Why is the .US domain -- the country code top-level domain (ccTLD) for the United States -- consistently among the most prevalent in phishing domains?

And why is this okay, when other ccTLDs that also restrict registration to residents/citizens don't seem to have this problem? And when a fair number of .US domains are used to attack US government agencies? Today's story explores these questions:

Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.

https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/

Why is .US Being Used to Phish So Many of Us? – Krebs on Security

@briankrebs Who are the registrars? I remember when having a .us TLD, I had to prove that I was US-based and was not allowed to hide my WHOIS.
@trbarrettjr GoDaddy manages it now. Here's what their page looks like on attestation. You can see the option that you're an American citizen is already populated.
@briankrebs @trbarrettjr Big surprise - outsource this to a for-profit entity and they try to maximize their profit. Great reporting that draws attention to an embarrassing issue for the US.
@digitalcatnip @briankrebs @trbarrettjr

I actually wonder how much of an issue spam is on different ccTLDs, comparing those managed by for-profit contractors vs. those managed by non-profit ones.

For instance, .ca is managed by @cira, which is a non-profit tasked to manage the .ca ccTLD. I wonder how much spam there is with .ca vs. .us in proportion to how many domains they have in total.
@briankrebs How odd considering what it takes to get a dot-us domain. I thought having my site be KoHoSo.us made it and its email a little more trustworthy. I guess not.
@briankrebs I'm getting 403 flak off your site
@ellenor2000 come again? what's the issue exactly?
@briankrebs i try to click around and i am getting nondescript 403s.
@ellenor2000 can you give me an example of a link that is doing this?
@briankrebs I'll give it 10 hours (I plan to sleep) and I'll get back to you if it's still doing it. Web stuff is super finicky.
@briankrebs this is sad, and bad news. I have owned a .us almost ever since it became available, and it is my main presence almost everywhere (it is where I have my main email address as well). There should be a better control, and management, of it.
@briankrebs The fact you can’t have WHOIS privacy with .US is asinine.
@briankrebs I want to be able to get a state level TLD from the DMV

@feistel @briankrebs Like .nv.us, .wa.us or .tx.us?

Should not be the biggest problem at all. *EvilGrin*

@hackbyte @briankrebs we're probably already at the point where users are mostly unaware or uncertain of domain registration policies except for .gov -- the problem can't really get worse.

@feistel I fear that most don't even know what a TLD is at all..... mhh ;)

They're just used to the fact that there are certain letter combinations at the end of a "url" - meh. ;)

@briankrebs So, they contracted out the management of a TLD that is fairly attractive to phishers to a company that probably has a financial incentive to sell as many registrations as possible. What could possibly go wrong?

@briankrebs

An interesting exercise is to take a block of registered .us domains and then track the actual hosting entity... lots of .ru and related hosters in there...

@briankrebs "Dozens of countries have their own ccTLDs" huh?
Every country has one, there are 255 ccTLDs, plus more with non-Latin characters. All two-letter TLDs are ccTLDs.
@nicolas17 thanks. so you're certain every country on earth has a tld?
@briankrebs I think there's a few that don't (or formally have one but don't use it), but for some it quickly gets into complex "what is even recognized as a country?" definitions...

@briankrebs As someone who would like to have their last name as a domain in .us (think [email protected] for email address), but I can’t because it’s registered to a company in Italy, I am happy to report that the nexus requirement is an absolute joke.

Namecheap, the registrar for the domain, has allowed an Italian company with no presence in the US, and the Italy country code as their nexus required “state of residence”, to register the domain name.

But for me to contest the validity of the current registration, it appears that I would need to spend hundreds or thousands of dollars with no guarantee that the outcome would allow me to register the domain. Even though I’m a US citizen, and the current registrant has no US presence.

@briankrebs

Hmm, so .us is just like .ly & .XYZ & .mov & .zip domains for ☣️? Huh.

I think I should do a new Bing🔴 Card 🤡🎡 for the SOC🧦 🐈🃏 😆☣️

🧵
👇
https://infosec.exchange/@infosec_jcp/110577970480550542

Perhaps making a bingo card for helping clean up some .us domains would be effective at the ccTLD level as a visual reference? Some ppl are more visual learners so. ¯\_(ツ)_/¯

@infosec_jcp 🆓🐦🐈🃏 done differently (@[email protected])


@infosec_jcp @briankrebs Uhm .. sry .. but .. .social exists? ;)

@hackbyte @briankrebs

You mean 'FreeWebHosting', from an advertising company, I believe. Like Tripod, Angelfire, MySpace, Friendster, etc.

Unless you are talking about the deprecated MARCOM terminology, Social media, from 15+ yrs ago, that's run by Advertising Companies dressing up via fancy made up words to describe their AD / Profiling / LDAP / BBS like Platform that just hides the email address per user with a slightly different UI/UX & has UUEncoding/UUDecoding built in like the newsgroups, iGuess? 😆¯\_(ツ)_/¯

@infosec_jcp @briankrebs oh my fscking gosh ... no i'm absolutely _NOT_ talking about that...

More about like originary #fediverse services and sites like mastodon.social, firefish.social, friendica.social (sadly down) and lots of others.... mhhhhh ;)

@infosec_jcp I actually prefer the visualisation here... but it is outdated sadly. ;)

.oO( i came down and _actually_ joined the fediverse way back when Google+ died ... and first was on the common trek to #diaspora* .. from which i emancipated a (few?) years later ;))

@infosec_jcp But basically yes..... the greater #fediverse with all its bits and bobs .... isles and non-isles. ;)
@infosec_jcp 🆓🐦🐈🃏 done differently (@[email protected])

Perhaps we need to #rebrand some #advertising companies who call themselves #SocialMedia as : #OligarchRunFreeWebHosting platform on #web1 💯💸 🤔

@briankrebs what really makes me boil is that .gov, .mil & .edu are U.S.-centric, as if there is no government, military and especially no education outside of the USA.
@kkarhan @briankrebs OH boy ......that's a completely different story on its own. ;)
@hackbyte @briankrebs yeah, but to go back to the point: #Spam is a big issue and 99,9% of all Spam that isn't being #DROP'd by #Spamhaus blocklists is from #GMail, #YahooMail, #Hotmail / #Outlook.com / #Office365 / #AzureHostedExchange and domains hosted by registrars like #GoDaddy, because #Google, #Yahoo, #Microsoft and the Registrars refuse to even process #Abuse #reports at all.

@hackbyte @briankrebs
Like it's not even a "please click our #CAPTCHA meant to prevent false reports by bots (which isn't a thing btw!)" but literally Registrars like #GoDaddy saying in corporate legalese:

'We don't give a f**k about spamming and we won't do jack shite about that!'

There's a reason .de domains are one of the best regarded, and it's not because #DeNIC demands a legal resident with a fax number as contact, but because regulators like @BNetzA are rightfully short-fused re: #SPAM.

@hackbyte @briankrebs @BNetzA

And no, "#unsubscribing" only confirms it as real and one gets spammed from 5+ others in retaliation because there is no #Privacy or #DataProtection law in the #USA. (#COPPA doesn't count because it's a legal figleaf no one complies with!)
https://github.com/greyhat-academy/lists.d/blob/main/spammers.domains.block.list.tsv

lists.d/spammers.domains.block.list.tsv at main · greyhat-academy/lists.d

@briankrebs In the late '80s my first ISP picked up a block of .<state>.us names and I had that domain for abt 25 yrs before I had to drop that ISP because they wouldn't do DKIM or SPF and a fair bit of email bounced. Not only was there a huge uptick in spam, but everyone was shying away from .us, so I was getting blocked at a lot of web sites.

@briankrebs

I suspect two things.

The enemy is within.

The targets are .gov or .mil people that may not catch the TLD switcheroo.
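The "TLD switcheroo" the post above refers to is a .us name standing in for a .gov or .mil one (an agency's name with "-gov" glued on, or the agency name alone under .us). As an added example, not code from the thread or from any project it mentions, here is a small Python checker a defender could run over proxy or mail logs to surface such names. The protected agency names, the log format and the log lines are all constructed for the example.

```python
"""Spot .us hostnames that imitate .gov/.mil names in web-proxy log lines.

Added example; the agency names, log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed: names of agencies/brands the defender wants to protect.
PROTECTED_NAMES = {"exampleagency", "examplebureau"}

# These tokens carry meaning under .gov/.mil; inside a .us label they are a red flag.
GOV_TOKENS = {"gov", "mil"}


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def _normalize(label: str) -> str:
    """Lower-case and strip hyphens/digits so 'example-agency1' matches 'exampleagency'."""
    return re.sub(r"[-0-9]", "", label.lower())


def check_us_host(host: str) -> Optional[Finding]:
    """Return a Finding if host is a .us name that imitates a .gov/.mil name, else None."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "us":
        return None  # only .us hostnames are in scope here
    body = labels[:-1]
    # 1. A 'gov' or 'mil' token anywhere in a hyphen-separated label.
    for label in body:
        if GOV_TOKENS & set(label.split("-")):
            return Finding(host, f"label '{label}' carries a gov/mil token under .us")
    # 2. A protected agency name embedded in the hostname (hyphens/digits ignored).
    joined = "".join(_normalize(label) for label in body)
    for name in PROTECTED_NAMES:
        if name in joined:
            return Finding(host, f"resembles protected name '{name}'")
    return None


URL_RE = re.compile(r"url=(\S+)")  # constructed log format: ... url=<URL>


def scan_log(lines) -> List[Finding]:
    """Pull the URL host out of each log line and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host is None:
            continue
        finding = check_us_host(host)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample proxy log lines (none of these hosts are real).
SAMPLE_LOG = [
    "2023-09-01T10:00:01Z user=alice url=https://exampleagency.gov/portal",
    "2023-09-01T10:00:05Z user=bob url=https://exampleagency-gov.us/login",
    "2023-09-01T10:00:09Z user=carol url=https://www.state.tx.us/",
    "2023-09-01T10:00:12Z user=dave url=https://login.example-agency.us/sso",
    "2023-09-01T10:00:15Z user=erin url=https://somebusiness.us/",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.host}: {f.reason}")
```

Delegated state names such as www.state.tx.us pass unflagged because neither rule matches; the checker is deliberately narrow, and a real deployment would feed the hits into a review queue rather than block on them.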

@briankrebs not to defend GoDaddy as the .us registry... yes the .us TLD is a cesspool no doubt...but your article brushes over the registrars.. i'm sure you didn't mean to imply that the only place one could register a .us domain is on GoDaddy (which yes, the drop down choices are indeed nuts)...but it reads that way... fwiw, we spend a lot of time detecting bad domains and a lot of them are in the .us TLD... and most of them are not registered via GoDaddy. (again not to defend their role as a registry)... indeed, probably NameSilo from a *registrar* perspective of .us domains is the biggest point of abuse. actors will always go to the point of cheapest return. and yes it is crazy and bad. i do love the registrant disclosure personally. :) but there are a lot more players in the phishing mix than GoDaddy. what role should the registrars play in checking credentials? 🤷
@knitcode I understand your point. I think it's also important to mention that while indeed the entire industry is a cesspool, GoDaddy is the one that sets the practice on .US; the rest just follow their lead.
@briankrebs do they? 🤷 idk. but to your point, one of the most prolific actors we track in .us has a Ukrainian personal email, a registrant country of Poland, a very fake name, and hosting "in" Estonia... GoDaddy's fault? yeah as the oversight. But I hold NameSilo just as accountable.