In a recent advisory, the Kingston Police have raised a red flag about a cybersecurity problem that has been steadily on the rise: cybercriminals are increasingly using an unexpected avenue for their phishing attacks, with over 20,000 domains registered under the .us top-level domain (TLD) observed in such campaigns. This warning from law enforcement highlights the need for heightened awareness and caution online.
The Significance of .US Domains
.US is the country code top-level domain (ccTLD) for the United States, much like .MX for Mexico or .CA for Canada. One might expect such a domain to be relatively secure, given its association with a major nation and the fact that it is overseen by the U.S. government. However, recent research by The Interisle Consulting Group has unveiled some alarming findings.
The Interisle Consulting Group conducted a study that examined six million phishing reports between May 1, 2022, and April 30, 2023. The study identified a staggering 30,000 .US domains used in phishing attacks during this period. This revelation raises concerns about the efficacy of the oversight and management of .US domains.
The Role of Oversight and Management
The .US domain is managed by the National Telecommunications and Information Administration (NTIA), an agency within the U.S. Department of Commerce. However, the management of .US domains is currently contracted out to GoDaddy, one of the world’s largest domain registrars.
Under NTIA regulations, domain administrators must verify that their customers have a legitimate connection to the United States. This requirement is intended to limit domain registrations to U.S. citizens or entities with a physical presence in the country. However, Interisle’s research suggests that this vetting process may not be as effective as intended.
Comparison with Other ccTLDs
The significant difference in abuse rates between .US domains and other country code top-level domains (ccTLDs) worldwide has raised concerns and prompted calls for more robust management of .US domains.
Comparatively, .US domains exhibit a disproportionately high prevalence of abuse, including phishing and malware, in contrast to other ccTLDs. Notably, even large ccTLDs like .de (Germany), which have a significantly larger share of domain name registrations than .US, maintain impressively low levels of abuse.
Furthermore, several ccTLDs, such as .HU (Hungary), .NZ (New Zealand), .FI (Finland), and .LK (Sri Lanka), that also restrict registrations to their citizens or require a substantial connection to the country, have achieved notable success in mitigating abuse. These registries implement stringent validation processes, requiring registrants to prove a genuine connection to the country, present proof of identity, or provide evidence of incorporation. Additionally, some ccTLDs, like .LK, have implemented policies such as ‘lock and suspend’ in response to suspicious domain activity. These success stories highlight the importance of stringent registrant validation in ensuring public safety and maintaining the integrity of the domain space.
Unfortunately, .US domains have struggled with a persistent history of phishing activity, as indicated by Interisle’s findings dating back to 2018. During that period, .US was under different management. Despite the existence of nexus requirements, the domain continues to grapple with issues such as spam, botnets (infrastructure for Distributed Denial of Service attacks), and illicit or harmful content.
The impact of this trend is not limited to the United States. Phishing campaigns using .US domains have targeted organizations and entities worldwide, including prominent U.S. companies like Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Additionally, the U.S. government and foreign government operations have fallen victim to these attacks.
Current Response and Future Implications
GoDaddy, the administrator of .US domains, has responded to these findings by emphasizing that all .US registrants must certify their compliance with NTIA’s nexus requirements. However, it appears that this certification may amount to little more than an affirmative response that is pre-selected for every new registrant, rather than any independent verification.
The NTIA has proposed redacting registrant data from WHOIS registration records for .US domains. This proposal, if implemented, could make it even more challenging to identify phishers and verify registrants’ identities and qualifications.
The rise in phishing attacks using .US domain names is a significant concern in the cybersecurity landscape. It underscores the importance of robust oversight and verification processes for domain registrations, especially in ccTLDs associated with major countries. As cybersecurity threats continue to evolve, addressing these vulnerabilities is crucial to maintaining a secure online environment. The NTIA and domain registrars must work together to strengthen the security of .US domains and protect individuals and organizations from phishing attacks.