Dave Piscitello wrote an interesting article on SPAMHAUS.org that took issue with the practice of bulk domain name registrations.
Piscitello describes the allure of bulk registration for cyber criminals. He talks about the weaponizing of domain names and how ICANN and the domain registrars have a part to play in slowing it down.
He also breaks down the economics for cyber criminals. From the article:
Cheap domain names, accessible in bulk, contribute to a criminal marketplace in which small investments can yield extraordinary returns. In the Interisle report, we consider the investment in a ransomware attack:
- Mailing lists can be purchased on the Dark Web, online or created using email harvesters, again available from programming repositories such as GitHub.
- 1000s of domain names can be acquired for pennies per domain from various registrars.
- Malware can be purchased through RaaS as cheaply as $39.00. Similar opportunities exist for acquiring a Phishing kit, or these can be downloaded for free from repositories such as GitHub.
- Online tutorials for novices are available from YouTube.
Assuming an extortion fee of U.S. $200-500, a ransomware attack can be profitable with fewer than a dozen victims. Multiple, successful ransomware campaigns yielding thousands of victims is within reach, making this criminal activity a possible $1M/year enterprise.
The article makes some hyperbolic analogies, putting the tracking of bulk domain registrations on par with the tracking of ammonium nitrate:
Other industries recognize and accept their obligation to protect the public from criminal misuse of potentially dangerous products through mandatory or recommended validation regimes. U.S. pharmacies, for example, require valid proof of identity from any party that attempts to purchase quantities of pseudoephedrine that exceed well-defined limits. Legitimate businesses comply with these and like-minded regulations in the interest of public safety.
The domain name industry could accept a similar obligation by verifying registrant payment methods as part of the validation process; for example, registrars could decline transactions in which the registrant contact data does not match the authorized credit card user. They could also prohibit anonymous or non-traceable payment methods.
You can read the full article here