DENIC and Nic.at, the country code Top Level Domain (ccTLD) registry operators for Germany’s .de and Austria’s .at domains, have been accused of failing to prevent malicious actors from abusing their services.
According to anti-spam outfit Spamhaus, cybercriminals are registering .at domains that they are using to provide DNS resolution for their botnets, a practice dubbed by Spamhaus “malware DNS hosting.”
Attackers are hijacking routers and modems, and changing their DNS settings to service botnets such as the ones powered by the Zemot click fraud bot, and the KINS and Gozi banking Trojans. Many of the domains used in these campaigns are hosted on the .at TLD and Spamhaus says it’s difficult to get them suspended.
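The effect of the router and modem hijacking described above is that hosts behind the device are handed resolvers the owner never chose. A simple defensive check is to compare the resolvers a host is actually using against the ones it is expected to use. The script below is an added example, not code from the article or from Spamhaus; the resolver configuration it parses and the allowlist of expected resolver networks are constructed for the demonstration.

```python
import ipaddress
import os

# Constructed sample in resolv.conf style (not taken from the article).
# The third entry is an external resolver the network owner did not configure,
# which is what a DNS-changing router compromise looks like from a host.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search example.lan
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 203.0.113.45
"""

# Hypothetical allowlist: the local gateway range plus the ISP's resolver range.
# Replace with the networks your own environment is expected to use.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_nameservers(text):
    """Return the IP addresses declared by 'nameserver' lines.

    Comments (after '#') and blank lines are ignored; lines whose address
    does not parse are skipped rather than treated as a match.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address, nothing to compare
    return servers


def unexpected_resolvers(text, allowed=EXPECTED_RESOLVERS):
    """Resolvers in the configuration that fall outside every allowed network."""
    return [
        str(ip)
        for ip in parse_nameservers(text)
        if not any(ip in net for net in allowed)
    ]


if __name__ == "__main__":
    # Check the live configuration when present, else the constructed sample.
    path = "/etc/resolv.conf"
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            config = fh.read()
    else:
        config = SAMPLE_RESOLV_CONF
    for ip in unexpected_resolvers(config):
        print(f"unexpected resolver configured: {ip}")
```

Run periodically (or from a configuration-management check) on hosts behind consumer routers; a resolver outside the expected ranges is worth investigating even when name resolution still appears to work, since the hijacked resolver answers most queries normally.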
The anti-spam organization is displeased with the fact that the Nic.at API for reporting abuse to domain registrars doesn’t work well. Furthermore, Spamhaus says the Austrian authority is among very few ccTLD operators that doesn’t reveal the identity of a domain’s registrar, preventing cybercrime fighters from reporting abusive domain names directly to the registrar.
Nic.at told Spamhaus that it cannot suspend a domain at the request of a third party without a court order, especially if the request only focuses on the content of the targeted website.
After tracking down the Germany-based company through which most of the malicious domains were registered, Spamhaus managed to get some of them suspended, but many of them have simply been moved to a different registrar.
“What we are now seeing within ccTLD .at is ridiculous: Several registrars, mostly German-based, are moving malicious domain names around between each other. Once you report a malicious domain name to one of these registrars, they will just transfer it to a different registrar,” Spamhaus said in a blog post on Wednesday. “Of course you won’t notice that, because Nic.at does not reveal the registrar’s name on their whois system. So the only thing you see is that the domain name is still active even many weeks after your abuse report.”
Spamhaus accuses Nic.at of providing malicious actors with “bulletproof” domains by not having proper anti-cybercrime policies.
According to Spamhaus, Germany’s .de domains are also heavily abused for spam, phishing and botnet activity because DENIC doesn’t have a proper mechanism for dealing with abuse, and it doesn’t reveal the registrar of a given domain name.
Another problem is that DENIC doesn’t validate the information used to register domains — Spamhaus says it has identified a domain name registered with an email address on a domain that doesn’t exist.
Spamhaus believes DENIC and Nic.at should follow the lead of the ccTLD registries in Russia and Switzerland, both of which allow registrars to suspend domains based on reports received from trusted and competent organizations.
“If Nic.at or DENIC are not willing or allowed to implement appropriate mechanisms to deal with abuse of the scale we see, they should present the need for an urgent change to the appropriate regulatory bodies within their countries. In the end, both Nic.at and DENIC – as every other organisation, service provider and internet user – should accept their responsibility to make the internet a safer and civilized place, and to protect the reputation of their own national ccTLD,” Spamhaus said.
SecurityWeek has contacted both Nic.at and DENIC, but neither commented on Spamhaus’ blog post by the time of publication.