Streamlining domain name abuse reports and disclosure requests

We released a few new features, one of them, RDAP reseller Vcard. 

To further streamline abuse reports & disclosure requests, Realtime Register introduces the Abuse Vcard. This Vcard will display your (reseller role) abuse contact details through RDAP. 

Showing your (external) abuse contact information will increase the speed of abuse reporting. 

Internal abuse email address/information. 

Resellers can also enter abuse contact information for our abuse & support staff. 

We are not setting requirements here for our resellers, but it would be good if this email address is monitored 24/7. We intend to use this info for emergency communications when dealing with security threats. 

Abuse Domain Manager

 

External abuse reporting address (RDAP). 

RDAP, the replacement of WHOIS, is role-based and supports Vcards. The general idea is that resellers supply their public abuse email address and Company name and telephone number. 

Once this information is present in our system, we will display the info through RDAP. We are confident that the use of this extra contact will streamline abuse reporting.  

Resellers can also assign an abuse contact information for sub-resellers or different labels using the branding management tool within the reseller account. 

At a later stage, we will incorporate such public abuse email addresses in our reseller lookup tool. 

Reseller lookup tool? Yes, just before the GDPR enforcement back in 2018, we introduced a reseller lookup tool to assist LEA’s and other third parties. 

https://www.realtimeregister.com/resources/locate-your-provider/

Reseller Lookup tool

For the reader who knows RDAP very well, yes, we are using the reseller role to display abuse contact information. 

We think that this a better use for now as we already have a reseller lookup tool. 

While RDAP supports many more roles, there is currently no standard for other roles. Once more roles are defined, we can add more info to RDAP. 

Data Protection Officer 

If your company has a DPO, please enter their contact information. While this would satisfy GDPR compliance requirements, there are multiple practical reasons: 

  • Registrant disclosure requests
  • More streamlined communication if there is a data breach. 
  • Improved communication if a data subject wants to exercise his or her rights provided by the GDPR. 

RDAP Output with Abuse Vcard

ICANN SSAD.

The ICANN community is still working on the Standardized System for Access and Disclosure (SSAD).

The details of how this is going to work are still being discussed.

 But we imagine that at some point, we want to automate disclosure requests as much as possible. 

The DPO contact role may, at some point, be used within the SSAD to send disclosure requests.

GDPR Art 27

For those of our resellers who need to comply with Art 27, you can now enter an email address of such a GDPR Representative.

Again this is to ensure better coordination between requestors and other third parties. 

The GDPR Representative data is not public in the WHOIS or RDAP. 

Please check our knowledge base on how to add this information to your into the Realtime Register Domain Manager.

Using Spiderfoot to combat domain name abuse/security threats

“Behavior reflects personality. The best indicator of future violence is past violence. To understand the “artist,” you must study his “art.” The crime must be evaluated in its totality. There is no substitute for experience, and if you want to understand the criminal mind, you must go directly to the source and learn to decipher what he tells you. And, above all: Why + How = Who.”
― John E. Douglas, Mindhunter: Inside the FBI’s Elite Serial Crime Unit

The above quote is also applicable when you deal with cybercrime investigations. Though registrars usually do not deal with serial killers, we do deal with a lot of security threats.
And security threats require a holistic approach to get to the Why + How = Who.
Lucky for cyber threat intelligence analysts, there is Spiderfoot created by Steve Micallef. Spiderfoot automates a lot of research and combines the data.

Spiderfoot Tree map

So let me run you through a typical abuse report and how I used to approach such a report.
Assume the domain name account-login.tld is reported for malware activities. The experienced investigator understands that such a domain name can be used for a lot of different things.

  • apple.com.account-login.icu
  • BankName.account-login.tld
  • YourCompany.URLaccount-login.tld

With just a few of the above examples, the potential scope of criminal possibilities has expanded from malware to spam to phishing and or account theft. BEC/VEC fraud is also associated with such domain names.

I also could be dealing with a poorly chosen domain name of a company that uses the domain name to let employees log in to a CRM. Here at Realtime Register, we also have a few domain names that, at first glance, reveal nothing about our business but are essential in our daily operations. Suspending such domain names even if there is a report of malware could be very tricky.
Not to mention the legal liabilities.
If the domain name is suspended and hundreds of employees cannot do their work, well, again tricky.

So what I lack here is actionable info.
The first action is to inform the reseller of the security threat report. Making sure the uptime is as low as possible is essential. The reseller might be dealing with an unmanaged VPS, which also complicates the matter.
I mention the unmanaged VPS with a reason. Often wholesale registrars are powerless to address the issue.
Wholesale registrars might not host anything or do not provide email services. But with some research, things might become actionable.

Weapons of choice.
So there are many tools out there that you can use for your investigation.
Virustotal.com can be used for a second opinion when dealing with malware or phishing. It has many more features, so check it out.

Do you want to check if subdomains are present for malicious practices? Well, try Sublist3r.

If you want to check co-hosted sites, DGA domains, or cybersquatting domain names on a server, check out RiskIQ community edition.
RiskIQ is also great for some first OSINT research and is just awesome when doing reverse domain name lookups through a Google or FB id.

You also want to check some threat exchanges like Pulsedive. Getting some info on past breaches and leak sites is also handy to known.
Doing a little research on the dark web through Intelligence X on the domain name could reveal actionable info also.

The need for speed
Checking all the mentioned sources would take a lot of time, most likely a full day to gather the information.
Not to mention, you need to analyze all the information.

So here is where Spiderfoot comes in.
Spiderfoot connects to all these databases and pulls that info for you.
One interface, one scan, and within 30 minutes, you usually have actionable information.
Through the report section, you correlate the data and collected evidence.
The evidence can be exported, which is a great plus if an officer of the law contacts you about a malicious domain name.
Usually, LE’s officers are somewhat surprised by the amount of data you have on a target.

Spiderfoot short overview

Reconnaissance, the first scan
The scan setting I use is always set to passive, and there are a few reasons for that.
-I do not want to alert the criminals that they are being investigated.
-The scan is a lot quicker, and it gives me enough results to understand the threat level.
-As I am not sure about what kind of technical infrastructure I am dealing with, I like to make sure I do not break something by accident. Having a reseller go berzerk on you is something you want to avoid for many good reasons.

By now, I have confirmation that either passing the security threat report to the reseller was enough.
Or I need to suspend the domain name?

I also might have evidence now that I am dealing with a criminal reseller.
Or criminals are abusing the services of our resellers. Either way, I need to act.
What action is required depends on many factors. In the past, we dealt with criminal resellers who registered a bunch of sleeper domain names.
Usually, it is best to take all those domain names offline before they become active. But again, there might be a situation where this is not the best course of action. For example, you do not want to alert the criminal just yet.
Or there is conflicting info that requires more investigation focus.

Versions of Spiderfoot.
There are several versions out there of Spiderfoot. My advice if you are going to use Spiderfoot go for the HX, aka cloud version. Visit the website here.

  • You have a centralized solution and reports for you and your team members in one place
  • Always the latest version
  • Instant access to new modules
  • No need to tinker around with Linux or Python

Overkill?
The above use of OSINT techniques and the use of Spiderfoot as part of a set procedure when dealing with domain names that are engaged in abuse might seem like overkill.
But too often, the reality is that we quickly detect patterns and can avoid future security threats and prevent fraud for our customers.
Usually, these fraudulent domain names are registered with stolen credit cards or stolen Paypal accounts.
As you can imagine, there is a monetary loss, not to mention there is paperwork involved.

No reports.
I want to highlight the fact that a lot of abuse goes unreported.
My first thought that the correct parties were contacted by skipping the registrar.
But often, I had to hear back that a hosting company wasn’t informed about the security threat.
Where the disconnect is located is unknown to me at this moment.
But perhaps the issue of the disconnect could be a discussion item for ICANN 66, as it appears there is a lot of low hanging fruit.

More Spiderfoot modules

For more information about Spiderfoot, check the website.
A word of advice for my registrar/registry colleagues.
While Spiderfoot automates a lot of tasks for you, it does not substitute experience.
Experience in cyber threat intelligence is required in your decision making. Again Why + How = Who.

.

Nic IT and consent for publishing data?

The Italian registry has made some changes to their production system and in my opinion, it is not an improvement.

Till today you could opt out for publishing data in the WHOIS for the following entities:

  • Natural persons Italian and EU based
  • Freelance workers/professionals (Italian based)
  • Italian Companies/one-man companies (Italian based)
  •  Public organizations (Italian based)
  •  Non-profit organizations(Italian based)
  •  Foreign companies/organizations matching 2-6 (EU based)
  •  Other subjects (Italian based)

Since today the opt-out is available for natural persons only.
All other entities must agree to the fact that its data will be published in the WHOIS. If the registrant is not a natural person and does not agree, the domain name will not be registered.

While legally speaking the above is correct as only natural persons are covered by the GDPR and legal entities are not.
However, a majority of the lawyers in the EU think there is an exception to the rule, as one-man-owned entities and freelancers are viewed as a natural person as it is not possible to separate personal and corporate data. But unless a DPA or a court confirms this exception, the situation is as it is.

Due to the above, we advise our resellers to inform their customers of the changes by the Italian Registry and warn of the consequences.

How the Registry handles personal data in the WHOIS can be read here.

Brexit & Domain Names, recipe for Chaos?

The short answer is no, depending on the scenario.

While there are many Brexit experts, their views and opinions are not helping when it comes to making business decisions. When it comes to predictions, it might be even better to check the British bookmakers and get a sense of the betting odds if there will be a Brexit or not.

 

However, we can make a few assumptions when it comes to domain names and the Brexit, let us assume the worst scenario; hard Brexit, as in no deal.

The issue
In case of a, no deal Brexit currently slated for March 30th would deem the UK as a third country from a GDPR legal perspective. And it will not come as a surprise for most that the GDPR has a whole set of rules when it comes to data export outside of the EEA, which you can read here.

Transition  Period
There is the option that the Commission will issue some kind of emergency legislation which allows for a smaller transition period as it will be only a few months. Which is not a lot but might mitigate some of the issues.

Solution
You usually have a set of options to transfer data outside of the EU.
Adequacy decisions, data subject consent, public interest, etc.
With domain names, the options become limited due to various reasons.
The most logical solution is the use of standard contract clauses, sometimes called model clauses.
Nominet and applicable gTLD registries would include these standard contract clauses in their contracts which you as a reseller a solid legal basis when it comes to domain name registrations and transferring data to the UK.

Affected TLDs due to the Brexit

.cymru Nominet
.wales Nominet
.blog Knock Knock WHOIS There LLC
.abogado MMX
.bayern Bayern Connect GMBH/MMX
.beer MMX
.boston Boston TLD Management LLC /MMX
.bradesco Banco Bradesco S.A./MMX
.budapest MMX
.casa MMX
.cooking MMX
.dds MMX
.fashion MMX
.fishing MMX
.fit MMX
.garden MMX
.gop Republican State Leadership Committee Inc./MMX
.horse MMX
.law MMX
.london Dot London Domains Ltd./MMX
.luxe MMX
.miami MMX
.rodeo MMX
.surf MMX
.vip MMX
.vodka MMX
.wedding MMX
.work MMX
.yoga MMX
.broadway Celebrate Broadway Inc.

And last but not least, .UK and .CO.UK.

In the above scenario where domain name resellers or registrars in the EU register domain names in the UK for their customers who are in scope of the GDPR (art 2&3), there seems to be plenty of time and not much to worry about.

The not so clear scenario
It becomes very complicated when you create scenarios with domain name resellers in the UK also dealing with customers from the EU, registering domain names in China or Russia or the USA using a domain name registrar located in Europe.
It goes beyond the scope of this article to flesh out every scenario to the core or the bone.

A pragmatic approach to deal with this scenario or other scenarios could be mapping each data flow and check what legal basis you have used pre-Brexit.

Did you use EU adequacy decisions as a legal basis, can you still use them?
Was the legal basis consent? Do you need to update such approval?
If Privacy Shield is the legal basis to transfer data to the USA what are the options?
Even with a transition period, there is much ground to be covered. If there will be no transition period options will be very limited.

The when Satan will ice skate to work scenario
If the ICANN EPDP workgroup who are currently struggling with the EU GDPR would recommend that thick whois registries are a thing from the past and no longer there is a need to send personal data to the registry, then there is of course in the case of gTLDs no issue at all, let alone you require a legal basis.
The EPDP team final report is slated for February 1. The ICANN board would have to accept such recommendations and undo a decision they made in 2012 when they decided all registries should operate a thick whois.
Given the divide within the EPDP team, I doubt we will see much solid recommendations, let alone a speedy process of implementation.

For more information and tools on data protection in combination with the Brexit please visit the ICO website.

Brexit, and the impact on .EU domain names, sound the alarm?

Update 04-01-2019

The British government issued further guidance regarding the Brexit and Eurid.

Click here to view the guidance and scenarios.

Update 05-11-2018

It seems very likely the two scenarios posted below are the most likely outcome as we quickly move towards the deadline of 29th of March 2019.

(1) If the UK exits the EU and becomes a temporary member of the European Economic Area (EEA) there will be no issue until the duration of such membership.

(2) If however, it turns out to be a “hard Brexit” or “no deal Brexit” than registrars are no longer in a position to service UK registrants for .EU domain names. Please read the below article if the situation is applicable to you as a reseller.

I do not think it is time to sound the alarm yet, but some caution and some thinking ahead of the Brexit might be advised when it comes to .EU domain names and Brittish registrants.

Who will be affected?

Organizations that are established in the United Kingdom but not in the EU and natural persons who reside in the United Kingdom.

Impact

The above-listed persons or organizations will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date. Accredited .eu Registrars will not be entitled to process any request for the registration of or for renewing registrations of .eu domain names by those undertakings, organizations, and persons.

Relevant dates

Measures are effective as from 1 January 2021 or, in case that there was no withdrawal agreement in force prior to 30 March 2019, as from 30 March 2019. Negotiations are ongoing with the United Kingdom and the EU to come up a withdrawal agreement.

What to do?

At the moment there is little information to go about. The latest status update can be located here, we urge our customers to check this website often for more information.

If the EC really wants to push through remains to be seen, given the current status between the UK and the EU it looks pretty grim. It is advisable to contact high profile customers (if you have them) who have a .EU domain name and match the criteria mentioned earlier on.

A possible solution for Brittish registrants is to update the domain names via their European (non-UK) address (if available). We highly advise against the use of proxy solutions as they are in violation of Eurid’s terms and conditions. One can expect that after the Brexit, Eurid might monitor affected domain names and enforce their terms and conditions.

Using incorrect registrant information is always ill-advised and a violation of Registrar and Registry terms and conditions.