Co-authored by Dr. David Barnett, Brand Monitoring Subject-Matter Expert and Justin Hartland, Global Director of Account Management at CSC.

In the first article¹ of this two-part blog series, we looked at how frequently domains were used by bad actors for phishing activity across individual top-level domains (TLDs) or domain extensions, using data from CSC’s Fraud Protection services, powered by our DomainSec^SM platform. In this second article, we analyze multiple datasets to determine the highest-threat TLDs, based on the frequency with which the domains are used egregiously for a range of cybercrimes.

In this deeper dive, we look at the following datasets:

1. Spamhaus’ 10 most abused TLDs², reflecting information in its domain blocking list and containing domains with poor reputations (generally those found to be associated with spam or malware).
2. Netcraft’s 50 TLDs³with the highest ratios of cybercrime incidents to active sites, generally reflecting phishing and malware incidences.
3. Palo Alto Networks’ 10 TLDs⁴ with the highest rates of malicious domains, reflecting four categories of malicious content (malware, phishing, command and control (C2), and grayware), and expressed as the median of the absolute deviation from the median (MAD).
4. Data from CSC’s Fraud Protection services, as discussed in part one of this series.

Each dataset measures the proportion of domains across each TLD deemed to be associated with threatening content⁵. For datasets 1, 2 and 3 as outlined above, proportions are expressed as the total number of domains analyzed for the TLD in question.

Methodology: For ease of comparison, the threat frequency for each TLD within each dataset is again normalized, so that in each case the value for the highest-threat TLD is 1. The overall threat frequency for a TLD is then calculated as the average of the normalized scores across the datasets in which it appears. We excluded any TLDs from the results that were only present in CSC’s dataset and where fewer than 50 phishing cases were recorded.

Analysis and discussion

The above methodology yields the following list in Table 1 for the top 30 highest-threat TLDs, ranked by overall normalized threat frequency.

Table 2 shows the datasets in which each of the top 30 TLDs appear.

It’s significant that this list is dominated by extensions from Africa, Asia, and the Caribbean, as well as several new gTLDs. The latter is consistent with the observation that new gTLDs tend to be disproportionately more abused than legacy TLDs, although they tend to have better processes for tackling infringements⁷. Nearly half of the TLDs in this list are operated by just three organizations, namely CentralNic (six TLDs), Freenom (four), and GoDaddy Registry (four)—all consumer-grade registrars.

The Anti-Phishing Working Group’s (APWG’s) comprehensive Global Phishing Survey⁸ of 2017, which analyzed the TLDs most frequently associated with phishing domains, also showed some similar trends (although the landscape may have changed somewhat since 2017). Its top 10 TLDs by frequency of phishing domains was dominated by African and Asian country-code TLDs (ccTLDs), with three of the top five (.ML, .BD and .KE) featuring in our top 30 list.

The below observations from the analysis are also notable:

• Some of the TLDs in the list have special significance:
  • .LY – The frequency of this extension’s use in conjunction with threatening content is strongly influenced by its appearance in URL-shortening services (e.g., bit.ly, cutt.ly and ow.ly). This means its threat frequency is disproportionately large compared with what would be expected from its use solely as a ccTLD.
  • .IO – The .IO extension is popularly used in domains with technology-related content, particularly anything associated with the range of Apple (iOS) operating systems. Many of the threat sites in this analysis are on compromised .IO domains, or subdomains of sites such as github.io, rather than reflecting any factors related to the British Indian Ocean Territory.

• The top 30 highest-threat TLDs includes four of the five free extensions offered by Freenom (with the exception of .TK, where the threat frequency is likely to be diminished by the large absolute number of registrations across the TLD). Their business model allows customers to register domains for free, with the option to make subsequent payments, depending on how the domain will be used. This makes these extensions particularly popular with phishers, who may discard their domains after a few days’ use for a phishing attack.

Figure 1 shows how the threat scores compare with the total number of customer domains under CSC’s management across the observed TLDs⁹.

It’s notable that most of the highest threat TLDs are associated with only small numbers of domains under CSC’s management. Therefore, one clear recommendation is that brand owners may want to consider defensively registering domain names featuring high-relevance brand terms across the high-risk extensions where possible, to prevent them from being fraudulently registered by third parties.

When exploring a defensive registration strategy, brand owners should also consider registering domains containing specific brand variants or keywords that are frequently associated with phishing activity, rather than just registering exact brand matches across TLDs of particular concern. These might include common character replacements, keywords like “login”, “jobs”, “invest” or other industry-related keywords.

Where relevant domains have already been taken across high-threat TLDs, it may be advantageous to monitor them for possible future changes in content, or to launch enforcement actions or acquisition processes in cases where infringing content is identified.

It’s also worth considering the list of top TLDs by the number of customer domains under CSC’s management (Figure 2). It’s noteworthy that only one of the TLDs from the top 30 highest-threat extensions (.CN) currently appears in this list (alongside .COM.CN).

It’s often observed that many of the highest-risk TLDs do, however, experience high levels of registration activity overall—with significant proportions associated with fraudulent use—of which much is via consumer-grade registrars, often with little legitimate activity seen by enterprise-class providers. Previous CSC studies established that most brand-related domain names on risky domain extensions are typically registered by third parties and are often involved in cybersquatting or malicious use. In one study looking at the .ICU “cousins” of the core domains of several top brands—i.e., the same second-level domain name, but on the. ICU extension—around three quarters of the domains used suspect DNS providers that were not under the control of the brand owner.

CSC recommendations

CSC has a short list of recommendations to help brand owners tackle the issues outlined in these articles.

1. Start at the foundations

Everything in cybersecurity comes back to the humble domain name. It’s vital to have a comprehensive view of your domain portfolio—what domains you have, and which are business-critical, tactical, or defensive. Deploying blocking or alerting services provides visibility of attempts by third parties to register domains containing brand-related terms.

2. Keep them secure

Third parties registering branded domains is just part of the issue. Keeping your official domains secure from the unauthorized changes to a domain’s infrastructure that form the basis for targeted attacks like domain hijacking, email spoofing, and phishing, is another part of the picture.

3. Monitor closely for potential threats

Domain intelligence is power. Monitoring for the registration, re-registration, and dropping of brand-related domain names is highly recommended, together with using this knowledge to inform when a brand should act.

For brands where phishing is a concern, we recommend augmenting domain or internet content monitoring with a phishing protection service. This will improve coverage over areas that may not otherwise be detected, e.g., non-brand-specific domain names or unindexed internet content.

4. Enforce on infringements

Points 1 to 3 aim to reduce the appearance of cyber risks, but for existing infringements it’s important to have an effective enforcement solution to protect your brand. This enables any brand to protect its reputation, and potentially reclaim lost revenue from fraudulent activity and redirection to third-party sites.