Fake online shops – behind the scenes

Registering a .ch domain name couldn’t be easier – and cyber criminals are taking full advantage. A look behind the scenes shows just what SWITCH and the authorities are doing to protect internet users against fake online shops.

Text: Jakob Dhondt, published on 21.10.2020

An open registration policy means that a .ch or .li domain name can be easily set up by anyone. Although this is the legislators’ intention, it also makes it very easy for criminals to register domain names for the purpose of committing internet fraud.

The phenomenon of fake online shops has been around for years, and various authorities have been making constant efforts to fight it in collaboration with SWITCH. SWITCH first drew attention to the problem back in 2017. A lot has changed since then, both in terms of the detection mechanisms and countermeasures (in German) and on the cyber criminals' side, as they develop ever more sophisticated methods to keep their fake e-commerce shops under the radar. The responsibility for identifying suspicious domains lies with the registries, while the anti-cybercrime authorities recognised by OFCOM are responsible for prosecuting criminals and implementing prevention measures such as blocks or ID requests. The Ordinance on Internet Domains (OID), especially Articles 15 and 16, serves as the legal basis for the activities of these authorities.

Fake online shops usually have one thing in common: the cyber criminals provide false information about the holder when registering the domain name. How effective the current methods for detecting false holder details are, and what could be done better in the future, is analysed in more detail below using a selection of data.

Evolution of the process

When we first began addressing the topic in more detail at SWITCH, the process for detecting false holder details was based on a manual database query. We looked for registration patterns that had previously appeared suspicious to an analyst, such as a conspicuous holder name in combination with a specific registration attribute. Our search would result in a list of suspicious domain names, often containing thousands of entries. This list was then examined in more detail by a recognised authority. Any domain names confirmed as fraudulent by this authority were subsequently deleted by SWITCH.

Only in certain cases – namely malware and phishing – is SWITCH permitted to block or delete domain names without having been instructed to do so by an official body.

Rule-based scoring system

However, the number of domain names discovered using this technique steadily decreased over time, which made it necessary to refine and automate the method. Taking into account what had and hadn't worked well in the past, a new, rule-based scoring system was developed in collaboration with the authorities and in close dialogue with other European registries. It evaluates each new domain registration against a set of criteria and awards it a score between 0 and 10. Once this score reaches a defined threshold, the registration is classed as suspicious and reported to the Zurich Cantonal Police, where it is subjected to a detailed analysis using the specially developed tool 'QueenGuard'. If necessary, SWITCH is then notified via the processes defined in the OID.

The set of rules is continuously revised and adapted to the circumstances. It currently comprises nine rules. One of these checks whether the domain of the holder's e-mail address is on a list of suspicious domains. Similarly, the holder's country and the registrar ID are matched against lists of countries and registrars that have been associated with higher levels of fraudulent activity in the past. In addition, two different services are used to verify that the holder's postal address exists. These and other criteria are weighted and summed to arrive at the aforementioned score. As explained at the beginning, criminals are constantly refining their methods to circumvent established rules and procedures. One example is registering a domain with a valid but stolen address: both verification services accept it, so the address rules contribute nothing to the score of such a registration and the remaining rules have to carry the detection.
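To make the mechanism concrete, here is a small scoring engine of the kind the paragraph describes. This is an added example written for this article, not SWITCH's or the Zurich Cantonal Police's code: the six rules, their weights, the watch-list contents, the stand-in address-verification services and the three sample registrations are all constructed for illustration (the article gives neither the real rules nor their weights). The last sample reproduces the evasion discussed above, a fraudulent registration that uses a valid address copied from a real business.

```python
"""Rule-based scoring of new domain registrations, modelled on the scoring
system described above.  Added example, not SWITCH's code: the rules,
weights, watch-lists and sample registrations are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Registration:
    domain: str
    holder_name: str
    holder_email: str
    holder_country: str   # ISO 3166-1 alpha-2 code as given by the holder
    holder_address: str
    registrar_id: str


# Constructed watch-lists (the real ones are maintained with the authorities).
SUSPICIOUS_EMAIL_DOMAINS = {"freemail-a.example", "freemail-b.example"}
HIGHER_RISK_COUNTRIES = {"ZZ"}        # ZZ is a user-assigned code, used as a placeholder
HIGHER_RISK_REGISTRARS = {"REG-042"}  # hypothetical registrar ID

# Stand-ins for the two external address-verification services: each simply
# looks the address up in its own constructed directory of known postal addresses.
SERVICE_A_DIRECTORY = {"Musterstrasse 1, 8000 Musterstadt"}
SERVICE_B_DIRECTORY = {"Musterstrasse 1, 8000 Musterstadt", "Rue Exemple 5, 1000 Exempleville"}


def email_domain(reg: Registration) -> str:
    return reg.holder_email.rsplit("@", 1)[-1].lower()


# (rule name, weight, predicate that returns True when the rule fires)
RULES: list[tuple[str, float, Callable[[Registration], bool]]] = [
    ("email_domain_on_watch_list", 3.0, lambda r: email_domain(r) in SUSPICIOUS_EMAIL_DOMAINS),
    ("holder_country_higher_risk", 2.0, lambda r: r.holder_country.upper() in HIGHER_RISK_COUNTRIES),
    ("registrar_higher_risk", 1.5, lambda r: r.registrar_id in HIGHER_RISK_REGISTRARS),
    ("address_unknown_to_service_a", 1.5, lambda r: r.holder_address not in SERVICE_A_DIRECTORY),
    ("address_unknown_to_service_b", 1.5, lambda r: r.holder_address not in SERVICE_B_DIRECTORY),
    ("holder_name_has_no_letters", 1.0, lambda r: not any(c.isalpha() for c in r.holder_name)),
]

MAX_SCORE = 10.0   # the article's scale runs from 0 to 10
THRESHOLD = 2.0    # the deliberately low cut-off used in the analysed period


def score(reg: Registration) -> tuple[float, list[str]]:
    """Return the weighted sum of fired rules, capped at MAX_SCORE, and the rule names."""
    fired = [name for name, _, pred in RULES if pred(reg)]
    raw = sum(weight for name, weight, _ in RULES if name in fired)
    return min(raw, MAX_SCORE), fired


def is_suspicious(reg: Registration) -> bool:
    return score(reg)[0] >= THRESHOLD


def triage(registrations) -> list[tuple[str, float, list[str]]]:
    """Registrations at or above the threshold, highest score first, for manual review."""
    rows = [(r.domain, *score(r)) for r in registrations if is_suspicious(r)]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample registrations; every name, address and domain is a placeholder.
LEGITIMATE = Registration("muster-laden.ch", "Muster AG", "info@muster-laden.example",
                          "CH", "Musterstrasse 1, 8000 Musterstadt", "REG-001")
CRUDE_FAKE = Registration("cheap-brandname-outlet.ch", "12345", "ab12cd@freemail-a.example",
                          "ZZ", "asdf 123", "REG-042")
# Same fraud, but registered with a valid address copied from a real business:
# both verification services accept it, so the two address rules fall silent.
EVASIVE_FAKE = Registration("brandname-sale.ch", "Muster AG", "ab12cd@freemail-b.example",
                            "CH", "Musterstrasse 1, 8000 Musterstadt", "REG-001")

if __name__ == "__main__":
    for domain, s, fired in triage([LEGITIMATE, CRUDE_FAKE, EVASIVE_FAKE]):
        print(f"{domain:28} score={s:4.1f}  rules={fired}")
```

The crude fake trips every rule and is capped at 10; the evasive one, identical in intent, scores only 3 because the stolen address satisfies both verification services. It still clears the threshold of 2, but only thanks to the e-mail-domain rule, which is exactly why the article argues that the rule set has to keep evolving and that analysts must review the low-scoring end of the list as well.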

Data analysis

The following figures and graphs cover the period from 22 March 2020 to 22 June 2020. A total of 90,842 .ch domain names were registered during this time, of which 5,862 (6.5%) were awarded a score of 2 or higher. Because the threshold of 2 is relatively low, analysing these domain names involved a lot of work on the part of the cantonal police. This threshold was chosen intentionally, however: had it been set any higher, new patterns in the data might have slipped through the net unnoticed. Out of the 5,862 domain names, 450 (7.7%) were eventually reported to us as fraudulent, and we deleted 411 of them.

The two graphs show that the number of registrations decreases as the score rises, while the proportion of deleted domain names increases with the score. However, even with a fairly high score of 5–6, only a small percentage (4.8%) of the registrations are actually deleted; the bulk of the work at this level and below therefore goes into confirming legitimate registrations. Only at 6–7 (92.1%) and 7–8 (100%) does the deletion rate rise sharply. The graph below shows what percentage of the domain names fulfilling a particular criterion are deleted. Two criteria clearly stand out here.

Outlook

This article only provides a very basic overview of the analysis methods. To improve the detection of fraud on the basis of false registration data, it is necessary to analyse the data in ever greater detail. The question also arises as to how long this approach will continue to work. Criminals are getting better and better at imitating legitimate domain registrations. Nevertheless, it is still possible to find cases of misuse with the help of certain criteria, even if it does take more effort. As domains are often bulk registered by the cyber criminals, a certain degree of automation is necessary on their side. These automated processes will inevitably contain recognisable patterns. Whether it will still be possible to recognise fraudulent registrations with a simple set of rules remains to be seen.

We have already started experimenting with a machine learning approach: with the help of a labelled data set, a model is trained to identify patterns that are too complex to be identified using a basic rule. Of course, this also requires a good set of features, which needs to be worked out manually. One option might be to use the existing rules as a basis, but enhance them with additional features such as a time component for the registration. The Dutch registry SIDN already has a lot of experience in this area. We engage in active dialogue with SIDN and other European registries on this topic, which enables us to benefit from each other’s knowledge and come up with solutions more quickly. We would be kidding ourselves if we thought online fraud could be eliminated entirely in Switzerland, especially when we consider how easily available .ch domain names are. Nevertheless, SWITCH will continue to do everything it can to combat such abuse.

About the author

Jakob Dhondt

After gaining a master's degree in computer science at the KULeuven, Jakob Dhondt joined SWITCH in 2017. As part of the SWITCH-CERT he is working as a security expert focussing on DNS.


#Security

This article was first published at inside-it.ch and inside-channels.ch (in German only) as part of SWITCH's #Security column. The column appears six times a year. Security experts from SWITCH independently express their opinions on topics relating to politics, technology and awareness of IT security.
