
Govt: Fake Web Site Registrations Churn Online Fraud

The U.S. Government Accountability Office released a report Wednesday that points to a serious problem that is contributing to the proliferation of fraudulent phishing and scam Web sites -- the relative lack of any real policing by the domain-name registrars of the data people must submit to register a new Web site.

GAO estimated that 2.31 million domain names (or slightly more than 5 percent of all currently registered Web site names in the .com, .net, and .org top level domains) have been registered with false data. The agency found another 1.64 million domains that were registered with incomplete data.

GAO said it selected a random sample of 300 domain names from each of the three top level domains and performed record look-ups to obtain contact information for each domain name. Of the 45 error reports the agency submitted to ICANN (the group charged with overseeing the domain name space) for further investigation, only about one-quarter were updated with accurate information. Nearly half of those domains were associated with Web search portals and adult content, among other categories, GAO said.

The GAO report concluded that while several tools are available to ICANN and the domain name registries and registrars to better police this space, none are widely implemented.

My gut says GAO's estimates probably low-ball the true number of domains registered with false information. I say this because I've investigated dozens of phishing sites, only to find that they were registered to real people whose information and credit card data had been stolen. My guess is that the study had no way of determining these types of registrations, so it did not include them. I wrote about just such an experience before in a previous post on a phishing scam targeting MasterCard users.

This is most certainly a difficult problem to fix, but ICANN and the many companies that help people register domain names could do everyone a great service if they got better at demanding accurate registration information. Yes, there are privacy and security issues involved in some cases, but most registrars offer some type of service that allows people to keep their contact information hidden from most queries, albeit usually for a fee.

By Brian Krebs |  December 8, 2005; 11:55 AM ET From the Bunker

Comments




"GAO estimated that 2.31 million domain names (or slightly more than 5 percent of all currently registered Web site names in the .com, .net, and .org top level domains) have been registered with false data."

For prosecution, this statistic is meaningless bits of crimes which cannot be (un)committed.

For security, on the other hand, it shows the futility of social engineering.

Why not fight techno-crime by making the act of having a web address harmless with safe clients (browsers)?

Posted by: GTexas | December 8, 2005 3:23 PM

It's really very simple. Just stop the registrars from charging (often more than the price of registering the domain itself!) for making the information private. That removes the incentive for honest folks to give false information. Then aggressively go after the folks who give false information.

Posted by: just this guy | December 8, 2005 4:26 PM

Here's the email I got from Network Solutions, so they make some effort. But neither ICANN nor the registrars have any financial incentive to enforce the existing policy.

What were the "several tools" you reference identified by the GAO that could address this issue?


Dear Network Solutions Customer:


To comply with the ICANN (Internet Corporation for Assigned Names and Numbers) WHOIS policy, we request each year that you confirm the accuracy of your WHOIS contact information. WHOIS is a publicly accessed database containing contact information associated with every domain name registration.

When you registered your domain name, you agreed to keep your contact information in Account Manager current. Please remember that providing inaccurate or dated contact information may be grounds for domain name cancellation. If your WHOIS information has changed or is inaccurate, please update it through your Network Solutions Account.

You may review the ICANN policy here.

Thank you for your attention to this important ICANN required message. We look forward to helping you grow your business on the Web.

Sincerely,

Network Solutions Customer Support

Posted by: Chris Parente | December 8, 2005 5:49 PM

Brian, you said "My gut says GAO's estimates probably low-ball the true number of domains registered with false information" and I think you're absolutely right. I investigate sites hosting malware and spyware, blog comment spamvertized sites and rogue anti-spyware sites and a huge percentage of them have false information. Some are so obviously fake, it's pathetic, like a phone number of 123-456-7890. Anyone can submit a complaint about false registration info here:

http://wdprs.internic.net/

I've reported a lot of domains and sometimes the information gets changed and sometimes not. Some of the registrars just don't do anything. Then there are some registrars that are in business with the spyware pushers. Esthost seems to be closely tied with the CoolWebSearch gang and hosts a LOT of CWS sites. They appear to have their own registrar - Estdomains. So good luck on getting anything done about those domains.

Posted by: suzi | December 8, 2005 6:10 PM

This is a "Well Duh..." type of article. It is common knowledge that Domain Name Registration is and has been a mess for some time. When cybersquatters and other low-lives are allowed to get domain names that they should never really have, then the whole system will quickly break down as we have seen. There should be only one (or perhaps a couple) authorities that issue domain names, and all domain names issued should go through a review process before being issued, to ensure the person being issued the domain has rights to that domain. It was this way "in the beginning", but then someone decided that they could "make a buck" off something that should have been closely monitored (or even regulated), and we ended up with the domain name registration mess we have today. Sigh.

Posted by: WhatAMess | December 9, 2005 12:04 AM

We need a copy of GAO's list and it would be a great service to make publicly available lists of websites with bogus data -- so that they can be filtered out when browsing.

Even better would be for search engines to provide a filter option for bogus websites.

Posted by: Stephen T. | December 10, 2005 8:17 AM

Registrars should be required to keep whois information private but freely available to law enforcement. If it wasn't freely available to law enforcement, there would be no law made to require that it be hidden from the public because that would hurt law enforcement.

This issue was debated by lawmakers a couple of years ago. Why didn't they fix it?

I reported a bogus administrative contact address for chase.com to http://wdprs.internic.net/ three weeks ago and nothing happened. Yesterday I followed up like internic says to do. No response yet. I complained because Chase provides no way to submit spoof reports and all of their online forms require personal information.

Posted by: Barry | December 10, 2005 11:38 AM

It's no surprise that domain registrants put false data into their whois record. When I was young and foolish I entered the correct data for my domain and I'm sure that 95% of my spam comes from people who farmed my email address out of the whois database.

Posted by: jimand | December 12, 2005 1:31 PM

Hi Brian - Nice article. For another view on this, see my post at http://www.namesatwork.com/blog/2005/12/07/she-gave-me-a-fake-phone-number/, which was picked up by Circle ID at http://www.circleid.com/posts/she_gave_me_a_fake_phone_number/.

By the way, that fee to keep your information secret is not cheap, often (as at GoDaddy, for instance), more expensive than the registration itself.

Posted by: Antony Van Couvering | December 14, 2005 1:52 PM

I'd agree that the figures they've produced are much lower than reality. I posted about this at:
http://www.mneylon.com/blog/archives/2005/12/09/incorrect-whois-data-gao-reports-to-us-congress/

Barry - quite a few ccTLDs keep registrant information private by default and would reveal it to law enforcement if the request came via the correct channels.

Posted by: Michele | December 15, 2005 4:30 PM



©  The Washington Post Company