Dec 09, 2025
On December 9, The Capitol Forum held a conference call with Dave Piscitello and Karen Rose of Interisle Consulting Group and Rick Lane, CEO of IGGY Ventures LLC, on the growing cybersecurity crisis linked to domain name infrastructure. The full transcript, which has been modified slightly for accuracy, can be found below.
ETHAN EHRENHAFT: Hi, everyone. I’m Ethan Ehrenhaft, a Reporter at The Capitol Forum. Thank you for joining us for today’s conversation on “ICANN, VeriSign, and the Cybercrime Supply Chain.” We’re pleased to be joined today by Karen Rose and Dave Piscitello of Interisle Consulting Group, as well as Rick Lane, CEO of Iggy Ventures. Their work spans cybersecurity, internet governance, child safety, and the policies that shape how the global domain name system operates.
Today’s discussion will focus on the rise of cybercrime enabled through the DNS, how bad actors are rapidly and cheaply acquiring domain names to launch phishing—that’s phishing with ph—malware and spam attacks that reach millions of consumers. We’ll also look at potential steps the administration, Congress, ICANN, and registry operators like VeriSign could take to help mitigate DNS abuse.
And before we get started, a quick housekeeping note. To submit questions, please enter them into the questions box that you should see on your control panel. We’ll collect questions throughout the call and address them during the Q&A towards the end.
And now to introduce today’s speakers. Karen Rose is a partner at Interisle and a leading expert on internet policy and infrastructure. Her career includes senior roles at ISOC, the FCC, and NTIA, where she co-authored the U.S. policy framework that led to the creation of the Internet Corporation for Assigned Names and Numbers, or ICANN.
Dave Piscitello coordinates cybersecurity activities at Interisle and directs the group’s Cybercrime Information Center. He previously served as vice president of security at ICANN and is active with the Anti-Phishing Working Group, the Coalition Against Unsolicited Commercial Email, and the Messaging, Malware, and Mobile Anti-Abuse Working Group.
And last but not least, Rick Lane is the Founder and CEO of Iggy Ventures and a longtime tech policy expert and child safety advocate. He previously spent 16 years at 21st Century Fox as Senior Vice President of Government Affairs and earlier served at the U.S. Chamber of Commerce, focusing on e-commerce and internet policy issues.
So, surrounded by decades of combined experience up here on internet governance. And with that said, thank you all so much for being here. Let’s dive right in. To get us started, so last month, if folks aren’t aware, Interisle released its latest annual cybercrime supply chain report, which analyzed more than 26 million unique cybercrime events involving malware, phishing, and spam, which was a 60 percent increase from last year.
So, Karen or Dave, would love if you could start by telling us a bit about Interisle’s work to begin with, but then also why you started putting out these annual reports.
DAVE PISCITELLO: Sure. I’ll take this. Interisle began its research on domain name and hosting abuse in 2019. This is a follow-on from projects that I was involved in for about 20 years. Our goal was to build a repository to study name and address resources that criminals use to perpetrate cybercrimes. Specifically, we investigate phishing, malware, and spam. We chose these because these are considered cybercrimes in the Council of Europe’s Budapest Convention or the Convention on Cybercrime.
Since 2021, we’ve used the Cybercrime Information Center to provide quarterly and longitudinal analyses of cybercrime activity, particularly measuring and reporting on top level domains, registrars, and website and hosting operators that criminals exploit.
ETHAN EHRENHAFT: And Karen, do you want to add to that and maybe talk a bit about what data you’re sourcing, what’s your methodology, when you’re approaching such a vast issue as cybercrime attacks?
DAVE PISCITELLO: Karen, do you want me to field that?
KAREN ROSE: Yeah. Go ahead, Dave.
DAVE PISCITELLO: Sure. So, we gather millions of reports annually from commercial and publicly available domain name and URL or hyperlinked block list services. For example, in our last three months of measuring spam, we collected four million events.
We also gather DNS data from the public DNS. We get domain and IP registration data from the Registration Data Directory Services. And then many of our feeds provide us with metadata that allows us to understand a little bit about how the domains have been used, for example, what specific malware was hosted and what kind of spam activity. And these all allow us to enrich the names and addresses data with some context.
For most of our measurements, we run numerous filters to deduplicate and normalize our data and to associate domains and addresses with a behavior, for example, bulk registration. We then analyze these unique accounts and report them by category, for example, total abusive registrations, malicious registrations, hosting geography, brands impersonated.
We publish our methodology at the Cybercrime Information Center so that along with using public data—we don’t use any reports that we generate ourselves—we have a published methodology. So, in the spirit of academic research, someone who takes the same data that we have and uses our methodology should find similar results to what we found.
ETHAN EHRENHAFT: All right. Got it. Thanks for that overview, Dave. Karen, maybe if you want to talk a bit about what you mean actually by this term just cybercrime supply chain. What does that imply? And why do you use that when discussing this?
KAREN ROSE: Sure. Cybercrime is a business like any other business. And all businesses need to acquire the supplies and resources they need to put together their products and services and gain value and profit. Cybercriminals operate very much the same way and are now operating at a highly industrialized scale. We are no longer in the space of the proverbial kid in a hoodie in a basement conducting attacks. These are very organized operations. They operate across borders. They have access to considerable resources and their profits are astronomical.
So, we use a cybercrime supply chain in order to be able to look at the inputs and resources that cybercriminals are using to conduct their activities. And if you look at our report, we break these down into different supply chain links – attack resources, naming resources, hosting resources, domain name resources, etcetera – to look at the different inputs they need, acquire and assemble to conduct these attacks.
One of the reasons we do this is because we believe that in order to combat cybercrime, we can’t just take a whack-a-mole approach to go after individual syndicates. We need to look at the resources they are using and to starve criminals of access to those resources, while allowing law-abiding citizens to be able to get access to what they need on the internet.
So, that’s why we take this approach to break it down as a business, to understand it as a business, and then understand what the weak links are in the chain and where they can be broken.
ETHAN EHRENHAFT: Yeah, I think that’s really important to sort of qualify up front that with some of these enterprises, we’re talking about cybercriminals, like you said, that would like very much mirror real-world corporate infrastructure. They might offer salary jobs and benefits to employees. And yet, they’re conducting these attacks on an industrialized scale.
And your most recent report really gets into this issue of cybercrime as a service or phishing as a service. Why do you think this professionalized model has taken off, especially, again, really since the pandemic? And we’ve seen that reflected in some news stories that have been put out in recent weeks, as folks might be familiar with.
DAVE PISCITELLO: Yeah. So, we’ve been studying all three kinds of attacks that operate as services at this point. And crime as a service generally is an evolution of exploit kits or attack kits and botnets and merging the services of the two. A kit attempts to provide an attack-in-a-box kind of solution. It’s a set of files that you can acquire on the dark web, and in fact, for a while, you could acquire them on social media. The kits were a way for someone who was actually a professional, so to speak, in attacking, phishing, spamming, or in developing and distributing malware, to monetize what he does.
So, it’s a follow-the-money kind of thing. Instead of just doing it on your own and being the only one at risk and being the only one who profits, there was an amplification.
Wannabe spammers or phishers needed hack infrastructures. They needed a kit to actually understand and how to operate a phishing website and generate emails and the like. And so, there was sort of a natural evolution – from giving people the opportunity to download a kit and giving people the opportunity to lease a botnet – to combining these into a subscriber or affiliate service where you offer domain registration, along with the kits, along with a way to impersonate or attack specific brands and lists of the brands. Enabling and perpetuating the attack, all the way through to cash-out methods are now in these services.
So, we look at this as sort of a natural or business-savvy evolution. We went from one-man operation to small business to full-on enterprise.
ETHAN EHRENHAFT: Yeah, that’s a scary thought that we’re now on the full-on enterprise end of it.
DAVE PISCITELLO: Well, we’re not quite on the full-on enterprise yet. We’re only seeing the emergence of how criminals are going to be using AI in order to not only facilitate the attacks, but to react in real-time to what they receive back from a victim.
ETHAN EHRENHAFT: Right. I’m sure AI will just add a whole other layer of sophistication to this supply chain. Turning to Rick, Rick, would love to get your thoughts on some of your reactions to Interisle’s findings. You’ve worked in online safety for a long time. You advise the FTC, state governments on some of these issues. So, what have been some of the most alarming trends to you in this DNS abuse space in recent years?
RICK LANE: Well, I think one of the facts that come out of this report is that we knew this was going to happen. This is not a surprise based on the policies of ICANN and the contracted parties. This discussion around WHOIS, and access to WHOIS, and cybersecurity, was at the cornerstone when ICANN was—and Karen will remember this – NewCo, back in 1998, as part of the Department of Commerce white and green papers that created ICANN.
And one of the first things that was an important piece in the Federal Register that came out was making sure that there was access to WHOIS information, that there’s going to be concerns about trademarks, cybersecurity. So, this discussion is not new. What we have seen is that it’s just grown considerably because of some of the policy decisions within the ICANN process and its delaying in engaging.
ETHAN EHRENHAFT: Yeah, I think that’s important to also discuss here is that these issues have been going on since the dawn of the internet to some degree, but it’s an evolution, as Dave was talking about. Maybe to take a step back—and Karen, you might be the best person for this, since you were involved in the creation of DNS governance back in the day. If you wouldn’t mind giving the audience maybe just a brief breakdown of how internet governance works, and sort of what is the relationship between these various players that you all highlight in the report that are responsible for domain names?
KAREN ROSE: Sure, yeah. So, ICANN, the Internet Corporation for Assigned Names and Numbers, is a nonprofit public benefit organization that was established to coordinate certain aspects of the internet’s unique identifier system. In addition to coordinating things and maintaining uniqueness of domain names, there’s other activities that they do with respect to the distribution of IP addresses, and other little bits and bobs of maintaining lists of unique identifiers that most of us never see, recognize, hear about, with respect to some of the IANA function in particular.
In the domain names space, ICANN does a number of things. ICANN is intended to be an organization that develops policy from the bottom up with stakeholder representation and open processes to develop DNS policies. ICANN also does things like accredit internet registrars and contract with internet registries. They maintain the standards by which the industry needs to operate contractually, as well as running processes for the selection of new top-level domains.
In that, I would say—and I think it’s relevant to our discussion—from its inception, one of ICANN’s main purposes and goals was to develop competition in the internet domain name space. Because we went from having no competition to then opening up domain name registration to multiple registrars and then to open up the domain name space to new TLDs. And this has been a particular pursuit of ICANN, again, since its inception.
One of the things I think we’re potentially seeing now is excess entry in the marketplace, especially given the reduction in domain name demand, and a question about the standards by which ICANN promulgates for the industry. Are the standards by which registries and registrars operate too low? Do we need to start raising standards, especially in light of developments in the marketplace?
And I would say that one of the things that we did not have back in the day is the level of DNS abuse we have now. There were always people registering domain names for bad and nefarious things. Now, however, we are seeing this done on an industrial scale. We are just in such a fundamentally different place, than we were 20 years ago, that we need to start looking and adapting ICANN’s policies in response to the realities of the market today.
But again, ICANN’s overall function is not just an industry organization. It is a public benefit organization. And it does have public interest requirements and obligations. So, that’s the overall framework of ICANN and the basic relationships.
ETHAN EHRENHAFT: Thank you, yeah. Go ahead, Dave.
DAVE PISCITELLO: So, one of the things that our work has demonstrated to us over the periods of time that we’ve been doing longitudinal analyses is that very few people understand that ICANN has a limited purview in this. They have a purview in what are called the generic TLD space, and while there’s a relationship between ICANN and the countries that have what are called country code TLDs, the countries basically set their own policies. And in some cases, the countries have exceptionally better policies.
The other aspect that people tend to focus on when they look at ICANN is domain names only. Hosting is also one of the biggest problems. You don’t need a domain name to host malware. You need an IP address. You can use any IP address. You can even use residential access devices like home routers.
So, ICANN has no purview over those spaces. And if we continue to look at each of these as silos, and we just look at the ICANN piece, and we just look at the hosting piece, and we then don’t consider the fact that free website operators like Blogspot and Weebly and others whose services don’t even need unique domain names, we’re never going to really solve the problem.
We have a big problem space to solve. We can tackle it piecemeal. But one of the things we have to pay attention to is that pressing on one silo without trying to exert the commensurate pressure on all three silos is not going to solve the problem.
ETHAN EHRENHAFT: Sure, yeah. It’s a very intertwined ecosystem. As you said, David, you can’t look at the registrars in one silo, registry operators in another silo, hosting services, and yet another. Rick, did you have anything else to add to that? Or I would say just building off of maybe Karen’s remark about competition in this space—I think this is related—is that in the early days of the internet, folks wanted to make their name registration as easy as possible, but that lack of friction ultimately has also made it a lot easier for exploitation by cybercriminals.
So, any thoughts on why this lack of friction has largely continued unabated and in some ways gotten worse? Because, I mean, my understanding is really like, if you want to acquire some of these resources, usually all you need is like a credit card, email, not much else.
RICK LANE: Yeah. I think, first of all, David’s absolutely correct. It’s all layers of the stack we need to address. It’s a supply chain. It’s not just one link in the chain. So, obviously we have to address those issues, but you do have to address the fundamental problems within ICANN and its structure. Because, as Karen said, it’s not supposed to be a trade association for the contracted parties. It’s supposed to have a public interest.
And what has happened over time is that the contracted parties, they have basically control of ICANN right now, the way the process works. And we haven’t had major policy changes in ICANN in like over ten years. The average time it takes to have any discussions—we started this RDRS process, ticketing system for requests, what? Five, six years ago now? And we’re still nowhere. And we’re still having conversations about it. It just gets pushed down. We had one policy that did go through, which was VeriSign was supposed to have a thick WHOIS. And that has completely disappeared. They’re no longer in existence.
And then when they want to change something, the contracted parties, they go through contracts. They’re contracts. Because that’s how ICANN works. It’s contracted parties with the registries and the registrars and then the registrant. And when they put something in the contract, the multi-stakeholder process has no say because they don’t have privity to that contract. They can’t say we don’t like that provision in that contract. They can just say, you can’t sue us because the contract is between ICANN and the contracted parties.
So, you do have a fundamental structure at the base level, at the internet protocol level, that is creating and starting the harms. But, as Dave correctly pointed out, it has to go all the way through the process. But we have to start somewhere as well. And right now, because the economic incentive is to sell as many domain names as possible or to license—because you don’t sell them. You don’t own them as the individuals—to license those domain names as many as possible, as quickly as possible. All these hurdles that try to protect consumers and help fight cybercrime just become a nuisance.
ETHAN EHRENHAFT: Karen or Dave, do either of you, just thoughts—since I know both of you have worked with and for ICANN—how that barrier kind of gets moved forward. If, as Rick was saying also the infrastructure is not just the registry operators, registrars benefiting from domain name registration. I mean, this is how ICANN partially generates revenue as well. Any thoughts on that?
RICK LANE: Not just partially.
ETHAN EHRENHAFT: Yes, not just partially.
KAREN ROSE: Well, I think if we look at the malicious use of domain names – it’s usually called domain name abuse within ICANN in parlance—ICANN needs to take a very holistic and serious look at this issue. I think it is an issue that ICANN needs to make some pretty specific statements about their intent to reduce malicious domain name abuse.
The organization, at the moment, does not have any identifiable or measurable goals for reducing abuse or a broad, board-level statement saying that this is something that must be addressed. They did identify domain name abuse as a threat in their last strategic plan. But that was not balanced by saying addressing it needs to be a priority for the organization.
That said, ICANN is currently looking at a number of policies, two policies, related to domain name abuse. And there currently is a policy in place that deals with the mitigation of abusive domains on the back end. So, it’s not like the organization has not looked at this issue at all or has done nothing about this issue. But this issue, in order to be able to address it, needs a more sort of holistic approach and holistic look at saying what are the factors.
It’s not just going to be one policy that is going to reduce the harm of domain name abuse. It’s going to have to look across proactive, preventative measures for domain name abuse, as well as mitigation measures, as well as holding operators to a certain level of accountability for processing and taking abusive domains.
The organization is looking at this issue in a limited way, but a more holistic approach is really needed. Because one or two policies here and there is not going to solve this problem.
DAVE PISCITELLO: I was VP of Security and ICT Coordination at ICANN for a number of years. So, I know how the sausage is made. And one of the things that retrospectively, looking back now almost seven years since I’ve left the organization, is that, like any other organization, and even like constitutionalists, you have to look at what you wrote down over 250 years ago and consider whether it’s still relevant and whether there are areas where you need to improve.
I have been chatting with my partners about, gee, maybe someone should take a look at the bylaws and look at the structure of ICANN and say, is the structure actually meeting what the expectations were back in the 1990s? And that’s as far as I really want to comment about it because I don’t want to pull us off the main topic.
I want to emphasize that not only has Karen been spot on about where ICANN is today and what they’re trying to do, but for a number of years, we and others have been identifying possible solutions to mitigating abuse or at least throttling it back. And many of the proactive or preemptive activities that registries and registrars can do with respect to domain names at the time of registration as opposed to after it’s registered are important.
And while there’s no vaccine, there are certain things that you can do, that we do post-mortem, that would allow you to say why are there suddenly 56,000 domains with the string EZTOLL in them? Why were they all registered on a given day at a given time by an unknown party, but through the same registrar in the same TLD? These are all sort of “markers of a fingerprint” that tell you this is not an activity that we intended when we created the domain name registration system.
So, if you look at the problem that way, you say, “All right. There are a number of things we can do. We can delay delegation to investigate as an example.” And some of those remedies are things that are going to disrupt the way that the registries and registrars do business. They’re not going to enter them lightly without understanding the cost and understanding how they respond and change their business model.
But the conversation has at least begun. And coming from where I was when I went into ICANN in 2005 when no one spoke at all about the word security, I don’t want to say that two decades later we’ve made marked progress. But at least we’ve moved the goalposts a little bit.
ETHAN EHRENHAFT: Before we—I think, we’ll definitely want to close on just looking at solutions and more specific possible policy recommendations. But I want to pick up on something you were talking about, Dave, which is like just the issue of like all registrations and the fact that folks might be registering thousands of domains over the span of a few minutes, all containing like USPS in the top level domain, for instance.
So, either Dave or Karen, do you mind talking briefly about this issue of bulk domain registrations? Because to me, one of the most alarming stats from the latest report was this 177 percent spike year over year in malicious bulk registration. So, if you don’t mind talking about what exactly is a bulk registration? Because I think this speaks to and ties together some of the greater DNS problems we’ve been looking at.
KAREN ROSE: Sure. I’ll start off and you can add, Dave. So, bulk registration is basically a process by which an individual or an entity can register very, very large numbers of domain names at one time. And this is often done by cybercriminals. They register thousands of domain names at a time over very, very short periods. So, for example, in our phishing landscape study, we found a case of one criminal registering 17,000 domains within a span of hours – very high-volume registration.
One of the things that I want to add in this as well is that a lot of these registrations, as Dave was saying, are very conspicuous. We are seeing, when we do our research, that these cybercriminals will register variations, very conspicuous variations, on brand names. My mother was caught up in a phishing scam because somebody registered Amazone customer service. And when you look through these registrations and these cybercriminal registrations, they are all very conspicuous variations – or many of them are very conspicuous variations – on a theme. A lot of them show signs of being algorithmically generated, thousands of complete nonsense strings registered at a time.
So, that is the practice. That is facilitated by services that are offered by certain registrars. Registrars are where the customer goes to register the domain name. And cybercriminals are exploiting these bulk registration tools at a very high-level.
And as Dave was mentioning, when we look at some of the bulk registration patterns we see that for a particular TLD, sometimes the amount of cybercriminal registrations that churn, that are reported and churn through that registry in one year are higher than the snapshot of the domains under registration for that year. So, especially if you’re a small provider and you wake up one day and before you had a handful of domains in your registry and all of a sudden the next day you have 20,000 domain names, extra domain names as a registrar or registry, you would think you might want to take a look, right?
So, bulk registration, again, these are this high volume registration. Cybercriminals are exploiting them and they’re exploiting them in very, very conspicuous ways. Which leads to the question of we need to look at. And there is a policy being considered in ICANN to look at bulk registration specifically. Again, it is a good start, but it is definitely a tool that is aggressively exploited by cybercriminals.
RICK LANE: If I can add just a couple of points there. One, when I was at the Chamber in the late 90s when this was coming around, there were efforts in Congress to kill ICANN because they felt that it had gone astray from the interests of the business community and consumer protection. And we felt at the Chamber that as a nonprofit, a private sector entity could move faster than governments to implement changes and protect consumers and protect the interests of business, not the interests of the contracted parties, the interests of business and consumers.
And we have drifted away from that, which is why you have a lot of businesses raising so many concerns. The business constituency, the intellectual property constituencies, they are not happy right now with the process of ICANN and are getting frustrated and people are just leaving it, which is a threat to ICANN itself. Because the model is valid of multi-stakeholder, but it is not being implemented in a way.
The other thing, when you add bulk registration along with privacy proxy and the inability to send—you have to do one request at a time to a registrar or a registry. You can’t do bulk and try to figure out the strings that are out there. You’re doing one at a time and you have 1,000 out there based on your trademark. That becomes a huge problem. And that is what we have lost.
And it’s one of the reasons why the EU’s NIS2, their national security strategy, talks about, from a cybersecurity and consumer protection standpoint, the need for access to WHOIS and the issues around privacy proxies, both also at the registrar and registry levels. And those discussions, there’s a lot of ongoing discussions at ICANN. It’s like the soap operas back from Channel 7 that you would watch. You can miss it for like a year and the characters are the same and the storylines are the same. And that’s what we’re finding right now is that there’s a lot of discussion, but no action.
ETHAN EHRENHAFT: Taking a step back, Rick, just to also set terms for the audience, do you mind just talking about, for viewers, the European Union’s NIS2 directive standards? It’s something that I think, Dave and Karen, in your phishing report mentioned that this is something that ICANN could and should look at adopting itself. But Rick, do you mind talking about what makes those standards in the EU a potentially effective model to follow?
RICK LANE: Yeah, I think you just have to read their report and the directive. And I’ll just read one small section of it. It says, “Upholding and preserving a reliable, resilient, and secure domain name system are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation on which the digital economy and society depend.”
And then it says, “Therefore, the directive should apply to top-level domain name registries and DNS service providers that are to be understood as entities providing publicly available recursive domain name resolution services for internet end users.” And it goes on to talk about that “maintaining accurate and complete databases of domain name registration data, WHOIS data, and providing lawful access to such data is essential to ensure the security, stability, and resilience of the DNS.” And that’s their core structure. I mean, that’s right out of the NIS2. And that’s what we’re saying. Those of us in the IPC and the child safety realm in the business constituency is exactly what the NIS2. When the GDPR, the EU’s privacy directive, came out, the contracted parties were quick to say, oh, my gosh. We’re going to be fined. And we need to make the WHOIS go dark. And then the privacy proxy structure just got shut down in conversations.
Then when the NIS2 comes out and is being implemented by certain countries in the EU, a little slower to react. That’s because—again, I don’t blame them. I’m a businessperson. Their economic self-interest is to not have to have any liability or to take necessary steps that are cost centers.
What we’re talking about from the business constituent side and the intellectual property constituent side are cost centers. We understand that. But when you build a business based on the historical record, getting back to the founding fathers of the internet and this whole ICANN infrastructure, the key component was to protect businesses and consumers.
ETHAN EHRENHAFT: Karen or Dave, I think this would be a good place to start getting into some of your policy recommendations from the latest cybercrime supply chain report, one of which was this idea of robust identity verification on the front end. So, I was wondering if one of you wanted to start addressing that point.
DAVE PISCITELLO: Before we do that, I’ve realized that we haven’t explained why people register thousands of domains. And I think it’s important. Because the average person would say, gee, I only need one domain for a phishing attack or one domain for a spam attack. Well, Rick mentioned security, stability and resiliency. And resiliency is something that cybercriminals actually appreciate even more than many, many large enterprises. You want to be resilient from failure. In the case of a cyberattack, if someone takes down one domain and that’s the only domain where you’re hosting your phishing website, your impersonation website, you’re out of business.
Now, if you want to model it after weaponry, having a revolver versus having a gun with a clip versus having a machine gun with a thousand shells or bullets, you’re weaponizing in a sense. If I have a thousand names, and I don’t just only put them in one TLD, and I scatter them all over, we call this snowshoe. You’re distributing your weight across the snow on a broad shoe so that all your weight is not on one small area and doesn’t sink through the snow.
Well, in the same sense, what criminals do is get a thousand domains, go out, use those thousand domains. By the time the folks at Spamhaus or SURBL collect all those, they’ve gone and done it again. So, they’re just buying more and more magazines and it’s basically lather, rinse, repeat.
And when we talk about, when Karen talks about, one instance of 17,000 in a couple of hours, what you have to understand is that it’s very likely that those same criminal enterprises are doing this repeatedly within a month, month after month after month. And it’s the only explanation for how steep the slope of this curve of growth in cyberattacks is.
KAREN ROSE: I’m wondering if I can just put some numbers on some of what we’re talking about. So, looking in our study, the cybercrime supply chain, we found over the course of one year, 19.5 million domain names that were either compromised or purposely maliciously registered that were used in cybercrimes across phishing, spam, and malware.
If we look at bulk registration, within our definition of bulk registrations, we found over seven million domain names maliciously registered in bulk. And this was up 150 percent from last year. So, this kind of activity is not just growing slowly. It is growing by leaps and bounds.
And I want to make a comment as well. A lot of times we talk about volumes of domain names. But as Dave was saying, domain names are weaponized. And each weaponized domain name has the potential of creating mass public harm.
I want to talk quickly about a couple of numbers. This isn’t research from us. This is research from an organization called Silent Push that did a lot of investigating into the Lighthouse syndicate. So, they found, looking at some inside information they got out of Lighthouse, that off the back of just 9,000 domains, Lighthouse was able to reach and victimize over a million victims in just 20 days.
If you look at also the numbers of credit cards that are stolen on the back of domains—again, this was looking at a specific aspect of Lighthouse. This may not be generally applicable to every single domain name that is registered for a malicious purpose. But looking at Lighthouse, they found that these cyber criminals were able to capture over 440,000 credit cards just on the back of 1,000 domain names. This was an average of almost 400 stolen credit cards per domain name in this particular scan.
So, the volumes that we’re talking about are huge and they are growing by leaps and bounds. And the amount of public harm that can be caused on the back of even one or a handful of domain names is significant. And I say this as a segue to when we’re going to be talking about solutions, which I will pause on but am happy to get into, because just focusing on things like mitigation on the back end is not good enough. By the time, as Dave was saying, that these are identified and taken down, the cyber criminals are already on to their next scam. And millions of people have been victimized. So, we need a more robust and coherent strategy and policies to look at this problem.
ETHAN EHRENHAFT: Right. Because by the time that potentially a malicious domain name gets flagged, the damage has already been done. It’s been exposed to thousands, tens of thousands of consumers.
I guess, Karen, one immediate follow-up, and then we can start getting into solutions and recommendations more. But just why permit the practice of bulk registrations to begin with, if you’re a registrar, if there’s such a high correlation or potential for this to be abused in this very way?
KAREN ROSE: We have not been presented with any cases of why a legitimate user would want to register 17,000, 10,000 domain names at a time. I mean, even organizations that do things like brand protection. Or let’s say that you’re starting a business, right? You have a bunch of different business names that you have an idea for, and you want to register 100 variations on the business names you’re thinking of preemptively so you can decide later.
The cases that people generally talk to us about are ones that are handfuls, hundreds of domains, not thousands and thousands of domains. Maybe Rick or Dave knows of instances where there’s legitimate use at these levels. But at these levels, there are no legitimate uses I’m aware of.
RICK LANE: If I can just add to that, think about it from a business perspective. They don’t want to spend money on a bunch of domain names. That is not their interest. And defensive registration, which is what you do sometimes as a business to defend against trademark, can be expensive. And you sometimes just say, it’s not worth it. And so, that is one of the areas where, again, I work for a Fortune 50 company. We did not buy domain names in bulk like that. There is no need. And our CFO would just say, why are you guys doing that?
The other thing that’s important about the bulk registration and what Dave was saying about buying it from different registrars or licensing it and getting it from different registrars and registries, this is why the registries have to be part of this solution of having accessible and accurate WHOIS, because it’s hard. I think there’s like 2,300 registrars that provide registrants with .com and .net or something like that. So, going to 2,400 different registrars one at a time, trying to figure out the connection, the cybercriminals know that it’s an impossible task.
And then once you get to the ccTLDs, it gets even more complicated, as Dave mentioned. But now we’re facing a time where a lot of the focus for ICANN is rolling out new gTLDs. And we haven’t even solved the problems with the old ones yet.
And so, talk about the study for when the new gTLDs come out, for Dave and Karen, we’re going to be here saying, is it shocking that the numbers are through the roof even more because we have these new gTLDs without any infrastructure in place to protect brand owners and cybersecurity and all the things they’re finding in the reports? It’s just a very vicious cycle, and that madness just needs to stop.
DAVE PISCITELLO: Well, let me give you a couple of examples of what is considered legitimate. If you are trying to monetize domains and you have some intel about an emerging keyword that’s going to be very popular in domain use, you might go out and grab lots of different name spins of that and speculate with them.
So, that’s one. The other is the secondary market. I imagine that there are people who are tracking what is called the drop period. When someone’s domain expires, the “drop catchers” go out and they grab as many domains as they can. They’re not really bulk registrations in the context that we describe. We only begin with domains reported for criminal activity, and the pace of registration that we’re talking about is something that cannot be achieved by humans typing things. It’s something that has to be done by automation. And maybe AI will help us identify bulk registrants in the future. But for now, when we look at something that’s bulk registration, whether we have WHOIS or not is almost immaterial because we can tell by the behavior and tell by the result.
ETHAN EHRENHAFT: And I want to be conscious of time here, and leave time for audience questions, which we’re starting to get. Please, if you have any, feel free again to type those into the questions panel. But maybe starting with Karen, if you want to get into, again, some of these policy recommendations that Interisle put forward in your two most recent reports I mentioned earlier, potentially identity verification requirements. And some of these are policies that have already been adopted, for instance, by, I know, certain ccTLDs. So, yeah, to start on any of those.
KAREN ROSE: Yeah. So, as I mentioned, ICANN really needs to pursue a coherent strategy around mitigating DNS abuse and lowering the rates of DNS abuse. It needs to be built around measurable goals, effective prevention, rapid mitigation, and credible enforcement.
So, first of all, ICANN needs to adopt a clear policy goal at the board level that says they are going to go after and reduce DNS abuse. This is an urgent issue. I think the ICANN board’s lack of very, very clear statement on this is not a great look. It suggests the lack of urgency in addressing the public harm that is being perpetrated on the back of a market they oversee.
In terms of prevention, again, we need to look at measures to prevent abuse before it happens. Because as we said, by the time abuse happens, people have already been victimized. So, a couple of things that have proven effective is automated screening to reduce suspicious registrations. There are systems that are being put in place, for example, in Europe for European ccTLDs that look and they scan for suspicious registration activity. And they pause the registration of that domain name until it can be investigated. So, these preventative measures on the front end to proactively screen for domain name abuse are proving to be effective.
Number two, stronger verification of registration data. So, Rick was talking about the NIS2 verification framework and the requirements there. A stronger verification of users has been shown to lower rates of abuse. Right now, the ICANN policies for verifying registration data from registrants is very, very minimal. So, we need stronger verification, and verification at point of sale, not just after the horse is already out of the barn.
Restrictions on bulk registration services, or greater oversight and greater control over bulk registration: ICANN is currently discussing a policy within its process on that, but again, that needs to be part of a larger, more coherent strategy to battle DNS abuse.
On mitigation, some abuse is going to get through, even if there are the best preventative measures. So, we need to speed up the response times and strengthen the process and requirements for mitigating a maliciously registered domain name once it’s been found. That process needs to be much easier, more efficient. And these domains need to be taken down within a critical window of about 24 hours, not, “Well, we’ll look at it. We’ll get an email and we’ll look at it in a few days and then check out the domain name.” And now there’s some research saying that it takes an average of nine days through ICANN’s process in order to get a domain name taken down. By that time, people have already been victimized and the damage has been done.
Finally, the last thing I’ll say is they need to raise the accountability and enforcement standards. So, registries and registrars which have shown persistently high abuse rates need to improve their performance or face penalties such as suspension of their registration privileges or even potential deaccreditation. So, we need good enforcement and accountability in addition to preventative as well as mitigation measures.
ETHAN EHRENHAFT: Thanks, Karen. And yeah, Rick and Dave, please feel free to add. And then we do want to get to some audience questions as well.
DAVE PISCITELLO: Just one very important one that Karen didn’t mention is a trusted reporter environment. One of the challenges, and Rick alluded to it, is that if you have a thousand domains, you can’t feed them in one at a time. You have to have some relationships between the registrars, registries and parties that are competent, who report, who go out and do the investigation. The reporters are legit, private sector, first responders. They’re doing triage. They’re not all intellectual property people. A lot of them are public safety people. A lot of them are independent people like us. We need an environment where we set aside, “oh, who’s going to be liable for a false positive?” for a second, and just model what a trusted reporter should do and what the party that receives it should do. And then figure out what kind of liability environment it is.
So, if I could say one thing to ICANN, I’d say, could the lawyers just set aside for a while and listen? And just kind of think about how this might work as opposed to immediately responding by, no, it can’t work. I think we could make a lot of progress.
ETHAN EHRENHAFT: And Rick, yeah, please feel free to chime in there.
RICK LANE: Yeah, I agree with everything that Karen and Dave have said about the internal process that needs to happen at ICANN. The problem is we’ll be here in 2030 having the same conversation if history is an indication. We’ve been having these conversations since 1998, and we haven’t gotten anywhere.
That is why the EU took strong steps with NIS2. They felt the same frustration, and they decided to do it unilaterally. I think the U.S. government needs to do the same. I think that if .com and .net basically control 90 percent of the gTLD market from their own stats, they have a 60 percent net profit, which is great. If you have 10 percent, you’re doing well. And 20 percent, you’re doing amazing. 60 percent, that’s impressive. Because they have been given a monopoly by the U.S. government. But it is something that the U.S. government should be looking at, where the harms are in terms of the two.
We need to support the Anti-Cybersquatting Protection Act reforms that need to take place so that U.S. businesses have the ability to hold the contracted parties accountable for what happens when they are doing bulk registration. It gets back to accountability that Karen talked about. I have not seen, and I would love to know if there’s stats out there, any registry or registrar and how many have lost accreditation because they are not fulfilling their obligations under their contracts. I haven’t been able to find one. But maybe there is an example, and maybe Karen knows more than I. But with the total harm that is occurring out there, the fact that there’s no ramifications is, I think, telling in and of itself.
ETHAN EHRENHAFT: Thanks, Rick. I had one question that I wanted to get to from an audience member, and I think this is for the Interisle folks. But do you have numbers excluding spam? That’s a point of disagreement as DNS abuse unless used for malware. So, I guess getting into sort of the definition there.
DAVE PISCITELLO: Sure. We’re running out of time. I’m not going to try to cite numbers by scrambling and looking for a report that’s online, but we do a Phishing Landscape report. And the only thing that we measure in that report is phishing. And the numbers are just as frightening.
And we also, at our Cybercrime Information Center, post quarterly figures for phishing, spam, and malware. And those figures include rankings by TLD and registrar and hosting network for phishing, malware, and spam every quarter. We publish a summary of those on a monthly basis at our substack, interisle.substack.com.
So, there’s a lot of numbers out there if you’re looking for numbers. Spam, the only comment I’ll make is that if you still don’t think that spam is a cybercrime, you’re not understanding what spam is.
ETHAN EHRENHAFT: Thanks, Dave. Yeah, and then this might be a good question. I know we’re brushing up on the hour here. But this is another one. Has there been a gTLD that’s been particularly effective at implementing some of the recommendations you’ve discussed or that has shown a significant cutback on being associated with cybercrime? Any example there that kind of jumps out to you?
DAVE PISCITELLO: Yeah. And again, I’ll point you to some of the posts that we’ve made at our substack. There are some new gTLDs from the 2014 program that are called Community TLDs. And one group of those TLDs is called the highly secure TLDs. They, for the most part, have exceptionally low phishing and spam and malware. That’s like .bank and .insurance and .pharmacy. That’s because they have registration requirements. And they also have higher registration fees compared to the 99 cents fees that you can get elsewhere.
The other group that is also a community new TLD is the city or geo TLDs like .paris, .berlin, .catalan, and the like. They are all relatively small and the fees are varied, but they also have very, very little phishing. Again, it’s because they require a nexus. They have a requirement and obligation to provide some sort of association with the community or some sort of valid ID.
What we found is that not having any registration restriction will chase away phishers because they just don’t want to bother when there’s less friction elsewhere. And that combined with having even slightly higher fees tends to dramatically reduce the amount of phishing or malware or spam that we encounter.
RICK LANE: What’s sad about Dave’s answer is he talked about there’s some ccTLDs that have done really well in this space because of the requirements. But one that has not is .us, which is managed and controlled by the U.S. government. And it has high abuse rates for phishing and others because most people don’t realize that .us is not .gov. And so, when they see something coming in, they say, oh, .us, they think it is a government entity. And those numbers run pretty high.
We’ve been trying to get some of those numbers publicly, and it’s been impossible. They’re supposed to do reports every year, but they don’t make them public. But just from some of the research that I’ve seen out there, the .us is a big problem.
KAREN ROSE: And just very quickly, I would just add that a number of our studies, the Phishing Landscape Report, and I think also the Cybercrime Supply Chain, do have some case studies that look comparatively at the rates of abusive registrations across different categories of domains. For example, we looked at ccTLDs and registration policies in ccTLDs as a cohort, as well as some gTLDs. So, you can definitely go to a report for that.
Also, we do have, you were talking about rankings and where do you see the most abuse. Our Phishing Landscape and Cybercrime Supply Chain study have those. And as Dave said, in addition, our Cybercrime Information Center has those rankings updated.
ETHAN EHRENHAFT: Awesome. Well, that might be a good note to end on. I know we’re at the hour. But I would certainly encourage everyone listening to check out Interisle’s site and the two most recent reports. But it was great talking with you all. I know we covered a lot of ground, but thanks so much for joining us.
KAREN ROSE: Thank you.
DAVE PISCITELLO: Thank you. Everyone have a good day.
RICK LANE: Thank you.
ETHAN EHRENHAFT: Thank you. And you can find more of our reporting and our media library on our website. And we always welcome questions or feedback at editorial@thecapitolforum.com. So, thanks again, everyone. And hope everyone has a great rest of their day.
KAREN ROSE: Have a good holiday.
ETHAN EHRENHAFT: Bye.
RICK LANE: Happy holidays.