The Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG) identified five broad categories of harmful activities Domain Name Registrars (RRs) and Registries (RYs) should act against in commentary provided to the government of the United Kingdom in support of their efforts to mitigate Domain Name System (DNS) abuse. The comments, published in August 2023, also included further guidance on best practices to fight DNS abuse. 

Under the UK’s Digital Economy Act 2010, the government can invoke powers of intervention when RRs fail to address serious abuses of their domain names. The proposed regulations would establish a list of abuses RRs and RYs should act against to preclude the government from exercising those powers.

DNS Abuse Categories

M³AAWG acknowledged five broad categories of abuse identified by the Internet Corporation for Assigned Names and Numbers Amendment 3 (ICANN.3):

• Malware: installing malicious software on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.
• Botnets: collections of internet-connected computers that are infected with malware and commanded to perform activities under the control of a remote administrator.
• Pharming: redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking occurs when attackers use malware to redirect victims to the attacker’s site instead of the one initially requested. DNS poisoning causes a DNS server, or resolver, to respond with a false Internet Protocol (IP) address bearing malicious code.
• Phishing: when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g., account numbers, login IDs, passwords), whether through sending fraudulent or ‘look-alike’ emails or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install software, which is in fact malware. Phishing differs from pharming in that the latter involves modifying DNS entries, while the former tricks users into entering personal information.
• Spam emails: when used as a vehicle for at least one of the preceding misuses.

M³AAWG identified additional types of abuse, such as Child Sexual Abuse Material (CSAM), as a specific category RRs and RYs should also act against when domain names are misused to promote or display CSAM.

Fighting the Disturbing Upward Trend in DNS Abuse

Recent studies on DNS abuse show a disturbing upward trend. Interisle Consulting Group reported a 121% increase in the abuse of domain names in the fourth quarter of 2022. Interisle’s observations also revealed that phishers often launch their attacks through malicious domain names. The 2022 EU DNS Abuse Study acknowledged similar trends, and the initiatives undertaken in response, “…have not yet resulted in a significant reduction of DNS abuse.” 

M³AAWG offered additional guidance to fight the upward trend in DNS abuse:

• Broadly define DNS abuse. The DNS abuse categories mentioned above are a starting point for RRs and RYs to act upon. M³AAWG suggests a broader definition of DNS abuse that can adapt to the constantly changing nature of cybercrime. To protect against new threats, DNS definitions should focus on risks, threats, and harms rather than categories. The UK should also look to the Budapest Convention to ensure that they include the cybercrimes it enumerates in the definition of DNS abuse.
• Address the lack of availability of WHOIS data. The findings of the M³AAWG study ICANN, GDPR, and the WHOIS: A Users Survey–Three Years Later found the lack of WHOIS data makes it harder to investigate, mitigate, and prevent cybercrime. The revised EU Directive on Security of Network and Information Systems (referred to as NIS2) is a good start but may not cover the topic of WHOIS access and availability outside of the EU. As a result, a UK-specific solution is needed.
• Include DNS misuse mitigation requirements in contracts. At a minimum, the UK should adopt best practices regarding DNS abuse to be included in the contracts with RRs and RYs to ensure swift mitigation of DNS abuse.
• Transparency increases confidence in DNS abuse mitigation measures. It is important for UK authorities to ensure transparency and update their DNS abuse mitigation measures as techniques and deployments change. Good actors will maintain confidence in a transparent system that details mitigation techniques. Those details may also help avoid perceptions of bias by law enforcement, regulators, RYs, and RRs.

Additional recommendations can be found in the full report, Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) on Powers in Relation to UK-Related Domain Name Registries available on the website.

M³AAWG has commented on various public policy initiatives. Visit the Public Policy section on the M³AAWG website for more.

M³AAWG is a technology-neutral global industry association. Our approach to internet abuse focuses on operational issues where we can collaborate with industry, leverage technology, and shape public policy. With over 200 institutional members worldwide, we bring together stakeholders in the online community in a confidential yet open forum, developing best practices and cooperative approaches in the fight against online abuse.