Co-authored by Carlos Alvarez, Director, Disruption Partnerships, ZeroFox, Inc. and David Hughes, Executive Director of the Coalition for Online Accountability.
The ICANN community has recently taken a commendable step forward in the fight against domain name system abuse by initiating the Policy Development Process for DNS Abuse Mitigation, specifically focusing on Associated Domain Checks. This policy initiative aims to address a critical issue where threat actors register large portfolios of malicious domains, enabling them to launch coordinated phishing and malware campaigns at scale. By requiring registrars to proactively investigate other domains linked to a customer account when one domain is found to be engaged in abuse, the policy seeks to disrupt these operations comprehensively. Currently, there is no contractual requirement for a registrar to investigate whether a malicious actor has other active domains being used for similar abuse, which limits mitigation efforts to a reactive, one-at-a-time approach. We strongly welcome this policy process as a step in the right direction for global internet governance. However, we must also stress that it is precisely that: one step among the many that have to be taken to secure the domain name system against highly adaptable cybercriminals.
As we evaluate the evolving threat landscape, it is crucial to address another rapidly growing abuse vector that allows malicious actors to hide in plain sight. As comprehensive research by Infoblox and SURBL clearly shows, the phenomenon of parked domains being weaponized for extremely short time periods must be immediately addressed by the ICANN community. Historically, defenders often associated parked domains with bland pages filled with basic search advertisements, leading many to conclude they were harmless. Today, the landscape has drastically changed, and these parked domains are frequently weaponized to deliver malware, scams, and deceptive content to unsuspecting users through complex traffic distribution systems. In large-scale experiments, researchers found that over 90 percent of the time, visitors to a parked domain would be directed to illegal content, scams, scareware, or malware, as the initial click was sold from the parking company to advertisers.
The core of the problem lies in the temporal nature of these attacks. Cybercriminals are increasingly leasing or utilizing these parked domains for very short, targeted bursts of malicious activity. A domain might be actively weaponized for just one hour, two hours, four hours, or perhaps a single week. This creates a severe operational difficulty for the cybersecurity community and those working to enforce takedowns. The clock has already started ticking by the time one of these weaponized domains is identified by security researchers and reported for a takedown.
Unfortunately, by the time the registrar receives, processes, and manually analyzes the abuse report, the short-term attack window has often already closed. When the registrar’s abuse team finally investigates the reported domain, they are frequently met with a benign-looking parked page instead of the reported malicious content. Sophisticated threat actors use conditional redirects and device fingerprinting to ensure that security scanners, automated bots, and investigators only see a harmless parking page, while actual residential users are funneled to malicious payloads. Threat actors also use dynamic DNS capabilities to rapidly rotate name servers and IP addresses, making these short-lived domains even harder to track.
Because the domain appears parked and harmless at the exact time of the registrar’s analysis, the registrar naturally does not take any enforcement action. The domain is left active and intact, ready to be weaponized again for another brief window of time by the malicious actor. In addition, the total number of these parking domains increases constantly across the internet ecosystem, overwhelming the investigative capacities of the cybersecurity community and rendering traditional review processes highly ineffective.
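The evasion described above (a reported domain that shows a harmless parking page to scanners and abuse analysts while redirecting ordinary visitors elsewhere, within a window that closes before the registrar looks) can be checked for from the defender's side. The following is an added example, not code from the article or its authors: it takes a set of fetch observations of one reported domain, pairs requests made with investigator-style client profiles against requests made with residential-style profiles, flags divergent destinations as cloaking evidence, and compares the observed active window against the time the abuse report was actually reviewed. The profile labels, the domain, the URLs and the timestamps are all constructed for the demonstration; nothing is fetched from the network.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Client profiles an investigator or automated scanner typically presents
# (assumed labels for this demonstration, not an industry taxonomy).
SCANNER_PROFILES = {"headless-chrome-datacenter", "curl-datacenter"}
# Profiles that look like an ordinary person on a home or mobile connection.
RESIDENTIAL_PROFILES = {"chrome-windows-residential", "chrome-android-mobile"}


@dataclass(frozen=True)
class Observation:
    """One fetch of the reported domain: who asked, when, and where the redirect chain ended."""
    profile: str
    seen_at: datetime
    final_url: str

    @property
    def final_host(self) -> str:
        return urlparse(self.final_url).hostname or ""


def cloaking_evidence(observations: List[Observation],
                      window: timedelta = timedelta(minutes=15)) -> List[Tuple[Observation, Observation]]:
    """Pair each residential observation with scanner observations made within
    `window` and keep the pairs whose final hosts differ. Such a pair means the
    domain answered differently depending on who appeared to be asking."""
    scanners = [o for o in observations if o.profile in SCANNER_PROFILES]
    pairs = []
    for r in observations:
        if r.profile not in RESIDENTIAL_PROFILES:
            continue
        for s in scanners:
            if abs(r.seen_at - s.seen_at) <= window and r.final_host != s.final_host:
                pairs.append((r, s))
    return pairs


def detect_cloaking(observations: List[Observation],
                    window: timedelta = timedelta(minutes=15)) -> Dict:
    """Summarise the evidence: is the domain cloaked, and where did each side land?"""
    pairs = cloaking_evidence(observations, window)
    return {
        "cloaked": bool(pairs),
        "divergent_pairs": len(pairs),
        "residential_destinations": sorted({r.final_host for r, _ in pairs}),
        "scanner_destinations": sorted({s.final_host for _, s in pairs}),
    }


def review_outcome(domain: str, observations: List[Observation],
                   reported_at: datetime, reviewed_at: datetime) -> Dict:
    """Compare the window in which residential visitors were sent off the domain
    against the moment the registrar's analyst actually looked at it."""
    malicious = sorted(o.seen_at for o in observations
                       if o.profile in RESIDENTIAL_PROFILES and o.final_host != domain)
    if not malicious:
        return {"active_window_seen": False}
    first, last = malicious[0], malicious[-1]
    return {
        "active_window_seen": True,
        "first_malicious": first,
        "last_malicious": last,
        "report_lag_hours": (reviewed_at - reported_at).total_seconds() / 3600,
        "reviewed_after_window": reviewed_at > last,
    }


# Constructed sample timeline for a hypothetical domain (not a real incident):
# residential clients are redirected to a scareware page for about 90 minutes,
# scanners always see the parking page, and the abuse team reviews hours later.
DOMAIN = "weekend-deals.example"
T0 = datetime(2024, 5, 4, 9, 0)
SAMPLE = [
    Observation("chrome-android-mobile", T0, "https://scareware.bad.example/alert"),
    Observation("headless-chrome-datacenter", T0 + timedelta(minutes=5), f"https://{DOMAIN}/"),
    Observation("chrome-windows-residential", T0 + timedelta(hours=1, minutes=30),
                "https://scareware.bad.example/alert"),
    Observation("curl-datacenter", T0 + timedelta(hours=1, minutes=31), f"https://{DOMAIN}/"),
    Observation("chrome-windows-residential", T0 + timedelta(hours=7), f"https://{DOMAIN}/"),
    Observation("headless-chrome-datacenter", T0 + timedelta(hours=7, minutes=5), f"https://{DOMAIN}/"),
]
REPORTED_AT = T0 + timedelta(minutes=10)
REVIEWED_AT = T0 + timedelta(hours=7, minutes=10)

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE))
    print(review_outcome(DOMAIN, SAMPLE, REPORTED_AT, REVIEWED_AT))
```

On the constructed timeline the two early residential fetches diverge from the scanner fetches made minutes later, so the domain is flagged as cloaked even though every scanner observation looks like a parking page, and the review seven hours after the report lands well after the last malicious sighting. Retaining the residential-profile observations alongside the abuse report is what lets an analyst act on the domain despite seeing only the benign page at review time.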
To combat this evasive tactic, the ICANN community should define, as a matter of strict policy, that the short-term lease of domain names must be banned entirely. We propose achieving this critical objective by adding a new provision under section 3.7.7 of the Registrar Accreditation Agreement. Section 3.7.7 currently dictates the required provisions that registrars must include in their agreements with their registrants. By amending this specific section, ICANN can make it mandatory for registrars to include a provision in their registration agreement that explicitly forbids registrants from leasing domain names for periods shorter than 30 days.
A 30-day minimum requirement strikes an ideal balance between robust cybersecurity and necessary commercial flexibility. While the community must stop the rapid abuse that occurs within windows of just a few hours, it is important to recognize that legitimate short-term domain leases are sometimes pursued by marketing agencies, event planners, or concert organizers, for example, for highly targeted promotional campaigns. A 30-day window accommodates these temporary ventures, ensuring that websites for a weekend festival, a brief pop-up event, or a focused product launch can operate without any administrative hindrance. At the same time, this timeframe forces threat actors into a significantly longer holding pattern, effectively destroying the economic viability of leasing parked domains to distribute malicious content for highly compressed periods.
Implementing this 30-day minimum lease period would effectively dismantle the financial and operational model of short-term weaponized domains. We must highlight that this proposed change would not negatively affect registrars’ business models or their revenue streams. The general public, legitimate businesses, and standard organizations would still be able to seamlessly purchase and register any domains they need.
We can find no real legitimate use case for the leasing of domain names for periods of just a few hours or even a few days. Legitimate websites, brand protection efforts, and corporate infrastructure all require domain stability that extends well beyond a few hours. By contrast, the only actors who truly benefit from hour-long domain leases are cybercriminals seeking to evade detection and exploit the inevitable delays in the standard abuse reporting process.
While the Associated Domain Checks policy will undoubtedly help uncover malicious portfolios, it must be paired with structural changes that prevent rapid-fire domain abuse from occurring in the first place. Adding a 30-day minimum lease requirement to the Registrar Accreditation Agreement is a necessary, proportionate, and effective next step. We urge the ICANN community, policymakers, and industry stakeholders to recognize the severity of short-term parked domain abuse and support this policy enhancement.
Can you identify just where you believe that domain registrants are agreeing to these leases?
Absolutely, there are ‘zero click’ parking systems which distribute traffic to a number of questionable destinations on a rotating basis, but these are not a consequence of “leases” of which the domain registrant would even be aware. In order to participate in these kinds of systems, the registrant merely sets their nameservers to NS.WEMONETIZEYOURDOMAIN.NET and whoever is running the monetization system sends the traffic to various shady destinations. But in decades of working with domain registrants seeking to monetize their domains, I have never heard of anyone offering sub-30 day “leases” or indeed “leases” of any kind.
And, absolutely, zero-click monetization has become more popular with the recent demise of Google’s parked domain keyword monetization program, which is why GoDaddy, for example, has moved to automated generation of AI slop pages.
So this is certainly interesting. Where is it that you believe domain registrants sign up for these sub-30-day “leases”?