Phishing expeditions in the Cocos Islands
Sitting midway between Perth and Sri Lanka, with groves of coconut palms and white sand beaches, the Cocos (Keeling) Islands are every bit as gorgeous as you would expect a pair of Indian Ocean atolls to be. They rise from the ocean just enough to be inhabitable by a hundred or so families.
But in cybersecurity circles, this tiny Australian territory has developed an outsized notoriety.
Ashish Thapar, who heads the Threat Research Advisory Center in the Asia-Pacific and Japan region for telecommunications multinational Verizon, says that after .com domains “the Cocos Islands’ top-level domain is the No. 1 choice for criminals to make use of to defraud their victims”.
Part of the reason for this is that the Cocos Islands’ top-level domain, the identifier that goes at the end of a web address, is easily confused with the common .com. Cocos sites end in .cc. “There is definitely a visual similarity,” Thapar says, “that makes this domain – the .cc domain – a thing of choice for impersonating legitimate domains.”
Some scammers use these .cc addresses to imitate legitimate websites and trick users into entering their details. “In a long URL, three characters replaced by two – .com to .cc – it’s very easy for a victim to lose sight of that.”
A global survey by the Anti-Phishing Working Group found Cocos-registered sites, operating in Australian digital territory, were responsible for 6 per cent of phishing attacks worldwide in 2016. No country was worse.
In 2011 alone, Google reportedly banned 11 million malicious sites registered in the Cocos Islands. This year, the Spamhaus Project gave the Cocos webspace a “badness” score more than 20 times higher than Australia’s.
This is not to say that Cocos-registered sites cannot be legitimate, or that .com and other top-level domains don’t have issues with phishing. But it is clear that Cocos’s registry has a reputation disproportionate to its physical size.
“Because anyone, anywhere could register a .cc worldwide without restrictions, it became huge,” says Pär Brumark, an expert in the rules that govern top-level domains and a member of ICANN, the international body that oversees them.
“But after a couple of years, it came to be known as a mismanaged top-level domain regarding security et cetera, and got a pretty bad reputation.”
And it is not just phishing scams. Cocos URLs have also proved attractive to gambling operators.
In what appear to be repeated and ongoing breaches of Australia’s Interactive Gambling Act, dozens of internet casinos and online bookmakers are operating in the islands’ webspace. When I visited one of them recently, I was offered in-play betting on a range of local soccer matches, including reserves grade games on the Sunshine Coast and under-20 state league competitions.
Live online betting had been available for the AFL, NRL and NRLW grand finals a few weeks earlier, along with thousands of other matches from around the world. Whatever the sport, the odds continually update to reflect the scoreboard and either side’s chances of winning.
This type of betting is explicitly prohibited online in Australia. Yet the site’s secretive and unlicensed owner, which appears to be based in Russia’s Mordovia region, had been approved to operate a Cocos URL.
At another site, roulette, slots and keno are advertised alongside greyhound racing. “Sign up to play for real money,” the site recommends, and a web traffic analysis shows that almost 200,000 visitors may do so each month.
Craps, poker, keno and blackjack are available on other sites, and while some are more professional than others, all would appear to operate outside Australian law – but inside Australian territorial webspace.
“The websites using Cocos Islands domains to host casinos and sports betting are clearly in breach of Australian law,” says Andrew Wilkie, the independent MP from Hobart, who is calling on the Australian Communications and Media Authority (ACMA) to intervene.
“ACMA should shut them down. After all, ACMA is responsible because the Cocos Islands is an Australian territory and the responsibility of the Australian government,” he says. “Indeed it should move quickly to shut down any website providing illegal gambling services to Australian customers.”
ACMA did investigate three similar sites in 2018, including one operating through a Christmas Island web address, which uses the .cx suffix.
Two of the sites were found to be in breach of the Interactive Gambling Act, and were subsequently relocated to other jurisdictions. One also geoblocked Australian customers, at least initially.
It’s believed to be the first time such action was taken by ACMA; but in the period since, registry records show that dozens of similar sites have been approved to have a Cocos web address, or have had their existing registration renewed.
A spokesperson for the authority told The Saturday Paper they hadn’t investigated any Cocos- or Christmas Island-registered sites in the past two years. “In general, the ACMA reviews information received, including complaints about illegal gambling services being provided to Australians. The information is assessed and a decision is made whether to investigate.”
The spokesperson said no complaints have been made since its original investigations.
The sites themselves have little to do with the Cocos Islands. They typically use servers based in North America or Europe, and their owners may not even realise that .cc is an internet country code.
The .cc suffix was marketed as “the next .com” in the 1990s and 2000s, thanks to Brian Cartmell, the American tech entrepreneur who got the keys to the registry and transformed it into one of the world’s largest. The Saturday Paper is not suggesting Cartmell intended the domain to be misused.
Cartmell’s company was then bought out by registry giant Verisign, which, via a local subsidiary, runs the Cocos registry on behalf of the island’s shire.
“Cocos Islands Shire should know full well that they can’t facilitate what amounts to an unlawful activity,” says Charles Livingstone, an associate professor at Monash University who specialises in gambling policy. “Certainly, the domain registry should be aware of its obligations under Australian law.”
In a statement, the shire said its memorandum of understanding with the registry “states very clearly that Verisign needs to operate in strict accordance with all Australian laws. If you have evidence that it is not, you should direct your concerns to the relevant law enforcement agency.”
Verisign, which declined the opportunity for an interview, said in a statement that it simply provides infrastructure that allows websites to operate, and while it does co-operate with law enforcement agencies when required, it “has no control over how domain names are used, or website content”.
Pär Brumark disagrees with this proposition. “They can absolutely shut down domains who break national law or contractual conditions,” he says. “But none of this is probably in the manager’s financial interests. It might even be the case that they know that .cc has a customer profile looking for absence of regulations.”
For almost a decade, Brumark has been leading a delegation on behalf of the Pacific microstate of Niue to try to get its .nu domain back in local hands. He uses the term “digital colonisation” to describe the situation facing Niue, and other microstates across the Pacific.
He is not aware of the commercial arrangements in place between the Cocos Islands Shire and Verisign, but their recent annual reports show no revenue stream to the islands from the sale of internet domains.
When asked how it satisfies ICANN’s principle that registries have “a duty to serve the local internet community”, Verisign said contractual matters should be directed to the shire.
A spokesperson for the shire said the registry’s owners have always provided generous support to the islands to help with its internet and telecommunications needs – and that would continue into the future. He also pointed out the difficulty and expense of getting the islands connected to the internet and said this arrangement had worked well for 24 years.
It is unclear if that support is proportional compensation for the millions in revenue the .cc registry would generate, or if that is a concern to islanders. In comparison, Verisign pays the government of Tuvalu $US5 million a year for the rights to its popular .tv registry.
For his part, Andrew Wilkie says ACMA needs to do more. “It is patently ridiculous that the regulator is not responding proactively to these dodgy online gambling sites.”
Wilkie says there’s “a pattern of behaviour” among Australian regulatory agencies “failing to reliably achieve their mission”.
He points to ACMA as well as the Australian Securities and Investments Commission. “ACMA needs to get cracking and shut down these illegal gambling sites and if there’s any regulatory impediment to that then it needs to tell its minister so the relevant legislation can be improved.”
This piece was supported by funds from the Google News Initiative.
This article was first published in the print edition of The Saturday Paper on Nov 21, 2020 as "Teach a man to phish".