Domain names that can be rapidly acquired, used in an attack, and abandoned before they can be traced are a critical resource for cybercriminals. Some attacks, including spam and ransomware campaigns and criminal infrastructure operation (e.g., “botnets”), benefit particularly from the ability to rapidly and cheaply acquire very large numbers of domain names—a tactic known as bulk registration. When cybercriminals can register hundreds or thousands of domain names in a matter of minutes, an attack can be widely distributed to make detection, blocking, and dismantling more difficult and prolonged.
Cybercrime investigation is always a race against the clock—the longer it takes to identify an attacker and block the attack, the more damage can be inflicted on more victims. Before the adoption by ICANN of a Temporary Specification (“Temp Spec”) for handling domain name registration data in compliance with the European General Data Protection Regulation (GDPR), investigators had ready access to the contact information provided by domain name registrants (“Whois data”). This information, even when incomplete or inaccurate, facilitated rapid attack response both directly (when it correctly identified the attacker) and indirectly (by enabling “connect the dots” methods such as search-and-pivot).
The immediate effect of the Temp Spec since the GDPR took full effect on 25 May 2018 has been to severely limit access to domain name registrant contact information, most of which is now redacted by registries and registrars when they respond to Whois data queries. Although cybercrime investigators with proper authorization can petition a registry or registrar for the redacted information, this takes place on a glacial time scale compared to the “every second counts” imperative to limit the loss or harm caused by an attack.
The use of bulk registration to distribute attacks across hundreds or thousands of domain names in a matter of minutes, coupled with the crippling of registration data access by the Temp Spec, presents cybercrime investigators with the dual impediments of harder-to-pursue criminal activity and harder-to-obtain information about the criminals.
Research conducted by Interisle Consulting Group confirms the hypothesis that cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domains for their attacks. The study identifies four specific registrars at which abusive registration activity appears to be concentrated. It also confirms that ICANN’s Temp Spec policy of redacting Whois point of contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation. Working without essential information, both real-time and historical, investigators cannot make the necessary correlations to quickly and thoroughly map a criminal domain infrastructure or to attribute criminal activity to a perpetrator in time to prevent substantial harm to the victims of an attack.
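The two problems described above, bulk registration bursts and the loss of "search-and-pivot" once registrant contacts are redacted, can be shown on a handful of registration records. The following is an added example written for this page, not code from Interisle Consulting Group or any registrar; the domains, registrars, contact addresses and timestamps are constructed, and the burst window and threshold are illustrative settings, not values from the study. It flags registrars where many domains were created within a short window (the bulk-registration signature) and then pivots from one flagged domain to its siblings via the registrant contact, which returns nothing once that field is redacted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration records (hypothetical domains, registrars
# and contacts); the fields mirror what a Whois/RDAP lookup used to return.
RAW_RECORDS = [
    # (domain, registrar, registrant_email, created_at in ISO 8601)
    ("inv-01.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:00:00"),
    ("inv-02.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:00:30"),
    ("inv-03.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:01:00"),
    ("inv-04.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:01:30"),
    ("inv-05.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:02:00"),
    ("inv-06.example", "Registrar-A", "ops@mailer.example", "2018-06-01T10:02:30"),
    ("shop-legit.example", "Registrar-A", "owner@shop.example", "2018-06-01T15:00:00"),
    ("blog-one.example", "Registrar-B", "alice@blog.example", "2018-06-01T09:00:00"),
    ("blog-two.example", "Registrar-B", "bob@blog.example", "2018-06-01T14:00:00"),
]

REDACTED = "REDACTED FOR PRIVACY"   # the placeholder many registrars return post-Temp Spec
BURST_WINDOW = timedelta(minutes=10)  # illustrative window, not a figure from the study
BURST_THRESHOLD = 5                   # illustrative count, not a figure from the study


def parse_records(raw):
    """Turn the constructed tuples into dicts with real datetime objects."""
    return [
        {"domain": d, "registrar": reg, "registrant_email": mail,
         "created_at": datetime.fromisoformat(ts)}
        for d, reg, mail, ts in raw
    ]


RECORDS = parse_records(RAW_RECORDS)


def find_bursts(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Per registrar, slide a time window over creation times and flag every
    domain that falls inside any window holding >= threshold registrations.
    Returns {registrar: sorted list of flagged domains}."""
    by_registrar = defaultdict(list)
    for rec in records:
        by_registrar[rec["registrar"]].append(rec)

    bursts = {}
    for registrar, recs in by_registrar.items():
        recs.sort(key=lambda r: r["created_at"])
        flagged = set()
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it spans at most `window`.
            while recs[end]["created_at"] - recs[start]["created_at"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(r["domain"] for r in recs[start:end + 1])
        if flagged:
            bursts[registrar] = sorted(flagged)
    return bursts


def pivot_on_contact(records, seed_domain):
    """Search-and-pivot: look up the seed domain's registrant contact and
    return every other domain registered with the same contact.
    A redacted contact cannot be pivoted on, so the result is empty."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    contact = seed["registrant_email"]
    if contact == REDACTED:
        return []
    return sorted(
        r["domain"] for r in records
        if r["registrant_email"] == contact and r["domain"] != seed_domain
    )


def redact(records):
    """Simulate Temp Spec handling: replace every registrant contact with the placeholder."""
    return [dict(r, registrant_email=REDACTED) for r in records]


if __name__ == "__main__":
    print("bulk-registration bursts:", find_bursts(RECORDS))
    print("pivot with full Whois:  ", pivot_on_contact(RECORDS, "inv-01.example"))
    print("pivot after redaction:  ", pivot_on_contact(redact(RECORDS), "inv-01.example"))
```

The burst detector is deliberately registrar-scoped, since the text's concern is abuse concentrated at particular registrars; the timing signature is still visible in redacted data, which is why it remains useful after the Temp Spec, whereas the contact pivot is exactly the correlation that redaction takes away.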