Europe’s top 35 hosting providers collectively host more than three million domains that are either malicious or potentially malicious according to a KYBC.eu analysis of data from DomainTools, the world’s leading brand protection, domain monitoring, domain valuation, and cybercrime investigation company.
This figure represents approximately 15% of all domains hosted by the major EU hosting providers – a staggeringly large threat to legitimate EU consumers and businesses.
Of these three million domains, the large majority – more than 2.7 million – can be described as “malicious” in that they have DomainTools risk scores of 50 or above (out of a possible 100). More than 750,000 additional domains can be classified as “potentially malicious” because they score 40 or above. These risk scores are based on the company’s proprietary threat assessment technology, which examines a wide range of characteristics to identify high-risk domains.
This data comes from a November 2021 KYBC.eu analysis of the company’s database, which is widely regarded as the world’s biggest and most reliable IP/WHOIS/Network dataset.
Case in point – KYBC would be a simple and transparent solution to address this issue in the Netherlands
According to a recent article published by leading Dutch paper NRC, the Netherlands ranks number 2 in the world for hosting child pornography. A study published by TU Delft that was commissioned by Minister Ferd Grapperhaus identifies Dutch hosting provider NFOrce as the most egregious offender. And while Operations Director Dave Bakvis wants to “…hang the makers [of such sites] from the tallest tree…” he also doesn’t want to lose these customers because “…that’s a fifth of our revenue. Then there will be layoffs here…”.
In the article Bakvis outlines in great detail how he works with law enforcement. “We work well with everyone. With the police, the Public Prosecutors’s Office, Interpol, the reporting check point of the Expertise Centre Online Child Abuse (EOKM)…”. According to him a tedious and time-consuming effort. In the article Bakvis outlines that NFOrce’s services are also used for other illegal activities, these include “...the copyright stuff, the scams, the fake websites, terrorism – everything comes through here”.
When asked how well he knows his customers, he responds that “…they must provide a name, address, email and possibly telephone numbers. We try to get more details for dubious customers, but I’m not going to make that [process] a day job”. Well maybe he should! By introducing simple KYBC obligations that verify business user details against existing databases such as the European Business Register (EBR) and the Ultimate beneficial owners register (UBO register), there will be minimal administrative burdens and no onerous process of trying to track down anonymous operators offering illegal products and services.
KYBC obligations would certainly also help with NFOrce’s reputational issue. According to Bakvis, since the publication of the study, “…we ran into problems with the bank that handles our credit card payments, a data center where our servers are located slammed the door…”.
Read the complete interview on NRC here.
DK Hostmaster: how KYBC is already working in Denmark
In Denmark, the case of DK Hostmaster demonstrates that verification of business customers is a simple and effective way to create a safer, transparent and trustworthy internet for all users. Since DK Hostmaster has started implementing the verification of business user details through NemID, illegal activities were reduced from 700 instances in 2016 to just 8 in 2019.
DK Hostmaster is a small organization that is authorized to administer Denmark’s .dk domain names. It found that in 2017, nearly 7% of active .dk websites were illegal sites selling counterfeit products and the operators behind these sites were unidentifiable. This anonymity led to a burdensome, time-consuming and costly process for DK Hostmaster to confiscate the domain names. The Danish organization therefore introduced a mandatory identity verification procedure for business customers applying for .dk domain names based on the Danish verification system NemID. Benefiting from the publicly accessible databases existing at national level in Denmark, the procedure immediately reduced the number of .dk sites operating illegal activities, and false webshop/scams sites have almost disappeared from the .dk zone on the internet.
The DK Hostmaster example demonstrates that verification can be carried out simply, as part of a business sign-up process, by checking publicly accessible databases that already exist at national level – just as would happen in the offline world when a business is seeking to rent physical retail space. Similar databases exist at European level, including the European Business Register (EBR) and the Ultimate beneficial owners register (UBO register). They render KYBC obligations easy to implement, with minimal administrative burdens, as part of a business sign-up process.
For more information, read here.
Online business anonymity is putting EU citizens’ health at risk – the COVID-19 pandemic makes it impossible to tolerate the status quo, it’s costing us lives
It is an undisputed fact that EU citizens are put in harm’s way as the sale of falsified and substandard medicines is rampant and growing on the Internet. This is clearly recognised by the European Commission in its Impact Assessment for the Falsified Medicines Directive, which clearly states that the Internet is a major source of falsified and substandard medicines. According to the WHO, in over 50% of cases, medicines purchased over the Internet from illegal sites that conceal their physical address have been found to be counterfeit. Similarly, a study conducted under a strict protocol by the European Alliance for Access to Safe Medicines, found that 62% of medicines purchased from sites found by way of common search engines were substandard or counterfeit.
Unscrupulous operators prey on citizens’ fears, especially during the COVID-19 pandemic which have created opportunities for cyber criminals to capitalize on increased demand for COVID-19 cures and preventatives. In fact during March 2020, at least 100,000 new domain names were registered containing terms like “covid,” “corona,” and “virus”, plus more domains registered to sell items such as medical masks. Other domains have been registered and used to spam out advertisements for COVID-themed scams.
The catalogue of patient harm and deaths due to falsified and substandard medicines bought online is well documented.
Falsified medicines are not only a threat to patients’ safety, and sometimes life, but also lead to a significant increase of public expenditure on preventable hospitalisation. The Digital Services Act has to upgrade internet accountability across all intermediaries, not just online marketplaces, as the vast majority of rogue pharmacy websites transact their illegal business via their own network of websites not platforms.
To prevent this illegal business and to protect the EU citizen from harm, KYBC obligations should be required by all infrastructure service providers and not be limited to marketplaces.
It is our right to have a safe and secure internet environment that protects EU citizens from dangerous and substandard medicines. The global pandemic makes it ever more urgent to act.
 OECD/EUIPO report Illicit trade – Trade in Pharmaceutical products https://euipo.europa.eu/ohimportal/en/web/observatory/trade-in-counterfeit-pharmaceutical-products
 2.10.2015 SWD(2015) 189 final COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document COMMISSION DELEGATED REGULATION (EU) – supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use. https://ec.europa.eu/smart-regulation/impact/ia_carried_out/docs/ia_2015/swd_2015_0189_en.pdf
 The Counterfeiting Super Highway EAASM report https://eaasm.eu/wp-content/uploads/CtCreport2012.pdf
 Internet Drug Outlet Identification Program, National Association of Boards of Pharmacy, 2016
 The Internet Pharmacy Market in 2016, LegitScript and the Center for Safe Internet Pharmacies, January 2016
 How Covid-19-related crime infected Europe in 2020 11 November 2020 https://www.europol.europa.eu/publications-documents/how-covid-19-related-crime-infected-europe-during-2020
 Don’t Panic: COVID-19 Cyber Threats.” Palo Alto Networks Unit 42 blog, 24 March 2020, at: https://unit42.paloaltonetworks.com/covid19-cyber-threats/
 Examples of patients harmed by medications purchased online https://buysaferx.pharmacy//wp-content/uploads/2020/06/Patient-Harms-Tracker-6-4-2020.pdf
Taking the Profit Out of Intellectual Property Crime
Piracy content distribution models have become more sophisticated and professionalised over time, with piracy operations now perpetrated by a mixture of technically skilled and well-coordinated crime groups or individual offenders. That’s what independent security and defence think tank, the Royal United Services Institute (RUSI), stated in its recent report “Taking the profit out of intellectual property crime”, which looks at how and why transnational organised crime networks perpetrate online audio-visual piracy.
The report emphasises how this type of IP crime, which threatens the creative industries by profiting to the tune of hundreds of millions of pounds every year off the backs of those who create intellectual property, can also cause direct harm to consumers, delivering age inappropriate advertising, malware, fraud, and surreptitious cryptomining.
Currently law enforcement and civil actions seeking to tackle this type of criminal activity are often undermined because these services do not verify their business customers. One of the solutions recommended by the RUSI report is the implementation of “Know Your Business Customer” (KYBC) requirements for online service providers to record and verify customer identity. RUSI also calls for a more coordinated policy approach, bringing together law enforcement, regulators, financial institutions, and the private sector with the aim of contributing to the ‘demonetisation of piracy’.
Despite the report’s focus on the film and TV sector in the UK, almost all the recommendations are applicable internationally.
The complete report is available here.
Openload is a notorious pirate service – listed on the European Commission’s piracy and counterfeiting watch list. An investigation revealed that Openload operated within the European Union using infrastructure and hosting services provided by EU companies.
A court ordered the European hosting company to identify customer details for Openload, but it turned out that the listed customer was a defunct shell entity. The hosting provider admitted the customer data they hold is “purely declarative” and that it had no way of tracing or authenticating the identity of Openload. This is despite the hosting company having received more than €19 Million in fees paid through a PayPal account linked to a Costa Rican advertising agency and various untraceable credit cards.
Learn more on this video
Domains of Danger: How Website Speculators and Registrars Trade Internet Safety for Profit
Following reports of increasing fraud related to the COVID-19 pandemic, the Digital Citizens Alliance conducted a three-month investigation that found that “little to no effort” is made to police domains whose sole purpose would be to scam, endanger those most vulnerable, or entice those seeking dangerous drugs. During this investigation, the DCA found it easy to register domains such as “coronavaccinefree.com” and was even encouraged to bid on domains such as “coronavaccine.com”.
The report outlines how the domain name industry frequently puts profits over consumer safety and describes an industry that bases its dealings on what it can, rather than what it should do to foster a healthy internet. Furthermore, the report shines a light on the lack of due diligence conducted by a number of these companies with respect to their commercial customers – and how that indifference could have real world consequences for consumers.
Read more here.
Moonwalk was considered one of the largest content sources for a significant number of infringing streaming sites. The Moonwalk network particularly focused on serving the majority of the largest Russian piracy sites, attracting millions of end-users. ACE, together with BREIN, conducted an investigation that revealed the technical infrastructure, based in the Netherlands. BREIN and ACE obtained an injunction against the Dutch hosts which resulted in taking down the Moonwalk service. In order to effectively take action against the operators, BREIN also obtained a court order allowing BREIN to seize the necessary information to identify the responsible people behind Moonwalk in the administration of the three Dutch hosting providers. Subsequently, the hosts voluntarily provided identifying information which proved either false or not traceable. For example, the data led to people in Russia and Ukraine who clearly lacked the technical skills for such an operation.
The court case regarding the received information continues in the Netherlands: effective piracy operations are undermined by the fact that some hosting providers currently do not verify their customer data and/or do not require that their (mostly foreign-based) resellers keep verified data. It is important that hosting providers adapt their business practices, general terms and conditions and administration in such a way, to ensure that customer information is verified, authenticated and available at all times.
For more information read here.