Study shows reactive takedowns have little impact on deterring phishing.
An ICANN-funded study has identified which registrar practices are most associated with phishing-related domain name abuse.
Unsurprisingly, registration cost is one of the top factors associated with maliciously registered domain names.
The research, known as INFERMAL (Inferential Analysis of Maliciously Registered Domains), was conducted by KOR Labs for ICANN’s Office of the Chief Technology Officer and analyzed 29,000 domains over a two-year period.
The study aimed to investigate why phishing domains are often registered at specific registrars and in particular top-level domains (TLDs).
Researchers compared 14,500 malicious domains to a similar number of non-malicious ones, evaluating 73 different registrar and registry features to uncover common patterns.
One of the clearest findings was that cost matters. Malicious domains were registered for an average of $4.71, compared to $8.62 for non-malicious domains.
Bulk discounts and promotional pricing were frequently exploited by bad actors, particularly when paired with automated registration through open APIs. Registrars that offered such APIs were linked to a 401% increase in abuse compared to those that did not, according to the model used in the study.
Even when discounts were designed for first-time customers, bad actors found ways to automate registrations to take advantage of the lower pricing.
Free DNS and bundled hosting services also correlated with higher abuse rates, although the study acknowledged that these features are commonly used by legitimate registrants as well.
Proactive measures at the time of registration proved to be the most effective deterrents. Registrars that implemented identity verification, Know Your Business Customer (KYBC) procedures, or delays in domain activation saw a 63% drop in abuse.
But registration restrictions alone are not enough. The study pointed to the .dk TLD as a success story, citing its mandatory KYBC requirement and corresponding low abuse levels. In contrast, .cn also requires identity checks but continues to experience high abuse.
Reactive actions, such as suspending domains quickly after they appear on blocklists, had only a marginal impact. Since phishing attacks often succeed within hours, deterrents must be in place before the domain is ever used.
I sometimes hear from registries that sell domains with low initial registration costs and say they counteract abuse with fast takedowns. But that doesn’t seem to be an effective way of deterring abuse.
The report emphasizes that no single factor causes abuse. Rather, it is the combination of low cost, automation, and lack of verification that draws in bad actors.
ICANN is seeking input on potential follow-up research, such as:
- Abuse patterns beyond phishing, such as malware and spam
- Comparative studies across country-code TLDs
- Longitudinal studies of domain lifecycle and abuse evolution
You can read more about the study here.