22,000 malicious .uk domains suspended in past year

Nominet, the UK’s domain name registrar, suspended a total of 22,158 .uk internet domains for criminal activity in the 12 months from 1 November 2019 to 31 October 2020, down almost 7,000 on the previous year, and with less impact from the Covid-19 pandemic than might have been expected, given its domination of the 2020 security landscape.

The organisation, which acts to suspend domains following notifications from law enforcement when they are being used for criminal activity, and puts on hold domains at registration if potential criminal activity is suspected, said the suspensions represented about 0.22% of the total .uk internet domains currently registered.

Nominet works with 13 reporting organisations, and received requests from eight of these in the past year, the vast majority from the Police Intellectual Property Crime Unit (Pipcu), which deals with IP infringements and flagged 21,632 domains, down from 28,606. The National Fraud Intelligence Bureau (NFIB) flagged 266, the Financial Conduct Authority (FCA) 232, the Medicines and Healthcare Products Regulatory Agency 13, and Trading Standards seven.

Nominet CEO Russell Haworth said the drop in suspensions was clearly driven by fewer Pipcu referrals. “This suggests that their work to stop counterfeit goods reaching .uk domains is having an effect,” he said. “Criminal groups are also starting to realise .uk domains used for scams will be suspended promptly. While that is good news, we remain focused on playing our part to take swift action when alerted to any criminality in the namespace.”

Eleanor Bradley, MD of registry and public benefit at Nominet, added: “While we have seen a decline in Pipcu requests for suspensions, there have been some increases year on year for other key [organisations] that we work with to keep the UK domain safe and secure for the millions of individuals and businesses that use it every day.

“Increases in suspensions from the FCA and NFIB show that we cannot sit on our hands as the fight to keep up with the criminals is ongoing and ever evolving.”

Joanne Ferguson of the City of London Police’s Cyber Prevention and Disruption Team of the National Fraud Intelligence Bureau said: “Our main goal is to make the UK a hostile environment for fraud, and working together with Nominet is one of the key ways we can achieve this. Our partnership allows us to disrupt criminals by identifying domains being used in fraud and taking action to stop further people falling victim.

“It also allows us to prevent fraud from happening in the first place by predicting opportunities for criminals and working with Nominet to suspend domains before they are even used.”

Ferguson added: “A recent example of this is the work we did with Nominet around coronavirus-related fraud, where we blocked the registration of unofficial domains linked to Covid-19. Protecting the public is our number one priority and we would like to thank Nominet for their continued support in helping us do this.”

With regard to Covid-19, Nominet rapidly stepped up its checks on new domain registrations in the spring, which may have done much to head off cyber criminals before too much damage could be done. Up to 28 October, it had placed 3,811 new domains related to Covid-19 on hold pending further registrant checks, of which 1,568 have passed due diligence and are now live. Just eight of the domains suspended for criminal activity related to the coronavirus.

“New anxieties are a bounty for cyber criminals who look to take advantage of others online for their own gains, not least by exploiting the pandemic,” said Haworth. “This year, we proactively sought to weed out coronavirus-related domains registered for criminal intent and had put on hold almost 4,000 by the end of October. With less than half passing the due diligence we require to reinstate them, it is clearly helping to keep scams at bay.”

More widely, Nominet’s Domain Watch anti-phishing initiative, which suspends suspicious domains when they are registered, saw 5,006 domains suspended, more than double the previous year’s total.

Nominet shared a number of other data points relating to its activity in the past year, revealing that 47 suspension requests were made that did not result in a suspension. This can be for reasons such as the domain having already been suspended in a parallel process, or the registrant having become complaint. It also reversed a total of 15 suspensions for domains where offending behaviour was judged to have ceased.

It also updated domains flagged under its proscribed terms policy, which was introduced six years ago. In the past 12 months 1,060 new domains were identified as a possible breach, but no suspensions were made. Nor did it receive any suspension requests from the Internet Watch Foundation on Child Sexual Abuse Images.