The term “abusive use” is difficult to define. For example, the owner of a trademark will tend to call “abusive” any use of the brand name that they do not like, a definition that will not necessarily be shared by other stakeholders. Some terms that are widely used in domain name circles, such as “cybersquatting”, do not have a precise legal definition. What annoys one netizen may leave another indifferent, and the courts perplexed. Moreover, the frequent confusion between the Web and the other services on the Internet makes things even more complicated: for example, illegal web content is sometimes reported to the domain name registry as if that fell within its remit.
This article explains the different things that are grouped under the name of “abusive use” in domain name management, and attempts to be both exhaustive and rigorous. Next week I will review in a second article the various measures that the registry can consider taking when faced with abusive use.
Fraudulent or abusive uses in domain name management
The term “cybersquatting” does not have a precise definition. (We have seen a company convicted for its domain name practices congratulate itself that “the criminal status of cybersquatting was not retained”, which is only natural since no such offence exists in France.) Let’s say that the term groups together the cases where an entity, be it an individual or a company, buys domain names similar or identical to the name of a third party, not to use them itself, but to resell them to the injured third party. For example, if there is a company named Fgxx6d and it has not reserved the domain name fgxx6d.fr, someone who buys that name and then invites the company to buy it for €10,000 could no doubt be called a cybersquatter. (It is because of this risk that it is highly recommended to reserve domain names before the new name of a company, brand, political party or product leaks out.)
Note that the purchase and sale of domain names is a legal activity (referred to as “domaining”) and that those who practice it (“domainers”) are not necessarily cybersquatters. For example, names purchased and sold may be generic terms, not detrimental to any particular organization (consider café.fr for example).
Cybersquatting is not intended to deceive netizens (unlike phishing), only to deprive the victim of a name they could have purchased in order to ask them for money.
Cybersquatting is not always easy to define. For example, the owner of a registered trademark will often talk about cybersquatting if someone registers a name identical to their brand. But the law is more nuanced (consider the principle of speciality, which means that a trademark is limited to certain classes of goods and services, with various exceptions), and the registration of a name identical to a brand is not necessarily illegal. A well-known example is that of “Mont Blanc” which can correspond to two brands (dessert creams and pens), as well as the mountain and a less known town of the same name.
Sometimes the registered domain name does not exactly match the third party’s name; this is called “typosquatting” if the applicant acted in bad faith. If someone registers labanquepostalee.fr it may be typosquatting (note the duplicated final e). But this makes the analysis even more complex: from what degree of difference onwards should it be considered typosquatting?
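The “degree of difference” question is what a registry or brand owner has to settle in practice when monitoring new registrations. The following is an added example, not code from the article, that scores a constructed feed of registrations against a constructed watch list: it flags names within a small edit distance of a watched label (the duplicated-e case above) and names that embed the watched label whole in a hyphenated name (the pfizer-deliveries pattern mentioned later in the article). The threshold `max_distance` is an assumed policy value, and the label extraction ignores multi-part public suffixes.

```python
"""Lookalike check for newly registered names against a watch list.

Added example (not from the article). WATCHLIST and REGISTRATIONS are
constructed sample data; the distance threshold is a policy choice,
which is precisely the point the article raises.
"""

# Constructed watch list of names a registry or brand owner wants to monitor.
WATCHLIST = ["labanquepostale.fr", "pfizer.com"]

# Constructed sample feed of newly registered names.
REGISTRATIONS = [
    "labanquepostalee.fr",     # duplicated final "e": the article's example
    "labanquepostal.fr",       # missing final "e"
    "pfizer-deliveries.com",   # brand embedded in a longer name
    "cafe.fr",                 # generic term: no hit expected
    "labanquepostale.fr",      # identical name: a different (legal) question
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def label(domain: str) -> str:
    """Label under the TLD: 'labanquepostalee.fr' -> 'labanquepostalee'.

    No public suffix list here, so 'x.co.uk' would yield 'x.co'.
    """
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def find_lookalikes(registrations, watchlist, max_distance=2):
    """Return findings {name, watched, reason, distance}.

    Two rules: a small edit distance between the labels (typo-style names),
    or the watched label appearing whole as a hyphen-separated token of the
    registered label. Identical names are skipped: whether an identical
    registration is legitimate depends on trademark law, not on spelling.
    """
    findings = []
    for reg in registrations:
        reg_label = label(reg)
        for watched in watchlist:
            w_label = label(watched)
            if reg_label == w_label:
                continue
            dist = levenshtein(reg_label, w_label)
            if dist <= max_distance:
                findings.append({"name": reg, "watched": watched,
                                 "reason": "edit distance", "distance": dist})
            elif w_label in reg_label.split("-"):
                findings.append({"name": reg, "watched": watched,
                                 "reason": "brand embedded", "distance": dist})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(REGISTRATIONS, WATCHLIST):
        print(f"{f['name']:24} ~ {f['watched']:20} {f['reason']} (d={f['distance']})")
```

A raw edit distance of 2 is generous for short labels (two edits rewrite most of a four-letter name), so a deployed check would scale the threshold with label length; the example keeps a single knob to make the policy question visible.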
When a domain name identical or similar to that of a third party is used in spam (mass mailing of unsolicited mail, one of the banes of email), it may be to deceive the netizen about the real issuer, or simply put the blame for the spam on someone else. For example, a spam for a blue pill that cures erectile weakness will claim to be sent from the domain pfizer-deliveries.com to try to make recipients believe that it is a genuine Pfizer pill.
The spammer can file a domain name for spamming purposes, or they can simply use someone else’s domain name. Email is not authenticated by default. If I receive a message claiming to come from email@example.com, it does not prove that Donald Trump is writing to me, or that his email inbox has been cracked. Contrary to what is sometimes seen in the media, there is no need to hack anything to send email on behalf of any organization; all you need to do is take advantage of the lack of authentication.
There are of course techniques that add a certain amount of authentication to email. The problem is difficult, partly because the very definition of the “sender of an email” is not obvious (there are several identities used in a message, for example if it has been redirected, or if it has arrived via a mailing list). The protection techniques range from the most obvious (such as rejecting incoming email claiming to come from a domain that does not exist) to the most advanced ones such as SPF and DKIM, both of which rely on the DNS. These techniques are effective and it is unfortunate that they are not deployed in a more widespread fashion, but they cannot work miracles. They do not stop all types of spoofing, and are based on the assumption that the recipients check the authenticated information, which many do not.
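To make the “they rely on the DNS” point concrete, here is an added example (not from the article) of the receiving side of SPF: the sender’s domain publishes a TXT record listing the addresses allowed to send on its behalf, and the receiver evaluates the connecting address against it. The record `EXAMPLE_RECORD` is constructed; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and mechanisms that require further DNS lookups (`include`, `a`, `mx`) are skipped, which is an assumed simplification of what a full verifier does. The result names follow RFC 7208.

```python
"""Minimal SPF evaluator for a mail receiver (added example, not the article's code).

Only the ip4, ip6 and all mechanisms are evaluated. Mechanisms that need
DNS lookups (include, a, mx, exists, ptr) and modifiers (redirect=, exp=)
are skipped, so a record that relies on them yields "neutral" here; a real
verifier resolves them. Result names follow RFC 7208.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy for a hypothetical sender domain, as its TXT record would read.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate one SPF record against the address that delivered the message."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"              # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:            # modifier (redirect=, exp=): skipped in this example
            continue
        qualifier = "+"            # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror" # malformed record: the sender's problem, but flag it
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include / a / mx / exists / ptr would need DNS lookups: skipped here
    return "neutral"               # RFC 7208: nothing matched and no "all" term


def receiver_action(result: str) -> str:
    """What a typical receiver does with the result (a site policy, not an RFC rule)."""
    return {"fail": "reject",
            "softfail": "accept and mark",
            "permerror": "accept and mark"}.get(result, "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::5", "198.51.100.7"):
        r = evaluate_spf(EXAMPLE_RECORD, ip)
        print(f"{ip:16} {r:9} -> {receiver_action(r)}")
```

The example also shows the limit the article mentions: SPF only covers the envelope sender and the delivering address, so a receiver that evaluates the record but does not act on a `fail` gains nothing, and a sender that publishes `~all` instead of `-all` leaves spoofed mail merely marked rather than rejected.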
The term malware refers to any software that a user does not want to install, and that is detrimental. For example, some malware regularly displays ads on the screen, others capture personal data, or Bitcoin keys, and send them to the person responsible for the malware. Some are used to perform denial of service attacks, by sending countless queries to a server, others encrypt a user’s files, before asking for a ransom in return.
How does this malware get installed on a user’s machine? There are several forms of propagation. Some are distributed by unscrupulous vendors who deliberately infect their customers’ machines (which Sony did in 2005), others pose as harmless and are voluntarily installed by a misled user (the Trojan horse technique, described by Homer), others finally exploit a security flaw in the Web browser, installing themselves automatically when the user visits an infected Web page (this is referred to as “drive-by” infection).
From the point of view of domain names, the last two categories are of greater interest. A Trojan horse seeks to inspire confidence. It pretends to be useful (“this app will allow you to download MILLIONS of photos of nude celebrities”), which helps it get around security mechanisms (“do you really want to install this program?”). A domain name that inspires confidence is therefore useful as a Trojan horse. (Note, however, that only a tiny minority of users scan the domain name before downloading.)
The third category of malware is also important. The person responsible for the malware will seek to install it on popular websites, in order to infect a maximum of users. The person will look for names with a good reputation. Sometimes the attackers target a small but crucial population for them: successfully installing the malware on the website of an official organization will allow them to infect those who are connected with this organization. This is the so-called “watering hole” technique (the predator doesn’t waste time hunting for prey: it waits at the water point).
It should be noted that in this case, the website where the malware is waiting for its victim is often innocent: it has simply been hacked, a victim of its own content management software, poorly written and not updated. Accusing a website of malware distribution is therefore often unfair: if the hypothetical town hall of Champignac-en-Cambrousse has not updated its WordPress for five years, and the website http://mairie-champignac.fr/ is hacked, should we accuse the town hall? And give “bad reputation points” to the .fr TLD?
Another case of fraudulent use of domain names is that of lies. If you want to spread false information, it may be useful to have a “credible” domain name, even if few users check the domain name.
For example, in November 2016, a fake message claiming to come from the Vinci group was sent to the Bloomberg news agency which published it. The message claimed that Vinci had fired a high-level executive for embezzlement. The Vinci share dropped 20%. Contrary to what most media stated, there had been no “hacking”. The message was just a lie. The relationship with domain names? The liars had registered the name vinci.group, “close” to the real name of the group (vinci.com) and sent the messages using this name. (Note once again that without authentication, the liars could just as easily have used the “real” name, unless they wanted to receive the replies.)
Phishing involves luring victims to a website that looks like one they know, where they have an account, in order to get their credentials. The phishers can build a list of accounts with their passwords, which they can then use to access services by borrowing the identity of their victims. For example, if it’s a bank account, the phisher can take money out of it.
The phisher has to build a website that looks like the real one, which is easy, but also has to attract victims. There are several methods. The simplest and most common one is to send spam, no longer to sell a product, but to convince the victims to go to the phishing website. The methods are sometimes much more technical, such as the phishing attack on MyEtherWallet in April 2018, in which the thieves diverted IP traffic via the BGP routing protocol, so that the DNS queries for myetherwallet.com went to the attackers’ DNS servers and no longer to the legitimate ones. When these “technical” methods (DNS or BGP) are used, they are referred to as “pharming”, a term that does not add much to the classification. In this case, the domain name is the real one and even attentive users are taken in. But, most of the time, the phisher’s technique is much simpler: they rely on the lack of verification by the user who, on receiving a message such as “you are eligible for a tax refund, log on to your bank website” with a link to http://www.example.com/wp/refund.php, clicks on the link without thinking or wondering what this example.com company is. (Commercial issuers of email make it easy for phishers by sending messages in HTML format, familiarizing users with a presentation that makes it easy to hide the real link. Some messaging software systems do not even allow you to see the text part of the message, which would have revealed the fraud.)
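The HTML trick the parenthesis describes (link text that says one thing, `href` that goes elsewhere) is mechanical enough to check at the mail gateway. The following added example, which is not code from the article, parses a constructed HTML message and flags two things: links whose target host lies outside the domain the message claims to come from (the `bank.example` sender domain is an assumption), and links whose visible text is itself a URL with a different host from the real target. The refund link is the article’s own example URL; everything else in the sample body is made up.

```python
"""Flag links in an HTML message that do not go where they appear to go.

Added example, not from the article. Two checks: a link whose target host
is outside the domain the message claims to come from, and a link whose
visible text is a URL with a different host than the real target. The
sender domain and the message body are constructed; the link target
http://www.example.com/wp/refund.php is the one quoted in the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a URL or a bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

CLAIMED_SENDER_DOMAIN = "bank.example"   # constructed: domain of the From: header

SAMPLE_HTML = """
<p>You are eligible for a tax refund,
   <a href="http://www.example.com/wp/refund.php">log on to your bank website</a>.</p>
<p>Or visit <a href="http://www.example.com/login">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">Help</a></p>
<p><a href="mailto:support@bank.example">Contact us</a></p>
"""


def host_of(url: str) -> str:
    """Host of an http(s) URL or of a bare 'www.host.tld/path' string; '' otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https"):
        return (parts.hostname or "").lower()
    if parts.scheme:                     # mailto:, tel:, ... carry no web host
        return ""
    return (urlsplit("//" + url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def suspicious_links(html: str, sender_domain: str):
    """Return findings {href, text, reasons} for links worth showing the user or blocking."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target_host = host_of(href)
        if not target_host:              # mailto:, fragment-only links: nothing to compare
            continue
        reasons = []
        if not in_domain(target_host, sender_domain):
            reasons.append("target outside claimed sender domain")
        if URL_LIKE.match(text) and host_of(text) != target_host:
            reasons.append("visible URL host differs from real target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_HTML, CLAIMED_SENDER_DOMAIN):
        print(f["href"], "<-", repr(f["text"]), ":", "; ".join(f["reasons"]))
```

The first rule is the one that catches the article’s scenario, since the bait text is plain words rather than a URL; the second rule is cheap to add and catches the display-URL forgery that HTML mail makes so easy. Neither rule replaces the user looking at the domain, but both surface the `example.com` destination before the click.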
Another more technical case of fraudulent use of domain names is that of Domain Generation Algorithms (DGAs) by botnets. A botnet is a network of hacked computers, or zombies, which once hacked obey an outside controller or “master” and no longer the legitimate user. The master rents the botnets to delinquents to send spam, carry out denial of service attacks, and so on. One of the main problems of a botnet master is how to control their armada. This is done via one or more C&Cs (control centers), the servers that the zombies (botnet members) will regularly poll. What address do zombies use to contact the C&C? An IP address? They are not stable: if the C&C is spotted and closed, the address will not work any more. A domain name? They are more stable, which is why we use them, but they are not invulnerable: a domain name can also be deleted. If the zombie is instructed to go and search for instructions in https://botnet.example/ what will it do on the day botnet.example is no longer published by the registry of .example?
This is where DGAs come in. Instead of having a single domain name in memory to contact the C&C (or even a list), the zombie has an algorithm that regularly generates new names. For example, the zombie tries to connect to zcwb.example on the first day, to zzfw.example on the second and rtdz.example on the third. If the botnet master wants their machines to contact them on the third day, all they have to do is register rtdz.example and enter the necessary information. Of course, it can be expensive in terms of registering domain names, but it is much safer: since no-one else knows the algorithm, the future names cannot be predicted, and registration of the domain names cannot be prevented.
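A zombie walking through its daily candidates leaves a trace that the article’s description implies: most of the generated names are never registered, so the resolver answers NXDOMAIN for a run of names with no lexical structure. The following added example, not code from the article, scans constructed DNS query logs in an assumed `timestamp client qname rcode` format and reports clients with several distinct NXDOMAIN answers for random-looking names. The names zcwb, zzfw and rtdz are the article’s; the other names, addresses and the thresholds are made up.

```python
"""Spot clients querying bursts of random-looking names that do not exist.

Added example, not from the article. A zombie walking through DGA
candidates produces many NXDOMAIN answers for names with no lexical
structure, which is the signal used here. LOG_LINES are constructed in an
assumed "timestamp client qname rcode" format; the names zcwb, zzfw and
rtdz are the article's own, the rest are made up.
"""
import math
from collections import defaultdict

LOG_LINES = """\
2024-03-01T10:00:01 192.0.2.10 zcwb.example NXDOMAIN
2024-03-01T10:00:02 192.0.2.10 zzfw.example NXDOMAIN
2024-03-01T10:00:03 192.0.2.10 rtdz.example NXDOMAIN
2024-03-01T10:00:04 192.0.2.10 qpxv.example NXDOMAIN
2024-03-01T10:00:05 192.0.2.10 rtdz.example NXDOMAIN
2024-03-01T10:00:06 192.0.2.10 wikipedia.org NOERROR
2024-03-01T10:00:07 192.0.2.20 labanquepostale.fr NOERROR
2024-03-01T10:00:08 192.0.2.20 mairie-champignac.fr NOERROR
2024-03-01T10:00:09 192.0.2.20 typoo.example NXDOMAIN
""".splitlines()


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """'rtdz.example.' -> 'rtdz' (no public-suffix handling in this example)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label: str) -> bool:
    """Heuristic: almost no vowels, or long with a near-uniform spread of characters.

    Short DGA names such as 'zcwb' are caught by the vowel rule, since four
    distinct characters only reach 2 bits of entropy. The 0.25 and 3.6
    thresholds are assumed values chosen for this sample.
    """
    if len(label) < 4:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return vowel_ratio < 0.25 or (len(label) >= 10 and shannon_entropy(label) > 3.6)


def suspect_clients(lines, min_random_nxdomain: int = 3):
    """Map client -> sorted distinct random-looking NXDOMAIN names, for clients over the threshold."""
    per_client = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                      # malformed line: ignore
        _ts, client, qname, rcode = fields
        if rcode == "NXDOMAIN" and looks_random(registered_label(qname)):
            per_client[client].add(qname.lower())
    return {client: sorted(names) for client, names in per_client.items()
            if len(names) >= min_random_nxdomain}


if __name__ == "__main__":
    for client, names in suspect_clients(LOG_LINES).items():
        print(client, "->", ", ".join(names))
```

The single mistyped name from the second client stays below the threshold, which is what keeps this kind of rule usable on a resolver serving ordinary users; the counter-measure on the registry side, which the article returns to in its sequel, is a separate matter from detection on the network.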
Alternative resolution systems?
It has sometimes been said that zombies do not use the DNS to find their C&C but “alternative resolution systems”. In this case, this is no longer really a case of fraudulent or abusive use of domain names.
Next week discover all the measures possible against these different types of abuses!