Wednesday, April 18, 2018

(UPDATE) Phishing: let's be frank

I just finished a procedure which consisted in declaring a domain name hosting a phishing operation and it took one month "for the procedure to end". The domain name is still active and, according to the ICANN, the Registrar hosting the website "demonstrated that it took reasonable and prompt steps to investigate and respond appropriately to the report of abuse". I won't verify that because I already wasted too much time sending emails and checking answers to follow procedures.

The ICANN "does things"
Something that I have to admit is that the ICANN did something and without the ICANN taking my complaint into account, nothing would have probably happened. The reason why I write this is that the Registrar to which I complained...never answered me in return. It seems that ICANN had to be involved for my complaint to be considered by this Registrar.

This is not enough
There are procedures: they exist and according to the agreement that all accredited Registrars sign with the ICANN, they have to act but in my case...the Registrar incriminated did not. Let's say that he did but long after my complaint was sent and after I complained to the ICANN. I suspect that such situations must happen often. Also, I have been long enough in this industry to know that these procedures exist only to exist: who knows where to write and who writes to an accredited Registrar to complain about a domain name used for phishing?

The problem
Dealing with phishing is a problem and this is not going to change:
  1. We have useless procedures to declare domain names used for phishing operations:
    1. it is unclear: where do you declare? At the ICANN, the Registrar, the Registry or the totally useless Anti-Phishing Working Group (APWG)?
    2. procedures are difficult to find.
    3. what happens when a lazy Registrar just does not answer: do you...wait for him to take the lead? (believe me I tried)
  2. The volume of new gTLDs is increasing and - unless I am the only one in the world - I receive more phishing attempts, they are industrialized and more sophisticated: with such procedures, are we solving the problem? No.
In the hands of Registrars
I asked Verisign the question about "what is it that I should do in the case of phishing". The Verisign support was very fast answering me:

My question:
What should I do when I have identified a ".com" domain name hosting a phishing operation?
Their answer:
You can report phishing domain names to the sponsoring Registrar of the domain name.
You may use the WHOIS service on our homepage to identify the Registrar of the domain name:
So I had another question:
I did already but it took more than one month (as you can read here: and the only results were issued from the ICANN, the Registrar did nothing. My question is more simple: isn't there a form at the ".com" Registry (Verisign) where I can complain so a domain name can be investigated faster and taken down?
Their kind answer:
No, unfortunately we do not have such service.
In order for Verisign to take down any domains, Verisign will need a valid Court Order in which our Legal needs to review and accept before we can take any further action.
The Registry is the legal entity to allow the creation of domain names and, in the case of ".com" domain names, it has to go through the Registrar. At least, the answer is clear.

I asked the same question to what I call "a Multiple Registry" It is an operator, Donuts Inc. here, which is operating several new domain name extensions.

My question:
Can you take a domain name down if operated by a Donuts registry in the case of phishing?
Their answer:
Donuts takes reports of abuse seriously. If you need to report a domain name that is being used for an abusive or malicious purpose, please fill in the fields below, and submit to us.
My understanding of this is that the registry for ".com" domain names won't act directly and will direct you to the accredited registrar in charge of the domain name; or it will act if there is a court order. On the other hand, this multiple registry I asked the question to would probably act without a court order. The problem dealing with Registrars is that they don't necessarily act and when they do, they can be very slow. I will take the Donuts Answer for granted here and will consider that I might have found another good reason to promote new gTLDs.
End of the update

My "have balls" solution: responsibility and rudeness
Registrants (owners of domain names) are responsible for what they publish, shouldn't the problem be considered differently and the responsibility of a phishing operation transferred to the Registrant?

Changing the status of a domain name can be done faster at the Registry level, not at the Registrar. If the Registry were to receive the complaint and the one to investigate, it could act faster. That means:
  • Identify if a domain name is in use for a phishing operation;
  • Change the status of the domain to one informing users in the Whois;
  • Change the DNS to a parked page that is not hurting consumers:
    • advertise the reason for this change of front page ("ongoing phishing operation" or "domain name used for a phishing operation", ...);
    • advertise the name of the accredited Registrar (so he is faster contacting his client to get rid of this status and front page ;-)
  • Registry to contact the famous "abuse" email at the Registrar (that one they don't particularly pay attention to) to inform him about this change of status. 
  • Change the DNS back to the previous one when the Registrant/Registrar have done some cleaning.
Rude isn't it? The problem with rules is that few follow them on Internet. I am referring here to the agreement that registrars sign with the ICANN: it shouldn't take one month and so many emails shared for a phishing operation to be taken down. Also, many working groups probably work very hard but ... some problems like phishing and spam are not decreasing at all...the opposite is happening. Isn't it time to set up solutions that work?

"Consumers first".

No comments:

.BRAND new gTLD Reports are updated once a month: CLICK HERE !