The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, but the registrar also reserves the right to take back free domains at any time, and to divert traffic to other sites, including adult websites. And there are numerous reports from Freenom users who’ve seen free domains removed from their control and forwarded to other websites.
By the time Meta initially filed its lawsuit in December 2022, Freenom was the source of well more than half of all new phishing domains coming from country-code top-level domains. Meta initially asked a court to seal its case against Freenom, but that request was denied. Meta withdrew its December 2022 lawsuit and re-filed it in March 2023.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” Meta’s complaint charged. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta pointed to research from Interisle Consulting Group, which found in 2021 and again last year that the five ccTLDs operated by Freenom made up half of the Top Ten TLDs most abused by phishers.
Interisle partner Dave Piscitello said something remarkable has happened in the months since the Meta lawsuit.
“We’ve observed a significant decline in phishing domains reported in the Freenom commercialized ccTLDs in months surrounding the lawsuit,” Piscitello wrote on Mastodon. “Responsible for over 60% of phishing domains reported in November 2022, Freenom’s percentage has dropped to under 15%.”
Interisle collects data from 12 major blocklists for spam, malware, and phishing, and it receives phishing-specific data from Spamhaus, Phishtank, OpenPhish and the APWG Ecrime Exchange. The company publishes historical data sets quarterly, both on malware and phishing.
Piscitello said it’s too soon to tell the full impact of the Freenom lawsuit, noting that Interisle’s sources of spam and phishing data all have different policies about when domains are removed from their block lists.
“One of the things we don’t have visibility into is how each of the blocklists determine to remove a URL from their lists,” he said. “Some of them time out [listed domains] after 14 days, some do it after 30, and some keep them forever.”
Freenom didn’t respond to requests for comment.
This is the second time in as many years that a lawsuit by Meta against a domain registrar has disrupted the phishing industry. In March 2020, Meta sued domain registrar giant Namecheap, alleging cybersquatting and trademark infringement.
The two parties settled the matter in April 2022. While the terms of that settlement haven’t been disclosed, new phishing domains registered through Namecheap declined more than 50 percent the following quarter, Interisle found.
Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years. Piscitello said the phishers tend to gravitate toward registrars that offer the least resistance and lowest price per domain. And with new top-level domains constantly being introduced, there’s rarely a shortage of super low-priced domains.
“The abuse of a new top-level domain is largely the result of one registrar’s portfolio,” Piscitello told KrebsOnSecurity. “Alibaba or Namecheap or another registrar will run a promotion for a cheap domain, and then we’ll see flocking and migration of the phishers to that TLD. It’s like strip mining, where they’ll buy hundreds or thousands of domains, use those in a campaign, exhaust that TLD and then move on to another provider.”
Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many. After all, there are more than 2,000 accredited domain registrars, not to mention dozens of services that let anyone set up a website for free without even owning a domain.
“There is no evidence that the trend line is even going to level off,” he said. “I think what the Meta lawsuit tells us is that litigation is like giving someone a standing eight count. It temporarily disrupts a process. And in that sense, litigation appears to be working.”