A growing problem
SIDN wants to make digital living easier and safer for everyone. Internet abuse is one of the biggest things that stands in our way. So we're committed to doing all we can to prevent it. And prevention is badly needed, because abuse is a growing problem, according to Lilian van Mierlo, our Registration & Service Manager. "There are some types of abuse that we used to get reports about maybe ten times a year, and now we're getting a thousand reports about. Or more! It's not just that there's more abuse going on. The abuse is also becoming more sophisticated. Most phishing sites used to stand out a mile, with clumsy layouts and machine-translated text. Whereas a lot of them nowadays are hard to tell apart from the real thing."
The role of Registration & Service
As the registry for .nl, we have unique insight into the zone. That enables us to play a key role in fighting abuse. However, we can't do that on our own. We have to work in partnership with others, including registrars, hosting service providers, consumer organisations, government agencies and bodies such as the Fraud Help Desk. And contact is often through R&S. So the department helps to make things happen, but that's not all. "We're involved in defining criteria and processes, and we're responsible for things such as functional management of the Abuse Information Exchange," Lilian explains. "Regular contact with clients also enables us to flag up new trends in abuse. If we start hearing about a particular scam more often, we can alert our colleagues at SIDN Labs, enabling them to refine their detection techniques and resources."
Fighting on three fronts
"In recent years, anti-abuse work has been taking up more and more of my department's time," Lilian continues. "It was easy to see that teaming up with others active in the field made sense. Collaboration is organised through Support4Abuse20 ("support for abuse to zero"). And it means we're able to fight abuse on three fronts. We tackle phishing and malware through abuse204.nl, we act to get fake webshops taken down, and we respond to botnets via the Abuse Information Exchange."
Abuse204.nl ("abuse to zero for .nl") is an initiative designed to clamp down on phishing and malware. At the heart of the system is a feed provided by Netcraft, an international company that tracks malware and phishing. Netcraft collates abuse reports and checks their validity. A monitoring system then automatically e-mails the abuse reporting address of any domain linked to phishing or malware. If the domain doesn't have a dedicated abuse reporting mailbox, all the contacts for the domain name are mailed. The aim being to get a message through the right person in the chain as soon as possible. R&S keeps watch over the system to see whether the automated e-mails trigger a response. In many cases, the registrar or hosting firm will intervene when they get an alert. If that doesn't happen, we ask the registrars whether we can help. Where necessary we'll follow that up with a reminder. Since we started abuse204.nl, we've managed to cut the average time-to-live of phishing and malware sites substantially."
Shutting down fake webshops
"Fake webshops have been around for years, but recently they've been getting more common. Even in the .nl domain, sadly. It's a simple scam: offer attractive goods for sale, but never send them to the buyers, or only send fakes. Interestingly, sham webshops often use domain names that don't match what they're supposedly selling. So you might get shoes being sold using an address that looks as if it belongs to a housing advice service. The logic seems to be that a domain name that's been in use before will feature higher in search results. The strategy is helped by the fact that other genuine sites often still have links to a previously used domain. And the more visitors the scammers can attract, the more they can earn. There isn't a lot that we can do about fake webshops. But that doesn't stop us doing what we can. We check the registration data of domain names used for suspect webshops, because it often turns out to be false. The registrant might be a non-existent person, for example. Or a real person who has nothing to do with the registration. Giving false information is against our terms and conditions, and that gives us leverage. We ask the registrant to provide valid details, and if they don't we cancel the registration. So the fake webshop can't make use of the name."
Abuse Information Exchange
The Abuse Information Exchange is a vehicle for fighting botnets. Botnets are networks of infected computers, which crooks use to launch DDoS attacks, commit identity fraud and send spam. Using the Exchange's platform, the AbuseHUB, ISPs and others share information about botnets so as to improve the response. "SIDN is both an information supplier and an information user," Lilian explains. "We're also involved in functional management of the AbuseHUB. That's quite a job actually, which often takes up a lot of our time."
When it comes to tackling abuse, it's vital to act quickly. The sooner countermeasures are taken, the fewer people will be scammed. "Keeping a sharp lookout enables us to intervene promptly. But, of course, we have to be very careful as well. In principle, website content isn't something we should be interfering with. So we need to be very sure of our ground before we act. Making a website unreachable by taking its domain name off the internet is always a last resort. First, we have to give the person who put up the content the chance to take it down. If they don't, we approach the website's administrator, then the hosting service provider, and so on. As the registry, we're the final link in the chain. Approaching everybody one by one can make the system slow, unfortunately. So we're looking at ways of making collaboration within the chain more rapid and efficient."
Lilian is quick to point out that .nl is one of the most secure internet domains in the world. "If we can keep it that way, all the effort's worthwhile. But we have to be realistic: it's impossible to eliminate abuse completely. Crooks are getting smarter all the time and we will always be one step behind. Cybercrime is even being marketed as a service these days. But none of that should deter us from doing all we can to make .nl less attractive to scammers."