Popular domain registrars put up few barriers for those seeking to acquire domains suggesting illegal activities, according to a report from consumer watchdog group Digital Citizens Alliance.
The report, released Tuesday, raises debate over the role of tech companies in overseeing the purchases of domains that could be used for crime.
Between February and May, researchers at the alliance (DCA) were able to purchase dozens of domains suggesting illegal behavior in the domain text itself. Examples included: “dangerousmalwareforsale.co” (Google), “malwareforsale.com” (NameCheap), “buyillegalassaultweapons.co” (Network Solutions) and “untraceablegunsforsale.com” (GoDaddy).
The examples are “symbolic” of how easily domains suggesting criminal activity can be obtained, DCA executive director Tom Galvin told CyberScoop. While a savvy hacker certainly wouldn’t be looking for malware at such an obvious location on the open internet, Galvin says his group is trying to make the point that if companies won’t stop such egregious examples, they are likely missing less obvious URLs being used by criminals.
NameCheap, GoDaddy, and Network Solutions did not return CyberScoop’s request for comment.
Google prohibits using domains for certain purposes, including phishing and malware, according to the company. It does not prohibit registering domains using such terms. Google Domains monitors domains for potentially abusive behavior and suspends or terminates websites found in violation of its terms of service, a spokesperson told CyberScoop.
Not all of the researchers’ examples were as far-fetched. For instance, researchers were able to buy “oxycodone-no-prescription.com” from GoDaddy. Groups like the National Association of Boards of Pharmacy have raised concerns about fake and illegal prescription drugs online and urged domain registrars to do more to verify domain buyers.
Digital Citizens Alliance receives funding from telecommunications, pharmaceutical and tech organizations, as well as some members of the Motion Picture Association of America.
In 2020, DCA researchers reported easily buying COVID-19-related domains during an uptick in online scams and malware attacks using the pandemic as a lure. In response, some domain registrars increased their resources for taking down fraudulent sites and tightening protocols required for buying domains mentioning COVID.
The report also raises concerns about domain brokers, a growing industry of secondary marketplaces that sell already-registered domains to buyers.
For instance, a Digital Citizens Alliance researcher posed as a buyer to acquire the domain “covidvaccinecardsforsale.net” from the domain broker website VPN.com.
VPN.com CEO Michael Gargiulo wrote in a statement to CyberScoop that the sales associate the researcher communicated with did not understand “the illegal intent as they are from a country with a different interpretation as you regarding Covid cards and Covid certificates.” Gargiulo called the report “defamatory” and accused Digital Citizens Alliance researchers of falsely representing their intent. VPN.com prohibits the use of its services for “any illegal purpose,” Gargiulo said.
From a security standpoint, correlating an illicit domain name with potentially malicious online behavior isn’t as straightforward. There, matches between elements such as IP addresses and registration emails and those of known malicious domains are a stronger indicator, according to Tim Helming, a security researcher at DomainTools, a firm that analyzes the risks of domains and other network components.
Based on both historical and more recent data, DomainTools did not see a higher-than-average level of risk of malicious online activity associated with domains using the terms “gun” and “sale” and “gun” and “show,” Helming told CyberScoop.
“The algorithms we have won’t necessarily detect if there’s a societal harm,” said Helming.
Tech companies skilled in content moderation, however, might have those tools. The question is whether they want to use them, a move that could potentially be perceived as infringing on free speech.
Galvin’s group is not advocating for blanket bans of terms. Instead, they’re hoping for increased human involvement to vet the buyers and their purposes for using them.
“There’s a hope among the platforms, and I’d say a growing expectation that when they see things that would be considered troublesome, illicit or illegal, there would be some vetting of it,” Galvin said. “I think we’re talking about the same type of thing on the domain side.”