Easy creation of domain names by hackers leaves SMBs dangerously exposed

Cooling-off period urged to vet site and decide whether it should be blocked


The vast majority of new Web domains established every day on the Internet are created for malicious purposes.

That shocking truism of the Information Age comes from none other than Internet pioneer and thought leader Paul Vixie.

Vixie is the founder of the Internet Systems Consortium, a nonprofit group dedicated to supporting the infrastructure of the Internet—and the autonomy of its participants. He is best known in tech circles for designing and implementing several Domain Name System protocols, extensions and applications.

Sadly, Vixie recently told ThirdCertainty, DNS as it is being used on a daily basis today is largely broken.

“One new domain is created every second and pretty much 199 out of 200 of them are junk domains created for the purpose of search engine optimization, spam, phishing or other completely useless things,” says Vixie, who is now CEO of Farsight Security.


Other examples of malicious use include newly created domains to set up botnet command-and-control servers, to establish download sites for malware, or to host phishing and drive-by-malware-download pages.

For criminals, time is of the essence

Those who set up such domains tend to want to use them as quickly as possible after registering, before the site can get blacklisted or before it is taken down by network operators.

The logic of cyber criminals engaged in this activity goes something like this, Vixie says: “I want to do something that absolutely no one else in the world wants me to do, and I am using this cooperative structure to allocate the resources to me that I need to do the thing that everybody wishes I wasn’t doing.”

Since it is almost a certain bet that the only people seeking to use a new domain immediately upon registration are those with malicious intent, the best way to deter them is to introduce a waiting period, Vixie says.

Small change, big difference

This simple practice would go a long way toward deterring cyber criminals from registering new domains for nefarious purposes that typically include spamming, malware distribution and carrying out phishing campaigns.

In Vixie’s view, those who control DNS should move forward on implementing such a cooling-off period. Imposing a six- to 24-hour delay between when a site is registered and when it becomes available could give the security industry enough time to vet the new domain and decide whether it’s something that should be blocked or monitored.

“The registration event has been published, the domain isn’t actually working yet … that gives the security industry an advance look to find out, ‘Am I going to want to block that by the time it comes out of its 24-hour waiting period’,” Vixie says.

Previous studies that have attempted to understand the domain registration behavior of spammers have noted the difficulty that network operators face in making decisions about whether to blacklist a domain or not.

Because of the rate at which new domains appear, making blacklist decisions at registration has become particularly challenging, the studies noted. As a result, the typical response model has been to wait for a domain to start exhibiting malicious behavior before attempting to stop it.

Money likely to rule the day

Introducing a waiting period as Vixie suggests could give the security industry the time needed to vet new sites and reduce the risk posed by new domains to small, medium and large businesses. But Vixie isn’t holding his breath that the industry will implement the delay he proposes any time soon.

Vixie admits that when he made the proposal at RSA this year, it wasn’t widely picked up by anyone. He plans to air it again at an ICANN meeting next month in Dublin, Ireland, but isn’t too optimistic.

“It’s all about money,” Vixie says. “There’s a lot of money to be made in registering new domains, and the companies that do that for a living are going to be unwilling to make any change that could slow down their revenues.
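A defender-side sketch of the hold policy described above, added here and not code from the article or from Farsight: a resolver-side check that treats any domain younger than the 24-hour window as “hold” for review, so the vetting decision can be made from registration age rather than waiting for bad behavior. The registration feed, query log lines and domain names are constructed for the example, and reducing a name to its last two labels is a simplifying assumption (a real deployment would use a public-suffix list).

```python
from datetime import datetime, timedelta, timezone

# Constructed registration feed (hypothetical names and times, not real domains):
# the kind of "registration event" the article says could be published early.
REGISTRATION_FEED = {
    "example-shop.test": datetime(2015, 10, 1, 9, 0, tzinfo=timezone.utc),
    "login-verify-update.test": datetime(2015, 10, 3, 7, 30, tzinfo=timezone.utc),
    "old-vendor.test": datetime(2012, 5, 14, 12, 0, tzinfo=timezone.utc),
}

# Constructed resolver query log, one "<UTC timestamp> <client> <qname>" per line.
QUERY_LOG = """\
2015-10-03T08:05:00Z 10.0.0.12 www.login-verify-update.test
2015-10-03T08:06:10Z 10.0.0.12 old-vendor.test
2015-10-03T08:07:45Z 10.0.0.23 example-shop.test
2015-10-03T08:09:00Z 10.0.0.23 unknown-domain.test
"""

HOLD_PERIOD = timedelta(hours=24)  # the 24-hour waiting period from the article


def registrable_domain(qname):
    """Reduce a query name to its last two labels (assumes no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(qname, seen_at, feed=REGISTRATION_FEED, hold=HOLD_PERIOD):
    """'hold' if the domain is younger than the hold period, 'allow' if older,
    'unknown' if the feed carries no registration event for it."""
    registered = feed.get(registrable_domain(qname))
    if registered is None:
        return "unknown"
    return "hold" if seen_at - registered < hold else "allow"


def review_log(log, feed=REGISTRATION_FEED, hold=HOLD_PERIOD):
    """Return (client, qname, verdict) for every query that is not plainly
    allowed, i.e. the queue a vetting team would look at during the hold."""
    flagged = []
    for line in log.splitlines():
        ts, client, qname = line.split()
        seen_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verdict = classify(qname, seen_at, feed, hold)
        if verdict != "allow":
            flagged.append((client, qname, verdict))
    return flagged


if __name__ == "__main__":
    for entry in review_log(QUERY_LOG):
        print(*entry)
```

Domains absent from the feed are reported as “unknown” rather than silently allowed, since a gap in the feed is itself something a vetting team would want to notice.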

“There’s some very big, very successful companies making a lot selling this stuff,” he says. “If I come along and throw a wet blanket over it and say that action is fundamentally destructive to the social order, we need to slow this down a little bit, they’d think I’m nuts.”

ThirdCertainty Editor-In-Chief Byron Acohido contributed to this report.
