DNSAI Compass: Six Months of Measuring Phishing and Malware

The DNS Abuse Institute recently published our sixth monthly report for our project to measure DNS Abuse: DNSAI Compass (‘Compass’). Compass is an initiative of the DNS Abuse Institute to measure the use of the DNS for phishing and malware.

The intention is to establish a credible source of metrics for addressing DNS Abuse. We hope this will enable focused conversations, and identify opportunities for improvement. 

DNS Abuse impacts everyone. We want to use this initiative to improve the overall health of the DNS ecosystem. Fundamentally, we want to prevent or quickly mitigate harm to end users, businesses, governments, civil society organizations, public services, and the general public while preserving the benefits and principles of an open Internet.

This February 2023 report includes data from May through December 2022 and we now have eight months of data available on our interactive dashboards. Our methodology for this report is the same as all prior reports (v1.0) and we encourage feedback, questions, ideas, or suggestions to help us improve this initiative.

To ensure Compass is independent, reliable, and uses academically robust methodology we work with an experienced independent third party who designed the methodology and conducts the data gathering. The technical analysis for this project is performed by KOR Labs, led by Maciej Korczynski from Grenoble INP-UGA.

Our methodology observed an increase in domains involved in malware distribution in December 2022 when compared to the previous month of reporting. For all domains identified as related to malware in December 2022, our methodology observed high levels of mitigation (97%), and a high proportion (83%) of compromised domains. Observed numbers of domains identified as related to phishing are similar to previous months. 

This report marks six months since our first report in September 2022. During this journey we have spoken with a range of stakeholders in various corners of the world, both virtually and in person. Our discussions have included representatives of registrars, registries, law enforcement agencies, governments, trade and consumer organizations, financial and intellectual property interests, hosting providers, civil society, and the security and research community. 

This outreach has been far-reaching as we seek to include the global community interested in keeping the internet safe. We welcome opportunities to share our work with new audiences around the world and hear about others’ experience in measuring and fighting DNS Abuse. 

Throughout this experience we’ve learnt several important lessons on how we measure and communicate about DNS Abuse: 

One recurring theme we observed in our outreach is the importance of using specific language and granular measurement. Sometimes ‘DNS Abuse’ can be used as shorthand for ‘mitigation is appropriate at the DNS level’. While this is sometimes true, it isn’t always the case and to move the conversation forwards, we need to get more specific. We can do this by recognizing the need to determine whether the registration is malicious or compromised, understanding the evidence available, and considering the potential for collateral damage if the registration is removed from the DNS. 

Secondly, purpose and scope are important. Compass is intended to reliably and consistently measure the prevalence and persistence of the use of domains in phishing and malware; it is not intended to capture all harm on the Internet, or to measure the impact of this harm on end users. We measure unique domains (not URLs) because registrars and registries only have (limited) actions they can take which all apply at the domain level (not at the URL level). 

Finally, context is essential. It’s worth remembering that our project identifies evidence of phishing and malware on a small portion, less than 1%, of all domains currently registered. The vast majority of domains registered are not engaged in phishing activity or malware distribution.  

As Compass matures, we’re working towards public reporting on individual TLD and registrar performance. Our aim is to celebrate and recognize good practice, as well as shine a spotlight on potential for areas of improvement in the industry. 

We hope to understand through these reports which factors, policies, and processes are effective, and empower the industry with evidence. 

We are currently considering how best to achieve individualized performance reporting while recognizing nuance and context, and incentivizing behaviors that reduce and prevent DNS Abuse with minimal unintended consequences. We look forward to gradually expanding the granularity of our data with future iterations of public reports. As we do this, we’ll be reaching out to individual registries and registrars prior to publication.  

We have considerably more data than we have currently published. We encourage all registrars and registries to get in contact with us and take the opportunity to view the data associated with their registrar or registry. These meetings typically yield insights for both the registry or registrar and the DNSAI. 

These meetings can take place virtually, or for those headed to ICANN76 in Cancun, you may like to take this opportunity to meet with us in person.