We’ve seen alarmingly big increases in multiple abusive behaviors — like phishing, hacking and malware — that often leverage the domain name system (DNS) and privacy/proxy services. Cybercriminals capitalize on gaps in DNS security measures, and ICANN is holding the door open for them by failing to implement its privacy/proxy policy.
If you are ever targeted, you are not alone. Cyberattacks hit banks, airlines and many other businesses, as well as governments and consumers. Mitigating these attacks requires fast access to accurate domain name information, because every minute counts when fighting identity theft and other DNS abuse. This urgency is desperately lost on ICANN in the post-GDPR environment when it comes to policies, especially those related to privacy/proxy services. Although ICANN has had an approved policy for over three years that would standardize privacy/proxy services and make it easier to seek information regarding bad actors that misuse them, it refuses to implement that policy, in violation of its Bylaws.
Today, nearly 50 million registered domains (and growing) use privacy/proxy services. Providers of these services create obstacles to access domain name owner information, even when formally requested by parties with clear-cut examples of how the domain name is being used for abuse and malicious behavior. ICANN’s continued inaction is hurting mitigation efforts and making a bad situation worse. It is imperative that ICANN stop delaying and immediately implement the privacy/proxy policy.
1. Coalition of Bad Actors – Cobalt/MG4 Recent Skimming Attack
Since GDPR became effective in May of 2018, tools used by law enforcement and IP owners have been devastated. In particular, WHOIS (i.e., critical domain registrant) information is no longer readily available for cybersecurity and consumer protection, and registrars have made it almost impossible to obtain the information of customers of privacy and proxy services — with ICANN’s tacit agreement. As a result, it is easier for nefarious registrants to take advantage of privacy/proxy services to maintain enhanced anonymity. This has led to hackers becoming more audacious in their attacks, leaving cybersecurity investigators and consumer-protection efforts hamstrung. That is evident in the recent CSO Online report about two cybercrime groups — Magecart Group 4 (MG4) and Cobalt (aka Carbanak) — that orchestrated a Magecart-based web skimming attack that stole hundreds of millions from bank customers worldwide. The attackers employed a privacy service to hide the domain registrant information linked to the attacks, a maneuver that prevented investigators from piecing together the common elements among the domains used and quickly stopping the attack. It is ironic that the privacy shield that was supposed to protect the personal data of registrants is now being used as a shield for cybercriminals to perpetrate and intensify their attacks.
2. Victim of Attack Fined Under GDPR – A Double-Negative
Imagine being fined because someone else hacked your devices and, adding insult to injury, the very privacy law that was intended to protect individuals’ data was misapplied so as to prevent you from obtaining information on the group stealing that private information. Well, the EU recently levied a $230 million fine against British Airways for its systems being hacked in late 2018. Another Magecart criminal entity engaged in a deliberate cyberattack against British Airways by injecting malicious code on the BA website. Investigations by RiskIQ, a well-known cybersecurity firm, revealed that the hackers loaded the malicious code from the baggage claim information page on BA’s website and mobile app; once users hit the button to submit their payments, customers’ financial and sensitive information was extracted and sent to an imposter domain, baways.com (a clear truncation of “British Airways”). The attack lasted only 15 days, during which the sensitive information of 380,000-500,000 victims was stolen.
The domain name baways.com was registered with the Registrar, Namecheap, Inc., and was masked by Namecheap’s privacy/proxy service, WhoisGuard. Namecheap touts itself as going further than what the EU’s GDPR requires in terms of blocking access to domain holders’ information.
Is it a mere coincidence that bad actors take advantage of policies like this? Digging a bit deeper reveals how debilitating these requirements can be: this registrar will not disclose the identity of a customer who is protected by WhoisGuard unless specifically required by U.S. court order, subpoena or other regulation to which it is subject. This is an important red flag and contradicts the final report on privacy/proxy services accreditation which states that “[d]isclosure cannot be refused solely for lack of any of the following: (i) a court order; (ii) a subpoena; (iii) a pending civil action; or (iv) a UDRP or URS proceeding ….”
One can only speculate whether implementation of the accreditation program would have produced a different result in the British Airways matter, as it would require accurate and verified registrant information to be maintained by the privacy/proxy service and made available upon proper request. Instead, we are left to ponder how BA, as the victim of an attack, could be fined for not securing customer data when the misapplication of the GDPR has made both WHOIS data and privacy/proxy customer data inaccessible and, in turn, has tied the victim’s hands in attempting to find the bad actors responsible for this attack. Unfortunately, due to the misapplication of the GDPR, the very law that was intended to protect data privacy may have had the opposite effect.
3. The Path Forward
ICANN must move forward with implementation of the privacy/proxy accreditation program with great urgency to prevent the continued misuse of privacy/proxy services. There is a concrete and immediate need for uniform policies that allow appropriate access by law enforcement, cybersecurity investigators, IP owners and other consumer rights advocates, while still maintaining appropriate privacy and data protection rights for the legitimate, individual users of these services. Lamentably, the recent Final Report of the RDS-WHOIS2 Review, calling for the Board to monitor the implementation of the privacy/proxy policy, followed by a public letter from Cyrus Namazi, Senior VP of ICANN’s Global Domain Division, does not provide confidence that this will happen anytime soon. ICANN has apparently deemed this issue a low priority, and the RDS-WHOIS2 report merely affirms that the privacy/proxy accreditation implementation will be further delayed. This is unacceptable given the onslaught of cyberattacks we face.
By Russell Pangborn, Partner at Seed IP