Why Is .US Being Used to Phish So Many of Us? (krebsonsecurity.com)
92 points by todsacerdoti on Sept 1, 2023 | hide | past | favorite | 77 comments


GoDaddy is making a ton of money by allowing spammers and scammers to abuse .US domains. They have a massive incentive to turn a blind eye to it because cutting these bad actors off would mean they lose out on all that money. It doesn't matter to them if the money they're getting is likely stolen to begin with or that the domains will be used to rip off countless others.

Amoral monsters who will do anything for money can't be trusted to do anything other than make money. It's bad enough they're able to register domains with other TLDs, but we should probably not allow them to manage .US at all given their track record.


I know the enforcement of this would be problematic and require some tinkering and the establishment of probably a whole department of the .gov and a lot of tinkering by well informed people, but it is just wild to me that all entities, not even just registrars, but every entity in every step of the process, from registrars, to ISPs, to cloud service providers, to email providers, to hosting providers, everyone involved in a scammers' operation profits from the scamming, and none of them* are even slightly culpable.

Like how are you selling amaz0n.us and NOT figuring out that someone is up to shady shit? How are you approving thousands of emails with Amazon in the subject line and not realizing you are not Amazon's provider? How are you hosting pages clearly duplicated off legitimate websites that this one IS ABSOLUTELY NOT and just shrugging your shoulders?

I'm not even saying we need continuous monitoring on all these fronts but like, if you get an inordinate number of spam reports on a client, maybe take a freaking look? Maybe take a look at what your hosting servers are publicly serving? Maybe give the mildest of a shit about promoting a healthier Internet, considering you're selling the tools people use to build it?


ISPs and mail admins have some incentive to limit the amount of abuse because if they don't other networks will just drop their traffic. The problem is that this trick only works until you reach a certain size. Google can host malware all day and they're responsible for massive amounts of spam, but nobody is going to blacklist everything from @gmail.com so they don't have to care. When AOL was the largest ISP in the world the situation was similar. They'd aggressively blacklist other networks while not acting on abuse originating from their own.

We either need laws that penalize irresponsible internet companies or we need an organization like ICANN to enforce policies that cut off bad actors. If ARIN pulled the IP space from networks that didn't clean up their mess, or stopped letting lazy domain registrars sell domains, things would improve pretty quickly. Instead we're making whois increasingly worthless and a growing number of sites and services don't even have a working abuse@ address to report problems to.


Oh, people do try doing that. SORBS does this a lot and it basically means you cannot use Gmail with them.


> Like how are you selling amaz0n.us and NOT figuring out that someone is up to shady shit?

They sell millions of domains and there is no human being looking at any of them.

You also have no idea what someone is going to use a domain for when they register it. How is the registrar supposed to know if amaz0n.us is intended to be a scam or some US citizen's advocacy site to protect the Amazon Rainforest, which they had to settle for because amazon.us was registered by some unrelated conglomerate in 2002? If someone is sending a lot of emails with Amazon in the subject line, maybe they're just a normal seller on Amazon communicating with their customers? Or the same advocacy group mailing people about the rainforest.

The only way to even attempt it is algorithmically, but algorithms have so many false positives that anyone who attempts it will quickly lose their legitimate customers to the horror stories of some unaccountable algorithm shutting down their sole source of income or their incredibly sympathetic charity organization.

> I'm not even saying we need continuous monitoring on all these fronts but like, if you get an inordinate number of spam reports on a client, maybe take a freaking look?

The scam sites do get shut down. The scammers just make new ones.

What you need is for the police to put the scammers in prison where they can't make any more websites.


Like spam email, these phishing scams evolve. Something like amaz0n generally comes from amazon in the domain being blocked, since not all domains can realistically be checked during the order. The phishing check needs to continually evolve, and there will always be false positives blocking legitimate sites. Bank is a common one that gets blocked, so a domain like embankment - or you want to block cialis because of pharmaceuticals and it blocks specialist - these may not pass phishing checks and be order stopping.

Godaddy probably can do more and be closer to other country level registrars that more closely require some type of id or business registration to complete the order but fraudsters will still try and some will succeed in getting phishing domains created.
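The trade-off the two comments above describe (catch amaz0n, but don't stop orders for embankment or specialist) can be made concrete. The following order-time screen is an added example written for this thread, not code from GoDaddy or any registrar; its brand list, lure words and leet mapping are constructed samples:

```python
import re
import unicodedata

# Watch lists, constructed for this example; a registrar would maintain its own.
PROTECTED_BRANDS = {"amazon", "paypal", "microsoft", "bank"}
SPAM_TERMS = {"cialis", "viagra"}
# Words that typically accompany a brand in a phishing label (brand + "support" etc.).
LURE_WORDS = {"support", "login", "secure", "verify", "account", "help",
              "billing", "update", "alert", "service", "signin"}
# Assumed leet/homoglyph substitutions; real confusables tables are much larger.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s", "|": "l", "!": "i"}


def normalize_label(label):
    """Lower-case, fold diacritics to ASCII, then undo leet substitutions.

    A leet character is only replaced when it touches a letter, so 'amaz0n'
    becomes 'amazon' while the year in 'support2023' is left alone.  Letters
    from other scripts (e.g. Cyrillic) are dropped by the ASCII fold, so a
    mixed-script label still fails to equal the brand and needs its own check.
    """
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    out = []
    for i, ch in enumerate(folded):
        left = folded[i - 1] if i > 0 else ""
        right = folded[i + 1] if i + 1 < len(folded) else ""
        if ch in HOMOGLYPHS and (left.isalpha() or right.isalpha()):
            out.append(HOMOGLYPHS[ch])
        else:
            out.append(ch)
    return "".join(out)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-typo look-alikes (amozon)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_lure(part):
    """True if the text around a brand is empty, digits, or a lure word (+ digits)."""
    stripped = part.rstrip("0123456789")
    return stripped == "" or stripped in LURE_WORDS


def token_hits(token, watch):
    """Reasons why one token resembles a watched term ([] if it does not).

    A term inside a longer token only counts when everything around it is lure
    text, so 'embankment' (bank) and 'specialist' (cialis) are not hits, while
    'microsoftsupport2023' is.
    """
    reasons = []
    for term in sorted(watch):
        if token == term:
            reasons.append(f"exact match for '{term}'")
        elif len(term) >= 6 and len(token) >= 6 and edit_distance(token, term) == 1:
            reasons.append(f"one edit away from '{term}'")
        else:
            idx = token.find(term)
            if idx >= 0 and all(_is_lure(p) for p in (token[:idx], token[idx + len(term):])):
                reasons.append(f"'{term}' combined with lure text")
    return reasons


def screen_registration(domain):
    """Order-time screen for a requested .us domain.

    Returns a verdict whose decision is 'allow' or 'hold_for_review'; a hold
    routes the order to a human rather than refusing it automatically.
    """
    label = domain.lower().strip(".")
    if label.endswith(".us"):
        label = label[:-3]
    norm = normalize_label(label)
    reasons = []
    for tok in re.split(r"[-_.]+", norm):
        if tok:
            reasons.extend(token_hits(tok, PROTECTED_BRANDS | SPAM_TERMS))
    return {"domain": domain, "normalized": norm,
            "decision": "hold_for_review" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for d in ["amaz0n.us", "microsoftsupport2023.us", "embankment.us",
              "specialist.us", "paypa1-login.us", "amozon.us"]:
        v = screen_registration(d)
        print(f"{d:26} {v['decision']:16} {v['reasons']}")
```

The word-boundary rule is what keeps the false-positive rate tolerable; it also means a label such as bankofamerica slips through, which is the evolving-check problem the comment describes.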


One problem is that if they start policing spam, they might have to answer to Congress' opinions about content that is "as bad as spam" or worse like so-called misinformation. That is one reason (constitutional protection of freedom of speech) that the USPS ships so much junk mail around even when they could from an operational perspective (but again, not a constitutional perspective) decline it. I am not saying that the constitution protects phishing emails, but I am saying that claims of the technology not being developed yet for policing online content are one major reason the recent age verification push in Australia did not go into effect. It is not an unmitigated good for control at that level of granularity to be possible.


The USPS is paid to deliver the bulk rate mail spam. That is one of their strongest reasons to not block it.


Two counterpoints:

1) The Freedom of Speech and of the press by extension at the time it was created was working under the assumptions of the printing press and carriage mail. I think it's long past time for a re-evaluation on this in the modern age, not only when bulk mailing can be done at a scale that would make a press-printer's head spin today with modern machinery, but also and especially with regard to email, which is basically free minus the trivial cost of electricity to send a truly mind bending amount of spam messages.

2) I think it's beyond ridiculous that so many people will bring up that "well having any standard of information (to prevent misinformation) can be used by bad actors, so it's better to not have the mechanism at all to review the content of things." On subjective matters of opinion, it is certainly much, much harder to determine bad-faith or say with certainty that something is misinformation. But tons and I do mean actual tons of spam can be easily flagged as misinformation: be they advertising products that are flagrantly fraudulent in nature, be they advertising 419 scams that are... scams, be they fake amazon alerts about missed shipments, etc. etc. I would go so far as to say a majority in fact of spam email can be objectively determined to be misinformation of one kind or another, even if you totally discount political things from that system which I can see the logic of even if I don't necessarily agree with it. And if you agree with that assessment, then why in the world are we permitting this communication to occur? Why have we just thrown up our hands and said "nothing to do about it" as spammers have basically ruined an entire medium of communication?


My best answer to both is that humanity has not advanced to the stage where the government or (worse) un-appointed mail carriers, electronic or otherwise, who were not selected by the market for their moderation skills or evenhandedness, can be given that kind of power. Instead, we make smaller forums and voluntarily submit ourselves to small scale powers like dang directly on the basis of their fairness and effectiveness. Could AT&T pull a dang out of their inner workings? Probably not... and definitely not the several thousand that would be necessary to limit spam.


YUP.

>>NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.

>> Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.

On reading that, my first thought was "why would anyone who has a clue expect GoDaddy to do anything resembling the right thing, especially if doing the wrong thing and/or doing it wrong will net them more money?"

Evidently (in this case, well-earned negative-) reputation counts for nothing.


Wow, this is a blast from the past. Long story short, the original performer (Neustar) won the renewed contract, but everything went to hell and they got taken private by a PE firm. They sold off the entire registry unit to make some cash. GoDaddy had bid against Neustar for that contract in 2018, and lost (water cooler talk at the time was because the feds hated them), but won the war by purchasing a distressed asset.


They have a massive incentive to turn a blind eye to it because cutting these bad actors off would mean they lose out on all that money.

GoDaddy could make even more money by cutting those people off. Then they can re-sell the domain again.

Like when a restaurant shortens the amount of time diners are allowed to linger so it can turn the tables more often.


To another phisher. Who wants to buy microsoftsupport2023.us?


This is a good point. I have loathing for GoDaddy based on abject misery they've subjected me to in the past, coupled with their unethical behavior (like registering and re-selling (for much more money) domains that customers are searching for through their interface but don't buy right away). But it's important not to be overly reductive about the incentives here.


Ideally, they'd be doing their job and screening these people before they paid for a domain and started hosting phishing sites or malware, but you know, assuming they were catching these issues proactively and basically as soon as the payment was processed I'd be okay with them taking the money before shutting the domain down. Sure, it'd still be a company profiting from stolen money, but if it can't be returned it might as well be wasted.

I think the issue is that as soon as scammers realized they were throwing their money away they'd stop buying up .US domains and find some other means to trick people. Probably just using other TLDs and/or registrars which means GoDaddy loses their income stream either way.


godaddy needs a spanking


I believe thankyoumommy offers that service.


Such are the typically nefarious means to the end that is capitalism.

When you strip away all the PR and bull sh*t, a company's only purpose is to make money for their owners. Most won't care how that happens.


So you are saying GoDaddy should first audit and approve every business before selling them a domain? They are a domain registrar, and their only job is to sell a domain to whoever wants it in a few clicks, nothing more. There is nothing special about ".us" over anything else. Content problems are the business of the FBI and other law enforcement agencies.


> There is nothing special about ".us" over anything else.

No, .us is special; the OP sums it up well enough:

> Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S.

Such restrictions aren't unique to .us, and I've worked with other ccTLDs that have similar restrictions. Generally, AIUI, they're supposed to be for the people of that nation, who can then do as they see fit. Maybe that's free access to whoever pays for it, maybe that's "only our people", such as is closer to the case here.

> Content problems are the business of the FBI and other law enforcement agencies.

If GoDaddy actually did the job they were supposed to be doing here, it might actually be possible for that to happen, since there'd be a door on US soil to bust down, but if the bad actor is just in some far-away nation that was never supposed to have been permitted to register that domain in the first place, the bar goes up a bit.


> Content problems are the business of the FBI and other law enforcement agencies.

I've often wondered why the FBI don't have a website where I, a random citizen, can get hold of SSN's, credit cards, bank accounts etc. to give to any scammer who asks me.

The FBI would then trace all uses of those numbers and use them like a honeypot.


My first thought was that the numbers would end up being collected and screened for by bad actors and if the numbers were generated on demand, we'd eventually just run out of valid SSNs or credit card numbers.

It might work on a small scale though. They could give a few of those numbers out to security researchers and internet abuse desks.


It seems like a clever idea to me! The first problem that comes to mind (not necessarily insurmountable) is that some number of people will use the honeypot data in legitimate forms, either due to cluelessness or intentional fraud on their end. It's not immediately obvious to me what happens in that case.


It used to be that to get a SSL certificate you had to provide a Dun & Bradstreet ID, and go through a minor audit. Was the Internet safer then? Well I certainly wasn't being phished in the 90's because it wasn't really a thing yet. I enjoy what Letsencrypt brings us so I don't want to go back to that, but I do believe the registrars are certainly partially to blame here. Look at Google and .zip: how many valid domains are registered with that TLD, and how many are malicious? We can make better decisions, it just requires not being so damned greedy.


Those barriers to entry meant basically nobody hosted malicious sites with an SSL cert back then. "Look for the lock" was a valid security recommendation in those days.


Actually, we'd just see the web part of an attack on a hacked webserver, often with a wildcard EV cert. something.majorcorp.com/some/backwater/director/index.htm. The funny part is the phish would look like something at UPS and be hosted on some airline site, so the advice to check the link was the best defense.


I still see this pretty much daily.

Usually you find the mailer script (for spamming), a web shell, and a few different phish kits all under some directory. Also usually the captured credentials, etc.

Sloppy work from the crooks, but it works.


> It used to be that to get a SSL certificate you had to provide a Dun & Bradstreet ID, and go through a minor audit.

What kind of audit? And was it conducted by DNB? If so, some audit it must have been.

I can't speak to the time before, but these days, DNB is a scam in and of itself. Just last year, the FTC finalized its order against them for deceptively selling a junk business credit monitoring service and failing to correct errors on business credit reports--even today, they'll tell you they don't know who provided the data that they themselves collected in the first place.


It wasn't an "audit" in the sense it is today, just a 'is this a real business?' 'not impersonating another business/person' kind of audit. Wasn't too difficult to pass if you had a business set up.

It was conducted by the company issuing the SSL certificate. Getting your initial cert could take anywhere from 24 hours to a few days. Once you were set up renewals weren't a big deal.

Nowadays it's all automated of course, anybody can get a cert easily and that's great!


Only some vendors did that, most didn't. And that was back in the days when we thought SSL would be useful for ID verification, which it never was meant to be used for.


For legitimate use cases - I think the .us domain was doomed when the US government forbade using anonymizing proxies for the domain registrant’s contact information.

If you register one - you need to provide complete contact information, and that will be publicly available via Whois.

I still get spam calls offering “Web Design” services for the .us domain I naively bought 8 years ago, even though it’s 7 years expired.


Apparently at least this problem is being addressed by the NTIA:

> The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.


Yes - contrary to the quoted source in the piece, this is a good thing.

Clearly if all this fraud exists with the requirement in place - it’s not an effective prevention measure.


It's a shame that the .us locality namespace and delegated manager infrastructure has been allowed to languish. GoDaddy (and Neustar previously) have intentionally made it difficult or impossible to register new locality domains under namespaces managed by them (read: the majority of namespaces).

The delegated manager system truly represented the distributed, decentralized nature of the old Internet. That said, it is not completely dead; there are still a handful of delegated managers out there, and you can even convince some of them to "register" a new domain for you in the locality namespace!


As Wikipedia puts it: Most registrants in the U.S. have registered for .com, .net, .org and other gTLDs, instead of .us, which has primarily been used by state and local governments, even though private entities may also register .us domains.

This makes .us a prime target for attackers because victims tend to trust .us more than .com. Nothing GoDaddy can do will change that.


This is HN so let's go beyond shallow outrage and actually think about what a solution would look like. I'm sure some here are involved in KYC and fraud prevention. What could GoDaddy do to prevent this kind of abuse?


Because the contract awarding administration of the .us ccTLD to Neustar (acquired by GoDaddy) specifies the certification/spot check process: https://www.ntia.doc.gov/files/ntia/publications/ustld2007_3....

NTIA could amend the contract to require or allow a different process that doesn't so readily enable phishing. So, bribe your local legislator if you'd like to see the process changed.


Because it's handled by a for profit company whose aim is to sell as many domain names as possible?


Gonna need some graphs that show "phishing volume per domain" here, because just saying that this is "according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends" doesn't actually tell anyone anything; it's just an appeal to authority when no one has any reason to trust a consulting group to actually be authoritative.

Show the numbers.


The report is linked at the end of the article.

Most phishing comes from .com (expected due to its size). The report says about .us:

".US is the ccTLD of the United States and had a very large number of its domains used for phishing -- almost 30,000 domains, more than 20,000 of which were registered maliciously by phishers."

Also, it seems doubtful that krebsonsecurity would be appealing to some authority without a good cause.


> Also, it seems doubtful that krebsonsecurity would be appealing to some authority without a good cause.

Ever since the false accusations accident, I've stopped trusting Krebs when he's making statements like these.

.US has a high percentage of phishing domains, but in terms of raw numbers .com, .cn, and .pw are still much bigger than .us. I do wonder about these statistics, though; I don't know where domaintools.com gets their statistics from, but that's the only source for these "total domains registered" numbers. TLDs like .rest and .live also have much higher phishing percentages.

The assertion that .us is unusually phishy is backed by numbers that don't seem to have a clear, verifiable source. I don't know who Interisle are, but I don't think they run any TLDs, so I wonder where they got their data from. They say they've collected their data through https://www.cybercrimeinfocenter.org/ but that's hardly an authoritative source of domain statistics.


OT, but I find it interesting that one wrong move can erase hundreds of good moves (one mistake can erase 20 years of goodwill).


Trust is hard to gain but easy to lose. When someone goes out and doxxes people during a Twitter argument, I find it hard not to be sceptical of their intentions going forward. Krebs is an expert in his field and has undoubtedly done more good than bad, but reading some of the stuff he did definitely left a bad taste in my mouth.

I used to look up to him as a huge name in the infosec field until I found out he can be kind of a dick. I still love reading his work, but the vibe changed.


Then you need to put some more doubt in your life. Security experts should be doubted more than anyone else, exactly because of the subject matter.


So GoDaddy is the registrar responsible for the ccTLD, but who is responsible for the 50+ second-level domains? Are those all under GoDaddy's control too?

I mean, I assume that most people registering a .US domain are not registering it at the top level. Do individual states have no control over how their second-level domains are administered and delegated? Furthermore, there are so many sub-sub-domains under all that. Any one of those could be vulnerable to someone entering unauthorized DNS information and getting a host within the domain without any need to register anything at all.


> I mean, I assume that most people registering a .US domain are not registering it at the top level.

No, 99% of the people are registering at the top-level. It's not like .uk where there are second-level domains that each domain falls under.


Well except for k12.xx.us, which used to be standard in every state. Some of these domains are still alive, so there are definitely third- and fourth-level domains available for hijacking and malicious injections.


They might exist, but it is a far cry from “most people registering a .US domain are not registering it at the top level,” which is mistaken.


These namespaces are controlled differently. You can't just go to godaddy.com and register "phishingdomain.k12.ny.us".


Yes, that's exactly what I mean. The subdomains are administered by the autonomous IT departments and administrators who run their delegated, authoritative name servers.

Therefore, they are rather more vulnerable than a centralized registry that has the resources to scrutinize every application for veracity.


The article is about how GoDaddy doesn't even bother scrutinizing second level registrations. Nobody is bothering to hack local governments to set up phishing domains. It's a lot easier to navigate to godaddy.com with 5 dollars and a fake address to grab a second-level domain.


tomayto, tomahto


In 2002 the .us TLD started allowing others to register second-level domains as they wish, and those types of registrations became the majority that same year. Locality namespacing in .us is mostly a historical thing now. Some still exist, and their management is delegated to managers other than GoDaddy.
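The distinction the sub-thread keeps circling (a name sold directly under .us by the registry's registrars versus a name inside a state locality namespace such as k12.ny.us or ci.nyc.ny.us) matters when routing an abuse report, because a different party operates each zone. The classifier below is an added example written for this thread, not code from any registry; the branch labels (state, k12, cc, tec, lib, gen, ci, co) are assumed from the RFC 1480 locality scheme, and the state-code list is the 50 states plus DC:

```python
US_STATE_CODES = {
    "al", "ak", "az", "ar", "ca", "co", "ct", "de", "dc", "fl", "ga", "hi", "id",
    "il", "in", "ia", "ks", "ky", "la", "me", "md", "ma", "mi", "mn", "ms", "mo",
    "mt", "ne", "nv", "nh", "nj", "nm", "ny", "nc", "nd", "oh", "ok", "or", "pa",
    "ri", "sc", "sd", "tn", "tx", "ut", "vt", "va", "wa", "wv", "wi", "wy",
}
# Assumed branch labels of the RFC 1480 locality scheme (k12.<st>.us and
# ci.nyc.ny.us are the ones mentioned in this thread).
STATE_BRANCHES = {"state": "state government", "k12": "school district",
                  "cc": "community college", "tec": "technical school",
                  "lib": "library", "gen": "general entity"}
LOCALITY_BRANCHES = {"ci": "city government", "co": "county government"}


def classify_us_name(hostname):
    """Say where a .us hostname was obtained and who operates the relevant zone.

    Result keys: kind ('direct' or 'locality'), zone (the delegated name an abuse
    report should be routed to), branch (locality-scheme branch, if any) and
    contact (the party that operates that zone).
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2 or labels[-1] != "us":
        raise ValueError(f"not a .us name: {hostname!r}")
    body = labels[:-1]                     # labels left of .us, leftmost first
    if body[-1] not in US_STATE_CODES:
        # Sold directly under .us, so the registry/registrar vetting applied.
        return {"kind": "direct", "zone": f"{body[-1]}.us", "branch": None,
                "contact": "registrar of record"}
    state, rest = body[-1], body[:-1]
    if not rest:
        return {"kind": "locality", "zone": f"{state}.us",
                "branch": "state delegation", "contact": "state delegated manager"}
    if rest[-1] in STATE_BRANCHES:         # e.g. district.k12.ny.us
        branch, zone = STATE_BRANCHES[rest[-1]], f"{rest[-1]}.{state}.us"
    elif len(rest) >= 2 and rest[-2] in LOCALITY_BRANCHES:   # e.g. www.ci.nyc.ny.us
        branch, zone = LOCALITY_BRANCHES[rest[-2]], f"{rest[-2]}.{rest[-1]}.{state}.us"
    else:                                  # bare locality, e.g. host.nyc.ny.us
        branch, zone = "locality", f"{rest[-1]}.{state}.us"
    return {"kind": "locality", "zone": zone, "branch": branch,
            "contact": "delegated manager for that locality (not the registrar)"}


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in phishing reports.
    for h in ["login.amaz0n.us", "www.ci.nyc.ny.us", "school.k12.ny.us", "ny.us"]:
        print(h, classify_us_name(h))
```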


States usually control a top level domain under .gov (e.g. there is labor.ca.gov for California’s department of labor).

.us on the other hand is freely available for anyone to use (and in my experience is usually quite cheap).


States being part of .gov is relatively new. There was a very long period where .gov was exclusively for the federal government. The state governments were under the domain (abbreviation of state).us, and everything was a subdomain of that.


New York City, a municipal government, used to have its website at www.ci.nyc.ny.us, now it’s at nyc.gov. But NYC still has a bunch of active websites hosted at *.nyc.ny.us.


NYC also has a TLD of their own. e.g: https://www.archives.nyc/


That's privately controlled, not like .gov. But yes.


yeah I still remember my grade school website's domain ended in ".k12.<state abbrev>.us"

Seems ripe for abuse if such registrations aren't being securely controlled.


But you don't get it. No registration is necessary. All an attacker needs is access to the authoritative DNS servers. They can get a delegation or insert their own resource records. Why go through a registry and give up a credit card and personal details?


I think they're referring to <state>.us registrations


I think at this point it’s been allowed for over 20 years but I’m sure there is a mixture still.

I was mostly trying to point out that registering under .us is pretty trivial. There is no need to try and sneak something into some state’s DNS records; anyone can just go on any registrar and purchase something directly under .us.


I did get my firstname.us yesterday (for legitimate purposes, maybe a blog post sometime in the next decade). One can absolutely register .us at the top level. Many institutions like schools, counties, and departments get countyname.us and then provide subdomains to others. Many in California have switched over to .gov by using .ca.gov, at least at the state government level.


What steps would be reasonable to "verify that their customers actually reside in the United States, or own organizations based in the U.S." and wouldn't be very easily subverted by bad actors?

I would object much more strongly to registrars being heavy-handed about verification for .us domains than being overly-loose about it.

Phishing/spam problems aren't going to be solved by verifying .us domains.


It's not terribly difficult to find mules in a country to do the (totally legal) work of registering a domain name which is then credentials-transferred or has NS records pointed at DNS under scammers' control.

Passkeys are probably the solution to most phishing attempts.


because a domain extension based off of a country is more reputable (and likely more available) than its .com equivalent?

I love Krebs's work but this article title is complete garbage. It has nothing to do with the domain extension and more about godaddy turning a blind eye to their customers' nefarious doings. This can happen with _any_ domain.


US citizens getting screwed over because the government outsourced management of a national resource to the biggest company it could find, that company’s proving to be totally incompetent, and oversight is basically nonexistent? Say it ain’t so!


Plenty of countries outsource their ccTLD management to the private sector. It's GoDaddy that is the problem.


I agree. It’s not the outsourcing, it’s that we picked an incompetent company and then didn’t provide any oversight.


In this case it isn't incompetence, it's immorality. Which sucks, but is to be expected from the private sector when there is no oversight.


Hell, the root zone is controlled by the private sector.


[flagged]


To be clear, that’s not what I’m saying at all. Plenty of other governments manage to do this fine; the US government, on the other hand, has been shaped by 40 years of anti-government, pro-business philosophy to both favor the largest institutional partners it can find (very often rewarding size and prior government contracts over any actual competency) and to effectively lack the staff and ability to provide proper oversight. We regularly hand over government functions to partners with no actual incentive to provide more than their bare contractually obligated service while extracting the absolute most from users of those services and wind up getting shitty outcomes and high prices, and somehow this is used to _further_ drive the narrative that government is the problem and we should outsource even more.


Can anyone on the planet register in .us, or are there residency requirements (like with .ca)?


In TFA: "Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States."

... and ...

"Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working."


available to citizens "&& residents".

Not every resident is citizen.


every resident has a physical presence

