How cybercriminals play the domain game

Sponsored Conventional email security tools are losing the battle against phishing attacks. The cause? Instead of registering a handful of domains from which to conduct their phishing campaigns, many cybercriminals now buy them by the thousand. Because each domain sends only a small number of messages before it is abandoned, it never accumulates enough history to earn a bad reputation, which makes it harder for traditional email protection tools to spot phishing emails among the 'noise'. Thanks to bulk domain registration services, malicious spammers can tip the balance in their favour through sheer volume.


Domain blocklists have traditionally been one of the most important assets in the war against phishing and spam. If a domain is on a blocklist then there's a high probability that it has been used in a malicious campaign, such as ransomware or credential phishing, in the past. The exact criteria for blocklisting a domain are often opaque, but listing is a gradual process built on a measurable reputation for each domain that changes over time.


Factors such as a domain's age, its links to particular IP addresses, and its known use in malicious emails will all affect its standing. Blocklist operators research domains via reports of malicious campaigns, and also through honeypots that vacuum up and analyse malicious emails. There are many such blocklists. Spamhaus runs the Domain Block List (DBL), which mail servers query over DNS. Other organisations such as PhishTank, StopBadware, the Anti-Phishing Working Group, and SURBL all list domains of ill repute.
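The article describes blocklists without showing how a mail server actually consults one. The following is an added example, not code from the article or from Spamhaus: it builds the DNS query name a DBL-style blocklist expects, decodes the 127.0.1.x answer codes into listing categories, and triages a handful of constructed From: headers. The return-code table is written from the DBL documentation as I recall it and should be checked against the current Spamhaus documentation before use; the stub resolver, the listed names and the sample headers are all constructed so the example runs offline.

```python
"""Check sender domains against a Spamhaus-DBL-style DNS blocklist.

Added example, not code from the article or from Spamhaus. The answer
codes below follow the DBL documentation as recalled by the author of
this example; verify them against the current Spamhaus DBL docs.
"""
import socket
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Callable, Dict, List

DBL_ZONE = "dbl.spamhaus.org"

# A listed domain resolves to an A record in 127.0.1.0/24; the last
# octet encodes why the domain is listed.
DBL_CATEGORIES: Dict[str, str] = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
}

# Answers in 127.255.255.0/24 are not listings: the query itself was
# rejected, e.g. because it came through a public resolver.
DBL_QUERY_ERRORS: Dict[str, str] = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query via public resolver",
    "127.255.255.255": "excessive number of queries",
}

# A resolver maps a name to its A records; [] means NXDOMAIN (not listed).
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve A records with the OS resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def dbl_query_name(domain: str, zone: str = DBL_ZONE) -> str:
    """Build '<domain>.<zone>': lower-cased, trailing dot removed."""
    d = domain.strip().rstrip(".").lower()
    if not d or any(c.isspace() for c in d):
        raise ValueError(f"not a domain name: {domain!r}")
    return f"{d}.{zone}"


@dataclass
class Verdict:
    domain: str
    listed: bool = False
    categories: List[str] = field(default_factory=list)
    error: str = ""


def check_domain(domain: str, resolver: Resolver = system_resolver) -> Verdict:
    """Query the blocklist for one domain and decode every answer record."""
    verdict = Verdict(domain)
    for answer in resolver(dbl_query_name(domain)):
        if answer in DBL_QUERY_ERRORS:
            verdict.error = DBL_QUERY_ERRORS[answer]
        elif answer in DBL_CATEGORIES:
            verdict.listed = True
            verdict.categories.append(DBL_CATEGORIES[answer])
        else:
            verdict.error = f"unexpected answer {answer}"
    return verdict


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as '"Bill" <bill@example.net>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From: header {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def triage(from_headers: List[str], resolver: Resolver = system_resolver) -> Dict[str, Verdict]:
    """Check each distinct sender domain once; returns domain -> Verdict."""
    verdicts: Dict[str, Verdict] = {}
    for header in from_headers:
        domain = sender_domain(header)
        if domain not in verdicts:
            verdicts[domain] = check_domain(domain, resolver)
    return verdicts


# Constructed stub zone so the example runs offline. Names and codes are
# made up for illustration; example.net / example.org are reserved names.
STUB_ZONE: Dict[str, List[str]] = {
    "login-verify-acct.example.net.dbl.spamhaus.org": ["127.0.1.4"],
    "cdn-update.example.net.dbl.spamhaus.org": ["127.0.1.5"],
    # example.org is absent, so the stub answers NXDOMAIN -> not listed
}


def stub_resolver(name: str) -> List[str]:
    return STUB_ZONE.get(name, [])


# Constructed From: headers, as they might be pulled from a mail log.
SAMPLE_FROM_HEADERS = [
    '"Account Security" <no-reply@login-verify-acct.example.net>',
    '"IT Helpdesk" <updates@cdn-update.example.net>',
    "alice@example.org",
    '"Account Security" <alerts@login-verify-acct.example.net>',  # same domain, checked once
]

if __name__ == "__main__":
    for domain, v in triage(SAMPLE_FROM_HEADERS, stub_resolver).items():
        status = ", ".join(v.categories) if v.listed else (v.error or "not listed")
        print(f"{domain:35s} {status}")
```

Two practical notes. Against the real zone, `system_resolver` must sit behind your own recursive resolver; queries relayed through a large public resolver come back as 127.255.255.254 rather than a listing, which is why `check_domain` keeps those answers separate from categories instead of treating "answered" as "listed". And this lookup is exactly the mechanism that bulk registration defeats: a domain created yesterday simply has no record yet, so a verdict of "not listed" is evidence of absence of history, not of good intent.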


So far, so good, but several developments have made it more difficult to build and use blocklists. One of these, bizarrely, was GDPR. It caused ICANN, the organisation responsible for governing domain registrars, to introduce a Temporary Specification ('temp spec') that redacted much of the data that would normally turn up in a WHOIS request. Researchers relied on that data to investigate the bad actors behind malicious domains. That temp spec has since expired, but its ..