Domain Registrars ID Cyber-Criminals With Secure Domain Foundation API

Tech Experts Unite to Launch Secure Domain Foundation

The Secure Domain Foundation will protect the domain industry from abuse by helping domain registrars and other Internet infrastructure operators identify cyber-criminals setting up criminal networks, the non-profit’s founder said in an interview.

Launched Monday at ICANN’s 49th Public Meeting in Singapore, the Secure Domain Foundation offers tools to look up a domain registration or a hosting request to identify potential criminal activity. The foundation will use its API to provide the registrar with an instant “credit score” indicating the likelihood of the domain being part of a criminal network, said Chris Davis, the president of SDF. Davis, a director at security company Crowdstrike, is known for his work identifying the Mariposa botnet.

SDF will “increase the pain for the bad guys” by making it harder to switch providers, Davis said.

Currently, if a domain registrar or hosting provider shuts down a domain for malicious activity, it’s no big deal for the criminal to move to a different provider and resume operations, Davis said. SDF will provide a WHOIS lookup via its API product so that registrars such as GoDaddy can look at an application and know that the email address has been previously associated with a command-and-control server, or that the person had been shut down by a different provider just a few days ago.

The SDF’s service “not only validates the contact registration data provided but also lets the registrar and registry know if we have seen that data used previously in relation to cyber crime,” said Norm Ritchie, chairman of SDF.

Over the past two years, SDF has been pulling together postal addresses, email addresses, malware indicators, botnet activities, and other domain-related information to compile an extensive database about malicious domains and actors. The data validation service will draw upon this extensive database. ICANN recently mandated that domain registrars must start validating contact information provided during domain registration. SDF’s service makes this easier to implement.

Registrars can incorporate the data validation services directly into the registration process, or query the list of known-bad actors as part of a batch process run at a later time. The goal is to provide registrars with information to make their own decisions, not to force registrars to take certain steps. If a registrar learns that a certain domain is malicious and associated with a botnet, it is up to the registrar to decide whether to monitor the account closely, shut it down immediately, or not do anything at all. It is up to the registrar what it wants to do, as the SDF just provides tools and information, Davis said.

SDF will also take a pro-active role in identifying bad actors and notifying law enforcement and registrars with sufficient evidence to get the domain shut down, Davis said. Other organizations with research on malicious servers can also contact SDF. The foundation will act as a “clearinghouse for abuse complaints,” Davis said.

Some of the industry’s biggest brands back this foundation, including the Anti-Phishing Working Group (APWG), Blacknight Solutions, CIRA (.ca), CO Internet (.co), CoCCA, Crowdstrike, DomainTools, Emerging Threats, Enom, ESET, Facebook, Foreground Security, Internet Identity, Mailshell, SecDev Group, Verisign, and Verizon.

While the current market focus is on domain name registrars, registries, ccTLD operators, and gTLD operators, SDF plans to expand its services to include hosting providers, DNS operators, CERTs, law enforcement, and other key stakeholders in Internet infrastructure.

While SDF will provide just the data validation service via the API as part of the initial launch, Davis said the focus was on a staged approach to expand its services. One approach is to work with these providers on setting up locks and other protective security features to make it harder for domain name system records to be maliciously modified.

“We are going to save the world one step at a time,” Davis said.
