DNS Abuse Institute

DNSAI Bulletin 2023-04: Account Take-Overs

  • Posted by Graeme Bunton
  • Categories Article, Bulletin, News, Resources
  • Date April 6, 2023

The DNSAI has encountered multiple reports of an increase in account take-overs at retail registrars across the industry. This bulletin is intended to help registrars identify and prevent these attacks. 

Download a shareable PDF version of this bulletin.

Issue Description

Multiple registrars have reported an increase in account take-over attacks. In an account take-over, an attacker logs into a customer account using stolen credentials and uses that account to purchase domain names.

The attackers appear to be using email addresses and passwords that customers re-used at other online services and that were subsequently leaked online.

In these cases, the domains purchased by the attacker do not appear to follow a clear pattern, so it is difficult to look for obvious abuse characteristics in the domains. Some fraudulently purchased domains appear to have been previously and legitimately registered, used, and expired. The attackers identified these domains as being used for accounts at other online services and available for registration, allowing the attackers to take over social media and other accounts or services.

The attackers are acquiring large volumes of domains (e.g., hundreds or more, in some cases), often with stolen credit card numbers, generating substantial amounts of credit card chargebacks and domain suspensions and deletes for registrars.

Identification

Compromised accounts have been identified using one or more of the following criteria:

  • Large orders of domain names, or a large number of small orders for one account
  • Dormant accounts, or accounts that have been inactive for a long period of time, reactivating

As well as common anti-fraud criteria:

  • Accounts using multiple credit cards, or adding new cards
  • Account geography not matching credit card geography
  • Accounts coming from multiple IP addresses
  • The same IP being used by multiple accounts
  • IPs coming from VPN or cloud hosting providers

Prevention

Implementing some form of two-factor authentication has been the most successful method of preventing these account take-overs, as attackers do not appear to control the email accounts or devices associated with the compromised account.

Many registrars use age-of-account as a factor in assessing the risk of a transaction; however, reducing the amount of trust in older accounts has seen more of the fraudulent transactions flagged by anti-fraud systems.

Implementing warning flags in transactional systems based on the criteria for identification above can be useful for catching account takeovers and other types of fraud and abuse. 
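
One way to turn the identification criteria above into warning flags on a batch of orders, as an added example that is not part of the original bulletin. The thresholds, field names and the `HOSTING_IPS` set are assumptions, and the accounts and orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Thresholds are illustrative assumptions, not values from the bulletin.
LARGE_ORDER = 50                # domains in a single order
MANY_ORDERS = 10                # orders per account within the batch
DORMANT = timedelta(days=365)   # inactivity before an account counts as dormant
HOSTING_IPS = {"203.0.113.7"}   # stand-in for a VPN / cloud-provider IP feed

def flag_accounts(accounts, orders):
    """Return {account_id: sorted list of warning flags} for a batch of orders."""
    by_acct, accts_by_ip = defaultdict(list), defaultdict(set)
    for o in orders:
        by_acct[o["account"]].append(o)
        accts_by_ip[o["ip"]].add(o["account"])
    result = {}
    for acct_id, acct_orders in by_acct.items():
        acct, flags = accounts[acct_id], set()
        if any(o["domains"] >= LARGE_ORDER for o in acct_orders):
            flags.add("large_order")
        if len(acct_orders) >= MANY_ORDERS:
            flags.add("many_small_orders")
        if min(o["time"] for o in acct_orders) - acct["last_active"] >= DORMANT:
            flags.add("dormant_reactivated")
        cards = {o["card"] for o in acct_orders}
        if len(cards) > 1 or cards - acct["known_cards"]:
            flags.add("new_or_multiple_cards")
        if any(o["card_country"] != acct["country"] for o in acct_orders):
            flags.add("geo_mismatch")
        ips = {o["ip"] for o in acct_orders}
        if len(ips) > 1:
            flags.add("multiple_ips")
        if any(len(accts_by_ip[ip]) > 1 for ip in ips):
            flags.add("shared_ip")
        if ips & HOSTING_IPS:
            flags.add("hosting_or_vpn_ip")
        result[acct_id] = sorted(flags)   # account age earns no trust discount
    return result

# Constructed sample data (documentation IP ranges, made-up card tokens).
T = datetime(2023, 4, 1, 12, 0)
ACCOUNTS = {
    "a1": {"country": "CA", "last_active": T - timedelta(days=900), "known_cards": {"tok_1"}},
    "a2": {"country": "US", "last_active": T - timedelta(days=3), "known_cards": {"tok_2"}},
}
ORDERS = [
    {"account": "a1", "time": T, "ip": "203.0.113.7", "card": "tok_9", "card_country": "BR", "domains": 120},
    {"account": "a1", "time": T + timedelta(minutes=5), "ip": "198.51.100.4", "card": "tok_8", "card_country": "BR", "domains": 80},
    {"account": "a2", "time": T, "ip": "192.0.2.10", "card": "tok_2", "card_country": "US", "domains": 1},
]
```

Calling `flag_accounts(ACCOUNTS, ORDERS)` flags the long-dormant account `a1` on six criteria and leaves `a2` with an empty list.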

 

© 2022 Public Interest Registry. All rights reserved.