Domain Abuse

Domain abuse (also called DNS abuse) refers to the malicious use of domain names to conduct phishing, distribute malware, impersonate brands, or perpetrate fraud. ICANN defines five categories of DNS abuse: phishing, malware, botnets, pharming, and spam used to deliver other forms of DNS abuse.

Types of Domain Abuse

ICANN's DNS Abuse Categories

ICANN formally recognizes five categories of DNS abuse in its contractual agreements with registrars and registries:

  1. Phishing — Using a domain to host a website that impersonates a legitimate entity to steal credentials or personal data
  2. Malware — Using a domain to distribute malicious software or serve as a command-and-control server
  3. Botnets — Using a domain as part of a network of compromised computers controlled remotely
  4. Pharming — Redirecting users from a legitimate website to a fraudulent one by manipulating DNS resolution
  5. Spam — Using a domain to send unsolicited messages that deliver or facilitate other forms of DNS abuse

Brand-Specific Domain Abuse

Beyond ICANN's formal categories, brand owners face additional forms of domain abuse:

Typosquatting — Registering common misspellings of a brand's domain (e.g., goggle.com, amazom.com). Exploits inevitable user typing errors to redirect traffic to malicious sites.

Combosquatting — Adding words to a brand name to create plausible-looking domains (e.g., brand-login.com, brand-support.com, brand-clearance-sale.com). Research has shown combosquatting to be more prevalent than typosquatting.

Homograph attacks — Using Unicode characters that visually resemble Latin letters to create domains that appear identical to legitimate ones. For example, using Cyrillic 'а' (U+0430) instead of Latin 'a' (U+0061).

TLD squatting — Registering a brand's name under different top-level domains (e.g., brand.shop, brand.online, brand.xyz). With over 1,200 gTLDs available as of 2025, this attack surface has expanded significantly.

Subdomain abuse — Using a brand name as a subdomain of a domain the attacker controls (e.g., brand.attacker-site.com). This doesn't create a new domain registration and is therefore invisible to zone file monitoring.

Expired domain hijacking — Acquiring legitimately branded domains that have lapsed (e.g., a brand's old campaign domain) and repurposing them for malicious use. These domains may retain search engine authority and backlinks.
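As an added example written for this glossary entry (not code from the page's author), the following Python script classifies a candidate domain against a protected brand into the categories listed above: homograph, TLD squatting, subdomain abuse, combosquatting and typosquatting. It decodes punycode (xn--) labels so that IDN look-alikes can be inspected, maps a small table of confusable characters back to Latin, and falls back to an edit-distance check for single-keystroke typos. The brand names, sample domains and the confusable table are constructed for illustration; a production monitor would use the full Unicode confusables data.

```python
"""Classify a candidate domain against a protected brand name.

Added example for this glossary entry, not code from the page's author.
Standard library only. The confusable table, brand names and sample
domains are constructed for illustration.
"""
import unicodedata

# Constructed subset of non-Latin characters that look like Latin letters.
# Real homograph checks use the full Unicode confusables.txt data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN domains can be inspected."""
    domain = domain.strip().rstrip(".").lower()
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def normalize(label):
    """Map confusables to Latin and strip accents (e.g. 'é' -> 'e')."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts_in(label):
    """Unicode scripts (first word of the character name) used by the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def edit_distance(a, b):
    """Levenshtein distance, used to spot single-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand, brand_tld="com"):
    """Return the brand-abuse category a candidate domain falls into.

    One of 'brand' (the brand's own domain), 'homograph', 'tld_squatting',
    'subdomain_abuse', 'combosquatting', 'typosquatting', or None when the
    name does not resemble the brand.
    """
    brand = brand.lower()
    labels = to_unicode(candidate).split(".")
    if len(labels) < 2:
        return None
    tld, sld, subdomains = labels[-1], labels[-2], labels[:-2]
    norm_sld = normalize(sld)

    # Brand used as a label to the left of someone else's registrable domain.
    if any(normalize(s) == brand for s in subdomains) and norm_sld != brand:
        return "subdomain_abuse"
    # Registrable label equals the brand only after mapping look-alike
    # characters, or mixes scripts (e.g. Latin + Cyrillic) in one label.
    if (norm_sld == brand and sld != brand) or len(scripts_in(sld)) > 1:
        return "homograph"
    if norm_sld == brand:
        return "brand" if tld == brand_tld else "tld_squatting"
    if brand in norm_sld:
        return "combosquatting"
    # Allow one typo for short brands, two for long ones.
    if edit_distance(norm_sld, brand) <= (1 if len(brand) < 8 else 2):
        return "typosquatting"
    return None


if __name__ == "__main__":
    # Constructed candidates; 'goggle' and 'amazom' are the page's own examples.
    for name in ["goggle.com", "google-login.com", "google.shop",
                 "google.attacker-site.com", "g\u043eogle.com", "www.google.com"]:
        print(f"{name!r:32} -> {classify(name, 'google')}")
```

The order of the checks matters: the homograph test runs before the exact-match test so that a label that only equals the brand after confusable mapping is never reported as the brand's own domain, and the combosquatting test runs before the edit-distance test so that brand-plus-word names are not mistaken for typos.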

The Domain Abuse Lifecycle

Domain abuse typically follows a pattern:

1. Registration

The attacker registers a domain that contains, resembles, or is associated with the target brand. Bulk registration tools allow hundreds of domains to be registered in minutes. Privacy/proxy services or false WHOIS data obscure the registrant's identity.

2. Infrastructure Setup

DNS records are configured: A records point to hosting, MX records enable email (for phishing), and TLS (SSL) certificates are obtained (Let's Encrypt issues free, automated, domain-validated certificates with no identity verification). This stage can be completed in under an hour.

3. Content Deployment

The malicious content goes live — a phishing page, fake shop, scam site, or malware distribution point. Content is often cloned from the legitimate brand's website.

4. Attack Execution

The domain is used for its intended malicious purpose — sending phishing emails, running ads, appearing in search results, or being shared on social media.

5. Rotation

When the domain is detected and reported, the attacker abandons it and activates another from a pre-registered pool. Sophisticated operations maintain hundreds of domains at various stages of this lifecycle.

ICANN's Role in Combating Domain Abuse

Contractual Requirements (Updated April 2024)

Since April 5, 2024, ICANN's updated Registrar Accreditation Agreement (RAA) and Base Registry Agreement contain strengthened requirements for DNS abuse mitigation:

  • Registrars must investigate and respond to well-evidenced abuse reports
  • Registrars must maintain records of abuse reports and provide them to ICANN
  • Registry operators must take mitigation actions against well-evidenced DNS abuse
  • Both must publish abuse contact information and procedures

In April and May 2024 alone, ICANN received 1,558 complaints related to DNS abuse under the new framework.

ICANN Programs and Tools

  • Domain Abuse Activity Reporting (DAAR) — ICANN's system for studying and reporting on domain name abuse across top-level domains
  • Domain Metrica — Launched February 2025, provides improved domain data capture, measurement, and analysis
  • Centralized Zone Data Service (CZDS) — Provides access to gTLD zone files for authorized parties to monitor domain registrations
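CZDS zone files are the raw material for registration monitoring. As an added example (not ICANN's or the page's own code), the following Python script parses two daily snapshots of a gTLD zone in RFC 1035 master-file format, reports the names delegated since the previous snapshot, and flags those whose registrable label contains a protected brand. The zone excerpts and the brand name are constructed; real CZDS zone files are fetched through the CZDS API and contain millions of records. Note that this catches new registrations only: subdomain abuse, as described earlier on the page, never appears in a zone file.

```python
"""Detect newly delegated brand-bearing names between two zone snapshots.

Added example for this glossary entry, not ICANN's or the page's code.
The zone excerpts and the brand name are constructed; real CZDS zone
files are fetched through the CZDS API and are far larger.
"""
import re

# RFC 1035 master-file NS record: owner [TTL] [class] NS rdata
NS_RECORD = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:in\s+)?ns\s+\S+", re.IGNORECASE)

# Constructed snapshot of a small gTLD zone ("yesterday").
ZONE_DAY1 = """\
$ORIGIN shop.
$TTL 3600
shop.            3600 in ns a.nic.shop.
; constructed sample records
example.shop.    3600 in ns ns1.hoster.example.
example.shop.    3600 in ns ns2.hoster.example.
flowers.shop.    3600 in ns ns1.hoster.example.
"""

# Constructed snapshot of the same zone one day later: four new delegations.
ZONE_DAY2 = ZONE_DAY1 + """\
acmebrand.shop.        3600 in ns ns1.bulk-hoster.example.
acmebrand-outlet.shop. 3600 in ns ns1.bulk-hoster.example.
acme-brand.shop.       3600 in ns ns1.bulk-hoster.example.
unrelated.shop.        3600 in ns ns1.hoster.example.
"""


def parse_zone(text):
    """Set of delegated domain names: owners of NS records below the TLD apex."""
    names = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line or line.startswith("$"):  # skip $ORIGIN / $TTL directives
            continue
        m = NS_RECORD.match(line)
        if not m:                             # A, DS and other record types
            continue
        owner = m.group("owner").rstrip(".").lower()
        if owner.count(".") >= 1:             # skip the TLD apex itself
            names.add(owner)
    return names


def new_registrations(old_zone, new_zone):
    """Names present in the newer snapshot but absent from the older one."""
    return parse_zone(new_zone) - parse_zone(old_zone)


def brand_matches(domains, brand):
    """Names whose registrable label contains the brand (hyphens ignored)."""
    brand = brand.lower().replace("-", "")
    hits = []
    for name in sorted(domains):
        sld = name.split(".")[-2].replace("-", "")
        if brand in sld:
            hits.append(name)
    return hits


if __name__ == "__main__":
    fresh = new_registrations(ZONE_DAY1, ZONE_DAY2)
    for hit in brand_matches(fresh, "acmebrand"):
        print("new registration to review:", hit)
```

Only NS records are counted because a name is delegated (and therefore registered and resolvable) exactly when the registry publishes NS records for it; glue A records and DS records would otherwise inflate the set with host names that are not registrations of their own.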

New gTLD Round

ICANN's next round of new gTLD applications is expected in 2026, which will further expand the domain name landscape. Each new TLD creates additional monitoring requirements for brand owners.

Enforcement Against Domain Abuse

Registrar Abuse Complaints

The most direct route for domain-level takedowns. File an abuse complaint with the domain's registrar, providing:

  • Evidence of the abusive use (screenshots, URLs, technical data)
  • Identification of the relevant DNS abuse category
  • Reference to the registrar's obligations under RAA Section 3.18

UDRP and URS

For trademark-based domain disputes:

  • UDRP — Covers all gTLD domains, results in transfer or cancellation (~60 days, $1,500+)
  • URS — Faster suspension mechanism for new gTLDs (~30 days, $375)

Law Enforcement

For domains involved in criminal activity (fraud, identity theft, counterfeiting):

  • Reports to national cybercrime units
  • Reports to the FBI's Internet Crime Complaint Center (IC3)
  • Reports to Europol's European Cybercrime Centre (EC3)

Multi-Vector Enforcement

The most effective approach targets domain abuse from multiple angles simultaneously:

  1. Registrar — Request domain suspension
  2. Hosting provider — Request content removal
  3. SSL certificate authority — Report certificate misuse
  4. Search engines — Request delisting
  5. Email providers — Report phishing source domains
  6. Payment processors — Report fraudulent merchant accounts (for fake shops)

This multi-vector approach minimizes the time a malicious domain can operate and makes it more costly for attackers to rotate to new domains.

Your brand is likely already being impersonated somewhere online.

In the demo we show you:

  • How many active threats target your brand right now
  • How quickly Astra detects them
  • How fast they can be removed with instant approval