Back on the 22nd of February, I wrote an entry on this blog called "Does Anybody Know WHOIS Out There?". This entry was about the very slack or even non-existent verification of identification information (sheesh, try saying THAT with a few beers under your belt!) provided by individuals and organizations registering domain names on the Internet. I pointed out that it was far too easy for scammers & crooks to set up malicious websites without having to provide valid, or even real, and in some cases ANY information regarding their identity & location.
Well it seems they must read this blog site in Russia. Somebody's read my entry and has taken up my advice!
Okay, okay…. Yes, you're right. Somehow I don't think I've got that much influence. But I did read with interest today a news report that claims that the organization responsible for administering Russia's .ru top-level domain names is tightening its procedures.
As from the 1st of April this year, anyone who wishes to register a .ru domain will need to provide a copy of the organization's legal registration papers or a copy of a passport for individuals. The aim here is to better verify the identity of the owners of domain names and to make it more difficult for scammers to set up dodgy websites using the .ru domain.
Bravo! I say…. There should be more of it!
In fact, I've just read that the day after my blog entry was posted, a news article appeared stating that China's Ministry of Industry and Information Technology had announced that web site owners in China will have to start submitting personal photos to register their sites with the government under new trial regulations. This is China's latest move in an Internet clampdown focused on porn & malware. The new regulations, dated the 8th of February but only posted on the Web sites of certain provincial telecom regulators a week or so later, require Internet service providers that help people register a Web site with authorities to meet the applicant in person and collect a personal photo. Applicants must also submit other information and a description of their site's content, including anything that needs "advance or special approval."
Now I must say that this is a step in the right direction.
I must also admit that it is not the perfect solution and will not fix the problem in a hurry. It may be relatively easy to create good enough fake copies of the official documents required in Russia to satisfy the authorities. I don't know if that might be the case. And I'm certain that both Russia & China won't be retrospectively going through all the current, active domain names to check their validity. And it doesn't mean the bad guys can't just apply for a different domain name from another country with less stringent verification processes. But it is a good start.
But what it does mean is that it just might make things a little bit harder for the bad guys. And that's what we have to do. We're not going to fix the problem overnight. We have to just keep chipping away at it.
Hang on, did I say the more stringent requirements in Russia were to be implemented on the 1st of April…? I hope they don't make an April Fool out of me!
Senior Cybercrime Research Analyst
Author ESET Research, ESET