In an encouraging sign that the research efforts of our cybercrime-fighting community are aligned, two major studies released last month, one co-sponsored by the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) and one sponsored by ICANN, draw similar conclusions regarding a disturbing trend in the domain registration habits of online abusers.
As mentioned last month in this blog, M3AAWG co-sponsored Cybercrime Supply Chain 2024, a study conducted by the Interisle Consulting Group that revealed alarming increases in year-over-year online abuse. One of the key findings of Interisle’s report was that attackers exploited low-cost and unrestricted registration processes, especially when bulk registration services were available. This finding was corroborated in the Inferential Analysis of Maliciously Registered Domains (INFERMAL) Project’s report released in November 2024.
This INFERMAL report, underwritten by the Internet Corporation for Assigned Names and Numbers (ICANN), aimed to uncover patterns in cybercriminal activity related to the criminal exploitation of low-cost domain registration, especially within phishing campaigns.
Some of the key findings in this INFERMAL/ICANN report include:
- Low prices or discounts raise the likelihood of domains being registered for malicious purposes. Each one-dollar reduction in registration fees corresponds to a 49% increase in malicious domains. Bulk registration services are also attractive to phishers.
- The availability of free services, such as web hosting, resulted in an 88% rise in phishing activities.
- Proactive restrictions, including strict registration policies and required email/phone validation, are correlated with a significant decline in malicious domain registrations.
The INFERMAL report and the Cybercrime Supply Chain study were conducted as independent investigations by different sponsoring communities, and their nearly simultaneous release was a coincidence. Both found evidence pointing to cybercriminals’ knack for exploiting cost-effective domain registration. Both studies also call for more verification and certification requirements to deter this criminal activity moving forward.
"I'm pleased that our research was cited multiple times in the INFERMAL study, and it is very encouraging to see how our findings from the Supply Chain Report align with the INFERMAL study regarding registration policies that attract criminals. This trend was noted in our phishing study from last July and was reiterated once again in the Supply Chain Report we released last month, which M3AAWG co-sponsored,” said Dave Piscitello, Partner at Interisle Consulting Group.
As stated in the Supply Chain Report, cybercriminals are drawn to cheap prices and easy registration. In addition, they tend to exploit new generic top-level domains (new gTLDs), which account for 37% of domains reported in cybercrime activities while representing only 11% of the total market.
“Both the Supply Chain Report and the INFERMAL study make it clear that environments where cybercriminals can cheaply access resources create conditions in which they can best wreak havoc,” Dave Piscitello said. “We need to refocus our sights on making these resources more difficult and costly for criminals to acquire as our path forward.”