Home / Blogs

Phishing in the New gTLDs

The new Anti-Phishing Working Group (APWG) Global Phishing Survey has just been released. Written by myself and Rod Rasmussen of IID, the report is the “who, what, where, when, and why” look at phishing, examining the second half of 2014. The report has many findings, but here I’ll concentrate on the new gTLDs.

The second half of 2014 was when an appreciable number of new gTLDs entered general availability and started to gain market share. Phishing in the new gTLDs started slowly and is rising. We expect to see phishing levels in them rise further, and predict that a small number of these new TLDs will attract significant numbers of malicious registrations.

Phishing can be on domain names registered by phishers, and can be on compromised (hacked) domains, where the phishers broke into the web servers. As of December 2014, the new gTLDs had less phishing relative to the legacy gTLDs and ccTLDs. But this was to be expected, since the new gTLDs are very young and didn’t have a lot of web sites that can be compromised by phishers. As they mature and garner more adoption, more new gTLDs will inevitably see more of their domains compromised for phishing, and phishing levels in the new gTLDs as a group may approach levels see in ccTLDs and the legacy gTLDs.

From 1 July to 31 December 2014:

  • About 295 new gTLDs opened for registration by the public. Phishing occurred in 56 of those new gTLDs.
  • A total of 454 new gTLD domain names were used for phishing.
  • Almost two-thirds of the phishing in the new gTLDs—288 domains—was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in a new gTLD, and we are seeing more examples in 2015.

The expansion of the TLD space is creating new locations where phishing occurs in the DNS. Cyber-criminals have always moved from TLD to TLD over time, especially when they find low prices or vulnerable registries. What it means is that monitoring and mitigation efforts by registries and registrars matter, and all new gTLD operators need to remain vigilant about phishing.

Two important notes:

  1. Into 2014, cybercriminals were able to get cheaper domain names in legacy TLDs. But the TLD market is now more crowded and competitive than at any time in history, and some registries are competing aggressively on price. Some new gTLDs are dropping their prices lower than .COM and other generally available TLDs, and that will attract phishing and other kinds of abuse.
  2. Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.

The new report contains statistics for all TLDs, including number of domains used, uptimes, and more.

By Greg Aaron, President, Illumintel Inc.

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API