All too often we see people who should know better claiming that Advance Fee Fraud (AFF) is purely a content issue. A while back a senior person at a company offering security services, including email filtering, expressed his surprise that AFF uses bespoke domains to defraud.
More recently a community member of ICANN denied that domain and DNS abuse is seen in consumer-facing threats. When he was shown such abuse, he was surprised.
What is DNS?
DNS is an abbreviation for Domain Name System. A domain name is a name that is registered and is used to link to various resources on the internet, such as a website or an email server. If you send an email to somebody at a domain name, let’s say an address at aa419.org, your email system will look up the internet address of the email server for aa419.org and then forward your email to that address, commonly called an IP address. Likewise, if you go to https://aa419.org, your system will look up the IP address of aa419.org, then fetch the content from that address using this domain name. We can also have a sub-domain. If you go to our database, you will type in https://db.aa419.org. The sub-domain db.aa419.org can be at the same address as aa419.org or at a different address.
To take part in this system, you have to obtain a domain name through a registration process. While certain providers may give you such a domain name for free, these names are typically less wanted, as their domain name endings, called Top Level Domains (TLDs), have less credibility due to abuse. Domain names in TLDs such as .com, .org, .info and the other more popular ones typically have to be formally registered on an annual basis. This registration is via Registrars and is controlled through ICANN (Internet Corporation for Assigned Names and Numbers), which sets the policies and procedures for such registrations that the Registrars have to abide by. These policies are found in a document called the Registrar Accreditation Agreement (RAA). This policy includes supplying valid and complete registration details. There is also a clause which states that the person registering a domain name shall not use it, directly or indirectly, in a manner which infringes on the legal rights of any third party.
There is an acknowledgement that a domain name may infringe on the rights of a brand name in trademark matters. The mechanisms to deal with these can either be court processes (extremely expensive), or a process within ICANN called the Uniform Domain-Name Dispute-Resolution Policy (UDRP).
Various dispute providers are listed and, if the complaint of a rights holder in a dispute is found to be valid, the domain name will be transferred to the complainant. Although faster and cheaper than formal court procedures, this is not free.
For domain names registered in some of the newer top level domains, a newer equivalent procedure exists that is cheaper, called the Uniform Rapid Suspension (URS).
These two mechanisms essentially address commercial issues which companies may face. These are not directly aimed at protecting consumers.
While much has been said about consumer protection in the domain name system, ICANN considers any form of consumer protection to be beyond its remit. This view is made extremely clear on ICANN’s page under an article titled ICANN Is Not the Internet Content Police. Much as this article may sound sensible to the unenlightened who have never had to deal with internet fraud, it still does not address where DNS abuse starts and what is not merely a content issue.
Many innocents consider illegality on the internet to be purely within the purview of law enforcement and the courts. ICANN follows this same logic. Due process is a term commonly used (abused?) with little understanding of the constraints of such processes. The ICANN article mentions activities that are illegal in one country but may not be illegal in another. We are not talking about those types of activities when we look at AFF. We are not trying to stop free speech.
Advance Fee Fraud is illegal internationally. Yet, unlike spam, phishing and botnets, there is no recognition of AFF at ICANN, even though AFF is a global plague on the internet and the forerunner of Business Email Compromise (BEC), sometimes going hand in hand with it, with the same groups being involved in many cases. This has created a separate industry where domains are part and parcel of the offerings of the parties facilitating AFF. These parties are both downstream hosting providers and domain name resellers.
Advance Fee Fraud is not Phishing!
Many ignorant parties conflate phishing and AFF. It’s not uncommon to even see UDRP decisions being won where a domain name was abused for AFF, yet the complainant claims the defendant (who normally never defends the case) was imposing on their brand to target their clients in phishing attacks! Not true!
While it would be easy to mitigate fake bank domains that are used in AFF and spoof a bank by calling them phishing, it would be unethical. We recently again saw a news article, “Man who targeted Colorado women in ‘Nigerian romance scam’ arrested”, stating:
“He convinced two women in El Paso County to send him money in excess of $78,000 between April 2017 and February 2018, and he used fake bank websites to convince them he had the means to pay them back,” the sheriff’s office said in a statement.
https://www.fox21news.com/news/crime/man-accused-of-scamming-two-el-paso-county-women-out-of-78-000/170994391
Such a fake bank may not even spoof a real bank, but may be a totally fictitious bank. While a spoof may be mitigated by the real bank’s owners using UDRP or URS processes, acting as a proxy for consumer protection, this rarely happens, and it does nothing about the further fake banks, impersonating other brands, that the same party may operate. With a totally fake bank there is currently no such protection for consumers in ICANN processes.
In a recent incident, more than 250 associated domains were found belonging to one party. Using the ‘phishing mantra’ would not have worked and would never assist in understanding what was uncovered. While a single domain spoofed the Bank of America, the exact same content was used with another domain, where the fake bank name and logo were changed to create a new fake brand. This could not be seen as phishing. Further, we saw fake couriers, which are hardly phishing, being used. These carry fake tracking systems to complete the illusion of being a real company. Bogus couriers have become extremely insidious in AFF. We only have to look at the phenomenon of the infamous Parcel Scam. This type of fraud has also been responsible for enormous losses, leaving victims destitute, especially in the Far East:
Victims of the parcel scam, he said, were usually women who were single or single mothers.
https://www.thestar.com.my/news/nation/2017/12/21/parcel-scams-still-an-open-pandoras-box-woman-cheated-of-rm135000-in-parcel-scam/
It would also be difficult to explain fake oil company websites on bespoke domains, and even fake veterinarians, as “phishing”. Yet they are all deliberately created to complete the illusion: a stolen photograph placed on the director or staff page, the very supposed person the victim is talking to. This is not phishing, yet it is malicious. Fake attorney websites were equally found in this scam nest. Many were stolen websites, copied from lawyers in the Mediterranean, given a new name, posted on a bespoke domain, then abused to further the illusion. This is not phishing either. Yet all these domains had patently fake registration details. The domain names were all carefully and deliberately selected to complete the illusion in a role play to defraud consumer victims. More to the point, the content was designed by the same party, a hosting provider who was also a domain name reseller.
Domain Names Solely for Fraud
Let’s consider a malicious party registering a domain name with the sole purpose of defrauding consumers with it. The domain name is carefully chosen based upon the type of fraud he wishes to commit. During the registration process, this party registers the domain with inaccurate or fake registration details. Once registered, he hosts malicious content on a hosting account using this domain name. He may even go as far as to use sub-domains to hide the content from casual scrutiny, yet supply the hidden sub-domain name and associated content to victims. Likewise he can set up an email server with email accounts linked to this domain. Having access to the DNS of the domain name, the malicious party can further undermine the trust mechanisms intended to prevent abuse in email messages, such as SPF and DKIM: because he controls the records, there is less chance that the mechanisms designed to protect users from abuse will be triggered. The malicious party can now even obtain a certificate through DNS-based domain validation (the little green padlock) to further exploit the confusion that exists between trustworthy and secure.
If the hosting provider suspends the hosting account associated with this domain, the malicious party has thousands of hosting providers he can choose from and can simply point the domain at a new address. Likewise he can alter the DNS records to change the destination for all emails.
What are these domain names used in this way but abusive? All the promises made during the registration process are deliberately violated, these domain names have no legitimate purpose and are intended to undermine the rights of consumers in fraud. How can this not be DNS abuse?
These are the types of domains Artists Against 419 has been listing and reporting since 2003. The usage is illegal globally and they have zero right to exist in a healthy DNS ecosystem. While abusive content may be associated with these domain names, the abuse is driven from the DNS level. If a domain can survive 27 host suspensions to re-appear again on yet another host, how is this not DNS abuse? If a Bank of America spoof can be suspended by its host, the associated web page disappears and the DNS records are rapidly changed to a professional email provider to facilitate further fraud with bespoke email addresses, how is this not DNS abuse? If a vehicle escrow fraud domain can continuously hop around to be re-hidden 19 times on different sub-domains with zero content on the index page, how is this not DNS abuse? How do we stop email fraud if the SPF record is set to ‘+any’? If fraudsters have free rein at DNS level, the enemy is within the DNS gates.
We have long surpassed the old “content issues” definition here. It should be laid to rest when it comes to Advance Fee Fraud. BEC, at the hands of the very same parties, has long since proven this defence to be well past the point of wilful blindness.
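As an added illustration (not aa419’s own tooling), the script below takes a constructed history of DNS observations for a hypothetical domain and flags the two DNS-level signals described above: a catch-all SPF qualifier that passes any sending host (the permissive setting the article calls ‘+any’; in SPF syntax the catch-all mechanism is written +all) and repeated moves of the A record from one host to another. The domain name and IP addresses are made up.

```python
from collections import namedtuple

# One DNS observation: when seen, where the A record pointed, SPF TXT record.
Obs = namedtuple("Obs", "domain when a_record spf")

# Constructed sample history (hypothetical domain, documentation-range IPs).
HISTORY = [
    Obs("fake-bank.example", "2018-01-01", "198.51.100.10", "v=spf1 +all"),
    Obs("fake-bank.example", "2018-01-09", "203.0.113.7", "v=spf1 +all"),
    Obs("fake-bank.example", "2018-01-15", "203.0.113.7", "v=spf1 +all"),
    Obs("fake-bank.example", "2018-02-02", "192.0.2.44",
        "v=spf1 include:_spf.mail.example -all"),
]

def spf_all_qualifier(spf):
    """Return the qualifier ('+', '-', '~' or '?') of the terminating
    'all' mechanism; a bare 'all' defaults to '+'. None if absent."""
    if not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def spf_allows_any_sender(spf):
    """'+all' passes every sending host and '?all' is neutral: either way
    receivers get no basis to reject mail forged in the domain's name."""
    return spf_all_qualifier(spf) in ("+", "?")

def host_changes(history):
    """Count how often the A record moved to a different address, i.e.
    how many times the domain re-appeared on another host."""
    changes, prev = 0, None
    for obs in sorted(history, key=lambda o: o.when):
        if prev is not None and obs.a_record != prev:
            changes += 1
        prev = obs.a_record
    return changes

def report(history, rehost_threshold=2):
    """Summarise the DNS-level signals for one domain's history."""
    latest = max(history, key=lambda o: o.when)
    return {
        "domain": latest.domain,
        "rehosts": host_changes(history),
        "frequent_rehosting": host_changes(history) >= rehost_threshold,
        "spf_ever_permissive": any(spf_allows_any_sender(o.spf) for o in history),
        "current_spf_qualifier": spf_all_qualifier(latest.spf),
    }
```

Calling report(HISTORY) on the sample flags two re-hostings and a period of permissive SPF, even though the latest record looks tidy; real data would come from passive DNS or repeated lookups over time.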