Home / Blogs

The Highest Threat TLDs - Part 2

Co-authored by Dr. David Barnett, Brand Monitoring Subject-Matter Expert and Justin Hartland, Global Director of Account Management at CSC.

In the first article1 of this two-part blog series, we looked at how frequently domains were used by bad actors for phishing activity across individual top-level domains (TLDs) or domain extensions, using data from CSC’s Fraud Protection services, powered by our DomainSecSM platform. In this second article, we analyze multiple datasets to determine the highest-threat TLDs, based on the frequency with which the domains are used egregiously for a range of cybercrimes.

In this deeper dive, we look at the following datasets:

  1. Spamhaus’ 10 most abused TLDs2, reflecting information in its domain blocking list and containing domains with poor reputations (generally those found to be associated with spam or malware).
  2. Netcraft’s 50 TLDs3with the highest ratios of cybercrime incidents to active sites, generally reflecting phishing and malware incidences.
  3. Palo Alto Networks’ 10 TLDs4 with the highest rates of malicious domains, reflecting four categories of malicious content (malware, phishing, command and control (C2), and grayware), and expressed as the median of the absolute deviation from the median (MAD).
  4. Data from CSC’s Fraud Protection services, as discussed in part one of this series.

Each dataset measures the proportion of domains across each TLD deemed to be associated with threatening content5. For datasets 1, 2 and 3 as outlined above, proportions are expressed as the total number of domains analyzed for the TLD in question.

Methodology: For ease of comparison, the threat frequency for each TLD within each dataset is again normalized, so that in each case the value for the highest-threat TLD is 1. The overall threat frequency for a TLD is then calculated as the average of the normalized scores across the datasets in which it appears. We excluded any TLDs from the results that were only present in CSC’s dataset and where fewer than 50 phishing cases were recorded.

Analysis and discussion

The above methodology yields the following list in Table 1 for the top 30 highest-threat TLDs, ranked by overall normalized threat frequency.

Table 1: The top 30 TLDs with the highest overall normalized threat frequencies.*Extensions where there are currently no customer domains under CSC’s management.
TLDThreat frequencyRegistryOperator6Region (country) or type
.CI1.000Autorité de Régulation des Télécommunications; TIC de Côte d’lvoire (ARTCI)Autorité de Régulation des Télécommunications; TIC de Côte d’lvoire (ARTCI)Africa (Ivory Coast)
.ZW1.000Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)TelOne Pvt LtdAfrica (Zimbabwe)
.SX0.945SX Registry SA B.V.Canadian Internet Registration Authority (CIRA)Caribbean (Sint Maarten)
.MW0.862Malawi Sustainable Development Network ProgrammeMalawi Sustainable Development Network ProgrammeAfrica (Malawi)
.AM0.608“Internet Society” Non-Governmental Organization“Internet Society” Non-Governmental OrganizationAsia (Armenia)
.DATE*0.506.DATE LimitedGoDaddy®RegistryNew gTLD
.CD0.391Office Congolais des Postes et Télécommunications (OCPT)Office Congolais des Postes et Télécommunications (OCPT)Africa (Democratic Rep. of the Congo)
.KE0.381Kenya Network Information Center (KeNIC)Kenya Network Information Center (KeNIC)Africa (Kenya)
.APP*0.377Charleston Road Registry Inc.Google®Inc.New gTLD
.BID*0.361.BID LimitedGoDaddy RegistryNew gTLD
.LY0.356General Post and Telecommunication CompanyLibya Telecom and TechnologyAfrica (Libya)
.BD0.351Posts and Telecommunications DivisionBangladesh Telecommunications Company Limited (BTCL)Asia (Bangladesh)
.SURF*0.325Registry Services, LLCGoDaddy RegistryNew gTLD
.SBS*0.250ShortDotCentralNicNew gTLD
.PW0.240Micronesia Investment and Development CorporationRadix FZCAsia (Palau)
.DEV*0.222Charleston Road Registry Inc.Google Inc.New gTLD
.QUEST*0.209XYZ.COM LLCCentralNicNew gTLD
.TOP*0.196Jiangsu Bangning Science and Technology Co., Ltd.Jiangsu Bangning Science and Technology Co., Ltd.New gTLD
.PAGE*0.195Charleston Road Registry Inc.Google Inc.New gTLD
.GQ0.192GETESAEquatorial Guinea Domains B.V. (Freenom)Africa (Equatorial Guinea)
.CF0.168Societe Centrafricaine de Telecommunications (SOCATEL)Centrafrique TLD B.V. (Freenom)Africa (Central African Republic)
.GA0.164Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF)Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) (Freenom)Africa (Gabon)
.ML0.157Agence des Technologies de l’Information et de la CommunicationMali Dili B.V. (Freenom)Africa (Mali)
.BUZZ*0.149DOTSTRATEGY CO.GoDaddy RegistryNew gTLD
.CYOU*0.141ShortDotCentralNicNew gTLD
.CN0.130CNNICCNNICAsia (China)
.BAR*0.104Punto 2012 Sociedad Anonima Promotora de Inversion de Capital VariableCentralNicNew gTLD
.HOST*0.101Radix FZCCentralNicNew gTLD
.IO0.085Internet Computer Bureau LimitedInternet Computer Bureau LimitedAsia (British Indian Ocean Territory)

Table 2 shows the datasets in which each of the top 30 TLDs appear.

Table 2: Datasets in which each of the top 30 TLDs by overall threat frequency appear.
TLDSpamhausNetcraftPalo Alto NetworksCSC

It’s significant that this list is dominated by extensions from Africa, Asia, and the Caribbean, as well as several new gTLDs. The latter is consistent with the observation that new gTLDs tend to be disproportionately more abused than legacy TLDs, although they tend to have better processes for tackling infringements7. Nearly half of the TLDs in this list are operated by just three organizations, namely CentralNic (six TLDs), Freenom (four), and GoDaddy Registry (four)—all consumer-grade registrars.

The Anti-Phishing Working Group’s (APWG’s) comprehensive Global Phishing Survey8 of 2017, which analyzed the TLDs most frequently associated with phishing domains, also showed some similar trends (although the landscape may have changed somewhat since 2017). Its top 10 TLDs by frequency of phishing domains was dominated by African and Asian country-code TLDs (ccTLDs), with three of the top five (.ML, .BD and .KE) featuring in our top 30 list.

The below observations from the analysis are also notable:

  • Some of the TLDs in the list have special significance:
    • .LY – The frequency of this extension’s use in conjunction with threatening content is strongly influenced by its appearance in URL-shortening services (e.g., bit.ly, cutt.ly and ow.ly). This means its threat frequency is disproportionately large compared with what would be expected from its use solely as a ccTLD.
    • .IO – The .IO extension is popularly used in domains with technology-related content, particularly anything associated with the range of Apple (iOS) operating systems. Many of the threat sites in this analysis are on compromised .IO domains, or subdomains of sites such as github.io, rather than reflecting any factors related to the British Indian Ocean Territory.
  • The top 30 highest-threat TLDs includes four of the five free extensions offered by Freenom (with the exception of .TK, where the threat frequency is likely to be diminished by the large absolute number of registrations across the TLD). Their business model allows customers to register domains for free, with the option to make subsequent payments, depending on how the domain will be used. This makes these extensions particularly popular with phishers, who may discard their domains after a few days’ use for a phishing attack.

Figure 1 shows how the threat scores compare with the total number of customer domains under CSC’s management across the observed TLDs9.

Figure 1: Total numbers of customer domains under CSC’s management (where not zero) as a function of overall normalized TLD threat frequency, for the top 30 highest threat TLDs.

It’s notable that most of the highest threat TLDs are associated with only small numbers of domains under CSC’s management. Therefore, one clear recommendation is that brand owners may want to consider defensively registering domain names featuring high-relevance brand terms across the high-risk extensions where possible, to prevent them from being fraudulently registered by third parties.

When exploring a defensive registration strategy, brand owners should also consider registering domains containing specific brand variants or keywords that are frequently associated with phishing activity, rather than just registering exact brand matches across TLDs of particular concern. These might include common character replacements, keywords like “login”, “jobs”, “invest” or other industry-related keywords.

Where relevant domains have already been taken across high-threat TLDs, it may be advantageous to monitor them for possible future changes in content, or to launch enforcement actions or acquisition processes in cases where infringing content is identified.

It’s also worth considering the list of top TLDs by the number of customer domains under CSC’s management (Figure 2). It’s noteworthy that only one of the TLDs from the top 30 highest-threat extensions (.CN) currently appears in this list (alongside .COM.CN).

Figure 2: Top TLDs by most registered customer domains under CSC’s management.

It’s often observed that many of the highest-risk TLDs do, however, experience high levels of registration activity overall—with significant proportions associated with fraudulent use—of which much is via consumer-grade registrars, often with little legitimate activity seen by enterprise-class providers. Previous CSC studies established that most brand-related domain names on risky domain extensions are typically registered by third parties and are often involved in cybersquatting or malicious use. In one study looking at the .ICU “cousins” of the core domains of several top brands—i.e., the same second-level domain name, but on the. ICU extension—around three quarters of the domains used suspect DNS providers that were not under the control of the brand owner.

CSC recommendations

CSC has a short list of recommendations to help brand owners tackle the issues outlined in these articles.

1. Start at the foundations

Everything in cybersecurity comes back to the humble domain name. It’s vital to have a comprehensive view of your domain portfolio—what domains you have, and which are business-critical, tactical, or defensive. Deploying blocking or alerting services provides visibility of attempts by third parties to register domains containing brand-related terms.

2. Keep them secure

Third parties registering branded domains is just part of the issue. Keeping your official domains secure from the unauthorized changes to a domain’s infrastructure that form the basis for targeted attacks like domain hijacking, email spoofing, and phishing, is another part of the picture.

3. Monitor closely for potential threats

Domain intelligence is power. Monitoring for the registration, re-registration, and dropping of brand-related domain names is highly recommended, together with using this knowledge to inform when a brand should act.

For brands where phishing is a concern, we recommend augmenting domain or internet content monitoring with a phishing protection service. This will improve coverage over areas that may not otherwise be detected, e.g., non-brand-specific domain names or unindexed internet content.

4. Enforce on infringements

Points 1 to 3 aim to reduce the appearance of cyber risks, but for existing infringements it’s important to have an effective enforcement solution to protect your brand. This enables any brand to protect its reputation, and potentially reclaim lost revenue from fraudulent activity and redirection to third-party sites.

By David Barnett, Brand Protection Strategist at Stobbs

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byVerisign

Brand Protection

Sponsored byCSC