Phishing domains tanked after Meta sued Freenom

Posted on Friday, May 26th 2023 by todsacerdoti

https://krebsonsecurity.com/2023/05/phishing-domains-tanked-...

90 comments

@ Friday, May 26th 2023 by talhah

While freenom did genuinely have issues with spam and the like.

I must say it played a pivotal role in my life, it allowed me to do my passion and have a domain name in my early teens when I couldn't pay for anything. Being able to toy with a domain name led me down many rabbit holes and led to me trying out self-hosting and system administration.

Sad we can't have free things.

 

@ Friday, May 26th 2023 by 5e92cb50239222b | parent

I am still using a couple of .cf and .tk domains for semi-serious mail, haven't had any issues with delivery.

 

@ Friday, May 26th 2023 by throwawayadvsec | parent

that's actually really weird

 

@ Friday, May 26th 2023 by jeroenhd | parent

These domains apply a serious bonus to spam scores, but if you do everything else right (send a normal but not too large amount of email, get your mail server from a domain with high reliability, set up SPF/DKIM/DMARC/etc.) you shouldn't fall below the spam line in most spam filters.

 

@ Monday, May 29th 2023 by breakingcups | parent

Given .tk's known practice of seizing domains for their own use, it might be wise to migrate to a more stable TLD.

 

@ Friday, May 26th 2023 by seszett | parent

I have mixed feelings as well, for the same reason, but I find it absolutely terrible that the citizens of Mali, RCA, Gabon, and Equatorial Guinea have basically been robbed of their TLD by their (mostly failed) governments.

 

@ Saturday, May 27th 2023 by esperent | parent

.io is similarly problematic. Although at this point I think the best solution would be to retroactively set .io to mean Input/Output and give the Chagossians a new TLD.

https://tamouse.github.io/blog/politics/2019/10/02/why-is-th...

EDIT: it could also be argued that this controversy is beneficial for the Chagossians I guess. I didn't know anything about them until I purchased a .io domain a few years ago.

 

@ Saturday, May 27th 2023 by TheCleric | parent

Do you not see the obvious irony in taking a people who were forcibly removed from their home so it could be given to others, issuing them a TLD, and now you're suggesting forcibly removing that from them and giving it to others?

 

@ Saturday, May 27th 2023 by pxc | parent

That is really painful.

But if those TLDs don't even bring them any money and they're not named after something in the Chagossians' own language, do they even own them in any meaningful sense?

Aside from the right to return to their homelands, these people should be given some actual royalties from .io domain purchases. And then maybe also a new TLD that is more meaningfully connected to them and less likely to be hijacked.

 

@ Saturday, May 27th 2023 by dchftcs | parent

It's something they didn't really ask for, never meaningfully utilized anyway, and ultimately is an entry in a table on some servers they can't really care less about.

You can fantasize about the hardships the citizens suffered for the appropriation of the .io TLD and draw any analogy you want, but there are probably more pressing needs of the people you're not addressing by spending time to supply this sort of sympathy.

Worse, imagine a world where you actually advocate for the displaced indigenous people to care about this problem. Probably you'd be asking them to divert attention from real problems such as being able to afford food tomorrow.

 

@ Saturday, May 27th 2023 by TheCleric | parent

No, the real problems are obviously more important. I'm just pointing out the minor insult that echoes the major injury that would be this plan.

 

@ Saturday, May 27th 2023 by esperent | parent

When I wrote that I wasn't imagining any forcing going on. Rather I was thinking about dialogue happening with the ethnic group in question to try and find a TLD that makes sense in their own language rather than English.

 

@ Saturday, May 27th 2023 by seanhunter | parent

I don't buy this at all. Country-specific tlds are more or less a total failure. To the extent they still have a role, it is in having official government sites (eg "gov.uk" in the uk)

Firstly the US never bought into it so all the original successful internet companies are ".coms". For this reason if you are a global company, chances are you would prefer a ".com" to anything else. Most companies want to address a global audience and part of the point of e-commerce is to make this happen. So they don't necessarily want a parochial-seeming national tld but would prefer a global one. This makes country-specific tlds redundant for commerce.

Secondly the people running the national TLDs are (in my experience) often doing so to further their own egos and personal interests and so tend to offer a shitty service. This is why I gave up my ".co.uk" domain some years back. The UK NIC were just annoying in a bunch of different ways.

 

@ Saturday, May 27th 2023 by Fgehono | parent

'more or less'.

In Europe they are working very well and are used constantly.

.de is used by most Germans. .fr french, .at etc.

 

@ Saturday, May 27th 2023 by talhah | parent

In Qatar national services use ".qa", and these are not necessarily official government sites.

For example our community schools use a .qa domain and the biggest telecom provider among various other sites.

What you're saying does not apply to all countries.

 

@ Saturday, May 27th 2023 by raverbashing | parent

>Firstly the US never bought into it

"Never bought into it" as never bothered and never cared about other countries (main character syndrome)

 

@ Saturday, May 27th 2023 by changethe | parent

not sure what world you live in, but ccTLDs are widely used across the world, and in a lot of countries much preferred over .com.

german people, for example, will trust a business running on a .de domain much more than a .com one.

in most cases it is much preferred for an international company to run the country-specific website on the according ccTLD. companies that "want to address a global audience" are a specific set of companies that might prefer a "global" website, but most businesses will run country specific sites, not "global" sites.

also not sure what the UK NIC being "annoying in a bunch of different ways" has to do with anything, or even means.

seems to me like you are living in your own world, far detached from reality.

 

@ Saturday, May 27th 2023 by seanhunter | parent

I'm happy to be wrong about this and hear about the thriving ccTLD scene but there's no reason to get personal and say I'm detached from reality.

The way in which the UK nic used to be annoying that is relevant for this is that they used to make it much harder to register, transfer and renew domains. So at some point even though I had a .co.uk and a .com I just stopped trying to transfer the .co.uk and let it lapse at the next renewal date.

 

@ Saturday, May 27th 2023 by changethe | parent

yeah you're right that some registries might have some weird quirks about certain things like transfers or additional mandatory requirements etc.

UK transfers are surely more complicated than they have to be (push vs. pull logic).

and I can also see where you're coming from, since in the UK it doesn't seem to be such a big thing.

but in most other non-english speaking countries (or even .com.au or co.nz), ccTLDs are actually a big trust factor. also for example high-end keyword domains sell for a multiple of the respective .com domain price. sometimes as much as 5-10 times.

 

@ Saturday, May 27th 2023 by oaw-bct-ar-bamf | parent

Germany absolutely LOVES their .de TLD.

.de has more weight than .net or .com for most people in Germany.

 

@ Saturday, May 27th 2023 by seszett | parent

It might be different for the UK, but as others have said ccTLDs in my experience are much preferred over .com. .com is basically used for generic US multinational companies, which means a handful of websites you care about but locally relevant sites are going to be .fr or .be for me.

.fr and .be are as easy to manage as any other TLD, and they have the advantage that you're probably not going to be price gouged as they are not run for profit.

 

@ Saturday, May 27th 2023 by Boltgolt | parent

A failure in the US maybe, but in countries like The Netherlands it's weird if a Dutch site does NOT have a .nl TLD

 

@ Friday, May 26th 2023 by TheFreim | parent

Same here, running little websites using a free hosting provider and a tk domain was a great experience.

 

@ Friday, May 26th 2023 by davchana | parent

I recently recovered password for my 2002 era davinder.8m.net free website. It is still hosted all these 20 years for free.

 

@ Friday, May 26th 2023 by lathiat | parent

Yes! My freeservers site from the same era (2000, when I was 15 ) is also somehow still alive. I don't have the password though. So I cannot fix the error haunting me for all time that I listed Generations as a TV series of Star Trek rather than a movie.

http://stvoyager.iwarp.com/

I'd love to know how/why they've managed to keep all of those alive so long. I am very appreciative but equally surprised.

 

@ Saturday, May 27th 2023 by belltaco | parent

Storage and bandwidth has gotten orders of magnitude cheaper since then so that might be part of it. Identifying and deleting inactive websites might have been deemed to be more expensive than just letting them stay on.

 

@ Friday, May 26th 2023 by nine_k | parent

>the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains

If the way to have these things is defrauding others, then they are not as free as they seem.

I'd say that a third-level domain is fine for teenage projects; was fine for me even past teens.

 

@ Friday, May 26th 2023 by Beached | parent

can you link me some free third level domain services that allow full control over all records? while I don't need it now, in the past I have wanted such a service and was unable to find them.

 

@ Friday, May 26th 2023 by VWWHFSfQ | parent

for $8 a year you can get a regular domain and then have as many free 3rd level domains with full DNS control as you want. or do you really just mean free free

 

@ Friday, May 26th 2023 by TremendousJudge | parent

based on the top level comment, I guess free free; something a child without a credit card can use on his own while playing around

 

@ Friday, May 26th 2023 by p1necone | parent

Yeah, the refrain is usually "anyone should be able to afford $8 a year", but I remember being a teenager and even when I was making an income I still couldn't get a credit card. It's less about the money and more about the ability to pay.

 

@ Friday, May 26th 2023 by 5e92cb50239222b | parent

You don't really need credit cards, we found ways to pay for domains and hosting back in the day when we weren't legally able to get one (due to being minors). Some smaller companies accept other ways to pay that can be used anonymously. I definitely couldn't afford $8 a year though, so others were covering that.

 

@ Saturday, May 27th 2023 by mminer237 | parent

Even if you can't get a credit card, most banks will give you a debit card at 13.

 

@ Saturday, May 27th 2023 by talhah | parent

Not in the part of the world I lived in, plus debit cards here work on local only sites whereas registrars are non-local.

 

@ Friday, May 26th 2023 by ajosh | parent

Sitelutions.com still offers this. Without a paid account, the only limitation is the TTL.

 

@ Friday, May 26th 2023 by nine_k | parent

"All records" makes an important difference indeed. I mostly thought about web projects where you need A / AAAA and CNAME. I do remember that I had access to MX and TXT at some free provider around 1995; GeoCities? Can't remember.

 

@ Saturday, May 27th 2023 by Anunayj | parent

So far I've only found https://nic.eu.org/ but it works, and I assume it's unlikely to go anywhere for the foreseeable future.

 

@ Saturday, May 27th 2023 by tinus_hn | parent

It requires specific care because in the DOM security model, third level sites are all in the same security domain and can read each other's cookies and control each other's pages. The browsers have a special list with gov.uk, co.uk etc so it knows these are special.

That wasn't a concern in 2002 but today it should be.
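
An added example, not part of the thread or of any commenter's post: a sketch of how the browsers' special list (the Public Suffix List) decides whether a cookie's `Domain` attribute may widen its scope to sibling subdomains. The provider `freehost.example`, the tenant names and the abbreviated suffix list are constructed for illustration.

```javascript
// Constructed, abbreviated suffix list. The real Public Suffix List has thousands of
// entries plus wildcard and exception rules, which this sketch leaves out.
const SAMPLE_SUFFIXES = new Set(["com", "uk", "co.uk", "gov.uk", "example"]);

// Same list after the hypothetical provider "freehost.example" is listed as a suffix.
const HARDENED_SUFFIXES = new Set([...SAMPLE_SUFFIXES, "freehost.example"]);

// Lowercase and drop one leading or trailing dot.
const canon = (name) => name.toLowerCase().replace(/^\./, "").replace(/\.$/, "");

// Longest listed suffix of host; an unlisted TLD still counts as a suffix
// (the list's default "*" rule).
function publicSuffix(host, suffixes) {
  const labels = canon(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (suffixes.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Public suffix plus one more label; null when host is itself a public suffix.
function registrableDomain(host, suffixes) {
  const h = canon(host);
  const suffix = publicSuffix(h, suffixes);
  if (h === suffix) return null;
  const extra = h.slice(0, h.length - suffix.length - 1).split(".");
  return extra[extra.length - 1] + "." + suffix;
}

// RFC 6265 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  const h = canon(host), d = canon(domain);
  return h === d || h.endsWith("." + d);
}

// True when a cookie set by requestHost with Domain=domainAttr is stored with that
// wider scope. A Domain that is a public suffix is never honoured as a shared scope.
function canScopeCookieTo(requestHost, domainAttr, suffixes) {
  const d = canon(domainAttr);
  if (publicSuffix(d, suffixes) === d) return false;
  return domainMatch(requestHost, d);
}

// Can a cookie set by one tenant host end up being sent to another tenant host?
function cookieReaches(fromHost, toHost, suffixes) {
  const widest = registrableDomain(fromHost, suffixes);
  return widest !== null &&
    canScopeCookieTo(fromHost, widest, suffixes) &&
    domainMatch(toHost, widest);
}

// Two tenants of the same provider, before and after the provider is listed.
for (const [label, list] of [["unlisted", SAMPLE_SUFFIXES], ["listed", HARDENED_SUFFIXES]]) {
  console.log(label,
    "registrable:", registrableDomain("alice.freehost.example", list),
    "alice -> bob cookie:", cookieReaches("alice.freehost.example", "bob.freehost.example", list));
}
```

A provider that hands out subdomains to unrelated users gets the isolated behaviour only once its parent domain is on the list; until then, serving cookies host-only (no `Domain` attribute) does not stop a sibling from setting a parent-scoped one.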

 

@ Saturday, May 27th 2023 by ajsnigrutin | parent

>have a domain name in my early teens

yep, being a kid interested in tech and having parents, that are not, is probably a huge pain... internet at home and a computer.. sure... giving your credit card info to your kid for some name on the internet? No way s/he's getting that.

Having a free option (and dynamic dns, and possibly even a free virtual machine somewhere) makes a lot of learning and experimenting possible for kids.

 

@ Saturday, May 27th 2023 by plugin-baby | parent

>giving your credit card info to your kid for some name on the internet?

I'd guess that in many cases, being interested in tech might make people _less_ likely to do this.


@ Friday, May 26th 2023 by obituary_latte

Now I just wish Google would get googleusercontent.com and googleapis.com under control...

 

@ Friday, May 26th 2023 by caretoelaborate | parent

What's going on here?

 

@ Saturday, May 27th 2023 by abwizz | parent

i suspect that, in absolute numbers, most of spam and phishing and malware is homed there

 

@ Saturday, May 27th 2023 by iamacyborg | parent

Think of all the email spam you get from cold sales outreach.


@ Friday, May 26th 2023 by IMSAI8080

Any phishing domain in my spam folder is NameCheap 9 times out of 10.

 

@ Friday, May 26th 2023 by eli | parent

Isn't it the biggest after godaddy?

 

@ Friday, May 26th 2023 by IMSAI8080 | parent

No idea. It might just be they are lower priced than other places that attracts miscreants wanting domains in bulk.

 

@ Saturday, May 27th 2023 by TechBro8615 | parent

So spammers are attracted to the same low prices and quality of services as anyone else? The subtext of this comment chain is a pretty weird take. The fact a domain is registered at Namecheap does not by itself make it any more likely to be a source of spam.

 

@ Saturday, May 27th 2023 by Emiledel | parent

Would you have evidence of this?

 

@ Saturday, May 27th 2023 by TechBro8615 | parent

Yes, I have domains at Namecheap that don't host spam.

 

@ Saturday, May 27th 2023 by johndough | parent

I think it is more likely that spammers favor Namecheap because Namecheap ignores spam reports (at least mine). So far, I received the same kind of spam from ~500 of their domains.

 

@ Saturday, May 27th 2023 by KomoD | parent

In my experience they handle abuse amazingly, suspended within 30min most of the time

 

@ Saturday, May 27th 2023 by zinekeller | parent

It was just a relatively recent development in large part due to Facebook (https://domainnamewire.com/2022/04/25/meta-platforms-drops-l...), after this settlement the response to abuse reports did markedly improve.

 

@ Saturday, May 27th 2023 by KomoD | parent

They've handled abuse great for me, even before that

 

@ Saturday, May 27th 2023 by TechBro8615 | parent

What kind of evidence do you need to provide when reporting spam to a domain registrar? Could I get your domain banned by spoofing spam emails and sending screenshots of them to Namecheap?

 

@ Saturday, May 27th 2023 by KomoD | parent

Screenshots are not enough, they ask for eml

 

@ Saturday, May 27th 2023 by TechBro8615 | parent

Can't that still be pretty trivially faked?

 

@ Saturday, May 27th 2023 by KomoD | parent

Not too sure, not sure of the process how they validate it

 

@ Sunday, May 28th 2023 by IMSAI8080 | parent

That wasn't the intent of the comment. The original article was suggesting Freenom was popular with spammers. I was adding my observation that it has often been Namecheap that is prolific in my spam folder. We then go on to discuss why that may be.


@ Friday, May 26th 2023 by paulpauper

It's funny how meta actually takes spam somewhat seriously, unlike google.

 

@ Friday, May 26th 2023 by rayval | parent

Yes, Google launching .ZIP and .MOV domains is yet another sign of the moral rot at a once ethical company.

 

@ Friday, May 26th 2023 by acheron | parent

"Once ethical"? How far back do you have to go for that? 1999?

 

@ Friday, May 26th 2023 by yjftsjthsd-h | parent

I dunno, I feel like you could make that case right up until they merged with doubleclick.

 

@ Friday, May 26th 2023 by stonogo | parent

You could, but you could make it the other way too.

https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...

 

@ Friday, May 26th 2023 by 100721 | parent

~~Do no evil.~~

 

@ Monday, May 29th 2023 by arsome | parent

Personally I find .com and .sh to be much worse as it refers to actual executable files.

 

@ Friday, May 26th 2023 by amerkhalid | parent

I was about to order something from a website[1] that showed as first page result on Google Search.

Spending couple of minutes on the site, it became obvious that it is a scam website. Confirmed further by another search on domain[2]. I wanted to report it but there is no easy way to report this. So I gave up and hope no one falls for it.

[1]: https:// littletikes . savemoney . store
[2]: https://forums.dansdeals.com/index.php?topic=119138.0

 

@ Friday, May 26th 2023 by eli | parent

You can report phishing sites really easily here https://safebrowsing.google.com/safebrowsing/report_phish/...

Or alternatively report an abusive google ad here
https://support.google.com/ads/troubleshooter/4578507

 

@ Friday, May 26th 2023 by paulpauper | parent

And likely nothing will happen.

 

@ Friday, May 26th 2023 by BenjiWiebe | parent

Ymmv but I've got very good results reporting websites to Google safe browsing and them getting blocked.

 

@ Friday, May 26th 2023 by jeroenhd | parent

Every third or fourth technical Google search I try lists about 10 to 20 fake sites. Many of them using .it for some reason, but there are plenty of other TLDs with this problem as well. At this point I'll click a .biz before I click a .it.

I'm not going to report hundreds of domains every month. Google needs to get their crap together.

The same is very much true for other parts of Google as well. Youtube comments are hilariously full of spam. There's a pretty good tool out there to get rid of the spam, which just runs the comments through a basic spam filter, but for big channels you can't let the tool run for too long because of API call limits.

 

@ Friday, May 26th 2023 by amerkhalid | parent

Thank you, I tried to report it from the search page. I clicked on the 3 dots menu. The options were not perfect for this kind of scam reporting but I selected something close enough. Then it took me to another page where there was a huge form to fill out.

It should be easier to report scams or phishing sites from search page, imo.

 

@ Friday, May 26th 2023 by Thoreandan | parent

Google's ignoring spam is especially egregious through side channels, e.g. spammers adding you to Photos message shares.

 

@ Friday, May 26th 2023 by herbst | parent

This is super annoying. I get mentioned in random documents all the time... No idea why

 

@ Friday, May 26th 2023 by kevin_thibedeau | parent

I've had people open up Facebook and Instagram accounts using my email address. They don't bother with requiring verification to use their services. Before I took over the accounts I'd get periodic notices about "friend" activity but never a nag to verify the e-mail.

 

@ Saturday, May 27th 2023 by ipaddr | parent

Don't they verify by phone number these days?

 

@ Saturday, May 27th 2023 by KomoD | parent

Unless it happens on their own platform, then they don't care


@ Friday, May 26th 2023 by nubinetwork

I wish they would do .cc next. I see a lot of spam from them on my personal mailboxes. Followed by all those google gtlds.

 

@ Saturday, May 27th 2023 by ipaddr | parent

Hoping for .facebook and .google


@ Friday, May 26th 2023 by throwawayadvsec

Note: they "stopped phishing" by basically forbidding almost anyone from registering a domain, I've been trying to get a new domain there for months without success

 

@ Friday, May 26th 2023 by GordonS | parent

Existing domains stopped working too, I lost the one I've been using for 10+ years :(

The most annoying part is there has been zero communication from Freenom - not a single email. They also never replied when I asked what was going on.

 

@ Saturday, May 27th 2023 by matoro | parent

This is the real answer, I have a paid domain and am still unable to get contact or transfer off (I have attempted this with all known registrars that support .tk, Freenom simply fails to respond to the transfer request)

 

@ Saturday, May 27th 2023 by Spivak | parent

I mean that's basically the point. The barrier to entry of $10/yr and breaking anonymity is enough to price out bad actors.

Anyone at all who has a way to combat this stuff that doesn't rely on "bad actors need disposable identities to get around blocks and don't usually have money" will basically win the internet.

 

@ Monday, May 29th 2023 by throwawayadvsec | parent

LLM?


@ Friday, May 26th 2023 by thayne

The title is a little deceptive. From near the end:

>Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years.

>Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many.


@ Friday, May 26th 2023 by Nextgrid

Facebook is playing double-standards here.

They are knowingly allowing card fraud and other cybercrime groups to operate openly on there. We're not talking about criminals that use the platform while trying to appear sneaky and flying under the radar - we're talking about groups outright advertising their wares in the group name: https://krebsonsecurity.com/2018/04/deleted-facebook-cybercr...

>Some had existed on Facebook for up to nine years; approximately ten percent of them had plied their trade on the social network for more than four years.

>KrebsOnSecurity's research was far from exhaustive: For the most part, I only looked at groups that promoted fraudulent activities in the English language. Also, I ignored groups that had fewer than 25 members. As such, there may well be hundreds or thousands of other groups who openly promote fraud as their purpose of membership but which achieve greater stealth by masking their intent with variations on or misspellings of different cyber fraud slang terms.

I have my own personal experience with this. I came across a page promoting Snapchat (and maybe other services) hacking services that in exchange for a fee claimed it would email you the credentials of the target account, with plenty of obviously compromised accounts posting comments claiming it works. Obviously very illegal in the vast majority of jurisdictions, but the double whammy there is that the service was itself a scam.

Reporting the aforementioned group and a few of the fake comments yielded that none of this activity goes against their community standards.

 

@ Saturday, May 27th 2023 by shashashasha___ | parent

i love reading the comment in HN, not the articles. but this is a strange one.

>They are knowingly allowing card fraud and other cybercrime groups to operate openly on there.

i wonder if you believe yourself when you write stuff like that?
as if that company has a policy to allow fraud and cybercrime and they really believe it's good for their business.

if you do... well... watch out from those black helicopters

 

@ Saturday, May 27th 2023 by Nextgrid | parent

You don't need an explicit policy to allow it (putting it in writing would be stupid). There's plenty of ways to effectively allow it without saying it, like not encouraging/deprioritizing projects that aim to crack down on this kind of behavior, effectively turning a blind eye to the bad content without ever explicitly "allowing" it so they retain plausible deniability when confronted.


@ Saturday, May 27th 2023 by 8organicbits

What alternative options exist for low budget passion projects, toy projects, and the like? It's such a tough space to exist, trying to offer a free service while also combating spam.

The best list I'm seeing is: https://free-for.life/#/?id=domains


@ Saturday, May 27th 2023 by joemazerino

Maybe this is the way. I'm no fan of Meta but harping on lax domain setup controls might put the right pressure to lower malware installs.

