German, Austrian ccTLD Registries Accused of Failing to Address Abuse

DENIC and, the country code Top Level Domain (ccTLD) registry operators for Germany’s .de and Austria’s .at domains, have been accused of failing to prevent malicious actors from abusing their services.

According to anti-spam outfit Spamhaus, cybercriminals are registering .at domains that they are using to provide DNS resolution for their botnets, a practice dubbed by Spamhaus “malware DNS hosting.”

Attackers are hijacking routers and modems, and changing their DNS settings to service botnets such as the ones powered by the Zemot click fraud bot, and the KINS and Gozi banking Trojans. Many of the domains used in these campaigns are hosted on the .at TLD and Spamhaus says it’s difficult to get them suspended.

The anti-spam organization is displeased with the fact that the API for reporting abuse to domain registrars doesn’t work well. Furthermore, Spamhaus says the Austrian authority is among very few ccTLD operators that don’t reveal the identity of a domain’s registrar, preventing cybercrime fighters from reporting abusive domain names directly to the registrar. told Spamhaus that it cannot suspend a domain at the request of a third party without a court order, especially if the request only focuses on the content of the targeted website.

After tracking down the Germany-based company through which most of the malicious domains were registered, Spamhaus managed to get some of them suspended, but many of them have simply been moved to a different registrar.

“What we are now seeing within ccTLD .at is ridiculous: Several registrars, mostly German-based, are moving malicious domain names around between each other. Once you report a malicious domain name to one of these registrars, they will just transfer it to a different registrar,” Spamhaus said in a blog post on Wednesday. “Of course you won’t notice that, because does not reveal the registrar’s name on their whois system. So the only thing you see is that the domain name is still active even many weeks after your abuse report.”

Spamhaus accuses of providing malicious actors with “bulletproof” domains by not having proper anti-cybercrime policies.

According to Spamhaus, Germany’s .de domains are also heavily abused for spam, phishing and botnet activity because DENIC doesn’t have a proper mechanism for dealing with abuse, and it doesn’t reveal the identity of a certain domain name’s registrar.

Another problem is that DENIC doesn’t validate the information used to register domains — Spamhaus says it has identified a domain name registered with an email address on a domain that doesn’t exist.

Spamhaus believes DENIC and should follow the lead of the ccTLD registries in Russia and Switzerland, both of which allow registrars to suspend domains based on reports received from trusted and competent organizations.

“If or DENIC are not willing or allowed to implement appropriate mechanisms to deal with abuse of the scale we see, they should present the need for an urgent change to the appropriate regulatory bodies within their countries. In the end, both and DENIC – as every other organisation, service provider and internet user – should accept their responsibility to make the internet a safer and civilized place, and to protect the reputation of their own national ccTLD,” Spamhaus said.

SecurityWeek has contacted both and DENIC, but neither commented on Spamhaus’ blog post by the time of publication.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
