What you can do about malicious .nl domain names

A leading Dutch newspaper recently published an article about the use of domain names for websites selling fake tickets for the football World Cup. An investigation by IT security specialists Check Point found thousands of suspect domain names seemingly registered to cash in on the tournament’s popularity. Sadly, some of the domain names involved were .nls, such as wk2026tickets.nl and fifalive2026.nl. Obviously not welcome news. And it prompts the question: what can you do if you come across a site like that?

SIDN acts as gatekeeper

Ideally, of course, scam sites would never go live in the first place. In partnership with our registrars, we work hard to keep maliciously registered domain names out of the .nl zone. SIDN Labs has developed a sophisticated system that automatically checks new domain name registrations for tell-tale signs of abuse. Every domain name that the system flags up as a risk is carefully assessed. And, whenever we have misgivings, the registrant is asked to confirm their identity. If we don't get a satisfactory response inside 3 days, we disable the relevant domain name, in line with the General Terms and Conditions for .nl Registrants.

Notice-and-Take-Down Procedure

Usually, the quickest way to tackle a dodgy website is to follow the Notice-and-Take-Down Procedure. Anyone who encounters a .nl domain name with obviously unlawful content can use the procedure. It involves first asking the content provider to take the site down and, if that doesn’t work, escalating the case to the registrant and then the hosting service provider. Finally, if none of those take action, the matter can be referred to us at SIDN, and we’ll consider removing the domain name from the zone. Very few cases ever get that far, though, because most hosting service providers don’t want their networks being used for malicious activities and therefore intervene whenever they get a justified complaint. Nearly all of them have special channels for reporting suspected abuse. The biggest difficulty with the Notice-and-Take-Down Procedure is that intervention depends on a domain name being used for something obviously criminal. That often means obtaining extra evidence, such as evidence that FIFA has no ties with a site that claims to be a FIFA site.

Checking the registrant’s identity

Sometimes it’s hard to demonstrate that a domain name is being used for a clearly unlawful purpose and should therefore be taken down. In cases like that, one helpful way forward we often use is to ask the registrant to confirm their identity. We’re allowed to do that under the General Terms and Conditions for .nl Registrants. It’s a useful tactic because crooks and other malicious actors are generally reluctant to reveal their true identities. And, since October 2024, it’s been against the rules to register a name through a third party (a so-called privacy or proxy service provider). Every year, we cancel thousands of domain name registrations, because the registrants can’t or won’t confirm their identities.

Domain name monitoring

The final option for cracking down on malicious sites is for legitimate organisations to look out for people registering domain names that look very like their own. Where scam World Cup ticket sites are concerned, for example, FIFA could do that. Our data shows that proactive monitoring with a service such as SIDN BrandGuard is an effective way of nipping abuse in the bud. Cybercriminals soon realise that a monitored brand name is no easy target. What’s more, the monitoring provided is global, not just for .nl registrations.

What if you’ve already been scammed?

Once you’ve bought a fake ticket, getting the website taken down is, of course, closing the stable door after the horse has bolted. If you find yourself in that situation, we recommend visiting the Fraud Help Desk website. The site offers expert advice on what your options are.