About the Project
When discussing Internet abuse, we often think of DNS abuse. However, numbering resources are also misused in cybercrime. The DNS Research Federation (DNSRF) has conducted some preliminary research on how IP addresses and Autonomous System Numbers are used to facilitate phishing and ransomware attacks through URLs that use numbering resources directly. Specifically, in its blog post entitled “Use of Subdomain Providers Gains Popularity as a Mechanism to Launch Phishing Attacks” (August 2023), DNSRF found that, when it comes to malware attacks, most malware URLs avoid domain names and use a raw IP address directly. A second blog article took this further, examining what percentage of malware and phishing attacks relied directly on IP addresses.
With support from ARIN’s Community Grant Program, this project seeks to shed light on this issue by developing live indicators that show how numbering resources are misused in phishing and malware attacks. The end goal is to raise awareness among network operators and incident response teams to enable informed action.
Project objectives are to:
- Develop live, online indicators to provide up-to-date data analysis on Internet abuse that relies on numbering resources.
- Provide network operators and incident response teams with data on reported phishing and malware URLs that directly use IP addresses, so that they can devise mitigation strategies.
- Provide RIR-specific data, including ARIN-specific stats, using geolocation.
Project Team and ARIN Funding
Team members behind this project include Alex Deacon, Mark Robertshaw, Carolina Caeiro, Joanna Grant and Katie Miles. This project was made possible thanks to the generous support of ARIN’s Community Grant Program.