
When Proxy Services Enable Abuse

This post was co-authored by Russell Pangborn and Syed Abedi of Seed IP Law Group

People are growing increasingly alarmed by recent examples of bad actors abusing proxy services offered by registrars. While proxy services are designed to protect the privacy of legitimate domain name users—they do the opposite when abused by cybercriminals. Responsible proxy providers play a key role in mitigating abuse. When they don’t act responsibly—it’s clear they contribute to the problem. In a twist of irony, ICANN, the custodian of the internet domain name system, recently learned that no one is immune from these cyberscammers when ICANN itself was spoofed in a phishing attack. With over 90 million domain names covered by these types of services, facilitating abuse can have far-reaching consequences, as Microsoft and Facebook have demonstrated in pursuit of Iranian hackers and DNS abusers. Unfortunately, they had to turn to litigation to address the attacks. This is why ICANN needs to reverse course and immediately resume implementation of the privacy/proxy accreditation policy, originally adopted over three years ago, to better regulate these services. Requiring the victims of DNS abuse to turn to litigation is not the answer ... and neither is non-action.

Phishing ICANN

Despite years of delay, no urgency is being exhibited by the ICANN staff or Board to implement the approved privacy/proxy accreditation policy. All implementation efforts remain on hold until ICANN’s expedited policy development process (acronym-ized as the “EPDP”) relating to publication of Whois records is completed, approved, and implemented. The real-world effect of this: ICANN—the custodian of the Internet’s domain name system—embarrassingly learned that fraudsters do not discriminate among rights holders, even ICANN. In January, a company registered the domain name icannservice.com with the registrar GoDaddy, and its identity was masked by GoDaddy’s privacy service, Domains by Proxy. A phishing attack followed. The deceptive domain was used in furtherance of a search engine submission scam: a spam email was sent from mail servers using the @icannservice.com email address, used the “ICANN Domain Service” branding in the body of the email, and included other misleading uses of well-known brands like GOOGLE, BING, YAHOO!, VERISIGN, and others.

The targeting of ICANN’s good name in a phishing attack should shine a bright light on the need for quick access to registrant data for legitimate purposes, including data hidden by privacy and proxy services for these acts. This is a problem faced by countless businesses, law enforcement officials, brand owners, and other users of the Internet.

Iranian Hackers Use Privacy Service

Given that phishing attacks generally last only a few hours, the harm can have far-reaching consequences when obstructive registrars refuse to disclose registrant data in the face of blatant abuse, and instead demand that rights holders obtain a court-ordered subpoena, expending significant resources to unmask cybercriminals hiding behind privacy/proxy services. Last year, Iranian hackers operating under the alias Phosphorous engaged in a highly sophisticated scheme to carry out phishing attacks on Microsoft users. The targeted Microsoft users included political dissidents, activist leaders, journalists, and employees from multiple government agencies, including individuals protesting oppressive regimes in the Middle East. The scheme involved, among other things, sending links to victims leading them to fake webmail login pages, which mimicked Microsoft Outlook login pages. The stolen credentials were used to hack into the victims’ computers. Unsurprisingly, the overwhelming majority of domains were masked by privacy/proxy services, including Domain ID Shield Service, Domain Protection Services, and Domains by Proxy (see complaint at Appendix A). As noted below, “Domain ID Shield” is the same privacy/proxy service that is the subject of the lawsuit filed by Facebook against OnlineNIC, and it was overwhelmingly used to hide the identity of the Iranian hackers.

Microsoft had to file a lawsuit in the U.S. District Court for Washington DC, seek emergency relief and send subpoenas to registrars and registries to unmask the hidden registrant information. Ultimately, Microsoft was able to take control of these domains after months of litigation. While some major corporations may have the sophistication and resources to pursue legal action to protect themselves from such egregious attacks, this should be a stark reminder that others lacking such financial resources and/or technical savvy may not be as fortunate.

Obstructive Registrars Facilitate Abuse

Recent lawsuits filed against obstructive registrars and their privacy/proxy service alter egos highlight how challenging it has become to protect consumers targeted by bad actors. In late 2019, Facebook sued OnlineNIC and its alter ego privacy/proxy service, ID Shield, in an attempt to stop them from registering domain names that were used to impersonate Facebook services and deceive people through phishing and other malicious activity. Multiple requests for registrant information of the perpetrators were unsuccessful, leaving suing OnlineNIC as the only meaningful alternative.

More recently, Facebook filed a lawsuit against another registrar, this time Namecheap and its own proxy service, Whoisguard, in order to protect its customers against ongoing scams and attacks. Yet again, multiple requests to unmask the identities of the perpetrators of cybercrimes using infringing domains for phishing and hacking scams were unsuccessful.

Namecheap responded that it will not unhide registrant information “without a court-ordered subpoena.” Of course, a court-ordered subpoena first requires filing a lawsuit in court, running legal costs in the thousands. In other words, Namecheap expects an average consumer or a small business whose rights are being violated to expend a significant amount of its limited resources to protect its rights. Namecheap claims that: “Namecheap takes every fraud and abuse allegation seriously, and diligently investigates each reported case of abuse. We actively remove any evidence-based abuse of our services on a daily basis.” This is hard to believe since as the complaint notes, in the case of every domain name at issue in the lawsuit a notice was given to Namecheap and ignored. Coupled with an “F” rating from the Better Business Bureau for failing to investigate 76 consumer complaints, including several related to fraud and abuse, these claims miss the mark entirely.

Perhaps this reaction isn’t surprising as Namecheap is no stranger to facilitating abuse. It has been on the losing side of numerous UDRP actions, including some of the most famous brands spanning the alphabet: ACCENTURE, BLOOMBERG, CALVIN KLEIN, DIRECTV, ELI LILLY, FACEBOOK, GAP, HUGO BOSS, KMART, LEGO, MASTERCARD, NIKE, RED BULL, SAMSUNG, TINDER, VOLKSWAGEN, WALMART, XEROX, YSL, and ZAPPOS.

Namecheap also tries to downplay its conduct by arguing that it is protecting personal private data. Namecheap again misses the point. Cybersquatters who register blatantly infringing and abusive domains such as “download-whatsapp.online,” “hackanyinstagram.com,” “facebooksupport.email,” and others are using its privacy/proxy service to dupe private individuals and businesses alike into divulging sensitive, private, and financial information. So the very claim of protecting the data privacy of its offending customer serves to prolong the theft of private information from the many customers and users being duped.
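The abusive names quoted above (and the icannservice.com name discussed earlier) share a recognisable shape: a well-known brand embedded in a registrable domain the brand does not own, often combined with a lure word such as “support”, “service”, “hack” or “download”, and a registrant hidden behind a privacy/proxy service. The following Python script is an added example, not code from the original post or from any registrar or rights holder; it triages such domains from a defender's side so that disclosure and takedown requests can be prioritised. The brand list, the allowlist of legitimately owned domains, the lure-word list, the last-two-labels rule for the registrable domain, and the WHOIS registrant strings are all constructed assumptions for illustration.

```python
"""Triage helper for brand-impersonating domain names (added example).

Scores a sender address or URL for brand tokens and lure words, determines
whether the registrable domain is one the brand actually owns, and records
whether the WHOIS registrant field points at a privacy/proxy service.
All lists below are constructed assumptions, not authoritative data.
"""
import re
from dataclasses import dataclass, field

# Brand tokens to look for inside a host name (assumed list)
BRANDS = {"icann", "facebook", "whatsapp", "instagram", "microsoft", "outlook", "google"}
# Words commonly paired with a brand in a lure domain (assumed list)
LURE_WORDS = {"support", "service", "login", "secure", "verify", "download", "hack", "help"}
# Registrable domains the brands legitimately use (assumed allowlist)
LEGITIMATE = {"icann.org", "facebook.com", "whatsapp.com", "instagram.com",
              "microsoft.com", "outlook.com", "google.com"}
# Privacy/proxy service names named in the post, matched case-insensitively
PROXY_MARKERS = ("domains by proxy", "whoisguard", "id shield", "domain protection services")


@dataclass
class Verdict:
    domain: str
    registrable: str
    brands: list
    lures: list
    proxy_masked: bool
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_domain(address_or_url: str) -> str:
    """Pull the host out of an e-mail address (after '@') or a URL."""
    m = re.search(r"@([\w.-]+)", address_or_url)
    if m:
        return m.group(1).lower()
    m = re.search(r"^(?:[a-z][a-z0-9+.-]*://)?([\w.-]+)", address_or_url, re.I)
    return m.group(1).lower() if m else address_or_url.lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host; a simplification that ignores public-suffix rules."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(address_or_url: str, whois_registrant: str = "") -> Verdict:
    """Return a Verdict describing why (if at all) the domain deserves attention."""
    host = extract_domain(address_or_url)
    reg = registrable_domain(host)
    flat = re.sub(r"[.-]", "", host)  # 'download-whatsapp.online' -> 'downloadwhatsapponline'
    brands = sorted(b for b in BRANDS if b in flat)
    lures = sorted(w for w in LURE_WORDS if w in flat)
    masked = any(marker in whois_registrant.lower() for marker in PROXY_MARKERS)
    verdict = Verdict(host, reg, brands, lures, masked)

    # A brand token inside a domain the brand does not own is the core signal;
    # lure words and a proxied registrant only add weight to that finding.
    if brands and reg not in LEGITIMATE:
        verdict.reasons.append(f"brand token(s) {brands} in unrelated domain {reg}")
        if lures:
            verdict.reasons.append(f"lure word(s) {lures} combined with brand")
        if masked:
            verdict.reasons.append("registrant hidden behind privacy/proxy service; disclosure request needed")
    return verdict


def flagged(samples) -> list:
    """Return the suspicious registrable domains from (address_or_url, whois) pairs."""
    return [v.registrable for v in (triage(a, w) for a, w in samples) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample input using names quoted in the post plus one legitimate sender
    SAMPLES = [
        ("noreply@icannservice.com", "Domains By Proxy, LLC"),
        ("https://hackanyinstagram.com/login", "WhoisGuard Protected"),
        ("facebooksupport.email", "ID Shield Service"),
        ("download-whatsapp.online", ""),
        ("security@facebook.com", "Facebook, Inc."),
    ]
    for addr, who in SAMPLES:
        v = triage(addr, who)
        print(f"{v.registrable:28} suspicious={v.suspicious} reasons={v.reasons}")
```

The last-two-labels rule is deliberately simple; a production version would consult the public suffix list so that names under multi-label suffixes (co.uk and the like) resolve to the right registrable domain, and would pull the registrant field from RDAP rather than a hand-typed string.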

Protecting such cybersquatters and phishers as Namecheap and OnlineNIC do ends up compromising the personal private data of thousands of people whose computers and phones get attacked by phishing and other online scams. One would think that, now that its own customers have been targeted by abuse, ICANN would exhibit a renewed impetus toward resolving privacy/proxy accreditation and legitimate access to underlying registrant data. Unfortunately, ICANN still awaits its “expedited” procedure, which is nearly two years in the making with no end in sight. Is waiting many more years to address the problem of legitimate access to masked registrant data of abusers really the right approach?

By Russell Pangborn, Partner at Seed IP
