The Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) partnered with Interisle Consulting Group on their year-long study, Cybercrime Supply Chain 2023, Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them. M³AAWG co-sponsored Interisle’s study with the AntiPhishing Working Group (APWG) and the Coalition Against Unsolicited Commercial Email (CAUCE). The report was released on Oct. 23, 2023.

Researchers analyzed more than 10 million cybercrime records to identify patterns of exploitation and abuse. Interisle’s analysis concludes current strategies employed by the domain name and hosting industries, governments, and private sector organizations are not significantly impacting the cybercrime supply chain. The study then focused attention on the links in the supply chain where disruption can have a meaningful impact.

“This report is an impressive compendium of relevant data. This presents sound evidence that supply chain disruption is a feasible strategy that should be effective if carried out,” said Chuck Wade, a partner at Interisle Consulting Group.

The Cybercrime Trifecta: Malware, Spam and Phishing

The study examined three categories of cybercrime: malware, spam, and phishing. Often, cybercriminals use these individual offenses in conjunction with each other in a larger criminal scheme. 

• Malware can infect any device connected to a network. Malware attacks, which cost billions of dollars annually, are carried out by criminals or nation-states.
• Spam messages are transmitted from malware (“bots”) that operate from cloud or hosting service accounts or compromised devices. These bots provide delivery methods for messages that contain lures to phishing pages or malware download sites. Modern day spam is rarely benign: as a delivery system, spam is almost always a component of subsequent cybercriminal activity.
• Phishing attacks trick people into visiting fake websites that are controlled by criminals, causing financial losses to millions of internet users annually.

Dave Piscitello, co-author of the study and director of the Cybercrime Information Center project, described how this destructive combination is executed: “An attacker creates or hacks into a cloud or hosting account and installs malware that can send email. They use this malware to send phishing emails that lure users to fake sites where the user discloses their personal data. The attacker may instead send spam text messages to mobile devices that contain links to banking malware. These are but two examples of the kinds of sequences of attacks involving malware, spam, phishing, and more malware. Every incident along the way is a cybercrime. And they all make use of resources that criminals can obtain from inexpensive suppliers.”

For Sale: Malware, Spam, and Phishing Kits

Criminals who perpetrate these cybercrimes enjoy an enormous economic advantage over defenders and responders. They can acquire resources from an online cybercrime supply chain where everything from phishing kits and malicious software, email lists, and mobile numbers, domain names and internet addresses, and places to host attacks are readily and cheaply available.

The Interisle study measured the internet naming and addressing elements of this supply chain.

Major Findings

Interisle collected malware, spam, and phishing reports from eleven publicly and commercially available threat intelligence or reputation services. They analyzed over 10 million cybercrimes to identify the Internet naming, addressing, hosting resources, and where criminals went to acquire attack resources.

Interisle ranked Top-Level Domain (TLD) registries, gTLD registrars, hosting providers, and subdomain resellers that criminals most frequently exploited to obtain resources, according to raw counts and comparative metrics.

Among the major findings from the study data, Interisle reports that:

• Nearly 5 million domain names are serving as a resource for cybercrime.
• Over 1 million domain names that were reported for spam activity were registered in the new gTLDs.
• Over 500,000 subdomain hostnames that served as resources for cybercrime at 229 subdomain resellers.
• Criminals acquire domain names in volume: over 1.5 million domains exhibited characteristics of malicious bulk domain registration behavior.
• Brand infringement is commonplace in domains registered by criminals to perpetrate cybercrimes. Criminals used exact matches of a well-known brand name in over 200,000 cybercrime attacks.

The Strategy: Apply Systems Warfare to Defeat Cybercrime

Systems warfare is a strategy that attempts to disrupt the operations of an adversary’s functions. Interisle argues that applying a similar strategy to mitigate cybercrime can be effective. The study focused attention on the links in the supply chain where disruption can have a meaningful impact.

The analysis revealed distinct and persistent patterns of exploitation and abuse. While some of these patterns are familiar to cybersecurity practitioners and law enforcement, Interisle’s research revealed the wide prevalence of less familiar methods for exploiting domain registration and hosting services such as bulk domain registrations and abuse of user accounts of subdomain resellers.

The findings from this study underscore a previous Interisle finding, that the prevailing uncoordinated and ineffective attempts to curb cybercrime are not working, and that new strategies are required.

The Tactics: How to Disrupt the Cybercrime Supply Chain

Interisle recommends a cooperative, proactive, and cross-sector effort by governments, the private sector, and public policy communities to disrupt the cybercrime supply chain. These recommendations include:

• Require registrars and registries to promptly (within 24 hours) investigate and suspend or cancel domain names that are purposely registered by criminals to commit online crimes, especially for cases where these registrants have amassed large batches of domain names.
• Review the practice of bulk registration and develop policies to prevent abuse.
• Adopt and enforce policies that protect internet users from deceptive domain registrations, e.g., domains that contain exact matches of recognized brands.
• Adopt policy to ensure that new TLDs do not result in a more abundant supply chain.
• Develop a common supply chain disruption strategy for ccTLDs and gTLDs.

Cross-industry collaboration requires hosting operators to develop and promulgate broader web, cloud, and hosting industry best practices, including policies, operational practices, and technical solutions like those recommended for the domain industry.

“This report makes clear the close connections among malware, phishing, spam, and domain abuse, and the strategies we need to combat them,” said M3AAWG expert advisor and CAUCE president, John Levine.

Interisle is engaged in a long-term effort to collect and analyze data on the way criminals obtain resources they use to perpetrate cybercrimes so that Internet policy development can be informed by reliable intelligence based on data. As part of this effort, Interisle publishes quarterly phishing activity reports at the Cybercrime Information Center.

APWG is an international coalition of counter-cybercrime responders, forensic investigators, law enforcement agencies, technology companies, financial services firms, university researchers, NGOs, and multilateral treaty organizations operating as a non-profit organization. Its directors, managers and research fellows advise national and sub-national governments as well as the United Nations (Office on Drugs and Crime) as recognized experts (as defined by the Doha Declaration of 2010 and Salvador Declaration of 2015) as well as multilateral bodies and organizations.

CAUCE is an all-volunteer internet end-user trust and safety advocacy organization. The CAUCE Board of Directors provides internet advocacy and consultation with governments, NGOs, law enforcement agencies, and trade associations. The mission of CAUCE is to defend the privacy rights of internet users and support anti-abuse work in all its forms. CAUCE focuses on messaging security:  email, direct message, text, or social media discourse.

The report is available at https://interisle.net/CybercrimeSupplyChain2023.pdf.