Conventional email security tools are losing the battle against phishing. The cause? Instead of registering a handful of domains from which to run their phishing campaigns, many cybercriminals now buy them by the thousand. That makes it harder for traditional email protection tools to spot phishing emails among the 'noise'. Thanks to bulk domain registration services, malicious spammers can tip the balance in their favour through sheer volume.
Domain blocklists have traditionally been one of the most important assets in the fight against phishing and spam. If a domain is on a blocklist, there is a high probability that it has been used in a malicious campaign in the past, such as ransomware distribution or credential phishing. The exact process for blocklisting a domain is often opaque, but it is gradual: each domain carries a measurable reputation that changes over time.
Factors such as a domain's age, its association with particular IP addresses, and its known use in malicious emails all affect its standing. Blocklist operators research domains via reports of malicious campaigns and through honeypots that collect and analyse malicious emails. There are many such blocklists. Spamhaus runs the Domain Block List (DBL). Other organisations, including PhishTank, StopBadware, the Anti-Phishing Working Group (APWG) and SURBL, also list domains of ill repute.
So far, so good, but several developments have made it harder to build and use blocklists. One of these, bizarrely, was GDPR. It caused ICANN, the organisation that oversees domain registrars, to introduce a Temporary Specification ('temp spec') that redacted much of the data that would normally appear in a WHOIS response. Researchers needed that data to investigate the actors behind malicious domains. The temp spec has since expired, but its proposed replacement has left the “Whois system fractured and not fit for purpose”, according to Fabricio Vayra, an intellectual property lawyer at the Seattle law firm Perkins Coie. “The world now is nearly completely without a tool necessary to protect against online abuses and safeguard important rights,” he writes.
The growth of mass domain registration
Fast bulk registration is the other problem. Traditionally, you registered a domain through a web form, which meant you only registered a few at a time. Then registrars introduced bulk services: instead of filling in a web form, you upload a file listing the domain names you want, or use the registrar's name composition tool, which generates many variations on a name for you. Some registrars even let customers register domains in bulk automatically through an application programming interface (API).
There are legitimate use cases for bulk registration. A company worried about trademark infringement might register every conceivable variation on its name to stop phishers from targeting its customers. In many cases, though, criminals use these tools for their own purposes. A report on bulk domain registration abuse from the technology consultancy Interisle found a marked correlation between bulk-registered domains and malicious online campaigns. In some cases those domains do not appear on blocklists until months after registration, which suggests that some criminals stockpile domains for later use.
Bulk registration will only become more valuable to criminals as they continue to exploit new generic top-level domains (gTLDs). It was bad enough when the list of gTLDs was short, but ICANN's expansion of that namespace created new opportunities for malicious bulk registrants. Interisle's report found gTLDs such as .tokyo and .cloud to be heavily abused. The Spamhaus 'badness index' for .cloud domains was 26.4 per cent, nearly seven times the 3.9 per cent for .com, and .top domains had a badness index nearly nine times that of .com.
The cost of registering these domains is laughably low. The Interisle report found that gTLD registrations can cost less than $1, and in some cases promotional pricing brings the price down to a cent per domain.
Cheap domains lower the cost of entry into cybercrime. Spamhaus notes that ransomware-as-a-service (RaaS) kits often sell for as little as $39 online, phishing kits can be downloaded from GitHub, and you can teach yourself to run a malware campaign from your basement by watching YouTube. Interisle says that, as a consequence, a ransomware campaign can turn a profit from fewer than a dozen victims (and many campaigns successfully target far more than that).
Why mass domain registration works
Bulk domain registration is the perfect weapons system for cybercriminals: it lets them tread lightly and move quickly. Imagine registering a single domain and using it in a campaign that targets thousands of victims. Eventually someone will report the spam, or it will be caught in a honeypot. The more reports, the further the domain's reputation drops, until it is useless. A criminal with thousands of domains in their pocket can instead spread a single campaign across many domains, each targeting a small number of users, so that no one domain attracts enough reports to be listed. This approach, known as snowshoeing, keeps attackers under the radar.
Bulk registrants also have speed on their side. Because they have so many domains, they can treat them as disposable: use each one once and discard it before it ever appears on a blocklist. So cybercriminals love it when a registrar offers a first-year discount; they get a deal on a domain they were only ever going to use once anyway. Bulk registration also hands attackers the advantage of asymmetric warfare. An attacker needs only one email to succeed to gain a foothold in the defender's infrastructure, whereas the defender has to win every time. The more domains an attacker has, the more likely one of them is to get through and infect a target.
Changing the rules of engagement
ICANN and the bulk domain registrars need to get their act together, but doing so would hurt the domain industry's bottom line, so don't hold your breath. Even in the unlikely event that they act in the foreseeable future, the problem will live on at a smaller scale. So what tools are appropriate for tackling it? Legacy tools will only get worse at detecting malicious emails because they rely on a rigid set of rules, which limits what they can watch. They can only process so many data points about an email before the ruleset becomes too complex and unwieldy, which is why they fall back on blocklists.
However, checking IP addresses and domains against such lists is no longer enough when malicious domain volumes have grown exponentially and a relatively slow-moving security ecosystem still takes time to spot bad domains. Instead, companies such as Darktrace apply an AI-based model to detecting malicious email. It takes a broader, more holistic view of an organisation's entire email landscape: rather than looking only for emails that fit a known-bad pattern, and risking a false negative, it learns what is normal and then watches for deviations from it.
AI email security technology analyses hundreds more data points than legacy email scanners can process. These signals are often nuanced: the visual similarity between a sender's domain and domains the organisation knows, whether the recipient (or the business as a whole) has ever received email from that domain before, and whether the domain has previously appeared in the body text of any email.
These tools do not simply compare those hundreds of metrics against a list; in most cases no such list exists. Instead, a mixture of supervised and unsupervised machine learning techniques examines an organisation's entire email history and network events to establish a baseline of normal behaviour, both for the organisation as a whole and for individual recipients. Incoming emails are then scored by how far they deviate from that baseline.
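To make the baseline idea in the last two paragraphs concrete, and the snowshoe pattern described under 'Why mass domain registration works', here is an added Python example. It is not Darktrace's code or model: it learns 'normal' from a constructed mail history (which domains have ever mailed the organisation, which have mailed each recipient, which have appeared in links inside message bodies), scores new mail on sender novelty, visual similarity to known domains and never-seen link targets, and then looks across an inbound batch for the snowshoe shape, many never-seen domains delivering the same subject template to a handful of recipients each. The confusable table, the scoring weights, the thresholds and every address and domain are assumptions chosen for illustration; there is no machine learning here, only the baseline-and-deviation logic the text describes.

```python
"""Baseline scoring of inbound mail plus a campaign-level snowshoe check. Added
example, not Darktrace's code; all data, weights and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

@dataclass
class Mail:
    ts: int  # unix seconds
    sender: str
    recipient: str
    subject: str
    body: str

def registrable(host: str) -> str:
    """Last two labels, lower-cased (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_domain(mail: Mail) -> str:
    return registrable(mail.sender.rsplit("@", 1)[1])

def skeleton(domain: str) -> str:
    """Fold visually confusable sequences so that c0rp.example == corp.example."""
    s = domain.lower().replace("-", "")
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one typo away from a known domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class Baseline:
    def __init__(self, history):
        self.org_domains = set()              # domains that ever mailed anyone here
        self.rcpt_domains = defaultdict(set)  # domains that ever mailed this recipient
        self.body_domains = set()             # domains ever linked from a message body
        for m in history:
            d = sender_domain(m)
            self.org_domains.add(d)
            self.rcpt_domains[m.recipient].add(d)
            self.body_domains.update(registrable(h) for h in URL_HOST.findall(m.body))

    def score(self, mail: Mail):
        """Return (score, reasons); higher means further from the baseline."""
        d, findings = sender_domain(mail), []
        if d not in self.org_domains:
            findings.append((3, f"{d} has never mailed the organisation"))
        elif d not in self.rcpt_domains[mail.recipient]:
            findings.append((1, f"{mail.recipient} has never received mail from {d}"))
        for known in self.org_domains:
            if d != known and (skeleton(d) == skeleton(known) or edit_distance(d, known) <= 1):
                findings.append((4, f"{d} is a lookalike of known domain {known}"))
                break
        for u in {registrable(h) for h in URL_HOST.findall(mail.body)}:
            if u not in self.body_domains and u not in self.org_domains:
                findings.append((2, f"links to never-seen domain {u}"))
                break
        return sum(p for p, _ in findings), [why for _, why in findings]

def snowshoe_campaigns(inbound, baseline, window=3600, min_domains=5, max_rcpts=3):
    """Flag a subject template delivered within one window by many never-seen domains
    that each reach only a few recipients: no single domain is noisy, the campaign is."""
    by_subject = defaultdict(list)
    for m in inbound:
        key = re.sub(r"\s+", " ", re.sub(r"\d+", "#", m.subject.lower())).strip()
        by_subject[key].append(m)
    found = []
    for subj, mails in by_subject.items():
        rcpts = defaultdict(set)
        for m in mails:
            if sender_domain(m) not in baseline.org_domains:
                rcpts[sender_domain(m)].add(m.recipient)
        span = max(m.ts for m in mails) - min(m.ts for m in mails)
        if len(rcpts) >= min_domains and span <= window and all(len(r) <= max_rcpts for r in rcpts.values()):
            found.append((subj, sorted(rcpts)))
    return found

HISTORY = [  # constructed stand-in for the organisation's mail archive
    Mail(1000, "ops@corp.example", "alice@corp.example", "Standup", "notes: https://wiki.corp.example/today"),
    Mail(1010, "ar@partner.example", "alice@corp.example", "Invoice 1001", "https://portal.partner.example/inv/1001"),
]
BASE = Baseline(HISTORY)

INBOUND = [  # constructed: routine mail, first contact, lookalike, then a snowshoe batch
    Mail(2000, "ar@partner.example", "alice@corp.example", "Invoice 1003", "https://portal.partner.example/inv/1003"),
    Mail(2001, "ar@partner.example", "carol@corp.example", "Invoice 1004", "https://portal.partner.example/inv/1004"),
    Mail(2002, "it@c0rp.example", "alice@corp.example", "Password expiry", "reset: https://sso-c0rp.top/login"),
] + [
    Mail(2100 + i, f"billing@acme-pay-{i:02d}.top", f"user{i}{k}@corp.example",
         f"Invoice {48200 + i} overdue", f"pay now: https://acme-pay-{i:02d}.top/pay")
    for i in range(6) for k in range(2)
]
```

Calling BASE.score() on the first three inbound messages gives scores of 0 (known domain, known correspondent), 1 (known domain, first contact for carol) and 9 (never-seen domain that folds to corp.example and links to a never-seen host), while snowshoe_campaigns(INBOUND, BASE) flags the "invoice # overdue" template across six fresh .top domains that a per-domain reputation would never have listed. Two caveats a practitioner would want: a legitimate new supplier's first email also scores as novel, so a baseline detector needs a review path for first contacts rather than a hard block; and registrable() would need a public-suffix list in production, since it cuts co.uk-style names one label short.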
This AI-driven approach is our best shot at reversing the advantage, taking it away from the attacker and handing the defender the upper hand. The defender no longer has to match constantly evolving indicators of compromise against a constantly out-of-date list; the scanner simply looks for what is not normal. This creates security by default.
Sponsored by Darktrace