The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleges the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.

The volume of phishing websites registered through Freenom dropped considerably since the registrar was sued by Meta. Image: Interisle Consulting.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, but the registrar also reserves the right to take back free domains at any time, and to divert traffic to other sites — including adult websites. And there are countless reports from Freenom users who’ve seen free domains removed from their control and forwarded to other websites.
By the time Meta initially filed its lawsuit in December 2022, Freenom was the source of well more than half of all new phishing domains coming from country-code top-level domains. Meta initially asked a court to seal its case against Freenom, but that request was denied. Meta withdrew its December 2022 lawsuit and re-filed it in March 2023.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” Meta’s complaint charged. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta pointed to research from Interisle Consulting Group, which discovered in 2021 and again last year that the five ccTLDs operated by Freenom made up half of the Top Ten TLDs most abused by phishers.
Interisle partner Dave Piscitello said something remarkable has happened in the months since the Meta lawsuit.
“We’ve observed a significant decline in phishing domains reported in the Freenom commercialized ccTLDs in months surrounding the lawsuit,” Piscitello wrote on Mastodon. “Responsible for over 60% of phishing domains reported in November 2022, Freenom’s percentage has dropped to under 15%.”
Interisle collects data from 12 major blocklists for spam, malware, and phishing, and it receives phishing-specific data from Spamhaus, Phishtank, OpenPhish and the APWG Ecrime Exchange. The company publishes historical data sets quarterly, both on malware and phishing.
Piscitello said it’s too soon to tell the full impact of the Freenom lawsuit, noting that Interisle’s sources of spam and phishing data all have different policies about when domains are removed from their block lists.
“One of the things we don’t have visibility into is how each of the blocklists determine to remove a URL from their lists,” he said. “Some of them time out [listed domains] after 14 days, some do it after 30, and some keep them forever.”
Freenom did not respond to requests for comment.
This is the second time in as many years that a lawsuit by Meta against a domain registrar has disrupted the phishing industry. In March 2020, Meta sued domain registrar giant Namecheap, alleging cybersquatting and trademark infringement.
The two parties settled the matter in April 2022. While the terms of that settlement have not been disclosed, new phishing domains registered through Namecheap declined more than 50 percent the following quarter, Interisle found.

Phishing attacks using websites registered through Namecheap, before and after the registrar settled a lawsuit with Meta. Image: Interisle Consulting.
Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years. Piscitello said the phishers tend to gravitate toward registrars that offer the least resistance and lowest price per domain. And with new top-level domains constantly being introduced, there is rarely a shortage of super low-priced domains.
“The abuse of a new top-level domain is largely the result of one registrar’s portfolio,” Piscitello told KrebsOnSecurity. “Alibaba or Namecheap or another registrar will run a promotion for a cheap domain, and then we’ll see flocking and migration of the phishers to that TLD. It’s like strip mining, where they’ll buy hundreds or thousands of domains, use those in a campaign, exhaust that TLD and then move on to another provider.”
Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many. After all, there are more than 2,000 accredited domain registrars, not to mention dozens of services that let anyone set up a website for free without even owning a domain.