in March 2019, an additional 519 botnet C&Cs compared to December 2018’s figures. Meanwhile, the monthly average in 2019 has increased by 110% to 1,113 per month. Spamhaus found no change in the location of botnet C&C traffic. The number one geolocation for botnet C&Cs remains the United States, followed by Russia and the Netherlands.