What is going on?
Since 2020, criminal groups operating from Vietnam have been re-registering expired domain names and setting up forwarding services on them to obtain social media credentials and other data.
What is the size?
Our conservative estimate is that these criminals have re-registered around 50,000 domain names per week since 2020.
Why is it a problem?
They mostly use stolen credit cards to pay for these domain names, but we have witnessed other forms of payment fraud.
What is the impact on a reseller or registrar?
We have seen registrars and resellers incur massive financial losses, typically because the registry fees for the fraudulently paid domains are already spent by the time the card payments are charged back.
Sometimes we see resellers or registrars with a registration increase of 5,000% above their regular baseline.
We are aware of resellers and registrars that had to suspend automatic domain name registration and manually review every order to avoid losses that sometimes ran into millions of dollars. A manual review of every order is itself costly and not sustainable in the long term.
Which TLDs are affected?
Legacy gTLDs and ccTLDs are the most affected. In 2023 we witnessed one ccTLD in which 95% of new registrations were re-registrations by these Forwarding criminals.
Any good news?
Our monitoring system is designed not only to detect registrations made by Forwarding criminals but to identify them proactively. Criminological analysis points to the one thing these criminals need: the re-registration of domain names that were previously registered, deleted and then made available again. Our system can determine whether a domain name has been registered in the past, and this indicator is effective for detecting re-registrations in this scheme as well as in other types of cybercrime involving domain names. Our analysts know the Forwarding criminals' tactics, techniques and procedures (TTPs) well, so you receive the best possible assistance. If you need more information or assistance, please get in touch with us.
What can you do as a registrar/reseller?
KYC is essential to stop these criminals. Be vigilant about how many domain names new customers can register per day, and enforce a limit.
Blocking traffic from countries where you do not do business is another option.
Apply zero trust to all your customers. Even legitimate customers who have been with you for over 20 years can be subject to account takeover. Forwarding criminals have access to stealer logs sold on the dark web, and we have seen multiple times that legitimate, trusted accounts were taken over and began registering massive numbers of domain names.
We expect stealer logs to be used more and more for criminal activity, and their prices are dropping fast.
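The checks above (the registered-before indicator from the "Any good news?" answer, the daily cap for new customers, the baseline deviation that catches a taken-over long-standing account, and the non-served-country block) can be combined into one registrar-side order screen. The code below is an added example, not code from the original page or from the organisation behind it. The thresholds, the `Order` fields, the `client_country` attribute and the in-memory drop history are all assumptions; a real registrar would back the history check with zone-file or registry drop-list data and tune the numbers to its own traffic.

```python
# Added example, not code from the original page or the company behind it.
# Registrar-side risk checks for a stream of registration orders, covering the
# indicators the page describes: re-registration of a previously dropped domain,
# a per-day cap for new customers, a spike above an established customer's own
# baseline (the account-takeover pattern), and orders from countries the
# registrar does not serve. All thresholds, field names and data are assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Order:
    customer_id: str
    domain: str
    day: date
    client_country: str   # ISO 3166-1 alpha-2 derived from the order's source IP (assumed)


# Hypothetical policy knobs; a registrar tunes these to its own traffic.
NEW_CUSTOMER_AGE_DAYS = 30     # accounts younger than this are "new"
NEW_CUSTOMER_DAILY_CAP = 5     # registrations per day allowed for a new account
BASELINE_MULTIPLIER = 10.0     # flag when a day's count exceeds 10x the account's daily average
SERVED_COUNTRIES = {"NL", "DE", "BE"}   # assumed: the registrar only does business here


def was_previously_registered(domain, drop_history):
    """The page's key indicator: the name was registered, deleted and made
    available again. drop_history stands in for a registration-history database
    (zone-file diffs, registry drop lists); here it is just a set of names."""
    return domain.lower() in drop_history


def assess_orders(orders, drop_history, accounts):
    """Process orders in date order, keeping a running per-customer daily count,
    and return {domain: [reasons]} for every order that trips at least one rule.

    accounts maps customer_id -> {"created": date, "daily_avg": float}, where
    daily_avg is the account's historical registrations per day (0 if unknown).
    """
    per_day = defaultdict(int)          # (customer_id, day) -> orders seen so far
    flagged = {}
    for o in sorted(orders, key=lambda x: x.day):   # stable: keeps arrival order within a day
        per_day[(o.customer_id, o.day)] += 1
        count = per_day[(o.customer_id, o.day)]
        acct = accounts[o.customer_id]
        reasons = []

        if was_previously_registered(o.domain, drop_history):
            reasons.append("re-registration of a previously dropped domain")

        account_age = (o.day - acct["created"]).days
        if account_age < NEW_CUSTOMER_AGE_DAYS and count > NEW_CUSTOMER_DAILY_CAP:
            reasons.append(f"new account over daily cap ({count} > {NEW_CUSTOMER_DAILY_CAP})")

        # Zero trust for old accounts: compare against the account's own history,
        # not a global cap, so a taken-over 20-year-old account still trips.
        if acct["daily_avg"] > 0 and count > BASELINE_MULTIPLIER * acct["daily_avg"]:
            reasons.append(f"{count / acct['daily_avg']:.0f}x above the account's baseline")

        if o.client_country not in SERVED_COUNTRIES:
            reasons.append(f"order from non-served country {o.client_country}")

        if reasons:
            flagged[o.domain] = reasons
    return flagged


# Constructed sample data for a stand-alone run.
ACCOUNTS = {
    "acct-new": {"created": date(2024, 6, 1), "daily_avg": 0.0},     # signed up yesterday
    "acct-20yr": {"created": date(2004, 2, 10), "daily_avg": 1.0},   # long-standing, ~1 name/day
}
DROP_HISTORY = {f"dropped-{i}.com" for i in range(7)} | {"brand-3.net"}
SAMPLE_ORDERS = (
    # new account, 7 previously dropped names in one day, from a non-served country
    [Order("acct-new", f"dropped-{i}.com", date(2024, 6, 2), "US") for i in range(7)]
    # established account suddenly placing 25 orders in a day: the account-takeover pattern
    + [Order("acct-20yr", f"brand-{i}.net", date(2024, 6, 2), "NL") for i in range(25)]
    # and its ordinary single order the day before
    + [Order("acct-20yr", "legit-site.nl", date(2024, 6, 1), "NL")]
)

if __name__ == "__main__":
    for domain, reasons in assess_orders(SAMPLE_ORDERS, DROP_HISTORY, ACCOUNTS).items():
        print(domain, "->", "; ".join(reasons))
```

On the sample data the new account's orders are all flagged (re-registration plus non-served country, with the sixth and seventh also over the daily cap), the long-standing account's single order the day before passes, and its 25-order burst is flagged from the eleventh order onward because it is measured against that account's own one-per-day baseline rather than a global cap. The baseline rule deliberately fires only once the spike is underway, so in practice it is paired with a hold on the remaining orders of that account for the day rather than used to reverse what already went through.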