Not in Our Domain: How EURid is Using AI and Global Cooperation to Tackle Cybercrime

Domain names are a key link in the chain that facilitates abusive online activity. If cybercriminals are able to register a domain name, they have a platform from which to target their victims, whether via phishing, spam, botnets, or malware.

Fighting domain name abuse is a constant challenge for EURid, whose .eu is an attractive domain for ambitious businesses looking to reach other markets and secure future growth: the .eu top-level domain represents 30 countries (EU and EEA member states), EEA citizens around the world, and around 450 million people with one clear extension. A tempting opportunity for cybercriminals.

EURid’s answer is the Abuse Prevention and Early Warning System (APEWS), a groundbreaking solution that uses AI and professionally curated incident lists to analyze domain name registrations and delay potentially abusive ones – catching them before they can be used to carry out any attacks. EURid began working on the project in cooperation with KU Leuven in 2017, and APEWS finally went online in December 2019.

APEWS vs. abuse

If the APEWS system flags a domain name registration as possibly linked to misuse, it is placed on hold pending further verification before it is delegated to the .eu zone file. This means that any services attached to the domain name (such as a website or email) will not function until the registrant’s identity has been fully corroborated.

“If we detect that a domain which has been registered shares some similarities with something that was abusive in the past, we ask the registrant about their identity – are you really the person that you say you are? Could you please identify yourself?” says Jordi Iparraguirre, Innovation Manager at EURid.

Suspicious cases are not only reviewed by EURid itself – the organisation also shares details of the registration with cybersecurity experts and law-enforcement bodies like Europol. But what makes a registration suspicious?

“We’re not just looking at the domain name itself,” explains Iparraguirre, whose role at EURid is to lead the development of new products and services so as to better serve .eu users. “We’re looking at lots of metadata around that domain. The system is fed with lists of domains that, for instance, have been used for spam or phishing in the past.”

This kind of historical data helps the system to tag a registration as potentially abusive – even if the domain is not the same as a previous offender. In most cases further checks are necessary, says Iparraguirre, but “when you see sites that are selling counterfeit products, you can be almost certain. Or a clone of a bank webpage – we’ve seen that – or the tax office, then that’s clear.”

Some cyber criminals make amateurish attempts to prove their identity by submitting expired ID cards or retouching dates and information – “We’ve seen masters of Photoshop sending very interesting ‘proof’,” says Iparraguirre – but the people behind most suspicious registrations disappear and the registrations are subsequently suspended.

EURid is setting up systems so registrants can self-validate their identification using eIDAS (a European-wide system for electronic identification) or a credit card, as well as other methods. EURid does not keep personal data, it simply checks whether the registrant’s identity has been validated by these trusted ID schemes.

Change is the challenge

According to Sameh Mannai, a data scientist and AI software developer at EURid, APEWS has shown excellent performance in detecting malicious campaigns – 80% recall (the proportion of actual positive labels correctly identified by the model) and 80% precision – but while it is capable of self-training, the system still requires input when cybercriminals suddenly alter their approach – as they often do.

“The main challenge is that the behavior of abusers is continually changing, and the data is different, the performance of APEWS will naturally degrade over time, and we have to feed the system with new data so that it can recover and improve its performance,” she explains.

“It needs to be constantly updated with new training data to remain accurate over time, but this is the case for most machine learning models. And this is what APEWS does: it automatically retrains regularly to catch up with these changes.”

Global events such as Covid-19 are a gift to abusers as they are usually impossible to predict, making it essential for cybersecurity bodies to react quickly to new threats. The coronavirus outbreak in 2020 and the ensuing global pandemic saw an explosion in fraudulent online activity as cybercriminals around the world seized upon the health crisis to exploit people’s fears by selling them fake tests, certificates, masks or sanitizers. 

In response, EURid updated APEWS to protect end-users from potential misuse of domain names by programming it to perform additional checks if newly registered domain names contained keywords related to the pandemic.

Educating the younger generation

Beyond its own in-house projects, EURid collaborates actively with a number of other organizations on initiatives to combat online abuse. One is the Youth IGF, created and administered by TaC-Together against Cybercrime International, a global non-profit anti-cybercrime organization based in Geneva and Paris. The main goal of the Youth IGF, which has been the leading youth movement on Internet governance since 2011, is to help victims of Internet crime and develop educational tools on online safety and cybersecurity for various stakeholder groups.

“As one of the partners of the Youth IGF, EURid is helping the Youth IGF to bring the voice of youth on the digital world to policy makers,” explains TaC founder and director Yuliya Morenets. “Cybersecurity is a strong focus of the Youth IGF’s work.”

By supporting the Youth IGF, EURid contributed to the implementation of innovative solutions like CyberVictim.Help, which provides victims of cybercrime with assistance.

“At the beginning of the pandemic, we launched CyberVictim.Help because cases were rising and there was a need to provide victims with an immediate response. Our trained Youth IGF Ambassadors made this real-time assistance possible, as they are located in different time zones and different linguistic regions.”

Protecting brands from abuse

When it comes to abuse prevention, businesses can also reduce risk by protecting their intellectual property rights at the European Union Intellectual Property Office (EUIPO).

EURid has collaborated closely with the EUIPO for several years and in 2020 it strengthened its efforts by helping users of the EU IP system to obtain trademark and domain name protection so that their brands are secure.

“We’re well aware of the risks entrepreneurs encounter when they launch and run their businesses,” says Ingrid Elisabeth Buffolo, Director of EUIPO’s Customer Department.

“Here at the EUIPO, we are fully committed to supporting EU business. For example, when a company registers a European trademark, the applicant can immediately access information in order to understand whether an identical or similar .eu domain name is already registered. Offering this information to a European trademark applicant will facilitate the registration of the company´s .eu domain name, avoiding cybersquatting or domain name abuse.”

An AI on the future

EURid is also working on a number of other applications of AI technology. It is developing automatic multilingual web page classification, and has implemented a system that offers new registrants a choice of alternative available domain names if the one they want is already registered.

Cybercriminals may be constantly improving their tactics, but EURid is showing that, through the intelligent use of innovation and strategic alliances, it is possible to stay one step ahead in the game.

*Alastair Gill is a British journalist and editor focusing on geopolitics, culture and technology.