ICANN’s new study examines attacker preferences in domain registration

The INFERMAL study helps explain how and why attackers choose certain registrars and domain services. It shows that preventative measures, especially around pricing, automation, and identity verification, can reduce abuse.

Cybercriminals often rely on fake websites to carry out phishing attacks: scams in which people are tricked into giving away passwords, financial data, or other sensitive information. These fake sites usually look like legitimate ones but are designed to deceive.

The INFERMAL Study (Insights and Clarifications on the INFERMAL Study), carried out by KOR Labs for ICANN’s Office of the Chief Technology Officer, looked into how malicious domains are registered and what makes some domain providers more appealing to attackers. The study analysed over 29,000 domains, half used for phishing, half legitimate, and examined 73 features related to the registration process.

What the study found

Several factors stood out in explaining why some registrars and top-level domains (TLDs) are used more frequently for phishing:

  • Low cost attracts abuse: Domains used for phishing were often registered at a much lower cost, around $4.71 on average, compared to $8.62 for legitimate domains. Discounts and bulk registration options made it easier for attackers to register many domains quickly.
  • Automation makes scaling easier: When registrars allow users to register domains using automated tools (via APIs), abuse rates increase significantly. This is because attackers can register and configure large numbers of domains without manual effort.
  • Identity checks reduce abuse: Registrars that require verification of user identity, such as Know Your Business Customer (KYBC) processes, saw much lower rates of abuse. These checks added friction for attackers but did not seem to discourage legitimate users.
  • Quick takedowns are not very effective: Removing domains after they’re reported as malicious had limited impact. Since phishing campaigns often operate for only a few hours, preventing bad domains from being registered in the first place is more effective.

Why does this matter for the general public?

This study is relevant to anyone who uses the internet. When malicious websites are easy to register and remain online long enough to carry out scams, the risk to individuals increases. Phishing attacks can lead to stolen credentials, financial loss, or identity theft.

The findings show that some registrar practices make abuse more likely, while others help reduce it. Understanding these patterns can support more effective policy decisions and operational changes.

Why should civil society care?

Civil society groups, especially those working on human rights, digital literacy, online safety, and access to justice, have a big stake in this issue. Here’s why:

  • Protection of vulnerable populations: Many phishing targets are individuals with limited digital literacy or fewer resources to recover from fraud. Policies that make malicious domain registration harder can reduce harm.
  • Transparency and accountability: The study points to differences in how domain providers handle abuse. Civil society can advocate for stronger oversight and encourage practices that prioritise user safety.
  • Participation in policy processes: As ICANN and other internet governance bodies consider changes to domain registration rules, civil society input helps ensure that solutions are balanced and take user rights into account.
  • Evidence-based advocacy: The study provides data that can be used to push for practical reforms, such as requiring identity checks for domain registrations or limiting access to bulk registration tools.

Rather than responding after harm occurs, the focus should be on making abuse more difficult from the start. Civil society actors and internet users have a stake in how these systems are designed and regulated, and this research provides useful insight for that ongoing work.
