The new Anti-Phishing Working Group (APWG) Global Phishing Survey has just been released. Written by myself and Rod Rasmussen of IID, the report is the “who, what, where, when, and why” look at phishing, examining the second half of 2014. The report has many findings, but here I’ll concentrate on the new gTLDs.

The second half of 2014 was when an appreciable number of new gTLDs entered general availability and started to gain market share. Phishing in the new gTLDs started slowly and is rising. We expect to see phishing levels in them rise further, and predict that a small number of these new TLDs will attract significant numbers of malicious registrations.

Phishing can be on domain names registered by phishers, and can be on compromised (hacked) domains, where the phishers broke into the web servers. As of December 2014, the new gTLDs had less phishing relative to the legacy gTLDs and ccTLDs. But this was to be expected, since the new gTLDs are very young and didn’t have a lot of web sites that can be compromised by phishers. As they mature and garner more adoption, more new gTLDs will inevitably see more of their domains compromised for phishing, and phishing levels in the new gTLDs as a group may approach levels see in ccTLDs and the legacy gTLDs.

From 1 July to 31 December 2014:

• About 295 new gTLDs opened for registration by the public. Phishing occurred in 56 of those new gTLDs.
• A total of 454 new gTLD domain names were used for phishing.
• Almost two-thirds of the phishing in the new gTLDs—288 domains—was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in a new gTLD, and we are seeing more examples in 2015.

The expansion of the TLD space is creating new locations where phishing occurs in the DNS. Cyber-criminals have always moved from TLD to TLD over time, especially when they find low prices or vulnerable registries. What it means is that monitoring and mitigation efforts by registries and registrars matter, and all new gTLD operators need to remain vigilant about phishing.

Two important notes:

1. Into 2014, cybercriminals were able to get cheaper domain names in legacy TLDs. But the TLD market is now more crowded and competitive than at any time in history, and some registries are competing aggressively on price. Some new gTLDs are dropping their prices lower than .COM and other generally available TLDs, and that will attract phishing and other kinds of abuse.
2. Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.

The new report contains statistics for all TLDs, including number of domains used, uptimes, and more.