Home / Blogs

New gTLDs Are Great for Pump-and-Dumps, Phishes and More…

Yesterday, egregious financial truth-tellers (a client of ours at easyDNS) ZeroHedge broke the news that parties unknown, engineered what looks to be a textbook “pump-and-dump” on Twitter’s stock by putting up a fake “Bloomberg Financial News” site on the domain bloomberg.market and proceeded to run a story on it about Twitter being acquired.

The story spread and shares of Twitter stock promptly spiked on volume, Twitter finishing the day on nearly double the average daily volume.

TWTR Stock Pumps-and-Dumps After Fake ‘Bloomberg’ Report – The fake site from ‘Bloomberg.market’ domain with a misspelling of the former CEO’s name (Click to Enlarge / Source: Zero Hedge)The reason it can be safely assumed that this was a pretty ingenious pump-and-dump was the purchase, (as Zerohedge reveals), the day before of quite a few near-the-money call options on Twitter stock with a strike price of $37. Those calls went solidly into the money on the circulation of the fake story. (You know, sort of like all those put options some lucky parties unknown bought on American Airlines just before 9/11)

As news of the ruse spread (theDomains reported on it as did many other domaining sites), the price reverted back to it’s pre-pump value and later in the day the .market registry operator Rightside took down the domain and released a statement that the action was in accordance with their standard operating procedures.

This case underscores one of the biggest headaches about the new gTLDs: the sudden, dramatic expansion of the root namespace (now over 1,000 top level domains and counting) making it effectively impossible to “defend one’s marks” in all available TLDs.

TLDs such as .email, .company, .support are attractive phishing targets. Remember that when you get the next “reset your apple ID” email from “apple.support”.

It’s a double edged sword in many respects: even if a company wanted to move some of their functionality out to an aptly matching TLD, say perhaps, ‘http://easydns.support’, there are more public incidences of this type of thing being a phish or a hoax than there are legitimate rebrands or function shifts to new TLD URLs—companies wanting to do this face an uphill battle.

Twitter Stock Jumps Nearly 8 Percent on Fake Bloomberg News Post (Click to Enlarge)It makes me realize that I left out a couple important “winners and losers” from my guest editorial on Domain Name News a few years ago “Who Will Be The Winners and Losers of the New TLDS?

The Losers

Legitimate Companies: that really do want to rebrand or use new TLDs but will have to shout louder and spend more on marketing to out muscle the ever increasing background hum of phishers, scams and frauds passing off on new TLDs.

Target Companies: who will face ever increasing phishing attacks. As Canadian antispam legend (who now works for Apple’s abuse department) Neil Schwartzman told me after, I suggested Apple re-register a new TLD phishing domain we had just deleted:

Would that we could re-register all the cousins. We see literally hundreds/day.

It becomes effectively impossible to defend one’s marks via defensive registrations (something I said a long time ago which new TLD players are beginning to understand)

So what happens now?

The Winners

Criminals: When you combine all these new perfectly named labels for spearphishing your targets and combine it with ICANN mandated policies that effectively make it mandatory to be vulnerable to them, a new golden age has begun.

DANE: There’s going to have to be a way to authenticate the “reality” of any given website other than looking at the domain name and guessing that it’s legit. This goes beyond DNSSEC signed zones—which basically guarantees that when you ask for a DNS response for “example.com” you really get a response from “example.com”‘s nameservers and that they’re real responses. Somebody could register example.support and email all of example.com’s customers and simply DNSSEC sign example.support as well.

No, you need something else, something you can hook into the website your customers are used to visiting and somehow asserting that “it’s the real site”. SSL typically fills this role, but SSL costs money, even the cheap certs, which in a 1000+ channel TLD-verse makes it “expensive” by definition.

I think what we’ll see happen is major browser support for DANE (DNS-based Authentication of Named Entities) and a major adaptation of it across the industry.

But we’re not there yet. There’s a big

{{{{ SOMEHOW }}}}

which still needs to be filled in, where example.com will (see above: somehow) “assert” which associated domains in other TLDs are legit and which ones aren’t. Almost like a Sender Policy Framework (SPF) (which specifies what hostnames, domains and IP blocks are permitted to originate email for a given domain) for “related domains”—like:

example.com asserts that:

  • example.ca is the Canadian portal for Example Co
  • example.support is a real support site for Example Co.
  • example.xxx is a blocking website under .xxx
  • example.wtf is reserved for Example Co’s April Fool’s japes
  • etc.

Either this already exists and I don’t know about it, or it should exist and the absolute clusterfsck of grief these new TLDs are already causing will make it happen.

By Mark Jeftovic, Co-Founder, easyDNS Technlogies Inc.

Filed Under


Really? David Goldstein  –  Jul 16, 2015 4:08 AM

Really? This is an argument against new gTLDs? Come on. These schemes have been happening long before domain names even existed. And have happened without new gTLDs since domain names have come into existence. Maybe the author needs to get off their anti-new gTLD bandwagon and look at what happens in the real world.

No, not really. Mark Jeftovic  –  Jul 16, 2015 5:19 AM

Hi David, There is no point arguing against new TLDs since that ship has clearly sailed. My point around them has always been that the traditional (and tired) models of "register your name under .BLARGH before somebody else does" and "you need to defend your mark in every TLD" has been killed by them. (And I don't think that was widely anticipated going into this). Protocols are going to emerge to deal with some of the more pernicious aspects of new GTLDs (such as what I wrote about here). I'm not saying I know exactly what they're going to look like, but they'll likely happen. As I've stated numerous times in the past, I consider myself in the DNS business more than in the domain business. As such I couldn't really care less if my nameservers are resolving categorykiller.com or kjshrdi8w7445h45hjkhgkd855.wtf, it's all the same to me. regards, - mark But the new TLDs have certainly changed the landscape.

Yes, really David Goldstein  –  Jul 16, 2015 5:39 AM

These scams have existed with fax machines. A few years ago there was an issue with a mine and a bank and a fake news release in Australia. For one. But it seems also a case that if you’re gullible to a marketing department, you’ll defensively register oodles of domains in the new gTLDs. But brands haven’t registered their domains in the 200+ ccTLDs, or even all the pre-existing gTLDs. They are selective. And brands will continue to be selective.

Scams will always exist Christopher Hofman Laursen  –  Jul 16, 2015 7:36 AM

Agree with David here. Scams will always exist, if not on a new gTLD then on a .com or .org.
I actually think that new gTLDs can do the opposite - increase security. The bank sector at large suffers phishing attacks, and today they are all on different open TLDs from .com to ccTLDs. .Bank offers a united safe haven. I think fTLD Registries has done an amazing job to get some of the biggest banks to support this new TLD, and I’m convinced it will be standard in the US inside the next years. The rest of the world is a bit slower, some have adopted dot brands (.barclays, .bnpparibas). Let’s see what the rest will do.

The latest APWG report (2H14) says that Kevin Murphy  –  Jul 16, 2015 10:15 AM

The latest APWG report (2H14) says that 54% of phishing attacks use .com domains.

DPML Andrew McConachie  –  Jul 16, 2015 3:37 PM

I believe the way in which mark holders are expected to protect their marks in new gTLDs is to register their mark at the Trademark Clearinghouse. Then purchase DPML services from every new gTLD registry.

So if Bloomberg owns the ‘Bloomberg’ mark, and they have it registered at the TMCH, then they can purchase DPML from Rightside. Had all of that happened, this event would have been prevented.

I’m not agreeing with this as the means to protect one’s marks. Nor am I chastising Bloomberg for not doing this. I just think it’s important to mention that there are mechanisms in place to prevent this exact event from happening, and those mechanisms need to be a part of the conversation.

It was recognized with the new gTLD rollout that defensive registrations were no longer going to be feasible. That’s why we have the Trademark Clearinghouse and DPML.

Not quite Mark Jeftovic  –  Jul 16, 2015 6:09 PM

The trademark clearing houses are not that effective (as the poor participation numbers demonstrate). It would have been better to have a single TMCH that covered all new gTLDS but instead you have separate registry operators running their own TMCH's and they only cover you for discrete terms (i.e. 6 months). Also, they don't actually block registrations on your mark. They just make you acknowledge that the mark exists and stipulate that you won't infringe on it. Considering bloomberg.market was a criminal scam, I doubt they would have had very much compunction about lying about their intentions when they got to the trademark clearing house waiver screen.

Unless I'm mistaken, and that's a possibility, Andrew McConachie  –  Jul 17, 2015 11:56 PM

Unless I'm mistaken, and that's a possibility, there is only one TMCH. It's the DPML service that is offered by different registries. In the case of .market this would be Rightside. Their ToS states, "Once a DPML is in place, that string is blocked from registration on all Rightside TLDs, except premium names, for the time period required." Again, I'm not arguing that TMCH and DPML is the right way to prohibit this kind of behavior. I merely want to point out that the TMCH and DPML were created to address this behavior, and so should be a part of the conversation.

Schemes and TLDs Mason Cole  –  Jul 16, 2015 6:36 PM

One could consider giving Mark the benefit of the doubt if he were new to the Internet, but he’s been around and knows the history.

The lament about new TLDs being a ripe source for abusive behavior comes off as a “these kids these days” point of view.  There were many arguments of this type at the outset of the Internet—that scammers used it to manipulate stocks, trick people into handing over financial information and dupe good souls into donating to fake charities.  All in the legacy TLDs that were the only game in town back then and continue to be fertile ground today for scams.

“Pump and dump” stock schemes via domain names, regrettably, has been happening for years.  Remember the Internetwire.com fiasco (see http://hoaxes.org/archive/permalink/the_emulex_stockmarket_hoax/) — the one that sent Emulux shares plunging?  It got so bad at one point that the SEC created its own investment scam site (https://www.sec.gov/news/headlines/scamsites.htm) to warn people not to fall into the trap.

And gasp, prior to the Internet the phone was the favored technology for tricksters—in 1987 an investment adviser called up and duped the Dow Jones News Service into reporting a $6.8 billion offer for retailer Dayton Hudson that sent the stock surging.  We didn’t hear calls for the end of the telephone.

There is also something else here that is not new: people who have a vested interest in legacy technology creating fear, uncertainty and doubt to stop innovation. New TLDs represent an innovative way to express yourself online—whether you’re a company or individual—and that worries those who have a lot wrapped up in the current .com-dominated system.

One-off headlines can stir the emotions and be used as fresh chum for the .com crowd to feast on but the abuse stats of Mark’s cited three new TLDs show that since their delegation they are safer than .com:

In .EMAIL:  3 domains were verified as used for phishing (of 5 received reports), out of a total registration volume of 49,097.

In .COMPANY:  3 domains were verified as used for phishing (of 12 reports received), out of a total registration volume of 40,459.

In .SUPPORT:  6 domains were verified as used for phishing (of 15 reports received), out of a total registration volume if 14,492.

In fact, thus far the evidence (see the APWG report that 48% of phishing happens in .com) suggests that .com remains the runaway winner when it comes to venues for fraud and scams. But that was the price for progress in 1998 and we’ll continue to adapt and learn in 2015. That’s what we do with innovation. What we don’t do is run away from it because someone figures an angle.

Many More WInners Kurt Pritz  –  Jul 16, 2015 6:42 PM

As well-stated in the comments above, such scams are hardly a product of the new domain extensions, the attention getting headline notwithstanding.  We firmly believe the value and benefits of wider domain name choice far outweighs the potential annoyance of the inevitable bad actors – that bad behavior is going to occur regardless of whether new domains were going to be made available or not.

As more and more brands roll out web presences under their name.brand addresses, it will introduce a new layer of trust that hasn’t been available before. Additionally, new domain owners will be able to create and build customer awareness of additional zones of trust.

Also, as the article points out, new tools assuring the security and reliability of websites are being developed and will be made available for existing and new domain names registries. New registries, in particular, come with enhanced protections that are either required by their contract or delivered as new products such as Donuts’ DPML. Are these perfect? No, but they are an improvement.

The addition of many new players is creating a critical mass – the larger numbers of participants in the Domain Name Industry are coming together to create initiatives to build an even safer Domain Name environment. Some of those are just being launched under the Domain Name Association banner and elsewhere.

On the positive side, the new markets are resulting in new entrepreneurial efforts. For some examples see www.inthewild.domains. In addition, the uptake of .bank domains as well as the uptake and successes in geographic names, the .news launch, and recent publications by Marriott, General Motors, Barclays and other brands indicate a fulfillment of the program’s promise.

Kurt Pritz
Domain Name Association

Furthermore Mason Cole  –  Jul 16, 2015 6:59 PM

Apple IS the registrant for Apple.SUPPORT.  Apple is NOT the registrant for AppleSupport.COM.  Remember that when you get a “reset” message from Apple.

How the landscape has actually changed Christian Dawson  –  Jul 17, 2015 10:00 PM

It gets frustrating to read old arguments as if they are new, especially when the frame used makes it seem like the gTLDs precipitated all of this. While there may be some increased discomfort for large brand holders, that has to be seen in light of the gains, which this article doesn’t fully consider.  The far greater proliferation of IDNs is one huge example of this - bringing a simpler, more constructive path to more of the world’s population in their own languages and character sets.

In the past three years that I’ve been engaged in this community I’ve seen it as one that’s doing way more to solve longstanding problems than to precipitate them. Kurt outlined some of these initiatives in the comments, and he’s right. The Universal Acceptance efforts is a clear additional example.

Though I firmly disagree with the author’s broad based assessment of the gTLD program, it’s fine to want to continue to improve the processes of how we deal with all sorts of abuse measures. I am extremely sympathetic to the needs of the anti-abuse community who fight SPAM, phishing and malware, and have worked to bring more resources to the table to help them do their good works. I’ve worked (and will continue to work) alongside registrars and other Internet infrastructure providers to try to make a diference. There’s a community of Internet infrastructure providers trying to make the Internet a better, safer place because problems are expanding - not in the wake of the gTLD program but in the wake of the general expansion of the Internet as a tool for humanity.

Focusing our attentions on what the gTLD program has or hasn’t wrought is an area that’s as unproductive as it is, in my mind, unfocused and unfounded. Instead, I encourage the author to implore the infrastructure players who are a part of this ecosystem to continue their ongoing efforts to try to aid abuse communities to fix longstanding (and sometimes growing) problems that exist because the Internet is growing. Painting registries and the gTLD programs with a broad brush doesn’t accomplish anything. Encouraging continued responsible engagement does.

This community has grown a lot. The author should note that we’ve seen the biggest influx of brand holders into the multistakeholder participant body in history that are likely to represent his views expressed here. Luckily we’ve seen other community gains in diverse areas as well - because the ecosystem benefits from diverse prospectives when it comes to trying to make a better, safer ecosystem for all, including gTLD operator and brand owner alike. Let’s forget about calling winners and losers. There are a lot of {{{{ SOMEHOW }}}} issues left out there, and we can do a better job of addressing them if we all work together.

I apologize. Mark Jeftovic  –  Jul 18, 2015 2:26 AM

I’ve been thinking about the nerve this article seems to have struck and realize that there is a big difference between posting to the company blog (where the ex-punk rock gtrist in me tends to wax hyberbolic) and posting here, which is more of a serious industry discussion forum. I should have put more thought into it when Ali asked me if I wanted any edits.

For starters, a less inflammatory headline would probably have gone over better, something like “New gTLDs underscore need for new mechanisms to signal legitimate association across TLDs”

I’m not against new gTLDs - I may have made some past predictions about their second order effects that are unsettling, and I may lament a certain lack of real innovation, but I could also be fairly criticized as complaining about it instead of contributing to solutions.

I do think there needs to be some mechanism that will emerge along the lines outlined above and my guess is DANE will factor in. Thanks to all who took the time to chime in here.

not solvable in DNS Carl Byington  –  Jul 18, 2015 3:22 PM

where example.com will (see above: somehow) “assert” which associated domains in other TLDs are legit and which ones aren’t

I don’t think that problem is solvable via DNS. Consider a (spam run / pump and dump / phishing / fraud / malware / whatever) that references example.market, where different legitimate organizations own/operate example.com, example-market.com and example.finance. Which of those three domains (and many others) should some code inspect for DANE or other DNS records in an attempt to determine whether example.market is legitimate in any sense of the word?

quantum "something" Mark Jeftovic  –  Jul 18, 2015 3:33 PM

Yeah not sure how that happens. There would have to be co-ordination with browsers and other clients. Perhaps (off the top of my head) some kind of “association indicator” triggered by the presence of those records in legit cases and it’s absence combined with a form asking for PII triggers an alert.

“You are being asked for info by an entity you’ve never dealt with”

type deal. Ideally, if you are a netflix junky and find yourself filling out a password reset on netflix.company (which is under DPML block, bad example) you would think “hey wait a minute”.

triggered by presence of which records? Carl Byington  –  Jul 18, 2015 4:27 PM

Given a password reset form on netflix.company, where should the browser or other client code look for dns records? In

or many other variations

netflix.com has no extra dns records. But netflix.video (also under the control of the same folks that sent you the link to netflix.company) has a record asserting that netflix.company is where they do password resets.

Also, depending on user alerts such as “you are being asked…” does not help much. See

It would have to be at the Mark Jeftovic  –  Jul 18, 2015 5:16 PM

It would have to be at the point where you originally create the account with your vendor, that domain would have to provide a list of assertions which your client would store (similar to cookies, etc) I'll look at the google pdf

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix