Namecheap refines strategy to fight malicious domains

Security researchers this month noted drastic improvements in the domain registrar's effort to respond to and mitigate reports of malicious and fraudulent sites.

Domain registrar Namecheap, Inc. is being commended for its improved reporting and remediation strategy for malicious domains, though it is unclear what spurred the changes for the company.

Security researchers took to Twitter recently, citing a significant improvement in response time by Namecheap to take down URLs used for phishing attacks, business email compromise and other threats. For example, security researchers at MalwareHunterTeam, which runs the free malware service ID Ransomware, discovered a domain spoofing the National Health Service under the guise of signing up for a digital coronavirus passport. This time, Namecheap took down the phony site within an hour.

And according to MalwareHunterTeam, that wasn't the only incident that Namecheap responded to quickly. "Today informed Namecheap about ~40 phishing / malware spreading domains. All of them were solved within an hour," the researchers said last week on Twitter. "More than half of them were less than 30 minutes, some less than 10 mins, at least 1 in < 3 mins. Obviously the avg could be better, but compared to the past, great."

Other security researchers noted the improvement as well. Andrew Thompson, senior manager at Mandiant, said Namecheap's faster responses make it more difficult for threat campaigns to succeed. "We should expect all registrars to act this way," he said in a tweet. "I would say we should go further and say they should do better at limiting who and how domains get registered in the first place, but this is a start. Make adversaries struggle again."

A new focus on preventing fraud and abuse, which rose dramatically during the COVID-19 pandemic, may account for the changes in Namecheap's response time.

In a blog post earlier this month, Namecheap CEO Richard Kirkendall outlined new ways the company is acting against malicious domains. These include increased investment, a changed triage strategy, the introduction of validation, newly established reporting channels for law enforcement, a COVID-19 task force and more.

Kirkendall said Namecheap has invested heavily in efforts to combat online fraud and digital abuse. That investment increased by 52% from 2019 to 2020. Additionally, the company changed its approach by investigating and responding to the newest tickets first, rather than working from the oldest ticket forward. According to the blog, this reduced Namecheap's response time to a matter of hours.

These changes appear to have been enacted in response to COVID-19, when cybercriminals took advantage of the pandemic by creating fake coronavirus-related domains.

"In 2020 alone, Namecheap received 1.27 million abuse reports, representing an 85% increase in support tickets over the prior year," Kirkendall wrote in the blog.

It's unclear why Namecheap decided to drastically overhaul its processes for remediating fraud and abuse. A spokesperson for Namecheap told SearchSecurity the company wants to get better at fighting malicious domains, and to make the internet as safe as possible for everyone.

"I wouldn't say we think of it as a competitive advantage," the spokesperson said. "Our goal is to identify, investigate and stop all forms of fraud as quickly as possible, while also ensuring the right to due process for all our customers."

Past issues for Namecheap

While fraudulent domains and cyberthreats overall skyrocketed during the pandemic, impacting organizations of all kinds, many domain registrars have been slow to respond to reports of abuse or fraud. Sometimes, such slow or nonexistent efforts can result in legal action from organizations whose legitimate domains are being spoofed.

Namecheap ran into such issues last year when it was hit with two complaints, both filed in March.

The Department of Justice sought a temporary restraining order against Namecheap over the domain name "coronavirusmedicalkit[.]com," which was registered through the company. The domain was used under false pretenses, promoting fake coronavirus kits for purchase.

"Namecheap, Inc. plays a critical role in the scheme by serving as the domain registrar of the website, which allows potential victims to access the website," the complaint said.

Facebook also filed a lawsuit, this time against a proxy service offered by Namecheap called Whoisguard. The social networking giant claimed the service was being used by threat actors behind 45 domain names that appeared to be affiliated with Facebook apps. Christen Dubois, director and associate general counsel of IP litigation at Facebook, published a blog on March 5 citing the reasons for the lawsuit.

"We sent notices to Whoisguard between October 2018 and February 2020, and despite their obligation to provide information about these infringing domain names, they declined to cooperate," Dubois wrote in the blog.

According to the lawsuit, Namecheap repeatedly failed to take steps to investigate and respond appropriately to any reports of abuse as required by the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement.

In June, Kirkendall published a blog in response, claiming that if Facebook won the lawsuit, it would create a backdoor through the General Data Protection Regulation (GDPR) to users' personal information.

"We refuse to hand over your private information unless the company requesting it has established a legal right to it. For many companies, this is good news and a standard they practice as well. A small group, however, believe they are entitled to your information just because of who they are and because they ask," Kirkendall wrote in the blog.

However, last year wasn't the only time Namecheap was on the domain abuse radar. According to The Spamhaus Project, a database of spam addresses, Namecheap was the most abused domain registrar for the third quarter of 2019.

The Spamhaus Project also cited Namecheap in 2020 for its bulk registration services, called "Beast Mode," which it said are beneficial for spam and ransomware campaigns, as well as criminal infrastructure operations. According to a blog post by infosec expert Dave Piscitello, botnets and ransomware or phishing as a service particularly benefit from the ability to use bulk registration services offered by domain name registrars.

"Beast Mode, offered by the registrar Namecheap, Inc., illustrates how easily and cheaply domains can be acquired in this manner," Piscitello wrote in the blog.

Still, security researchers applauded Namecheap for the recent changes, though they hope those efforts continue.

"Update about Namecheap after the last week: compared to some months ago, it's like a different company, so many positive changes. But compared to what I would like to see from them (but it's the same for all other registrars/hostings obviously), they still have a lot to do…" the MalwareHunterTeam wrote on Twitter.