Phishing domains tanked after Meta sued Freenom (krebsonsecurity.com)
197 points by todsacerdoti on May 26, 2023 | 90 comments



While Freenom did genuinely have issues with spam and the like.

I must say it played a pivotal role in my life, it allowed me to do my passion and have a domain name in my early teens when I couldn't pay for anything. Being able to toy with a domain name led me down many rabbit holes and led to me trying out self-hosting and system administration.

Sad we can't have free things.


I have mixed feelings as well, for the same reason, but I find it absolutely terrible that the citizens of Mali, RCA, Gabon, and Equatorial Guinea have basically been robbed of their TLD by their (mostly failed) governments.


.io is similarly problematic. Although at this point I think the best solution would be to retroactively set .io to mean Input/Output and give the Chagossians a new TLD.

https://tamouse.github.io/blog/politics/2019/10/02/why-is-th...

EDIT: it could also be argued that this controversy is beneficial for the Chagossians I guess. I didn't know anything about them until I purchased a .io domain a few years ago.


Do you not see the obvious irony in taking a people who were forcibly removed from their home so it could be given to others, issuing them a TLD, and now you're suggesting forcibly removing that from them and giving it to others?


It's something they didn't really ask for, never meaningfully utilized anyway, and ultimately is an entry in a table on some servers they can't really care less about.

You can fantasize about the hardships the citizens suffered for the appropriation of the .io TLD and draw any analogy you want, but there are probably more pressing needs of the people you're not addressing by spending time to supply this sort of sympathy.

Worse, imagine a world where you actually advocate for the displaced indigenous people to care about this problem. Probably you'd be asking them to divert attention from real problems such as being able to afford food tomorrow.


No, the real problems are obviously more important. I'm just pointing out the minor insult that echoes the major injury that would be this plan.


That is really painful.

But if those TLDs don't even bring them any money and they're not named after something in the Chagossians' own language, do they even own them in any meaningful sense?

Aside from the right to return to their homelands, these people should be given some actual royalties from .io domain purchases. And then maybe also a new TLD that is more meaningfully connected to them and less likely to be hijacked.


When I wrote that I wasn't imagining any forcing going on. Rather I was thinking about dialogue happening with the ethnic group in question to try and find a TLD that makes sense in their own language rather than English.


I don't buy this at all. Country-specific tlds are more or less a total failure. To the extent they still have a role, it is in having official government sites (eg "gov.uk" in the uk)

Firstly the US never bought into it so all the original successful internet companies are ".coms". For this reason if you are a global company, chances are you would prefer a ".com" to anything else. Most companies want to address a global audience and part of the point of e-commerce is to make this happen. So they don't necessarily want a parochial-seeming national tld but would prefer a global one. This makes country-specific tlds redundant for commerce.

Secondly the people running the national TLDs are (in my experience) often doing so to further their own egos and personal interests and so tend to offer a shitty service. This is why I gave up my ".co.uk" domain some years back. The UK NIC were just annoying in a bunch of different ways.


not sure what world you live in, but ccTLDs are widely used across the world, and in a lot of countries much preferred over .com.

german people, for example, will trust a business running on a .de domain much more than a .com one.

in most cases it is much preferred for an international company to run the country-specific website on the according ccTLD. companies that "want to address a global audience" are a specific set of companies that might prefer a "global" website, but most businesses will run country specific sites, not "global" sites.

also not sure what the UK NIC being "annoying in a bunch of different ways" has to do with anything, or even means.

seems to me like you are living in your own world, far detached from reality.


I’m happy to be wrong about this and hear about the thriving ccTLD scene but there’s no reason to get personal and say I’m detached from reality.

The way in which the UK nic used to be annoying that is relevant for this is that they used to make it much harder to register, transfer and renew domains. So at some point even though I had a .co.uk and a .com I just stopped trying to transfer the .co.uk and let it lapse at the next renewal date.


yeah you're right that some registries might have some weird quirks about certain things like transfers or additional mandatory requirements etc.

UK transfers are surely more complicated than they have to be (push vs. pull logic).

and I can also see where you're coming from, since in the UK it doesn't seem to be such a big thing.

but in most other non-english speaking countries (or even .com.au or co.nz), ccTLDs are actually a big trust factor. also for example high-end keyword domains sell for a multiple of the respective .com domain price. sometimes as much as 5-10 times.


It might be different for the UK, but as others have said ccTLDs in my experience are much preferred over .com. .com is basically used for generic US multinational companies, which means a handful of websites you care about but locally relevant sites are going to be .fr or .be for me.

.fr and .be are as easy to manage as any other TLD, and they have the advantage that you're probably not going to be price gouged as they are not run for profit.


'more or less'.

In Europe they are working very well and are used constantly.

.de is used by most Germans. .fr french, .at etc.


Germany absolutely LOVES their .de TLD.

.de has more weight than .net or .com for most people in Germany.


In Qatar national services use ".qa", and these are not necessarily official government sites.

For example our community schools uses a .qa domain and the biggest telecom provider among various other sites.

What you're saying does not apply to all countries.


> Firstly the US never bought into it

"Never bought into is" as never bothered and never cared about other countries (main character syndrome)


A failure in the US maybe, but in countries like The Netherlands it's weird if a Dutch site does NOT have a .nl TLD


Same here, running little websites using a free hosting provider and a tk domain was a great experience.


I recently recovered the password for my 2002 era davinder.8m.net free website. It is still hosted all these 20 years for free.


Yes! My freeservers site from the same era (2000, when I was 15) is also somehow still alive. I don’t have the password though. So I cannot fix the error haunting me for all time that I listed Generations as a TV series of Star Trek rather than a movie.

http://stvoyager.iwarp.com/

I’d love to know how/why they’ve managed to keep all of those alive so long. I am very appreciative but equally surprised.


Storage and bandwidth have gotten orders of magnitude cheaper since then so that might be part of it. Identifying and deleting inactive websites might have been deemed to be more expensive than just letting them stay on.


> the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains

If the way to have these things is defrauding others, then they are not as free as they seem.

I'd say that a third-level domain is fine for teenage projects; was fine for me even past teens.


can you link me some free third level domain services that allow full control over all records? while I don't need it now, in the past I have wanted such a service and was unable to find them.


"All records" makes an important difference indeed. I mostly thought about web projects where you need A / AAAA and CNAME. I do remember that I had access to MX and TXT at some free provider around 1995; GeoCities? Can't remember.


Sitelutions.com still offers this. Without a paid account, the only limitation is the TTL.


So far I've only found https://nic.eu.org/ but it works, and I assume it's unlikely to go anywhere for the foreseeable future.


for $8 a year you can get a regular domain and then have as many free 3rd level domains with full DNS control as you want. or do you really just mean free free


based on the top level comment, I guess free free; something a child without a credit card can use on his own while playing around


Yeah, the refrain is usually "anyone should be able to afford $8 a year", but I remember being teenager and even when I was making an income I still couldn't get a credit card. It's less about the money and more about the ability to pay.


You don't really need credit cards, we found ways to pay for domains and hosting back in the day when we weren't legally able to get one (due to being minors). Some smaller companies accept other ways to pay that can be used anonymously. I definitely couldn't afford $8 a year though, so others were covering that.


Even if you can't get a credit card, most banks will give you a debit card at 13.


Not in the part of the world I lived in, plus debit cards here work on local only sites whereas registrars are non-local.


It requires specific care because in the DOM security model, third level sites are all in the same security domain and can read each others cookies and control each others pages. The browsers have a special list with gov.uk, co.uk etc so it knows these are special.

That wasn’t a concern in 2002 but today it should be.
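How the browser suffix list mentioned in the comment above affects cookie scope between sibling subdomains, as an added example that is not part of the thread: the rule list is a constructed excerpt in Public Suffix List syntax, and `freehost.example` is a hypothetical provider of free third-level names.

```javascript
// Constructed, abbreviated rules in Public Suffix List syntax (not the real list).
// "freehost.example" is a hypothetical provider of free third-level names.
const BASE_RULES = ["com", "uk", "co.uk", "gov.uk", "*.ck", "!www.ck"];
const WITH_PROVIDER = [...BASE_RULES, "freehost.example"];

// Public suffix of `host`: longest matching rule wins, an exception rule ("!x")
// overrides the others, and an unlisted TLD falls back to its last label.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  let best = labels.slice(-1);
  for (const rule of rules) {
    const exception = rule.startsWith("!");
    const ruleLabels = (exception ? rule.slice(1) : rule).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(-ruleLabels.length);
    if (!ruleLabels.every((l, i) => l === "*" || l === tail[i])) continue;
    if (exception) return tail.slice(1).join("."); // drop the leftmost label
    if (tail.length > best.length) best = tail;
  }
  return best.join(".");
}

// Registrable domain ("site"): the public suffix plus one label, or null.
function registrableDomain(host, rules) {
  const labels = host.toLowerCase().split(".");
  const n = publicSuffix(host, rules).split(".").length;
  return labels.length > n ? labels.slice(-(n + 1)).join(".") : null;
}

// Scope a browser gives a cookie set by `requestHost` with Domain=`domainAttr`
// (RFC 6265 section 5.3): null means the cookie is ignored.
function cookieScope(requestHost, domainAttr, rules) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (publicSuffix(domain, rules) === domain) {
    // A Domain attribute equal to a public suffix is only honoured host-only.
    return domain === host ? { domain: host, hostOnly: true } : null;
  }
  const matches = host === domain || host.endsWith("." + domain);
  return matches ? { domain, hostOnly: false } : null;
}

// Would a cookie with this scope be sent on a request to `host`?
function cookieSentTo(scope, host) {
  if (!scope) return false;
  if (scope.hostOnly) return host === scope.domain;
  return host === scope.domain || host.endsWith("." + scope.domain);
}

// Two tenants of the same provider, before and after the provider is listed.
for (const [label, rules] of [["unlisted", BASE_RULES], ["listed", WITH_PROVIDER]]) {
  const scope = cookieScope("alice.freehost.example", "freehost.example", rules);
  console.log(label, "tenant site:", registrableDomain("bob.freehost.example", rules),
    "| alice's cookie reaches bob:", cookieSentTo(scope, "bob.freehost.example"));
}
```

Once the provider's domain is on the list, each tenant name becomes its own registrable domain and the parent-scoped cookie is refused.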


I am still using a couple of .cf and .tk domains for semi-serious mail, haven't had any issues with delivery.


that's actually really weird


These domains apply a serious bonus to spam scores, but if you do everything else right (send a normal but not too large amount of email, get your mail server from a domain with high reliability, set up SPF/DKIM/DMARC/etc.) you shouldn't fall below the spam line in most spam filters.


Given .tk's known practice of seizing domains for their own use, it might be wise to migrate to a more stable TLD.


> have a domain name in my early teens

yep, being a kid interested in tech and having parents, that are not, is probably a huge pain... internet at home and a computer.. sure... giving your credit card info to your kid for some name on the internet? No way s/he's getting that.

Having a free option (and dynamic dns, and possibly even a free virtual machine somewhere) makes a lot of learning and experimenting possible for kids.


> giving your credit card info to your kid for some name on the internet?

I’d guess that in many cases, being interested in tech might make people _less_ likely to do this.


Facebook is playing double-standards here.

They are knowingly allowing card fraud and other cybercrime groups to operate openly on there. We’re not talking about criminals that use the platform while trying to appear sneaky and flying under the radar - we’re talking about groups outright advertising their wares in the group name: https://krebsonsecurity.com/2018/04/deleted-facebook-cybercr...

> Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

> KrebsOnSecurity’s research was far from exhaustive: For the most part, I only looked at groups that promoted fraudulent activities in the English language. Also, I ignored groups that had fewer than 25 members. As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or mispellings of different cyber fraud slang terms.

I have my own personal experience with this. I came across a page promoting Snapchat (and maybe other services) hacking services that in exchange for a fee claimed it would email you the credentials of the target account, with plenty of obviously compromised accounts posting comments claiming it works. Obviously very illegal in the vast majority of jurisdictions, but the double whammy there is that the service was itself a scam.

Reporting the aforementioned group and a few of the fake comments yielded that none of this activity goes against their community standards.


i love reading the comment in HN, not the articles. but this is a strange one.

> They are knowingly allowing card fraud and other cybercrime groups to operate openly on there.

i wonder if you believe yourself when you write stuff like that? as if that company has a policy to allow fraud and cybercrime and they really believe it's good for their business.

if you do... well... watch out from those black helicopters


You don't need an explicit policy to allow it (putting it in writing would be stupid). There's plenty of ways to effectively allow it without saying it, like not encouraging/deprioritizing projects that aim to crack down on this kind of behavior, effectively turning a blind eye to the bad content without ever explicitly "allowing" it so they retain plausible deniability when confronted.


Note: they "stopped phishing" by basically forbidding almost anyone from registering a domain, I've been trying to get a new domain there for months without success


Existing domains stopped working too, I lost the one I've been using for 10+ years :(

The most annoying part is there has been zero communication from Freenom - not a single email. They also never replied when I asked what was going on.


This is the real answer, I have a paid domain and am still unable to get contact or transfer off (I have attempted this with all known registrars that support .tk, Freenom simply fails to respond to the transfer request)


I mean that's basically the point. The barrier to entry of $10/yr and breaking anonymity is enough to price out bad actors.

If anyone at all has a way to combat this stuff that doesn't rely on "bad actors need disposable identities to get around blocks and don't usually have money" will basically win the internet.


LLM?


The title is a little deceptive. From near the end:

> Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years.

> Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many.


Any phishing domain in my spam folder is NameCheap 9 times out of 10.


Isn't it the biggest after godaddy?


No idea. It might just be they are lower priced than other places that attracts miscreants wanting domains in bulk.


So spammers are attracted to the same low prices and quality of services as anyone else? The subtext of this comment chain is a pretty weird take. The fact a domain is registered at Namecheap does not by itself make it any more likely to be a source of spam.


I think it is more likely that spammers favor Namecheap because Namecheap ignores spam reports (at least mine). So far, I received the same kind of spam from ~500 of their domains.


In my experience they handle abuse amazingly, suspended within 30min most of the time


It was just a relatively recent development in large part due to Facebook (https://domainnamewire.com/2022/04/25/meta-platforms-drops-l...), after this settlement the response to abuse reports did markedly improve.


They've handled abuse great for me, even before that


What kind of evidence do you need to provide when reporting spam to a domain registrar? Could I get your domain banned by spoofing spam emails and sending screenshots of them to Namecheap?


Screenshots are not enough, they ask for eml


Can't that still be pretty trivially faked?


Not too sure, not sure of the process how they validate it


That wasn't the intent of the comment. The original article was suggesting Freenom was popular with spammers. I was adding my observation that it has often been Namecheap that is prolific in my spam folder. We then go on to discuss why that may be.


Would you have evidence of this?


Yes, I have domains at Namecheap that don't host spam.


What alternative options exist for low budget passion projects, toy projects, and the like? It's such a tough space to exist, trying to offer a free service while also combating spam.

The best list I'm seeing is: https://free-for.life/#/?id=domains


Now I just wish Google would get googleusercontent.com and googleapis.com under control...


What’s going on here?


i suspect that, in absolute numbers, most of spam and phishing and malware is homed there


Think of all the email spam you get from cold sales outreach.


I wish they would do .cc next. I see a lot of spam from them on my personal mailboxes. Followed by all those google gtlds.


Hoping for .facebook and .google


Maybe this is the way. I'm no fan of Meta but harping on lax domain setup controls might put the right pressure to lower malware installs.


It's funny how meta actually takes spam somewhat seriously, unlike google.


I was about to order something from a website[1] that showed as first page result on Google Search.

Spending couple of minutes on the site, it became obvious that it is a scam website. Confirmed further by another search on domain[2]. I wanted to report it but there is no easy way to report this. So I gave up and hope no one falls for it.

[1]: https:// littletikes . savemoney . store

[2]: https://forums.dansdeals.com/index.php?topic=119138.0


You can report phishing sites really easily here https://safebrowsing.google.com/safebrowsing/report_phish/?h...

Or alternatively report an abusive google ad here https://support.google.com/ads/troubleshooter/4578507


Thank you, I tried to report it from the search page. I clicked on the 3 dots menu. The options were not perfect for this kind of scam reporting but I selected something close enough. Then it took me to another page where there was a huge form to fill out.

It should be easier to report scams or phishing sites from search page, imo.


Every third or fourth technical Google search I try lists about 10 to 20 fake sites. Many of them using .it for some reason, but there are plenty of other TLDs with this problem as well. At this point I'll click a .biz before I click a .it.

I'm not going to report hundreds of domains every month. Google needs to get their crap together.

The same is very much true for other parts of Google as well. Youtube comments are hilariously full of spam. There's a pretty good tool out there to get rid of the spam, which just runs the comments through a basic spam filter, but for big channels you can't let the tool run for too long because of API call limits.


And likely nothing will happen.


Ymmv but I've got very good results reporting websites to Google safe browsing and them getting blocked.


Google's ignoring spam is especially egregious through side channels, e.g. spammers adding you to Photos message shares.


This is super annoying. I get mentioned in random documents all the time... No idea why


Yes, Google launching .ZIP and .MOV domains is yet another sign of the moral rot at a once ethical company.


“Once ethical”? How far back do you have to go for that? 1999?


I dunno, I feel like you could make that case right up until they merged with doubleclick.


You could, but you could make it the other way too.

https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...


Personally I find .com and .sh to be much worse as it refers to actual executable files.


~~Do no evil.~~


I've had people open up Facebook and Instagram accounts using my email address. They don't bother with requiring verification to use their services. Before I took over the accounts I'd get periodic notices about "friend" activity but never a nag to verify the e-mail.


Don't they verify by phone number these days


Unless it happens on their own platform, then they don't care



