The report looks pretty accurate to me.

I can't entirely agree with the researchers regarding the WHOIS statements.

From my extensive research in BEC and Bank Phishing, an obvious pattern has emerged in the last few years.
Of course, I have access to the registrant data of the ICANN and ccTLD registrars on our platform (Registrar As A Service), and the researchers of the report do not.

What I observe is the following in 95% of all the cases I investigate.

Zero-knowledge providers are usually providers who do not have information about their users, or it is all encrypted. Even if a law enforcement officer has a court order, there is not any useful information.

FakeID generators are available to everyone. And there are some perfect ones out there.
During our investigation into BEC fraud with assistance from the security firm https://telsy.com, I noticed that each domain name had a unique registrant.
We suspect this is done to obstruct investigations and make detection harder. We still see this practice repeatedly with other forms of DNS Abuse, not just limited to BEC. But it was our 2018 investigation into BEC that made it clear that these criminals have become ghosts.
The arrest rate of these criminals is dramatically low. In general, arrest rates are low when it comes to cybercrime.
Botnet operators like Emotet have been untouched since 2014; we have no idea who they are.
Ransomware operators like Maze, CLoP, CryLock, DoppelPaymer, Nemty, Nephilim, Netwalker, ProLock, Pysa, Ragnar, REvil/Sodinokibi, Sekhmet, Snake, Snatch continue to hijack entire networks.
LG, Garmin, Canon, Xerox, Jack Daniels, and so many more have become victims. We do not know who they are, even after years of research into these groups.
The time that you could reverse search a telephone number through the WHOIS and detect more registrations by a criminal is long gone.

Is WHOIS useless? No, depending on what you are investigating, WHOIS can still be useful even if the registrant data is bogus. We are currently examining Bahamut, a group of cyber mercenaries wreaking havoc in the Middle East, and we could still obtain some leads. Very thin leads, but Bahamut is a formidable adversary employed by hostile governments to attack other countries.

For investigations into Phishing, more clues can be found in the infrastructure used by criminals. Usually, we connect the dots much more easily by investigating the technical infrastructure than we would with WHOIS.

Again, I still have access to WHOIS data, so I was able to witness the transition. Criminals have become very smart; something financial banks experience day in, day out.

My advice to the ICANN community: set accountable goals/results for contracted parties rather than resurrecting the WHOIS.
Explore incentives for CPs. The RrSG abuse group will be releasing a whitepaper on that (hopefully soon). It would be great if we could get input on that from everyone.

You made it to the end of my email. Thanks for reading.

Theo

On Wed, Oct 14, 2020, at 12:33 AM, Olivier MJ Crépin-Leblond wrote:
A CircleID article published today can feed concerns about Domain Name abuse:

http://www.circleid.com/posts/20201013-new-data-reveals-phishing-attacks-are-bigger-than-reported/

The article quotes a report from Interisle Consulting Group that highlights phishing activity in both legacy and new gTLDs.

Kindest regards,

Olivier



_______________________________________________
CPWG mailing list
CPWG@icann.org
https://mm.icann.org/mailman/listinfo/cpwg
