Network News

X My Profile
View More Activity

Govt: Fake Web Site Registrations Churn Online Fraud

The U.S. Government Accountability Office released a report Wednesday that points to a serious problem that is contributing to the proliferation of fraudulent phishing and scam Web sites -- the relative lack of any real policing by the domain-name registrars of the data people must submit to register a new Web site.

GAO estimated that 2.31 million domain names (or slightly more than 5 percent of all currently registered Web site names in the .com, .net, and .org top level domains) have been registered with  false data. The agency found another 1.64 million domains that were registered with incomplete data.

GAO said it selected a random sample of 300 domain names from each of the three top level domains and performed record look-ups to obtain contact information for each domain name. Of the 45 error reports the agency submitted to ICANN (the group charged with overseeing the domain name space) for further investigation-- only about one-quarter were updated with accurate information. Nearly half of those domains were associated with Web search portals and adult content, among other categories, GAO said.

The GAO report concluded that while several tools are available to ICANN and the domain name registries and registrars to better police this space, none are widely implemented.

My gut says GAO's estimates probably low-ball the true number of domains registered with false information. I say this because I've investigated dozens of phishing sites, only to find that they were registered to real people whose information and credit card data had been stolen. My guess is that the study had no way of determining these types of registrations, so it did not include them. I wrote about just such an experience before in a previous post on a phishing scam targeting MasterCard users.

This is most certainly a difficult problem to fix, but ICANN and the many companies that help people register domain names could do everyone a great service if they got better at demanding accurate registration information. Yes, there are privacy and security issues involved in some cases, but most registrars offer some type of service that allows people to keep their contact information hidden from most queries, albeit usually for a fee.

By Brian Krebs  |  December 8, 2005; 11:55 AM ET
Categories:  From the Bunker  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Govt: Fake Web Site Registrations Churn Online Fraud
Next: Govt: Fake Web Site Registrations Churn Online Fraud


"GAO estimated that 2.31 million domain names (or slightly more than 5 percent of all currently registered Web site names in the .com, .net, and .org top level domains) have been registered with false data."

For prosecution, this statistic is meaningless bits of crimes which cannot be (un)commited.

For security, on the other hand, it shows the futility of social engineering.

Why not fight techno-crime by making the act of having a web address harmless with safe clients (browsers) ?

Posted by: GTexas | December 8, 2005 3:23 PM | Report abuse

It's really very simple. Just stop the registrars from charging (often more than the price of registering the domain itself!) for making the information private. That removes the incentive for honest folks to give false information. Then aggressively go after the folks who give false information.

Posted by: just this guy | December 8, 2005 4:26 PM | Report abuse

Here's the email I got from Network Solutions, so they make some effort. But neither ICANN or the registrars have any financial incentive to enforce the existing policy.

What were the "several tools" you reference identified by the GAO that could address this issue?

Dear Network Solutions Customer:

To comply with the ICANN (Internet Corporation for Assigned Names and Numbers) WHOIS policy, we request each year that you confirm the accuracy of your WHOIS contact information. WHOIS is a publicly accessed database containing contact information associated with every domain name registration.

When you registered your domain name, you agreed to keep your contact information in Account Manager current. Please remember that providing inaccurate or dated contact information may be grounds for domain name cancellation. If your WHOIS information has changed or is inaccurate, please update it through your Network Solutions Account.

You may review the ICANN policy here.

Thank you for your attention to this important ICANN required message. We look forward to helping you grow your business on the Web.


Network Solutions Customer Support

Posted by: Chris Parente | December 8, 2005 5:49 PM | Report abuse

Brian, you said "My gut says GAO's estimates probably low-ball the true number of domains registered with false information" and I think you're absolutely right. I investigate sites hosting malware and spyware, blog comment spamvertized sites and rogue anti-spyware sites and a huge percentage of them have false information. Some are so obviously fake, it's pathetic, like a phone number of 123-456-7890. Anyone can submit a complaint about false registration info here:

I've reported a lot of domains and sometimes the information gets changed and sometimes not. Some of the registrars just don't do anything. Then there are some registrars that are in business with the spyware pushers. Esthost seems to be closely tied with the CoolWebSearch gang and hosts a LOT of CWS sites. They appear have their own registrar - Estdomains. So good luck on getting anything done about those domains.

Posted by: suzi | December 8, 2005 6:10 PM | Report abuse

This is a "Well Duh..." type of article. It is common knowledge that Domain Name Registration is and has been a mess for some time. When cybersquatters and other low-lives are allowed to get domain names that they should never really have, then the whole system will quickly break down as we have seen. There should be only one (or perhaps a couple) authorities that issue domain names, and all domain names issued should go through a review process before being issued, to ensure the person being issued the domain has rights to that domain. It was this way "in the beginning", but then someone decided that they could "make a buck" off something that should have been closely monitored (or even regulated), and we ended up with the domain name registration mess we have today. Sigh.

Posted by: WhatAMess | December 9, 2005 12:04 AM | Report abuse

We need a copy of GAO's list and it would be a great service to make publically available lists of websites with bogus data -- so that they can be filtered out when browsing.

Even better would be for search engines to provide a filter option for bogus websites.

Posted by: Stephen T. | December 10, 2005 8:17 AM | Report abuse

Registrars should be required to keep whois information private but freely available to law enforcement. If it wasn't freely available to law enforcement, there would be no law made to require that it be hidden from the public because that would hurt law enforcement.

This issue was debated by lawmakers a couple of years ago. Why didn't they fix it?

I reported a bogus administrative contact address for to three weeks ago and nothing happened. Yesterday I followed up like internic says to do. No response yet. I complained because Chase provides no way to submit spoof reports and all of their online forms require personal information.

Posted by: Barry | December 10, 2005 11:38 AM | Report abuse

It's no surprise that domain registrants put false data into their whois record. When I was young and foolish I entered the correct data for my domain and I'm sure that 95% of my spam comes from people who farmed my email address out of the whois database.

Posted by: jimand | December 12, 2005 1:31 PM | Report abuse

Hi Brian - Nice article. For another view on this, see my post at, which was picked up by Circle ID at

By the way, that fee to keep your information secret is not cheap, often (as at GoDaddy, for instance), more expensive than the registration itself.

Posted by: Antony Van Couvering | December 14, 2005 1:52 PM | Report abuse

I'd agree that the figures they've produced are much lower than reality. I posted about this at:

Barry - quite a few ccTLDs keep registrant information private by default and would reveal it to law enforcement if the request came via the correct channels.

Posted by: Michele | December 15, 2005 4:30 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company