About Me

Francois Paget

Francois Paget
Senior Threat Researcher

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Is it Domain Tasting or Domain Misusing?

Thursday, January 24, 2008 at 11:01am by Francois Paget
Francois Paget

When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) where he may cancel his request and receive a full credit for the registration fee from the registry. This trend has been gaining popularity since mid 2005, and although it was originally set up for avoiding mistakes, the practice now is frequently abused.

Beside the fact that some domainers use it to track names with a high potential to generate traffic and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add-grace period.

A quick analysis of the activity of registrars that are accredited by the ICANN (Internet Corporation for Assigned Names and Numbers) helps to measure the phenomenon. Already in 2006, during an organizational meeting, a workshop called domain name marketplace looked at figures from Verisign, the register for .COM and the one for .NET. Between May 1 and 31, 2006, they listed 616 registrars that had registered at least one name. Only 18 of them were responsible for 98.1% of this type of activity.

The following graph from Nick Ashton-Hart (Director for At-Large at ICANN) makes this clear:

It shows that the phenomenon is continuing to grow and that it involves more than just a few companies speculating on highly attractive domain names.

Undoubtedly hiding behind this multitude of names, there are blatantly criminal people that create and use random names, registered using more or less automated methods, to then be used a few days, or even a few hours, as temporary sites for selling products offered through spam campaigns or as mirror sites tied to phishing campaigns.

Below is a very brief excerpt from a list spanning several hundred pages that shows a series of domain names that were removed on December 11, 2007. It is clear that these names are not only viewed or used as high potential domain names:

For people interested in the domain tasting issue, I recommend a read of the GNSO Issues Report on Domain Tasting. GNSO (Generic Names Supporting Organisation) is the specific part of ICANN responsible for developing and recommending to the ICANN Board policies relating to generic Top Level Domains (gTLD).

Thanks to Franck Veysset (from France Telecom R&D) who gave me some details on this phenomenon during the last CLUSIF Cybercrime Conference in Paris.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (4)

  • dripable.com November 1, 2011 3:27PM

    Thankfully some bloggers can still write. Thank you for this piece of writing.

    Reply
  • Vincent May 26, 2008 4:25AM

    Hi Frank,
    Actually, the vote didn’t exactly revoque the AGP. Here are the propositions:
    (1) ICANN could revise its registrar-level transaction fee (the current rate is US$0.20, which is subject to raise as the contracted rate is US$0.25) to cover all new registrations and discontinue the exemption for “tasted” domains,
    (2) registries could impose a “restocking” fee for disproportionate domain deletions,
    (3) ICANN could establish a new “policy” effectively deleting the add grace period policy in the registry agreements.

    This feature will still exist, but the registries will (be able to) collect a fee, as aconsensus on proposition n°2 has been reached.
    It is believed that this fee will discourage domain tasting. The problem is that it hasn’t been put in practice yet… Maybe at the coming ICANN meeting in paris in June?

    Reply
  • sai February 26, 2008 2:58AM

    where can get all the details of the domian which has been used for domain tasting and did not continue the same

    Reply
  • Franck Veysset January 30, 2008 6:24AM

    Some updates on Domain Tasting: Icann took some actions against it during a meeting hold last week
    http://www.icann.org/minutes/prelim-report-23jan08.htm

    See chapter 5, “Proposals to Address Domain Tasting”…
    Basically, they voted to eliminate this 5 days AGP
    -Franck

    Reply