
ICANN cuts ties with Estonia domain registrar

The Internet Corp. for Assigned Names and Numbers (ICANN) has revoked an Estonia-based domain registrar's right to issue any new addresses.

In February, Vladimir Tsastsin, president of EstDomains, was convicted of credit card fraud, money laundering and document forgery, according to a letter (PDF) sent by ICANN to Tsastsin.

Under ICANN rules, the organization can end its accreditation agreement with any registrar whose "officer or convicted of a felony or of a misdemeanor related to financial activities...," the letter said.

ICANN said EstDomains, whose website lists a company address in Delaware, managed about 281,000 domains. However, many of those were controlled by cybercriminals to host malware such as rogue anti-virus software, drive-by downloads, rogue codecs and botnet command-and-control centers, Mikko Hypponen, chief research officer of anti-virus firm F-Secure, said Thursday.

"If you want to host bad stuff, you need to have a domain to host it under," Hypponen told "You need a registrar willing to ignore the complaints [from users]."

Tsastsin's conviction came to light in a Sept. 8 blog post by Washington Post writer Brian Krebs in his Security Fix column.

ICANN said it will work to avoid any issues that may result during the domain transfer process.

"It was the favorite registrar for the [cybercriminal] underground," Hypponen said. "Now, they'll have to find another one."

It is unlikely one entity will take over all the domain names, Hypponen said. Instead, they likely will be scattered across a number of registrars.

The challenge for legitimate registrars will be determining the "needles from the haystacks," he said, using the analogy to describe the malicious sites that EstDomains had certified.

Requests for comment to EstDomains were unsuccessful. An EstDomains answering machine did not allow messages to be left, and emails sent to two addresses on its website bounced back.
