• About the Institute
  • Innovation
  • Education
  • Collaboration
  • Events
  • Blog
  • Contact
  • Events
  • Contact
  • Blog
  • NetBeacon
  • DNSAI Compass
DNS Abuse Institute

ABOUT US

Discover who we are and what we do

INNOVATION

Learn about our innovative solutions to strengthen the DNS.

EDUCATION

Access our resources and discover our projects and research.

COLLABORATION

Learn how to join, contribute, and participate!

Article

  • Home
  • Blog
  • Article
  • Best Practice: Anti-Fraud Tools and Registration Flows for Registrars

Best Practice: Anti-Fraud Tools and Registration Flows for Registrars

  • Posted by Graeme Bunton
  • Categories Article, Best Practice, News, Resources
  • Date December 6, 2022

Introduction 

While improving reactive processes to DNS Abuse is important and the focus of much of the work of the DNSAI, ultimately the DNSAI and industry needs an approach that helps prevent abuse from happening in the first place. But preventing abuse from occurring requires acting on potentially malicious domain names, which can bring its own challenges, including lost customers and false positives. 

This document aims to demonstrate the opportunities for retail domain registrars to prevent abusive registrations while reducing potential impacts to registrants and anti-abuse teams. There are three key components to this work:

  • Understanding the overlap in DNS Abuse and payment fraud;
  • Leveraging existing tools; and
  • Optimizing registration processes

Below we put these together.

You can download a PDF version of this article for your convenience, here.

Reduce Fraud, Reduce DNS Abuse

For most retail registrars, domain registration is a volume-driven, low-touch business, requiring the automated processing of thousands of credit card transactions a day. A domain registrar with half a million names under management would likely be averaging around 1,400 renewal and new registration transactions a day, or 42,000 a month. 

Malicious actors, the people registering domain names explicitly to conduct phishing and other forms of DNS Abuse, do not generally do so using their own identity and payment methods. The most common form of payment for these activities is to use stolen credit card numbers.  Sometimes a charge to a stolen credit card goes unnoticed by the card holder.  But frequently, the cardholder will dispute the charge. 

Credit card chargebacks, where a cardholder disputes a charge with their bank and the bank reverses the charge due to fraud that occurred at the merchant, are deeply problematic for registrars in this context. Not only is the registrar losing revenue and potentially paying the registry for the cost of the domain (depending on the timing of the delete and the registrar’s Add Grace Period status) but also puts their ability to process payment transactions at risk. Being terminated by their payment processor for too many credit card chargebacks, primarily because of fraudulent transactions involving stolen credit cards, is an existential risk for many registrars. 

Consequently, the vast majority of retail registrars already have some form of anti-fraud processes in place and, conveniently for our purposes, by leveraging these tools we can reduce malicious domain registrations, fraud, and chargebacks. 

Registration Flow

Below is a simplified domain registration process for a retail domain registrar. 

  • In blue are the customer led registration processes
  • In yellow are the processes that are used to reduce abuse and fraud
  • In red are the processes that end a transaction
  • In green are the processes to complete a registration
  • In purple are the data that one feeds into an anti-fraud process

This document is primarily concerned with two components of this process:

  • The fraud and abuse check, including what data is passed into it
  • The process for reviewing potentially malicious registrations

Fraud Tools

There are many payment processing services in the market today, most of them offer some form of anti-fraud service, sometimes for a per-transaction fee. These features are more sophisticated than the basic CVV checks that all credit card transactions must pass.  A few of the larger ones are:

  • Radar, from Stripe
  • Risk Manager, from Square
  • Merchant Fraud Protection, from Braintree
  • Fraud Protection Services, from Paypal Payments
  • Fraud protection, from GlobalPayments
  • RevenueProtect from Ayden

Most of these services operate in a similar fashion: the merchant provides them with attributes of the transaction and they return a score that indicates a likelihood of fraud. These scores result in three potential outcomes:

  • The transaction is approved
  • The transaction is denied
  • The transaction is flagged for manual review

In a perfect system, all malicious registrations and fraudulent transactions would be denied and everything else would be approved. In the real world, merchants are in a constant process of responding to risks and balancing and tuning systems to reduce manual review, prevent unhappy customers, and reduce fraud. In the rest of this section, we explore what data elements a registrar should consider adding to their anti-fraud processes to improve detection. In the following section, we detail best practices related to manual review.

In general, reducing fraud is going to also reduce malicious domain registrations, as they frequently go together. However, by leveraging these fraud tools to deliberately also catch malicious registrations, we can increase the detection of both.

This is done by providing the fraud detection services with additional information, not only about the customer and the transaction, but also about the domain itself. Typical anti-fraud attributes passed to fraud detection systems include:

  • Customer details
    • Geography
    • Account age
    • Number of previous transactions
    • Number of declined transactions
    • Frequency of recent transactions 
    • IP address
    • IP address geography
    • Previous IP address(es)
    • Previous IP address geography
    • Is it a renewal transaction
  • Transaction details
    • Amount
    • Amount of discount applied
    • Payment type
    • Payment geography

Depending on the features of the payment processor, the processor can either incorporate  additional data points into a machine learning model, or the registrar can build their own rule sets and weights. For example, the Registrar may wish to create a rule where the inclusion of a frequent phishing term would increase the likelihood of fraud.

We suggest adding attributes of the domain names themselves:

  • Domain name
  • TLD
  • Number of dashes
  • Does it contain non-ASCII characters
  • Does it contain frequent phishing terms or misspellings of these terms, such as: login, support, billing, or gov
  • Does it contain frequently exploited brand names or misspelling of such names, like: Apple, Netflix, Google, Facebook, iCloud, etc.
  • Does it contain frequently exploited names of financial institutions, like Paypal, CitiBank, HSBC, etc

If the registrar sells primarily within a particular geography it should consider adding additional terms and brand names. For example, a French registrar would add the names of French banks and payment services. 

Further, abuse follows current trends and term lists should be updated and adjusted frequently and accordingly. At the time of this publication, there is a general concern with heating costs over winter in Europe and, consequently, there has been an increase in malicious registrations related to heating solutions. 

It will require time and testing to optimize the attributes and how they are used but by providing these fraud tools with domain specific attributes, it is possible to reduce fraud and abuse simultaneously. The DNSAI is considering how to collect and share an optimized set of attributes for the industry to use.

Registration Flow & Manual Review

It is straightforward to deal with transactions that are approved or denied by the payment processor, but the transactions that are flagged for review require more work. Below we suggest an architecture for domain registration flow that can limit the harm malicious registrations can do, while minimizing the impact on customers. 

For transactions that require a manual review we want to meet three goals:

  • Reduce the harm caused by potentially malicious domain registrations
  • Reduce the impact on legitimate registrants
  • Reduce the impact on fraud and compliance teams

The way these three goals intersect with a manual transaction review is found in how the transactions are processed. In discussions with retail registrars, three different approaches have been shared. These were:

  1. A transaction is flagged for manual review and the domain is registered prior to the review.
  2. A transaction is flagged for manual review and the domain is not registered until the completion of the review.
  3. A transaction is flagged for manual review and the domain is registered prior to the review but suspended until the review is complete.

The process with the least impact to legitimate registrants would be to operate a 24/7 anti-abuse team ensuring that all flagged transactions are reviewed prior to registration. This is unfortunately not an option for all but the largest registrars.  A registrar using the first approach above saw increases in abusive registrations on Fridays at 6pm, because malicious registrants knew they would have the weekend to use the domain prior to its likely deletion on Monday. The registrar in the second scenario saw frustrated customers, unable to use their domain immediately, often over a weekend. 

While there is substantial diversity in the approach with the domain registration industry. The DNSAI prefers scenario three. By suspending domains flagged for review the registrar ensures the domain is not lost, but can also prevent harm from malicious registrations. Further, by completing the review before collecting payment, the registrar can reduce the volume of fraud-related chargebacks it receives.

The idealized registration flow diagram above follows this example.

Other Tools & Approaches

Some registrars have found success with other methods that may be less generally applicable. One registrar found a substantial amount of their abuse was coming from countries they neither operated or marketed in, and subsequently refused service to customers from those locations.

Other registrars have found that preventing domain registrations from IP addresses associated with cloud computing providers or VPN(s) has reduced the amount of fraud and abuse they see.

Future Work

There are clear places for future work based on the above. First is a service to optimize and share the domain name attributes used in detecting malicious registrations. Ensuring that domain registrars have access to useful and timely information that can be fed into their systems could make a meaningful difference in reducing malicious registrations.

Second is to investigate if there is sufficient value and interest in malicious-detection-as-a-service in order to develop such a service. A simple API, optimized for the purpose of detecting malicious registrations could prevent substantial amounts of harm. 

Additionally, we would be remiss if we did not acknowledge that any approach will need to be evolutionary.  There is not going to be a single solution that works in perpetuity.  Malicious actors are dynamic and will evolve their tactics in attempts to evade both detection and countermeasures.

Summary

Because of the overlap in malicious registrations and payment fraud, it is possible to use transactional anti-fraud tools to prevent DNS Abuse. This is done by providing and optimizing additional information into the fraud detection tools that most registrars will already have in place.  

This approach leverages tools already at the disposal of most retail registrars, and has the potential to reduce fraud, abusive registration, and credit card chargebacks.   Additionally, these benefits are compounded by reducing the substantially greater costs of reactive anti-abuse efforts in the future.  In short, preventing abuse is a substantially lower cost than mitigating it. 

Further, for domains that are flagged for review, it is generally recommended to register and suspend the domain until the review is completed to prevent malicious use, especially between registrar operating hours.

Tag:anti-fraud, DNS Abuse, DNS Abuse Institute, DNS Abuse Reporting, dnsai best practice, fraud registration

  • Share:
author avatar
Graeme Bunton

Previous post

DNSAI Newsletter November 2022
December 6, 2022

Next post

Best Practice: Making Phishing Reports Useful
December 13, 2022

You may also like

注册商和注册机构的《通用滥用政策》
30 August, 2023

最近,一位注册商联系我,他们真切关注采取更多措施来解决 DNS 滥用的问题,但不确定应该从哪里开始着手。DNS 滥用是一个复杂的问题,没有明确的切入点来着手解决。不止这一家注册商,许多注册机构和注册商越来越担心滥用行为,并需要帮助来着手解决这一问题。 本文是三部分系列文章的第一篇,该系列文章旨在为制定反滥用实践的关键组成部分提供合理、简明的介绍。第一篇文章致力于提供合理的法律依据,或者说基本的 DNS 滥用政策,以解决滥用问题。接下来的两篇文章将讨论管理 DNS 滥用的有效手段以及实际缓解程序。 本政策是与互联网和司法管辖区政策网络 (I&J) 共同制定的,我们对他们的贡献和支持表示感谢。I&J 在这一领域有很多非常好的内容,其中包括他们的 Toolkit: DNS Level Action to Address Abuses(工具包:DNS 层面应对滥用的行动),我建议任何对减少滥用感兴趣的人士都要读一下。DNS 滥用研究所也是 I&J 域名联络小组的积极参与者。  DNS 滥用具体政策 大多数注册商都会在其网站上发布某种形式的“服务条款”或“可接受的使用政策”。这些政策条款通常赋予注册商出于多种原因而终止服务的自由裁量权。 发布和采用特定的滥用政策提供了几个优势,主要是在于明确性和保护性方面。明确的滥用政策以及对其执行的声誉,可以对不良行为者使用该服务构成威慑。如果注册商或注册机构的相关政策涵盖了滥用行为,那么在对滥用行为采取行动时也会得到更有力的法律保护。  在我们详细介绍通用政策如何发挥作用之前,我想先说明一下它是如何制定的。首先,我们专门制定了这一通用政策,这样所有注册商或注册机构都可以根据具体情况来使用/修改/实施此政策。这就是为什么该政策采用创意共享许可,特别是 CC By 4.0 license(CC By 4.0 许可)的原因,这些许可允许任何人在注明 DNSAI 的情况下分享和调整材料。其次,我们正在将其转换为 Markdown 格式并将存放在 …

dnsaicompassinset
A New Phase of Measuring DNS Abuse
9 June, 2023
2022 DNSAI Annual Report Image
DNSAI Releases 2022 Annual Report
11 April, 2023

Search

Categories

  • Article
  • Best Practice
  • Bulletin
  • DNSAI Compass
  • News
  • Newsletter
  • Report
  • Research
  • Resources
logo-public-interest-registry-dns-abuse-institute

The DNS Abuse Institute

Providing innovative solutions and information that ensure the DNS is safe and secure worldwide.

Institute

  • About the Institute
  • Innovation
  • Education
  • Collaboration

Quick Links

  • Blog
  • Contact
  • Privacy Policy
  • NetBeacon
  • DNSAI Compass

Connect With Us

Newsletter

Get the latest DNS Abuse Institute news delivered to your inbox.


PIR will only use the personal data you submit via this form to contact you regarding the DNS Abuse Institute Newsletter. The information will not be used for any other purpose.

Please be aware that if you do not consent to the use of your email for this purpose we will not be able to fulfill your request.

Opt-In *

* indicates required

© 2022 Public Interest Registry. All rights reserved.