
☐ ☆ ✇ Troy Hunt

To Infinity and Beyond, with Cloudflare Cache Reserve

By Troy Hunt — March 10th 2023 at 06:35
To Infinity and Beyond, with Cloudflare Cache Reserve

What if I told you... that you could run a website from behind Cloudflare and only have 385 daily requests miss their cache and go through to the origin service?

To Infinity and Beyond, with Cloudflare Cache Reserve

No biggy, unless... that was out of a total of more than 166M requests in the same period:

To Infinity and Beyond, with Cloudflare Cache Reserve

Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. Actually, it was 99.9998% but we're at the point now where that's just splitting hairs, let's talk about how we've managed to only have two requests in a million hit the origin, beginning with a bit of history:

Optimising Caching on Pwned Passwords (with Workers)- @troyhunt -

— Cloudflare (@Cloudflare) August 9, 2018

Ah, memories 😊 Back then, Pwned Passwords was serving way fewer requests in a month than what we do in a day now and the cache hit ratio was somewhere around 92%. Put another way, instead of 2 in every million requests hitting the origin it was 85k. And we were happy with that! As the years progressed, the traffic grew and the caching model was optimised so our stats improved:

There it is - Pwned Passwords is now doing north of 2 *billion* requests a month, peaking at 91.59M in a day with a cache-hit ratio of 99.52%. All free, open source and out there for the community to do good with 😊

— Troy Hunt (@troyhunt) May 24, 2022

And that's pretty much where we levelled out, at about the 99-and-a-bit percent mark. We were really happy with that as it was now only 5k requests per million hitting the origin. There was bound to be a number somewhere around that mark due to the transient nature of cache and eviction criteria inevitably meaning a Cloudflare edge node somewhere would need to reach back to the origin website and pull a new copy of the data. But what if Cloudflare never had to do that unless explicitly instructed to do so? I mean, what if it just stayed in their cache unless we actually changed the source file and told them to update their version? Welcome to Cloudflare Cache Reserve:

To Infinity and Beyond, with Cloudflare Cache Reserve

Ok, so I may have annotated the important bit but that's what it feels like - magic - because you just turn it on and... that's it. You still serve your content the same way, you still need the appropriate cache headers and you still have the same tiered caching as before, but now there's a "cache reserve" sitting between that and your origin. It's backed by R2 which is their persistent data store and you can keep your cached things there for as long as you want. However, per the earlier link, it's not free:

To Infinity and Beyond, with Cloudflare Cache Reserve

You pay based on how much you store for how long, how much you write and how much you read. Let's put that in real terms and just as a brief refresher (longer version here), remember that Pwned Passwords is essentially just 16^5 (just over 1 million) text files of about 30kb each for the SHA-1 hashes and a similar number for the NTLM ones (albeit slight smaller file sizes). Here are the Cache Reserve usage stats for the last 9 days:

To Infinity and Beyond, with Cloudflare Cache Reserve

We can now do some pretty simple maths with that and working on the assumption of 9 days, here's what we get:

To Infinity and Beyond, with Cloudflare Cache Reserve

2 bucks a day 😲 But this has taken nearly 16M requests off my origin service over this period of time so I haven't paid for the Azure Function execution (which is cheap) nor the egress bandwidth (which is not cheap). But why are there only 16M read operations over 9 days when earlier we saw 167M requests to the API in a single day? Because if you scroll back up to the "insert magic here" diagram, Cache Reserve is only a fallback position and most requests (i.e. 99.52% of them) are still served from the edge caches.

Note also that there are nearly 1M write operations and there are 2 reasons for this:

  1. Cache Reserve is being seeded with source data as requests come in and miss the edge cache. This means that our cache hit ratio is going to get much, much better yet as not even half all the potentially cacheable API queries are in Cache Reserve. It also means that the 48c per day cost is going to come way down 🙂
  2. Every time the FBI feeds new passwords into the service, the impacted file is purged from cache. This means that there will always be write operations and, of course, read operations as the data flows to the edge cache and makes corresponding hits to the origin service. The prevalence of all this depends on how much data the feds feed in, but it'll never get to zero whilst they're seeding new passwords.

An untold number of businesses rely on Pwned Passwords as an integral part of their registration, login and password reset flows. Seriously, the number is "untold" because we have no idea who's actually using it, we just know the service got hit three and a quarter billion times in the last 30 days:

To Infinity and Beyond, with Cloudflare Cache Reserve

Giving consumers of the service confidence that not only is it highly resilient, but also massively fast is essential to adoption. In turn, more adoption helps drive better password practices, less account takeovers and more smiles all round 😊

As those remaining hash prefixes populate Cache Reserve, keep an eye on the "cf-cache-status" response header. If you ever see a value of "MISS" then congratulations, you're literally one in a million!

Full disclosure: Cloudflare provides services to HIBP for free and they helped in getting Cache Reserve up and running. However, they had no idea I was writing this blog post and reading it live in its entirety is the first anyone there has seen it. Surprise! 👋

☐ ☆ ✇ The Register - Security

Acronis downplays intrusion after 12GB trove leaks online

March 10th 2023 at 03:45

Cyber-thief said goal was to 'humiliate' data-protection biz

The CISO of Acronis has downplayed what appeared to be an intrusion into its systems, insisting only one customer was affected, using stolen credentials, and that all other data remains safe.…

☐ ☆ ✇ The Register - Security

Catholic clergy surveillance org 'outs gay priests'

March 10th 2023 at 02:30

Religious non-profit allegedly hoovered up location data from dating apps to ID clerics

A Catholic clergy conformance organization has reportedly been buying up tracking data from mobile apps to identify gay priests, and providing that information to bishops around America.…

☐ ☆ ✇ The Register - Security

FBI and international cops catch a NetWire RAT

March 10th 2023 at 01:33

Malware-seekers were diverted to the Feds, severing a Croatian connection

International law enforcement agencies have claimed another victory over cyber criminals, after seizing the website, and taking down the infrastructure operated by crims linked to the NetWire remote access trojan (RAT).…

☐ ☆ ✇ WIRED

‘Pig Butchering’ Scams Are Now a $3 Billion Threat

By Lily Hay Newman — March 10th 2023 at 01:32
The FBI’s latest Internet Crime Report highlights the stunning rise of investment-themed crimes over the past 18 months.
☐ ☆ ✇ The Register - Security

AT&T blames marketing bods for exposing 9M accounts

March 9th 2023 at 22:30

Says it was old and boring data, so that's OK, then ...

AT&T has confirmed that miscreants had access to nine million of its wireless customers' account details after a vendor's network was broken into in January.…

☐ ☆ ✇ WIRED

Congressman Darin LaHood Says FBI Targeted Him With Unlawful 'Backdoor' Searches

By Dell Cameron — March 9th 2023 at 21:59
Representative Darin LaHood's claim that he was the subject of “backdoor” searches comes at a dicey moment for the bureau.
☐ ☆ ✇ The Register - Security

US House reps, staff health data swiped in cyber-heist

March 9th 2023 at 21:27

Data for sale via dark web, Senate in line of fire, too

Health data and other personal information of members of Congress and staff were stolen during a breach of servers run by DC Health Care Link and are now up for sale on the dark web.…

☐ ☆ ✇ Verisign Blog

Verisign Domain Name Industry Brief: 350.4 Million Domain Name Registrations in the Fourth Quarter of 2022

By Verisign — March 9th 2023 at 20:57

Today, we released the latest issue of The Domain Name Industry Brief, which shows that the fourth quarter of 2022 closed with 350.4 million domain name registrations across all top-level domains (TLDs), an increase of 0.5 million domain name registrations, or 0.1%, compared to the third quarter of 2022.1,2 Domain name registrations have increased by 8.7 million, or 2.6%, year over year.1,2

Check out the latest issue of The Domain Name Industry Brief to see domain name stats from the fourth quarter of 2022, including:
Top 10 Largest TLDs by Number of Reported Domain Names
Top 10 Largest ccTLDs by Number of Reported Domain Names
ngTLDs as Percentage of Total TLDs
Geographical ngTLDs as Percentage of Total Corresponding Geographical TLDs

To see past issues of The Domain Name Industry Brief, please visit

  1. All figure(s) exclude domain names in the .tk, .cf, .ga, .gq, and .ml ccTLDs. Quarterly and year-over-year trends have been calculated relative to historical figures that have also been adjusted to exclude these five ccTLDs. For further information, please see the Editor’s Note contained in Vol. 19, Issue 1 of The Domain Name Industry Brief.
  2. The generic TLD, ngTLD and ccTLD data cited in the brief: (i) includes ccTLD internationalized domain names, (ii) is an estimate as of the time this brief was developed, and (iii) is subject to change as more complete data is received. Some numbers in the brief may reflect standard rounding.

The post Verisign Domain Name Industry Brief: 350.4 Million Domain Name Registrations in the Fourth Quarter of 2022 appeared first on Verisign Blog.

☐ ☆ ✇ Naked Security

S3 Ep125: When security hardware has security holes [Audio + Text]

By Paul Ducklin — March 9th 2023 at 18:58
Lastest episode - listen now! (Full transcript inside.)

☐ ☆ ✇ Krebs on Security

Who’s Behind the NetWire Remote Access Trojan?

By BrianKrebs — March 9th 2023 at 18:52

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.

Typically installed by booby-trapped Microsoft Office documents and distributed via email, NetWire is a multi-platform threat that is capable of targeting not only Microsoft Windows machines but also Android, Linux and Mac systems.

NetWire’s reliability and relatively low cost ($80-$140 depending on features) has made it an extremely popular RAT on the cybercrime forums for years, and NetWire infections consistently rank among the top 10 most active RATs in use.

NetWire has been sold openly on the same website since 2012: worldwiredlabs[.]com. That website now features a seizure notice from the U.S. Department of Justice (DOJ), which says the domain was taken as part of “a coordinated law enforcement action taken against the NetWire Remote Access Trojan.”

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the DOJ today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

Neither the DOJ’s statement nor a press release on the operation published by Croatian authorities mentioned the name of the accused. But it’s fairly remarkable that it has taken so long for authorities in the United States and elsewhere to move against NetWire and its alleged proprietor, given that the RAT’s author apparently did very little to hide his real-life identity.

The WorldWiredLabs website first came online in February 2012 using a dedicated host with no other domains. The site’s true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in historical Domain Name System (DNS) records for WorldWiredLabs that point in the same direction.

In October 2012, the WorldWiredLabs domain moved to another dedicated server at the Internet address, which was home to just one other domain: printschoolmedia[.]org, also registered in 2012.

According to, printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address DomainTools further shows this email address was used to register one other domain in 2012: wwlabshosting[.]com, also registered to Mario Zanko from Croatia.

A review of DNS records for both printschoolmedia[.]org and wwlabshosting[.]com shows that while these domains were online they both used the DNS name server ns1.worldwiredlabs[.]com. No other domains have been recorded using that same name server.

The WorldWiredLabs website, in 2013. Source:

DNS records for worldwiredlabs[.]com also show the site forwarded incoming email to the address Constella Intelligence, a service that indexes information exposed by public database leaks, shows this email address was used to register an account at the clothing retailer, using the password “123456xx.”

Running a reverse search on this password in Constella Intelligence shows there are more than 450 email addresses known to have used this credential, and two of those are and

A search on in Skype returns three results, including the account name “Netwire” and the username “Dugidox,” and another for a Mario Zanko (username zanko.mario).

Dugidox corresponds to the hacker handle most frequently associated with NetWire sales and support discussion threads on multiple cybercrime forums over the years.

Constella ties to a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, and to IP addresses in Croatia for both. Constella also shows the email address used the password “dugidox2407.”

In 2010, someone using the email address registered the domain dugidox[.]com. The WHOIS registration records for that domain list a “Senela Eanko” as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanco’s name.

Prior to the demise of Google+, the email address mapped to an account with the nickname “Netwire wwl.” The dugidox email also was tied to a Facebook account (mario.zanko3), which featured check-ins and photos from various places in Croatia.

That Facebook profile is no longer active, but back in January 2017, the administrator of WorldWiredLabs posted that he was considering adding certain Android mobile functionality to his service. Three days after that, the Mario.Zank3 profile posted a photo saying he was selected for an Android instruction course — with his dugidox email in the photo, naturally.

Incorporation records from the U.K.’s Companies House show that in 2017 Mr. Zanko became an officer in a company called Godbex Solutions LTD. A Youtube video invoking this corporate name describes Godbex as a “next generation platform” for exchanging gold and cryptocurrencies.

The U.K. Companies House records show Godbex was dissolved in 2020. It also says Mr. Zanko was born in July 1983, and lists his occupation as “electrical engineer.”

Mr. Zanko did not respond to multiple requests for comment.

A statement from the Croatian police about the NetWire takedown is here.

☐ ☆ ✇ The Register - Security

Refreshed from its holiday, Emotet has gone phishing

March 9th 2023 at 18:27

Notorious botnet starts spamming again after a three-month pause

Emotet is back. After another months-long lull since a spate of attacks in November 2022, the notorious malware operation that has already survived a law enforcement takedown and various periods of inactivity began sending out malicious emails on Tuesday morning.…

☐ ☆ ✇ The Hacker News

Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

By Ravie Lakshmanan — March 9th 2023 at 14:54
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. This includes the Sliver post-exploitation framework, XMRig cryptocurrency
☐ ☆ ✇ The Hacker News

IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

By Ravie Lakshmanan — March 9th 2023 at 14:01
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to
☐ ☆ ✇ The Hacker News

Does Your Help Desk Know Who's Calling?

By The Hacker News — March 9th 2023 at 12:25
Phishing, the theft of users' credentials or sensitive data using social engineering, has been a significant threat since the early days of the internet – and continues to plague organizations today, accounting for more than 30% of all known breaches. And with the mass migration to remote working during the pandemic, hackers have ramped up their efforts to steal login credentials as they take
☐ ☆ ✇ The Hacker News

Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

By Ravie Lakshmanan — March 9th 2023 at 12:20
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The cybersecurity
☐ ☆ ✇ The Hacker News

New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic

By Ravie Lakshmanan — March 9th 2023 at 08:10
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. Crypters are a type of software that can encrypt,
☐ ☆ ✇ The Hacker News

New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access

By Ravie Lakshmanan — March 9th 2023 at 05:23
Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in
☐ ☆ ✇ The Register - Security

Suspected Chinese cyber spies target unpatched SonicWall devices

March 9th 2023 at 02:26

They've been lurking in networks since at least 2021

Suspected Chinese cyber criminals have zeroed in on unpatched SonicWall gateways and are infecting the devices with credential-stealing malware that persists through firmware upgrades, according to Mandiant.…

☐ ☆ ✇ The Register - Security

Dems, Repubs eye up ban on chat apps they don't like

March 9th 2023 at 01:28

Clock is ticking for TikTok and other foreign natter-ware

On Tuesday a bipartisan group of a dozen US senators introduced a bill to authorize the Commerce Department to ban information and communications technology products and services deemed threats to national security.…

☐ ☆ ✇ WIRED

The FBI Just Admitted It Bought US Location Data

By Dell Cameron — March 8th 2023 at 19:45
Rather than obtaining a warrant, the bureau purchased sensitive data—a controversial practice that privacy advocates say is deeply problematic.
☐ ☆ ✇ The Hacker News

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

By Ravie Lakshmanan — March 8th 2023 at 16:30
A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are
☐ ☆ ✇ WIRED

The US Air Force Is Moving Fast on AI-Piloted Fighter Jets

By Tom Ward — March 8th 2023 at 15:52
After successful autonomous flight tests in December, the military is ramping up its plans to bring artificial intelligence to the skies.
☐ ☆ ✇ The Hacker News

Syxsense Platform: Unified Security and Endpoint Management

By The Hacker News — March 8th 2023 at 12:26
As threats grow and attack surfaces get more complex, companies continue to struggle with the multitude of tools they utilize to handle endpoint security and management. This can leave gaps in an enterprise's ability to identify devices that are accessing the network and in ensuring that those devices are compliant with security policies. These gaps are often seen in outdated spreadsheets that
☐ ☆ ✇ The Hacker News

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity

By Ravie Lakshmanan — March 8th 2023 at 10:34
The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the
☐ ☆ ✇ WeLiveSecurity

‘A woman from Mars’: Life in the pursuit of space exploration

By Alžbeta Kovaľová — March 8th 2023 at 10:30

An astrobiologist, analog astronaut, author and speaker, Dr. Michaela Musilova shares her experience as a woman at the forefront of space exploration and from her quest for scientific and personal excellence

The post ‘A woman from Mars’: Life in the pursuit of space exploration appeared first on WeLiveSecurity

☐ ☆ ✇ The Register - Security

Securing ways to share workplace passwords

March 8th 2023 at 09:30

Keeper protects your team’s credentials without slowing down business

Sponsored Feature When the first computer system passwords were set in 1961, few people needed to carry personal credentials to get through daily life. Nowadays, login credentials are ubiquitous across nearly every application, software and web service.…

☐ ☆ ✇ The Hacker News

Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

By Ravie Lakshmanan — March 8th 2023 at 07:57
High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group's attack chains observed in 2021. Israeli cybersecurity company Check Point said the "
☐ ☆ ✇ The Hacker News

CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

By Ravie Lakshmanan — March 8th 2023 at 06:30
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability CVE-
☐ ☆ ✇ The Register - Security

Boeing signs off design of anti-jamming tech that keeps satellites online

March 8th 2023 at 06:27

China and Russia won't be jammin' US sats no more

Boeing said on Tuesday its anti-jam ground-based satellite communications system had passed the necessary tests to validate its design for use in the U.S. Space Force’s Pathfinder program.…

☐ ☆ ✇ The Register - Security

Aussie tech worker payroll scheme operators found guilty of tax fraud

March 8th 2023 at 04:04

Contractors left hanging while principals splurged on luxury goods

Three of the principals of an Australian scheme that offered free payroll services to tech contractors have been found guilty of conspiring to defraud the Commonwealth and conspiring to deal with the proceeds of crime.…

☐ ☆ ✇ The Register - Security

Acer confirms server intrusion after miscreant offers 160GB cache of stolen files

March 8th 2023 at 01:12

Customer info safe, or so we're told

Acer has confirmed someone broke into one of its servers after a miscreant put up for sale a 160GB database of what's claimed to be the Taiwanese PC maker's confidential information.…

☐ ☆ ✇ The Register - Security

Alert: Crims hijack these DrayTek routers to attack biz

March 8th 2023 at 00:01

Workaround: Throw away kit? Hope there's a patch?

If you're still using post-support DrayTek Vigor routers it may be time to junk them, see if they can be patched, or come up with some other workaround, as a malware variant is setting up shop in the kit.…

☐ ☆ ✇ Krebs on Security

Sued by Meta, Freenom Halts Domain Registrations

By BrianKrebs — March 7th 2023 at 23:19

The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.

Freenom’s website features a message saying it is not currently allowing new registrations.

Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.

Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.

On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does” — Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.

The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.

“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”

Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.

Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:

“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”

Image: Interisle Consulting Group, Phishing Landscape 2021, Sept. 2021.

Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit are incorporated in the United States.

Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.

According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”

“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.

It remains unclear why Freenom has stopped allowing domain registration. In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”

A spokesperson for ICANN said the organization has no insight as to why Freenom might have stopped registering domain names. But it said Freenom (d/b/a OpenTLD B.V.) also received formal enforcement notices from ICANN in 2017 and 2020 for violating different obligations.

A copy of the amended complaint against Freenom, et. al, is available here (PDF).

March 8, 6:11 p.m. ET: Updated story with response from ICANN. Corrected attribution of the domain abuse report.

☐ ☆ ✇ Naked Security

Serious Security: TPM 2.0 vulns – is your super-secure data at risk?

By Paul Ducklin — March 7th 2023 at 19:59
Security bugs in the very code you've been told you must have to improve the security of your computer...
