Bulk Registrations Uncovered: Legitimate Uses vs. Cybercriminal Exploits

By Alex Deacon
Executive Summary
Bulk domain name registrations, where numerous domains are registered within seconds or minutes, play a dual role in the digital ecosystem, serving legitimate and malicious purposes. Legitimate uses include protecting brands, enabling marketing campaigns, and facilitating domain name speculation. However, bad actors also exploit bulk registrations to cybersquat and launch cyberattacks, often relying on patterns like random domain generation to evade detection. This study proposes a taxonomy of these registration types, exploring their distinct patterns and purposes.
Introduction
Interisle Consulting Group recently published a new study titled “Cybercrime Supply Chain 2024: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them.” This study included an analysis of so-called “bulk domain name registrations” associated with domain names found to have been used in cybercrimes. Bulk domain name registrations occur when the same registrar and registrant register many domain names within a short period (seconds or minutes) of the previous registration. In this report, the Interisle team asks a seemingly simple question about bulk domain name registrations: Are there any legitimate purposes for domain names registered in bulk?
In this article, I want to start to answer this question and build a draft framework to understand how bulk domain name registrations are currently used beyond those used to perpetrate abuse on internet users. So, unlike previous Exploring DAP articles, this will be more of a qualitative policy analysis rather than a quantitative study. At this stage, my main goal is to define a simple taxonomy of bulk domain name registration “types,” which I hope will aid future work on this subject.
Approach
While the Interisle team searched for characteristics of bulk registration behavior among domains already associated with internet abuse, I wanted to widen the scope and look at all domain name registrations in the zone files from the legacy, new, and country code Top Level Domains (TLDs) in the DNS Research Federation's DAP.LIVE data analytics platform. Given the enormous number of daily domain name registrations worldwide, this is a complex and daunting task.
- To minimize processing gigantic data sets, I focused on looking at all domain name registrations for a single day. This data was obtained from the “DAP: Zone File Domains” data feed, which contains the set of known live domains obtained daily from the ICANN CZDS system and other ccTLD zone files.
- I then summarized the registrations by registrar, registrant, and minute. This results in a list of domain names registered to a specific registrant and a particular registrar for a single minute of the day. Registrations that occurred over one or more minutes are listed separately but can be easily correlated.
- For each set of bulk registrations found, I queried the various abuse block lists available on the DAP to see which had been reported as abusive.
- Finally, I manually examined the results to understand how bulk domain name registrations are used.
Caveats
As stated above, this article attempts to build a framework to understand how bulk domain name registrations are currently used beyond those used to perpetrate abuse on internet users. I am using an informal and manual study of a small part of a very big data set. Additional analysis and discussion will be needed.
Also, the loss of public identifying registration information associated with domain names, including the widespread use of Privacy/Proxy services by many large registrars, makes it difficult to confirm that a single individual registered a group of domain names that appear in the same minute. However, it is possible to surmise this from similarities in the registered domain strings and in other metadata.
Bulk Domain Registration Study
In this study, I randomly chose one day of domain name registrations: September 29, 2024. I focused solely on bulk registration blocks where 20 or more domains were registered within a single minute. This analysis yielded 109 distinct blocks of “bulk registrations,” with the largest containing 163 domain names, averaging 2.72 new registrations per second.
After manually analyzing these registrations, I discovered they fit into one or more of the following categories:
- Brand Registrations
- Individual Registrant or Domainer Registrations
- Potentially Abusive or Cybersquatter Registrations
- Abusive Registrations
Brand Registrations
New businesses or brands often register multiple domain names associated with their brand or trademark string. I didn’t find any bulk registrations of a “major” brand on this particular day, but I did see the following registration block that could be one.
Registration Date: 2024-09-29 00:38
Registrar Name: Porkbun LLC
Registrant String: Whois Privacy + Private by Design, LLC + 500 Westover Dr #9816 + Sanford + NC + US
Total Number of Domains In Block: 34
The domains in this block are all of the form *sparkaccelerator.com with a different prefix string, including strings like all, best, bold, demo, easy, fast, etc.
Because of the use of a Privacy/Proxy service, we don’t know the true reason for this registration block. Indeed, it could have been made by a domainer or individual registrant who hopes to sell the domains on the secondary market. However, given that none of these domains has appeared on any domain name abuse blocklists, we can be assured they haven’t been registered for abusive reasons ... at least for now.
Individual Registrant or Domainer Registrations
The practices of prospective buying and future selling of domain names have existed since the early days of the domain name system. As such, it is unsurprising that we see bulk purchases of related domain names in this data set.
The first block is typical of a domainer, registering various “store”, “shop”, and “vip” domains in the .click TLD.
Registration Date: 2024-09-29 06:33
Registrar Name: SAV.COM, LLC
Registrant String: REDACTED FOR PRIVACY + REDACTED FOR PRIVACY + 2229 S MICHIGAN AVE SUITE 303 + CHICAGO + ILLINOIS + US
Total Number of Domains In Block: 47
Domains in this block include airconditionerstore.click, babiesstoreshop.click, coffeebarvip.click, and 44 additional variations on those themes. None of these domain names have been placed on an abuse block list.
Potentially Abusive or Cybersquatter Registrations
Our ability to know the true intention of a block of registrations is limited, and registrations should be presumed innocent until proven otherwise. However, recent research, including the INFERMAL study, shows that abusers often register the domain names used in their campaigns in bulk.
The domain names in this registration block are suspect, given the inclusion of one on an abuse block list.
Registration Date: 2024-09-29 15:55
Registrar Name: NameSilo, LLC
Registrant String: Redacted Name + Redacted Org + Redacted Street + Redacted City + SULAWESI SELATAN + Redacted Country
Total Number of Domains In Block: 26
The domains in this block are all of the form fungame777* or kkslot777* and have been registered in the .com, .net, and .org TLDs. Each has a different suffix, including strings such as langit, pelangi, putih, and others. Given the registrant state field is “Sulawesi Selatan,” a state in Indonesia, it was easy to learn that these strings are the Indonesian words for sky, rainbow, and white. Interestingly, one domain name in this block, kkslot777tiktok.net, was placed on the ScamAdvisor block list on October 1, 2024, two days after it was registered.
Abusive Registrations
The final category of bulk registrations is those found to be abusive. We can determine this by finding many, if not all, registrations on one or more abuse block lists. The following block used a domain generation algorithm (DGA) to generate and register seemingly random domain names in the .com TLD.
Registration Date: 2024-09-29 06:14
Registrar Name: Dynadot Inc
Registrant String: REDACTED FOR PRIVACY + Super Privacy Service LTD c/o Dynadot + PO Box 701, San Mateo + California + 94401 + Redacted Country
Total Number of Domains In Block: 115
All 115 domain names in this block contain exactly 16 alpha-numeric characters. A few examples are 204545cf9c392a6d.com and e2ffaa45ccb56da4.com. A closer look shows that each is a random string of 8 two-digit hexadecimal numbers (16 hex digits in total). Importantly, all 115 domain names were detected and placed on a spam block list within 24 hours of registration. I found separate bulk registration blocks with similar characteristics at 07:48, 08:29, 08:32, 08:37, 08:41, 09:59, and 12:25. All 218 registrations across these blocks were placed on a spam block list within 24 hours.
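The grouping step from the Approach section (registrar, registrant, minute) and the string-pattern and block-list checks applied to the blocks above, as an added Python example that is not part of the article or of the DAP.LIVE platform. The records, registrar and registrant names and block-list hits are constructed placeholders, and the block threshold is lowered from the study's 20 to 3 so the sample stays short.

```python
import os
import re
from collections import defaultdict
# Constructed records (domain, registrar, registrant, timestamp): placeholders, not the study's data.
SAMPLE_RECORDS = [
    ("204545cf9c392a6d.com", "Registrar A", "proxy-1", "2024-09-29 06:14:03"),
    ("e2ffaa45ccb56da4.com", "Registrar A", "proxy-1", "2024-09-29 06:14:05"),
    ("7b1c0d9e2f3a4b5c.com", "Registrar A", "proxy-1", "2024-09-29 06:14:20"),
    ("allexample-brand.com", "Registrar B", "proxy-2", "2024-09-29 00:38:10"),
    ("bestexample-brand.com", "Registrar B", "proxy-2", "2024-09-29 00:38:11"),
    ("fastexample-brand.com", "Registrar B", "proxy-2", "2024-09-29 00:38:40"),
    ("brandx777langit.com", "Registrar C", "redacted-3", "2024-09-29 15:55:01"),
    ("brandx777pelangi.net", "Registrar C", "redacted-3", "2024-09-29 15:55:02"),
    ("brandx777putih.org", "Registrar C", "redacted-3", "2024-09-29 15:55:09"),
    ("lonely-domain.net", "Registrar C", "someone", "2024-09-29 12:00:00"),
]
# Constructed block-list hits standing in for the DAP abuse block lists.
SAMPLE_BLOCKLIST = {"204545cf9c392a6d.com", "e2ffaa45ccb56da4.com",
                    "7b1c0d9e2f3a4b5c.com", "brandx777putih.org"}

def group_blocks(records, min_size=3):
    """Bucket by (registrar, registrant, minute); keep blocks of >= min_size (the study used 20)."""
    blocks = defaultdict(list)
    for domain, registrar, registrant, ts in records:
        blocks[(registrar, registrant, ts[:16])].append(domain.lower())
    return {k: v for k, v in blocks.items() if len(v) >= min_size}

def shared_stem(labels, min_len=6):
    """Longest string all labels share at the start or the end ('' if shorter than min_len)."""
    prefix = os.path.commonprefix(labels)
    suffix = os.path.commonprefix([l[::-1] for l in labels])[::-1]
    best = max(prefix, suffix, key=len)
    return best if len(best) >= min_len else ""

def string_pattern(domains):
    """'random-hex' for 16-hex-char labels (the DGA block), 'stem:<s>' for a shared prefix/suffix, else 'none'."""
    labels = [d.split(".")[0] for d in domains]
    if all(re.fullmatch(r"[0-9a-f]{16}", l) for l in labels):
        return "random-hex"
    stem = shared_stem(labels)
    return f"stem:{stem}" if stem else "none"

def blocklist_status(domains, blocklist):
    """'abusive' if at least half are listed, 'potentially abusive' if any, else 'unlisted'."""
    listed = sum(d in blocklist for d in domains)
    return "abusive" if listed * 2 >= len(domains) else "potentially abusive" if listed else "unlisted"
def analyze(records, blocklist, min_size=3):
    """Per block key: (domain count, string pattern, block-list status)."""
    return {k: (len(v), string_pattern(v), blocklist_status(v, blocklist))
            for k, v in group_blocks(records, min_size).items()}
```

The string pattern is reported separately from the block-list status so that a random-hex or shared-stem block stands out for review before the block lists catch up, which the article notes took up to 24 hours.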
Conclusion
This initial study of bulk domain name registrations reveals a landscape where legitimate uses coexist with malicious practices. Our study provides a draft taxonomy of bulk registration types, allowing for future conversations about their implications for the domain name system and internet abuse.
1 - Diverse Uses for Bulk Registrations:
- Legitimate Purposes: Bulk registrations are often associated with brand protection, marketing initiatives, or domain speculation. These registrations follow identifiable patterns and are generally not linked to abuse block lists.
- Potentially Suspicious Uses: Some bulk registrations show characteristics indicative of cybersquatting or preparation for abusive campaigns. However, conclusive determination often requires more context and data.
2 - Abusive Registrations are Detectable:
- Domains generated using domain generation algorithms (DGA) or exhibiting random patterns are frequently linked to malicious activity. These are swiftly flagged by abuse block lists, highlighting the importance of timely detection and mitigation mechanisms.
3 - Further Research is Needed:
- Continued study of bulk registrations is vital to refining detection systems, balancing legitimate use cases with abuse mitigation, and exploring the potential role of standardized identity verification practices in reducing malicious activities.