
IP Twins


Targeting bulk registrations as a source of malicious domains

A new study by Interisle Consulting Group sheds light on the link between bulk domain registrations and abusive practices like phishing and cybersquatting. By requiring identity verification for high-volume registrations, registrars can curb abuse without disrupting legitimate users. This practical solution, already in use in parts of the domain industry, offers a targeted approach to protecting brands and reducing cybercrime.

Large domain name registrars have millions of customers who expect an on-demand service. They know that some percentage of these customers may turn out to be scammers, but verifying the identity of so many customers is burdensome and intrusive.

A new study from the Interisle Consulting Group[1] contains a realistic proposal to reduce the number of abusive domain registrations: require identity verification as a condition for registering domain names in bulk.

Scammers know that a malicious domain name has only a short window in which to operate. Sooner or later, automated tools, such as filters from email providers, will detect the abuse and prevent the content from reaching new users. If the domain escapes automated detection, it’s only a matter of time before it is reported by a human user.

For this reason, phishing campaigns and other cybercrimes require many “disposable” domain names to have any chance of success. In this context, several outlets have highlighted the preference of scammers for cheap domain names [2][3], but Interisle points out something that has received less emphasis than the question of which TLDs scammers favour:

Bulk registrations are much more likely to contain malicious domains than registration orders consisting of small numbers of domains. Among the registrars examined by Interisle, the percentage of observed abusive domains that came from bulk registrations was above 50%, and in one case reached 99%!

Not all bulk registrations are abusive: an investor in generic domain names may spend time analyzing a list of possible registrations, then send a single bulk registration command once they’re ready. These users spend a lot of money at domain name registrars, which won’t want to drive them away by prohibiting bulk registrations entirely.

So how does a registrar keep servicing legitimate bulk registrations while blocking bad actors? Interisle suggests “enhanced identity and verification checks before accessing high volume registration services.” The study notes that this type of check is already in use by GoDaddy for its auction service, to preserve the integrity of the auctions. The same logic applies to auction participants as to bulk registrants: a person with a legitimate interest in investing money in domain names will see identity verification as a necessary, or at least acceptable, trade-off for accessing the registrar’s tools. A cybercriminal, on the other hand, will not want to reveal their identity and will avoid tools that require prior verification.

This reasonable proposal, which already has a track record of implementation in the domain industry, seems better suited to starting a conversation than more general calls for registrars to “do more about abuse.” We applaud the study from Interisle, both for its approach and for the precision of its recommendations.

Brand owners can combat domain abuse by combining proactive monitoring, defensive registrations, and enforcement. IP Twins’ domain monitoring tools help detect suspicious registrations early, while securing key domain variations prevents misuse. For infringements, UDRP complaints offer a cost-effective solution to reclaim domains. Moreover, securing domains through services such as GlobalBlock ensures protection where traditional regulations fall short. Together, these measures form a comprehensive defense against cybersquatting and abuse.


Footnotes

[1] Interisle Consulting Group, Cybercrime Supply Chain 2024. Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them, 18 November 2024.

[2] New Year, New Scams – Health product scam campaigns abusing cheap TLDs | Netcraft

[3] Phishing epicenters: top 5 TLD used in today’s phishing attacks