Home / Blogs

Which Domains Stand the Strongest Against Phishing Attacks?

Highlights from the latest research published by the Anti-Phishing Working Group (APWG)

Criminals behind phishing attacks are constantly looking for new vulnerabilities.

The latest Anti-Phishing Working Group (APWG) Global Phishing Survey, which analyzed over 100,000 phishing attacks in the first half of 2014, examines the progress that top level domains (TLDs) are making in responding to phishing attacks that use their TLDs.

The report finds the .INFO domain has the lowest average phishing uptimes as compared to other TLDs, such as .COM and .NET.

Key Findings

  1. Apple became the world’s most-phished brand in 2014
  2. The introduction of new top-level domains did not have an immediate major impact on phishing
  3. Chinese phishers were responsible for 85% of the domain names registered for phishing
  4. Malicious domains and subdomain registrations continue at historically high levels, largely driven by Chinese phishers
  5. The average uptimes of phishing attacks remain at historic lows, pointing to some success by anti-phishing responders
  6. The companies and brands targeted for phishing were diverse, with many new targets, suggesting that e-criminals are looking for new opportunities in new places
  7. Mass hackings of vulnerable shared-hosting providers accounted for 20% of all phishing attacks

Quick Phishing Takedowns Matter

The first day of a phishing attack is the most lucrative for the phisher, so quick takedowns are critical. Large, generic top-level domains are usually big targets for phishers, because these TLDs are the most familiar to the average Internet user. Among these domains, .INFO (owned and operated by Afilias), .ORG (owned by PIR and operated with Afilias technology), and .BIZ (operated by Neustar) have formal notification and takedown programs in place, according to the APWG report.

With .INFO and .ORG, Afilias proactively monitors and looks for malicious or compromised domains (see next section for more details), allowing for efficient detection, analysis, and confirmation of phishing. Evidence of the phishing is then immediately reported to registrars to quickly mitigate the abuse.

.INFO has the shortest average phishing uptimes in June 2014:

Source: Anti-Phishing Working Group (APWG) Global Phishing Survey
Trends and Domain Name Use report (PDF)

Rigorous Scrubbing Matters

While the majority of attackers use compromised websites to host their attacks, a quarter of all attacks (25.8%) are carried out via domain names registered by phishers. Rigorously watching domain name portfolios, and scrubbing them quickly to get rid of phishing domains, makes a big difference. For example, Afilias uses proprietary abuse-detection and pattern-recognition systems to monitor registrations, usage, and queries, on a daily basis, along with alarms and alerts. Other registries use different methods to achieve similar end-goals. Strong working relationships with registrars are crucial, since they have the ability to respond quickly to problems.

The APWG reports use two particularly useful metrics:

Phishing Domains per 10,000. This ratio shows how many domain names were used for phishing in a TLD as compared to the total number of registered domain names in that TLD, revealing whether a given TLD has a higher or lower incidence of phishing relative to others.

Malicious Domains per 10,000 Domains. This ratio reveals how many domains in a TLD were “malicious” registrations (domains reported for phishing shortly after being registered) as compared to the total number of registered domains names in that TLD, revealing whether a TLD has a higher or lower incidence of malicious registrations relative to others.

TLDPhishing Domains/10,000Malicious Domains/10,000

Source: Anti-Phishing Working Group (APWG) Global Phishing Survey
Trends and Domain Name Use report (PDF)

New TLDs Not (Yet?) Attractive to Phishers

The introduction of hundreds of new generic TLDs in 2014 did not create a new phishing haven. In fact, most of the new generic TLD domains used for phishing were not themselves malicious domains, but were on compromised web sites. As the APWG report points out, phishers usually don’t register domains that contain brand names, since most brand owners proactively scan internet zone files for their brand names and can quickly identify these phishing sites.

Some of the new “restricted” generic TLDs offer an additional layer of protection against malicious registrations—with their verification requirements. The .ORGANIC domain, for example, is available only to producers of organic products and services, and to others who serve the organic community. Similarly, .NGO and .ONG will be available only to qualified NGO organizations. Few, if any, phishing criminals will pass the verification process, and most won’t even try.


Registries must stay on top of the new tricks and tactics employed by phishers, and constantly improve their security measures to make top-level domains safe.

By Ram Mohan, Chief Operating Officer at Afilias

Mr. Mohan brings over 20 years of technology leadership experience to Afilias and the industry.

Visit Page

Filed Under


But... Jean Guillon  –  Dec 9, 2014 9:30 AM

...isn’t .TRUST new gTLd supposed to change all this?

The .TRUST TLD is also likely to Ram Mohan  –  Dec 9, 2014 12:56 PM

The .TRUST TLD is also likely to be subject to phishing campaigns; they will also need to have a robust response mechanism when this happens.

"Reign supreme" Jean Guillon  –  Dec 9, 2014 1:36 PM
Well, there's marketing and there's what happens Ram Mohan  –  Dec 9, 2014 5:29 PM

Well, there’s marketing and there’s what happens in real life :)

Correctly citing the numbers Greg Aaron  –  Dec 9, 2014 5:30 PM

As a co-author of the APWG report, I must note that .INFO did not have “the lowest average phishing uptimes” as the above article states.  Among the large legacy gTLDs—the TLDs represented on the cited chart—.BIZ had both the lowest average and median uptimes during the study period.  .ORG also had average and median uptimes that were lower than .INFO.  The only time .INFO had the lowest average in its peer group was in the month of June, as the chart illustrates.

The stats for all gTLDs and ccTLDs can be seen in the APWG report’s appendix. 

—Greg Aaron

Greg, thanks for providing clarity on this. Ram Mohan  –  Dec 9, 2014 5:33 PM

Greg, thanks for providing clarity on this. I’ll see how to revise the article to more accurately reflect the results.

Greg, corrected Ram Mohan  –  Dec 9, 2014 7:20 PM

Greg, corrected

Interesting summary Ram, glad you continue to Danny McPherson  –  Dec 9, 2014 11:47 PM

Interesting summary Ram, glad you continue to provide these (albeit a little dated :-). 

FWIW, your heading ‘New TLDs Not (Yet?) Attractive to Phishers’ is dangerously misleading and conveys a false sense of security. Security professionals have already documented the use of new gTLDs such as .SUPPORT to enhance the effectiveness of phishing attacks by giving the appearance of a legitimate “support” site, and the fact that legitimately-issued SSL certificates are uniquely available to registrants in new gTLDs for use in giving phishing attacks cryptographic legitimacy is arguably confusing users. 

For an example see CSO Online’s recent article titled “Recently introduced TLDs create new opportunities for criminals” for an example.

Also, other key observations this APWG report highlighted (but not in your summary) included:

“Second, most of the new gTLDs have been in their early phases of introduction. Those that have been available for purchase by the general public have usually been priced higher than .COM and other popular legacy TLDs. Phishers and spammers have been able to get cheaper domain names in the legacy TLDs.

This situation will certainly change, though. As autumn 2014 begins, the new gTLD market is becoming more crowded and competitive, and some registries have begun to compete aggressively on price. As prices drop and the new gTLDs gain more adoption, we are seeing an increase in phishing on new gTLD domains, due to both malicious registrations and compromised domains on hacked servers. Anecdotal discussions in the security community also indicate that malware authors and other miscreants are experimenting with registering domains in some of the new gTLD domains for various malicious activities.”

I look forward to the APWG’s continued work product in this area, they’re doing good stuff!

Hi Danny, thanks for the excellent comments. Ram Mohan  –  Dec 10, 2014 12:21 AM

Hi Danny, thanks for the excellent comments. Blush re. quoting the report from summer, it’s just how things roll sometimes!

I agree that all new gTLDs are going to be targets. I was summarizing from the APWG report that didn’t find evidence of large scale phishing on new gTLDs, although as you can see from my conclusion as well as comments above, I believe that it’s a matter of when, not if. Anyone who gets a sense of security reading this is going to be in for a surprise, sooner than later.

Yes, the APWG work in this area is useful and illustrative of the need to keep a clear focus on security when working with TLDs.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC


Sponsored byVerisign