Hi all,
I just wanted to show you what we mean by considering other indicators rather than one domain to start ADC.
You need multiple signals to trigger ADC, not just one abusive domain. Here's what those signals look like — and how even free agent Detective Badi undertook her analysis with zero equipment or use of intelligence firms (yes yes I know, when it scales it's harder.)
Before diving in, here are the kinds of freely available, contextual indicators I can think of:
1. Is the domain on a blocklist?
2. Has it been reported before?
3. Does it relate to a documented, active campaign?
4. Does it share infrastructure (e.g. nameservers) that hosts a large number of malicious actors?
5. Was it registered during a period of heightened relevance to a specific attack target?
6. Is the registry going through a period of increased abuse? (check domain metrica)
7. Is the registrar going through a period of increased abuse? (check domain metrica)
These paint a much richer picture than "one domain in a portfolio is bad, therefore ADC should start and every domain should be checked."
This is not a formal NCSG position, but we've been saying for a while that ADC should be triggered based on a combination of such indicators/signals rather than profiling entire registrant portfolios from a single abusive domain. Ching's ADC examples inspired me to actually do this exercise and show what that looks like in practice.
One caveat before I go further: I am not comfortable with these indicators. But they might be better than profiling domain name registrants and their entire portfolios based on a single abusive domain.
---
THE TELEGRAM-HONG KONG CASE
In Ching's examples I came across telegram-hongkong[.]com. This one is very interesting for me, as I worked on the use of Telegram in Hong Kong during the 2019 uprising.
Here's the scenario: imagine this domain was registered around the uprising time in Hong Kong. Telegram was the most popular app during the uprising, and people were desperately trying to download and use it. A domain registered in that window, mimicking Telegram, could signal a systematic effort to cause security issues for a specific population at a specific moment. That's a genuinely good contextual indicator for triggering ADC — the timing and the target tell you something that the domain name alone cannot.
But this is not without its complications. During that same period, people also ran apps that helped protesters track police locations, and dear Apple took those down. Now imagine that somewhere in an "abusive" portfolio, a couple of domains exist that were actually helping protesters. Authorities are actively requesting takedowns of such domains. What should the registrar do?
Does their knowledge of those domains create legal or political exposure for them?
The contextual signal cuts both ways. Which is exactly why context needs to be analyzed.
For the record, Malwarebytes documented a campaign where attackers used malicious Google ads exclusively targeting people in Hong Kong, luring victims into downloading a malicious version of Telegram. So yes — this domain relates to a well-known, documented campaign. That's another signal worth noting.
---
THE CRAIGSLIT / CALUDE CASE
I do DNS abuse reporting as a hobby, partly to understand what doesn't work and what could be better. In one of my hunts I came across Craigslit[.]com. I reported it multiple times through different reporting mechanisms, it got suspended, and then, sigh, it's active again.
What's interesting is that it used to share a nameserver that I have come across too often in abusive domains (like calude(.)ai). But the nameserver can be rapidly changed, so this metric should not be used on its own.
Another signal: whether a domain has been reported before. I was excited to see that Domain Metrica claimed to have this kind of data — until it didn't actually tell me whether the domain had ever been reported, despite the fact that I know I reported it myself.
This is admittedly a weak signal, but public reporting history is still better than snooping on registrant accounts.
All in all, you need contextual, situational signals alongside the abusive domain to justify starting ADC — things like blocklist presence, prior reports, shared infrastructure, registration timing, and ties to documented malicious campaigns. These signals are freely available in the world. No special access required. No account surveillance needed. You can use abuse.ch and a myriad of free tools that can help you with your decision.
Best regards,
Detective FB
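As an added illustration (not part of the message above, and not any project's code) of what "a combination of signals rather than one abusive domain" looks like when written down: the function below evaluates the contextual indicators from the list against constructed sample data and refuses to trigger ADC on a nameserver match alone, since the message notes that nameservers can be changed rapidly. All domain lists, abuse ratios and the event window are assumptions for the example; a real deployment would pull them from blocklists, abuse feeds, passive DNS and registry/registrar abuse statistics.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumption for this example, not from the message):
# a real deployment would query blocklists, abuse feeds, passive DNS and
# registry/registrar abuse statistics for these values.
BLOCKLISTED = {"telegram-hongkong.com"}
PRIOR_REPORTS = {"craigslit.com": 3}  # number of public abuse reports seen
DOCUMENTED_CAMPAIGNS = {"telegram-hongkong.com": "fake Telegram ads aimed at Hong Kong"}
# Fraction of known-abusive domains observed per nameserver (constructed values).
NS_ABUSE_RATIO = {"ns1.hastydns.com": 0.8, "ns1.example-clean.net": 0.01}
# Brand keyword -> window in which a lookalike registration is contextually
# suspicious (constructed approximation of the 2019 Hong Kong protest period).
TARGET_EVENTS = {"telegram": (date(2019, 6, 9), date(2019, 12, 31))}

@dataclass
class DomainContext:
    name: str
    nameserver: str
    registered: date  # creation date as reported by WHOIS/RDAP

def collect_signals(ctx: DomainContext) -> dict:
    """Evaluate each contextual indicator from the message for one domain."""
    name, ns = ctx.name.lower(), ctx.nameserver.lower()
    return {
        "blocklisted": name in BLOCKLISTED,
        "reported_before": PRIOR_REPORTS.get(name, 0) > 0,
        "documented_campaign": name in DOCUMENTED_CAMPAIGNS,
        "shared_abusive_infra": NS_ABUSE_RATIO.get(ns, 0.0) >= 0.5,
        "timing_matches_target": any(
            brand in name and start <= ctx.registered <= end
            for brand, (start, end) in TARGET_EVENTS.items()),
    }

def should_trigger_adc(signals: dict, minimum: int = 2) -> bool:
    """Trigger only on a combination of independent signals. A nameserver match
    on its own never suffices, because nameservers can be swapped in minutes."""
    hits = {k for k, v in signals.items() if v}
    if hits <= {"shared_abusive_infra"}:
        return False
    return len(hits) >= minimum

def evaluate(name: str, nameserver: str, registered_iso: str) -> tuple:
    """Convenience wrapper: returns (signals, decision) for one domain."""
    ctx = DomainContext(name, nameserver, date.fromisoformat(registered_iso))
    signals = collect_signals(ctx)
    return signals, should_trigger_adc(signals)
```

Calling `evaluate("craigslit.com", "NS1.HASTYDNS.COM", "2022-01-01")` in this constructed data set yields two independent signals (prior reports plus shared abusive infrastructure) and so triggers, whereas an unknown domain that merely sits on the same nameserver does not.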
Ching's ADC examples inspired me to do this exercise. This is not an NCSG position but we have been saying that the start of ADC should be based on different indicators instead of just if one domain is abusive, then we should trigger ADC.
Before I begin, I want to be very clear that I am not comfortable with these indicators. But they are better than profiling domain name registrants and their portfolios based on one abusive domain.
In Ching's examples I came across telegram-hongkong[.]com. This is a very interesting case. It was exciting for me especially because I worked on the use of Telegram in Hong Kong during the 2019 uprising.
So the scenario is as follows: imagine if this domain was registered around that time. Telegram was the most popular app around that time and people would want to download it or use it. So perhaps if the domain was registered during that time, it could signal that it's a systematic effort to cause some security issues. So that's actually a good indicator to consider when wanting to trigger ADC. This is not without its shortcomings. During that period they also ran apps that would inform the protesters about the police location. Those apps were taken down by dear Apple. Now imagine if in this abusive portfolio, there are a couple of registered domains that help protesters. There is a clear request from the authorities to take down such apps/domains. What should the registrar do? Doesn't their knowledge of the existence of such domains create problems?
Other factors that should be considered are: is the nameserver ... does the domain relate to a well known campaign (it does, Malwarebytes documented a campaign where attackers used malicious Google ads exclusively targeting people in Hong Kong, luring victims into downloading a malicious version of Telegram.)
Anyway I continue. I do DNS abuse reporting as a hobby to understand what doesn't work, what could be better etc. In one of my hunts, I came across Craigslit[.]com. I reported this domain many times using different reporting mechanisms and it was suspended and now I see it's active again. But interestingly it shares the same name-server with my other hunt and that's calude.ai. They both use NS1.HASTYDNS.COM (the name server).
Another signal can be if the domain has been reported before. I got excited to see domain metrica said it has such data but it didn't tell me if it was ever reported despite the fact that I know I have reported the domain name! (This is a weak signal, but again public data might be better than snooping on accounts etc.)
So what is the moral of the story?
You need to have different signals (contextual, situational) as well as the abusive domain to start ADC. Those signals are available for free out in the world and even Detective Badi without any equipment managed to do it.
Farzaneh
Dear all,
Please review the attached 2023 research slides regarding typosquatting groups, which may be relevant to this PDP. In short, the research compares two different datasets -- typo groups vs. confirmed IoC domains.
Feel free to ask any questions or comments via the list or privately.
Best,
Ching
Ching Chiao 乔敬
Head of APAC & Corporate Development