Defunct AlpNames Had History As A Home For Phishing

The now-defunct AlpNames, whose Registrar Accreditation Agreement was terminated by ICANN this week after the discount registrar appeared to have simply disappeared, has a history of being a home to spammers and scammers.

In a February 2018 letter to ICANN from the Independent Compliance Working Party, a group of technology companies, it was claimed there was a problem with ‘one particular contracted party’: AlpNames. Among other problems, AlpNames was said to be the sponsoring registrar for over half of the “new gTLD domains that have been blacklisted by Spamhaus.”

The members of the Independent Compliance Working Party, Adobe Systems, DomainTools, eBay, Facebook, Microsoft and Time Warner, asked ICANN to resolve the problems they identified, with AlpNames the only registrar named.

“Troublingly”, the letter notes, “there also is a clear problem with one particular contracted party:

We find distinctive common patterns in domain name registration further suggesting malicious registrations. For example, we find 9,376 .link domains of which 9,256 were created in the first quarter of 2016 and 9,253 were registered with Alpnames Limited registrar.

  • …for 37.09% of the abused new gTLD domains reported by StopBadware, the sponsoring registrar is located in Gibraltar. Almost 195 abused new gTLD domains per 10,000 located in Gibraltar are abusive. (Note: Alpnames is located in Gibraltar.)
  • …we find that the abuse is driven by a single registrar: Alpnames Limited. For example, during the study period this registrar has acted as the sponsoring registrar for 53.97% (59,044) of the new gTLD domains that have been blacklisted by Spamhaus.
  • … one registrar, Alpnames Limited, having a high volume of abusive new gTLD domains reported by both Spamhaus and SURBL.”

The letter also notes problems with various generic top level domains, both legacy and new. Among the legacy gTLDs the abuse is concentrated in .com, although .com does have 137.3 million domain names, ten times the size of the next biggest gTLD, .net, with 13.7 million.

“Additionally, according to the [Statistical Analysis of DNS Abuse in gTLDs (SADAG)] report:

The number of abused phishing domains in legacy gTLDs is mainly driven by the .com gTLD and at the end of 2016 represents 82.5% (15,795 of 19,157) of all abused legacy gTLD domains considered in this study.

  • …the five new gTLDs suffering from the highest concentrations of domain names used in phishing attacks listed on the APWG domain blacklist in the last quarter of 2016 collectively owned 58.7% of all blacklisted domains in all new gTLDs.
  • …we observe as many as 182 and 111 abused .work and .xyz domains, respectively. The results indicate that the majority of .work domains were registered by the same person. 150 domains were registered on the same day using the same registrant information, the same registrar, and the domain names were composed of similar strings. Note that only 150 abused domains, blacklisted in the third quarter of 2015, influenced the security reputation of all new gTLDs.
  • …the overwhelming majority of malware domains, which were categorized as compromised, belong to one of four new gTLDs: .win, .loan, .top, and .link (77.1%, which represents 19,261 out of 24,987 domains).”
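The two kinds of finding quoted above, the share of blocklisted domains attributed to one sponsoring registrar (the 53.97% figure) and a same-day, same-registrant cluster of similar-looking names (the 150 .work domains), are both straightforward to reproduce from registration records and a blocklist feed. The following is an added example, not code from the letter, the SADAG report or any of the parties named; it runs both analyses over a small constructed dataset, and the registrar and registrant identifiers in it are hypothetical:

```python
"""Registrar abuse concentration and bulk-registration clustering.

Added example: reproduces, over constructed data, the two measurements
quoted from the SADAG report above (share of blocklisted domains per
sponsoring registrar, and clusters of similar names registered on the
same day by the same registrant through the same registrar).
"""
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Constructed sample: (domain, sponsoring registrar, creation date, registrant id).
# Registrar and registrant names are hypothetical placeholders.
REGISTRATIONS = [
    ("cheap-loans-01.work", "Registrar-A", "2015-07-14", "reg-1001"),
    ("cheap-loans-02.work", "Registrar-A", "2015-07-14", "reg-1001"),
    ("cheap-loans-03.work", "Registrar-A", "2015-07-14", "reg-1001"),
    ("cheap-loans-04.work", "Registrar-A", "2015-07-14", "reg-1001"),
    ("secure-login-update.xyz", "Registrar-A", "2015-07-20", "reg-1005"),
    ("bakery-corner.work", "Registrar-B", "2015-07-14", "reg-2002"),
    ("family-photos.xyz", "Registrar-B", "2015-07-15", "reg-2003"),
    ("river-kayak-club.link", "Registrar-B", "2015-07-16", "reg-2004"),
    ("town-library.top", "Registrar-B", "2015-07-17", "reg-2005"),
    ("my-garden-blog.link", "Registrar-C", "2015-07-21", "reg-3001"),
]

# Constructed blocklist, standing in for a Spamhaus/SURBL/APWG feed.
BLOCKLISTED = {
    "cheap-loans-01.work", "cheap-loans-02.work", "cheap-loans-03.work",
    "cheap-loans-04.work", "secure-login-update.xyz", "bakery-corner.work",
}


def registrar_abuse_share(registrations, blocklisted):
    """Per registrar: (percent of all blocklisted domains it sponsors,
    blocklisted domains per 10,000 domains under its management)."""
    managed = Counter()
    bad = Counter()
    for domain, registrar, _, _ in registrations:
        managed[registrar] += 1
        if domain in blocklisted:
            bad[registrar] += 1
    total_bad = sum(bad.values())
    result = {}
    for registrar, count in managed.items():
        share = 100.0 * bad[registrar] / total_bad if total_bad else 0.0
        per_10k = 10000.0 * bad[registrar] / count
        result[registrar] = (round(share, 2), round(per_10k, 1))
    return result


def bulk_registration_clusters(registrations, min_size=3, similarity=0.8):
    """Group registrations by (registrar, creation date, registrant) and keep
    groups of at least min_size whose names are mutually similar, measured as
    difflib ratio against the first name in the group."""
    groups = defaultdict(list)
    for domain, registrar, created, registrant in registrations:
        groups[(registrar, created, registrant)].append(domain)
    clusters = []
    for key, domains in groups.items():
        if len(domains) < min_size:
            continue
        anchor = domains[0]
        similar = [d for d in domains
                   if SequenceMatcher(None, anchor, d).ratio() >= similarity]
        if len(similar) >= min_size:
            clusters.append((key, sorted(similar)))
    return clusters


if __name__ == "__main__":
    for registrar, (share, per_10k) in registrar_abuse_share(
            REGISTRATIONS, BLOCKLISTED).items():
        print(f"{registrar}: {share}% of blocklisted domains, {per_10k} per 10k")
    for (registrar, created, registrant), names in bulk_registration_clusters(
            REGISTRATIONS):
        print(f"cluster via {registrar} on {created} by {registrant}: {names}")
```

On the constructed data Registrar-A sponsors five of the six blocklisted names, which is the concentration pattern the letter describes, and the four cheap-loans names form the one same-day, same-registrant cluster. On real data the per-10,000 rate matters as much as the raw share: a large registrar can sponsor many abusive domains simply because it sponsors many domains, while a high rate points at a registrar whose customer base or registration practices are the problem.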

There are also “regrettably stark increases and serious concentrations of abuse across legacy and new gTLDs, registries and registrars, and in the proliferation of spam, malware, phishing and other harms. For example, according to the Domain Abuse Activity Reporting (DAAR) System report:

  • the 25 most exploited TLDs account for 95% of the abuse complaints submitted to DAAR.
  • Five TLDs alone are responsible for more than half of abuse complaints.”

The letter says “You’ll agree these are troublesome
statistics, and are antithetical to a secure and stable DNS administered by
ICANN.”

“We are alarmed at the levels of DNS abuse among a few contracted
parties, and would appreciate further information about how ICANN Compliance is
using available data to proactively address the abusive activity amongst this
subset of contracted parties in order to improve the situation before it
further deteriorates.”

In his reply, ICANN’s Jamie Hedlund notes there are limits to what ICANN can do. He notes the current Registry Agreements “do not authorize ICANN org to require registries to suspend or delete potentially abusive domain names. Similarly, the RAA does not authorize ICANN org to require registrars to suspend or delete potentially abusive domain names. Instead, under RAA Section 3.18, registrars are required to take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse. Registrars are also required to review well-founded reports from law enforcement and other similarly designated authorities within 24 hours of receipt. There is no requirement in the RAA that requires registrars to suspend or delete reported domains.”

Hedlund also writes that for ICANN “to terminate registrars with high rates of abusive domains under management … a ‘court of competent jurisdiction’ must judge against the registrar prior to ICANN org taking action.”

The letter from the Independent Compliance Working Party is available to read in full at:
https://www.icann.org/en/system/files/correspondence/vayra-to-hedlund-27feb18-en.pdf

The letter from Jamie Hedlund, Senior Vice President, Contractual Compliance and Consumer Safeguard, in response is available to read in full at:
https://www.icann.org/en/system/files/correspondence/hedlund-to-vayra-04apr18-en.pdf

For more on AlpNames’ history, and what might happen next, check out the Domain Incite report here.
