This is an article that I originally posted on our RegistryOffice.blog site on April 1st.
We’ve added more suspected COVID-19 pandemic related domain scam report source feeds and
will shortly now include human verified blacklist feeds to production in our Abuse Monitor. This will help registry operators, registrars and hosters to save resources and effort managing the flood of COVID-19 domain abuse reports.
We will provide these feeds, as well as our existing reputation feeds, via Abuse Monitor at no charge or obligation for 60 days to any registry operator (gTLD or ccTLD), registrar or hosting providers that desire to access. Included in the service is our tool to manage identified domain abuse cases either through a web interface, or use our API. Contact us to get going.
We initially integrated a list provided by Malware Patrol and have since added CheckPhish.ai and a continuously updated blacklist provided by the COVID-19 Cyber Threat Coalition (@ThreatCoalition) that we have joined and endorsed. This is a remarkable global volunteer coalition of cybersecurity experts publishing data sets with indicators believed to be used by criminals trying to prey on individuals, organizations, businesses and governments using the COVID-19 pandemic.
The additional feeds, as well as our existing reputation feeds, will help users determine if the multiple feeds that we have curated are reporting suspected abuse for the same domain name. Below is an example screenshot where three different sources are reporting for the same domain name:
We are working hard on combining all available intelligence and endeavour to compare what is received against vetted whitelists in order to assist in reducing false positives. As development cycles can vary widely among registry operators, registrars and hosters, getting access to this tool now (and at no charge) can assist in mitigating this particular abuse threat and free up internal dev people for other priorities.
We are using the same abuse monitoring workflow logic that already applies to our tool for monitoring and managing domain abuse as defined by ICANN spec 11.3.b. Ultimately it is up to the registry operator or registrar to investigate each report of abuse and then manage each case according to their own policies and protocol, or they can be managed by RegistryOffice if using our managed services.
The ICANN Registry Agreement Spec 11.3B is related to DNS abuse. The COVID-19 feeds are more focused on content on a website.
Some of our COVID-19 feeds identify a domain name as suspicious based on keywords (“corona” “covid19” or other related keywords). This does not necessarily mean that the domain is being used for nefarious purposes. Some new registrations may be legitimate or point to parking pages. However, our testing has found that many are being used for malicious purposes such as leading to malware and phishing activity, which by our interpretation constitutes domain name abuse as defined by spec 11.3.b.
will shortly now include vetted COVID-19 feeds. A vetted feed is investigated by humans, hence should be more accurate and with lower false positives.
Compared with “legacy” Reputation Block Lists (Spamhaus, SURBL etc), we ask you to understand that the COVID-19 feeds are developed rapidly and in a more “ad-hoc” design. Our objective to add the COVID-19 feeds is to take part in the fight against false information, scams and phishing. We cannot let the pandemic be a playground for the bad guys.
We believe our subscribers will benefit from having this information and determine how best to act to protect their interests, and ultimately the public. We invite any registry operator (gTLD or ccTLD), registrar or hosting provider that has not yet subscribed to our domain Abuse Monitor to leverage our tools and the COVID-19 scam intelligence at no charge and no obligation for 60 days. Contact us to get going.
Updated 2 April 2020 by Pinky Brand
Posted 1 April 2020 by Pinky Brand