INFERMAL Project: Analyzing Features of Malicious Domain Registrations

The Inferential Analysis of Maliciously Registered Domains (INFERMAL) Project, funded by ICANN and conducted by KOR Labs, is dedicated to understanding the selection patterns behind cybercriminals' preferences for specific domain name registrars and top-level domains (TLDs) in their phishing operations. Our goal is to dissect the factors that make certain registrars and TLDs particularly attractive to attackers, focusing on pre-selected features grouped into three categories: registration attributes, proactive verification, and reactive security practices.

Registration Attributes

These attributes include the services and policies offered by registrars that can be exploited by malicious actors:

1. Domain Registration Price: Previous work (the Statistical Analysis of DNS Abuse in gTLDs), suggested that pricing strategies may influence the behavior of cybercriminals, particularly those operating on a tight budget. The INFERMAL project explores how different pricing structures affect the potential for malicious registrations.
2. Discounts: Bulk registration discounts are enticing for attackers looking to scale their operations. Our analysis investigates the correlation between these discounts and rates of domain abuse.
3. Available Payment Methods: Cybercriminals often prefer payment options that afford anonymity, such as cryptocurrencies. This work examines 13 payment methods to assess their impact on malicious registrations.
4. API Access: Unrestricted API access allows for the rapid setup of malicious infrastructures. This work analyzes how easy access to automated registration contributes to domain abuse, including the prevalence of bulk registration options.
5. Free Services: Registrars offering complimentary services - like hosting or TLS certificates - can significantly reduce operational costs for attackers. By capitalizing on these free offerings, cybercriminals can create phishing sites with minimal investment.

Proactive Verification

This category encompasses the measures registrars employ to validate registrant information during the registration process:

1. Operational Validation of Registrant Information: Variability in the validation of contact details, such as email addresses and phone numbers, can create loopholes for attackers. INFERMAL aims to explore how these differences affect the ease of malicious registrations.
2. Registration Restrictions: Local presence requirements and identification mandates can deter cybercriminals. This work assesses how stringent restrictions influence attackers' choices of registrars.
3. Domain Registration Warnings and Prevention: Registrars that issue warnings or block suspicious registrations may discourage attackers. Our research examines the effectiveness of these preventive measures.

Reactive Security Practices

Reactive practices focus on how registrars respond to detected abuse:

1. Malicious Domain Name Uptimes: Understanding how long malicious domains remain active before being mitigated is crucial. The INFERMAL project analyzes both the uptime of these domains and the speed of mitigation after being blocklisted.

Feature Engineering

To enhance our analysis, INFERMAL consolidates related features. For instance, multiple payment methods are categorized into broader groups (e.g., "payment crypto," "payment digital wallet"), and various security restrictions are aggregated into a composite indicator. This approach enhances the model's interpretability and reliability.

Conclusion

By examining registration attributes, proactive verification, and reactive security practices, our research aims to illuminate the factors contributing to malicious domain registrations. This analysis not only reveals the mechanisms of domain abuse but also highlights the complexities of malicious activities within the registration landscape.

What is Next?

Feature selection was the step behind the final analysis of the INFERMAL project. After the features are selected and collected, the project leads are going to build statistical models to see if they can explain why and to what extent certain features play a role in DNS abuse. This is the last deliverable of the project: INFERMAL's final report.

Upon our agreements, the final report will be submitted to the Office of the CTO's Security, Stability, and Resiliency team by late October. After that, it will undergo internal reviews. We hope to publish the INFERMAL report to our community in early November 2024, just before the ICANN81 meeting.