Co-authored by Dr. David Barnett, Brand Monitoring Subject-Matter Expert and Justin Hartland, Global Director of Account Management at CSC.
In the first article[1] of this two-part blog series, we looked at how frequently domains were used by bad actors for phishing activity across individual top-level domains (TLDs), or domain extensions, using data from CSC's Fraud Protection services, powered by our DomainSec℠ platform. In this second article, we analyze multiple datasets to determine the highest-threat TLDs, based on the frequency with which their domains are used for a range of cybercrimes.
In this deeper dive, we look at the following datasets:
Each dataset measures the proportion of domains in each TLD deemed to be associated with threatening content[5]. For datasets 1, 2 and 3 as outlined above, the proportion is expressed relative to the total number of domains analyzed for the TLD in question.
Methodology: For ease of comparison, the threat frequency for each TLD within each dataset is again normalized so that the highest-threat TLD in that dataset scores 1. The overall threat frequency for a TLD is then calculated as the average of its normalized scores across the datasets in which it appears. TLDs that were present only in CSC's dataset and had fewer than 50 recorded phishing cases were excluded from the results.
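The normalize-then-average scoring above, implemented as an added example (editor's code, not CSC's) on constructed data. The dataset names match the article, but the raw threat frequencies and case counts below are invented for illustration and are not the article's figures. The example also makes one property of the method visible: a TLD that appears in a single dataset and tops it receives an overall score of 1 from that one source alone, which is worth remembering when reading Tables 1 and 2.

```python
"""Added example (editor's code, not CSC's): the normalize-then-average
scoring described in the Methodology paragraph, run on constructed data.
The dataset names match the article; the raw threat frequencies and case
counts below are invented for illustration and are not the article's figures."""

from statistics import mean

# Constructed raw threat frequencies: fraction of analysed domains in each
# TLD that a dataset flagged. Note that ".zw" appears in one dataset only.
RAW = {
    "Spamhaus": {".zw": 0.40, ".ci": 0.36, ".ke": 0.08, ".top": 0.06},
    "Netcraft": {".ci": 0.25, ".ke": 0.10, ".top": 0.05},
    "Palo Alto Networks": {".ke": 0.08, ".top": 0.04, ".cn": 0.03},
    "CSC": {".ke": 0.025, ".cn": 0.02, ".example": 0.05},
}
# Constructed phishing-case counts behind CSC's figures, needed for the
# exclusion rule (CSC-only TLDs with fewer than 50 cases are dropped).
CSC_PHISHING_CASES = {".ke": 120, ".cn": 300, ".example": 12}
MIN_CSC_CASES = 50


def normalize(dataset):
    """Scale one dataset so its highest-threat TLD scores exactly 1.0."""
    top = max(dataset.values())
    return {tld: value / top for tld, value in dataset.items()}


def overall_scores(raw, csc_cases, min_cases=MIN_CSC_CASES):
    """Return {tld: (overall score, [datasets it appears in])}.

    The overall score is the plain mean of the TLD's normalized scores over
    the datasets that contain it, exactly as the Methodology paragraph says.
    """
    normalized = {name: normalize(ds) for name, ds in raw.items()}
    result = {}
    for tld in {t for ds in raw.values() for t in ds}:
        present = [name for name, ds in normalized.items() if tld in ds]
        if present == ["CSC"] and csc_cases.get(tld, 0) < min_cases:
            continue  # only CSC saw it, and with too few cases to count
        result[tld] = (mean(normalized[n][tld] for n in present), present)
    return result


def ranked(scores):
    """Sort TLDs by overall score, highest first, ties broken by name."""
    return sorted(scores.items(), key=lambda kv: (-kv[1][0], kv[0]))


if __name__ == "__main__":
    for tld, (score, sources) in ranked(overall_scores(RAW, CSC_PHISHING_CASES)):
        flag = "  (single source)" if len(sources) == 1 else ""
        print(f"{tld:9s} {score:.3f}  {len(sources)} dataset(s){flag}")
```

Running it ranks the constructed ".zw" first with a perfect 1.000 on the strength of one dataset, while ".ke", seen by all four, averages out to about 0.5. When reading a table built this way, the number of contributing datasets is as informative as the score.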
The above methodology yields the following list in Table 1 for the top 30 highest-threat TLDs, ranked by overall normalized threat frequency.
TLD | Threat frequency | Registry | Operator[6] | Region (country) or type |
---|---|---|---|---|
.CI | 1.000 | Autorité de Régulation des Télécommunications/TIC de Côte d'Ivoire (ARTCI) | Autorité de Régulation des Télécommunications/TIC de Côte d'Ivoire (ARTCI) | Africa (Ivory Coast) |
.ZW | 1.000 | Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) | TelOne Pvt Ltd | Africa (Zimbabwe) |
.SX | 0.945 | SX Registry SA B.V. | Canadian Internet Registration Authority (CIRA) | Caribbean (Sint Maarten) |
.MW | 0.862 | Malawi Sustainable Development Network Programme | Malawi Sustainable Development Network Programme | Africa (Malawi) |
.AM | 0.608 | “Internet Society” Non-Governmental Organization | “Internet Society” Non-Governmental Organization | Asia (Armenia) |
.DATE* | 0.506 | .DATE Limited | GoDaddy Registry | New gTLD |
.CD | 0.391 | Office Congolais des Postes et Télécommunications (OCPT) | Office Congolais des Postes et Télécommunications (OCPT) | Africa (Democratic Rep. of the Congo) |
.KE | 0.381 | Kenya Network Information Center (KeNIC) | Kenya Network Information Center (KeNIC) | Africa (Kenya) |
.APP* | 0.377 | Charleston Road Registry Inc. | Google Inc. | New gTLD |
.BID* | 0.361 | .BID Limited | GoDaddy Registry | New gTLD |
.LY | 0.356 | General Post and Telecommunication Company | Libya Telecom and Technology | Africa (Libya) |
.BD | 0.351 | Posts and Telecommunications Division | Bangladesh Telecommunications Company Limited (BTCL) | Asia (Bangladesh) |
.SURF* | 0.325 | Registry Services, LLC | GoDaddy Registry | New gTLD |
.SBS* | 0.250 | ShortDot | CentralNic | New gTLD |
.PW | 0.240 | Micronesia Investment and Development Corporation | Radix FZC | Oceania (Palau) |
.DEV* | 0.222 | Charleston Road Registry Inc. | Google Inc. | New gTLD |
.QUEST* | 0.209 | XYZ.COM LLC | CentralNic | New gTLD |
.TOP* | 0.196 | Jiangsu Bangning Science and Technology Co., Ltd. | Jiangsu Bangning Science and Technology Co., Ltd. | New gTLD |
.PAGE* | 0.195 | Charleston Road Registry Inc. | Google Inc. | New gTLD |
.GQ | 0.192 | GETESA | Equatorial Guinea Domains B.V. (Freenom) | Africa (Equatorial Guinea) |
.CF | 0.168 | Societe Centrafricaine de Telecommunications (SOCATEL) | Centrafrique TLD B.V. (Freenom) | Africa (Central African Republic) |
.GA | 0.164 | Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) | Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) (Freenom) | Africa (Gabon) |
.ML | 0.157 | Agence des Technologies de l’Information et de la Communication | Mali Dili B.V. (Freenom) | Africa (Mali) |
.BUZZ* | 0.149 | DOTSTRATEGY CO. | GoDaddy Registry | New gTLD |
.CYOU* | 0.141 | ShortDot | CentralNic | New gTLD |
.CN | 0.130 | CNNIC | CNNIC | Asia (China) |
.MONSTER* | 0.106 | XYZ.COM LLC | CentralNic | New gTLD |
.BAR* | 0.104 | Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable | CentralNic | New gTLD |
.HOST* | 0.101 | Radix FZC | CentralNic | New gTLD |
.IO | 0.085 | Internet Computer Bureau Limited | Internet Computer Bureau Limited | Asia (British Indian Ocean Territory) |
Table 2 shows the datasets in which each of the top 30 TLDs appear.
TLD | Spamhaus | Netcraft | Palo Alto Networks | CSC |
---|---|---|---|---|
.CI | ✓ | ✓ | ||
.ZW | ✓ | |||
.SX | ✓ | |||
.MW | ✓ | ✓ | ||
.AM | ✓ | |||
.DATE | ✓ | |||
.CD | ✓ | |||
.KE | ✓ | ✓ | ✓ | |
.APP | ✓ | |||
.BID | ✓ | |||
.LY | ✓ | |||
.BD | ✓ | ✓ | ✓ | |
.SURF | ✓ | ✓ | ||
.SBS | ✓ | ✓ | ✓ | |
.PW | ✓ | ✓ | ||
.DEV | ✓ | |||
.QUEST | ✓ | ✓ | ||
.TOP | ✓ | ✓ | ✓ | |
.PAGE | ✓ | |||
.GQ | ✓ | ✓ | ||
.CF | ✓ | ✓ | ||
.GA | ✓ | ✓ | ||
.ML | ✓ | ✓ | ||
.BUZZ | ✓ | ✓ | ||
.CYOU | ✓ | ✓ | ||
.CN | ✓ | ✓ | ✓ | |
.MONSTER | ✓ | |||
.BAR | ✓ | |||
.HOST | ✓ | |||
.IO | ✓ |
It is significant that this list is dominated by extensions from Africa, Asia, and the Caribbean, as well as several new gTLDs. The latter is consistent with the observation that new gTLDs tend to be disproportionately abused compared with legacy TLDs, although they tend to have better processes for tackling infringements[7]. Nearly half of the TLDs in this list are operated by just three organizations, namely CentralNic (six TLDs), Freenom (four), and GoDaddy Registry (four), all of which also operate consumer-grade registrars.
The Anti-Phishing Working Group's (APWG's) comprehensive Global Phishing Survey[8] of 2017, which analyzed the TLDs most frequently associated with phishing domains, showed some similar trends (although the landscape may have changed since 2017). Its top 10 TLDs by frequency of phishing domains were dominated by African and Asian country-code TLDs (ccTLDs), with three of the top five (.ML, .BD and .KE) featuring in our top 30 list.
The following observations from the analysis are also notable:
Figure 1 shows how the threat scores compare with the total number of customer domains under CSC's management across the observed TLDs[9].
It’s notable that most of the highest threat TLDs are associated with only small numbers of domains under CSC’s management. Therefore, one clear recommendation is that brand owners may want to consider defensively registering domain names featuring high-relevance brand terms across the high-risk extensions where possible, to prevent them from being fraudulently registered by third parties.
When exploring a defensive registration strategy, brand owners should also consider registering domains containing specific brand variants or keywords that are frequently associated with phishing activity, rather than just registering exact brand matches across TLDs of particular concern. These might include common character replacements, keywords like “login”, “jobs”, “invest” or other industry-related keywords.
Where relevant domains have already been taken across high-threat TLDs, it may be advantageous to monitor them for possible future changes in content, or to launch enforcement actions or acquisition processes in cases where infringing content is identified.
It’s also worth considering the list of top TLDs by the number of customer domains under CSC’s management (Figure 2). It’s noteworthy that only one of the TLDs from the top 30 highest-threat extensions (.CN) currently appears in this list (alongside .COM.CN).
It is often observed, however, that many of the highest-risk TLDs experience high levels of registration activity overall, with a significant proportion associated with fraudulent use. Much of this comes via consumer-grade registrars, with little legitimate activity seen by enterprise-class providers. Previous CSC studies established that most brand-related domain names on risky extensions are registered by third parties and are often involved in cybersquatting or malicious use. In one study of the .ICU "cousins" of the core domains of several top brands (i.e., the same second-level domain name on the .ICU extension), around three quarters of the domains used suspect DNS providers that were not under the control of the brand owner.
CSC has a short list of recommendations to help brand owners tackle the issues outlined in these articles.
1. Everything in cybersecurity comes back to the humble domain name. It's vital to have a comprehensive view of your domain portfolio: what domains you have, and which are business-critical, tactical, or defensive. Deploying blocking or alerting services provides visibility of attempts by third parties to register domains containing brand-related terms.
2. Third parties registering branded domains is just part of the issue. Keeping your official domains secure from the unauthorized changes to a domain's infrastructure that form the basis for targeted attacks like domain hijacking, email spoofing, and phishing is another part of the picture.
3. Domain intelligence is power. Monitoring for the registration, re-registration, and dropping of brand-related domain names is highly recommended, together with using this knowledge to inform when a brand should act.
4. For brands where phishing is a concern, we recommend augmenting domain or internet content monitoring with a phishing protection service. This improves coverage of areas that may not otherwise be detected, e.g., non-brand-specific domain names or unindexed internet content.
5. Points 1 to 3 aim to reduce the emergence of cyber risks, but for existing infringements it's important to have an effective enforcement solution to protect your brand. This enables any brand to protect its reputation, and potentially reclaim lost revenue from fraudulent activity and redirection to third-party sites.
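The second recommendation asks that official domains be protected against unauthorized infrastructure changes, but does not say what to check. The added example below (editor's code, not CSC's) is the checklist a practitioner would run over each business-critical domain: whether the registrar-level and registry-level EPP lock statuses are all present (their absence is what makes a hijack via a compromised registrar account or a transfer request possible), whether DNSSEC is signed, and whether SPF and DMARC are set strictly enough to stop spoofing of the domain in phishing mail. It runs offline on constructed records shaped like WHOIS "Domain Status" output and DNS TXT lookups; the set of statuses treated as a complete lock and the "-all"/"p=reject" thresholds are the editor's choices, not a CSC policy.

```python
"""Added example (editor's code, not CSC's): a checklist audit of the controls
that stop the unauthorized infrastructure changes the article names
(registrar/registry changes behind domain hijacking, and missing e-mail
authentication behind spoofing). It runs offline on constructed inputs
shaped like what WHOIS and DNS lookups return: EPP "Domain Status" codes,
a DNSSEC flag, and TXT records for the apex and the _dmarc name. Which
statuses count as a complete lock, and what counts as a weak SPF/DMARC
policy, are the editor's choices."""

# EPP status codes (RFC 5731). client* codes are set by the registrar;
# server* codes are the registry-level lock that registry-lock products set.
REGISTRAR_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                   "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def audit_domain(record):
    """Return a list of findings for one domain (empty means all checks passed)."""
    findings = []
    statuses = set(record.get("status", []))

    missing = REGISTRAR_LOCKS - statuses
    if missing:
        findings.append("registrar lock incomplete, missing: "
                        + ", ".join(sorted(missing)))
    if not REGISTRY_LOCKS <= statuses:
        findings.append("no registry lock (server*Prohibited statuses absent)")
    if not record.get("dnssec"):
        findings.append("DNSSEC not enabled")

    spf = [t for t in record.get("txt", []) if t.startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (invalid, treated as permerror)")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append("SPF does not hard-fail unlisted senders (expected -all)")

    dmarc = [t for t in record.get("dmarc_txt", []) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record at _dmarc")
    else:
        policy = parse_dmarc(dmarc[0]).get("p", "none")
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy} (expected reject)")
    return findings


# Constructed records for demonstration; these are not real lookups.
HARDENED = {
    "domain": "brand.example",
    "status": sorted(REGISTRAR_LOCKS | REGISTRY_LOCKS),
    "dnssec": True,
    "txt": ["v=spf1 include:_spf.mail.example -all"],
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"],
}
WEAK = {
    "domain": "brand-legacy.example",
    "status": ["clientTransferProhibited"],
    "dnssec": False,
    "txt": ["v=spf1 include:_spf.mail.example ~all"],
    "dmarc_txt": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for rec in (HARDENED, WEAK):
        findings = audit_domain(rec)
        print(rec["domain"], "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

In practice the `status`, `dnssec` and TXT fields would be filled from a WHOIS or RDAP lookup and DNS queries for the apex and `_dmarc.<domain>`; the audit logic is unchanged. The weak record fails five checks, and its single `clientTransferProhibited` status shows why "locked" in a registrar control panel is not the same as a registry lock.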