Home / Blogs

Domains Under the Most-Abused TLDs: Same Old DNS Abuse Trends?

While threat actors can use any domain across thousands of top-level domains (TLDs), they often have favorites. For instance, you may be familiar with Spamhaus’s 10 most-abused TLDs for spamming.

WhoisXML API researchers recently built on this list by analyzing 40,000 newly registered domains (NRDs) that sported some of the listed unreputable TLDs. We called this study “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs.” Below is a summary of the report’s findings:

  • About two-thirds of the domains had redacted WHOIS records.
  • The domains frequently contained finance-related text strings and popular company names.
  • Various domains contained country strings, hinting at localized campaigns.

Having observed domain and DNS activities for years, these patterns didn’t come as a surprise. However, the study further strengthened these trends’ continued relevance in 2023 and probably the upcoming years.

Abused WHOIS Redaction, a Likely Camouflage

WHOIS data redaction is nothing new. While the legitimate main goal is to protect domain owners’ privacy, threat actors have knowingly taken advantage of WHOIS data redaction under the pretext of privacy protection.

In a webinar conducted by the Coalition for a Secure and Transparent Internet in June 2022, ITIF Vice President Daniel Castro said WHOIS data redaction has given a “new cloak of anonymity and protection to Internet site operators engaged in illegal and malicious activity.”

Our study supported that argument, as most of the domain names sporting the most-abused TLDs revealed little about their registrants. About 64% of the domains had hidden WHOIS records.

Figure 1: Ratio of domains with redacted WHOIS records against those with public WHOIS data

This trend will likely continue in the coming years, as privacy laws become tighter and since data protection-as-a-service (which includes domain privacy protection) is predicted to become a US$94.3-billion industry by 2027.

Brand Squatting and Using Finance-Related Strings as Bait

We often see cybersquatting domains targeting popular companies as indicators of compromise (IoCs) used to host fake donation websites, launch denial-of-service (DoS) attacks, and run other malicious campaigns.

As to who their targets are, CheckPoint’s recent report tells us that the most-imitated brands are:

  • Yahoo!
  • DHL
  • Microsoft
  • Google
  • LinkedIn
  • WeTransfer
  • Netflix
  • FedEx
  • HSBC
  • WhatsApp

Still, no company or industry is safe. An in-depth study published by Akamai in 2022 revealed that cybersquatters actually don’t ignore any vertical. The domains under the most-abused TLDs we studied were no different.

Many of the properties we identified seemingly rode on the popularity of well-known brands, such as Windows, Apple, United Parcel Service (UPS), and Walmart. Here’s an example of a cybersquatting domain targeting Walmart, which hosted a website featuring the imitated store’s logo and company colors.

On the other hand, the content of the official Walmart domains looks like this:

Brand squatting domains sporting look-alike content remain effective lures to steal sensitive information as in the case of a Google ad for GIMP[.]org that served info-stealers through a look-alike website back in October 2022.

Also, generic finance-related strings frequently appeared among the domains sporting the most-abused TLDs. We saw several domains potentially targeting online banking users and parcel delivery recipients. Examples include acces-deposit[.]live, bankid[.]live, gllacierbnk[.]top, and parcel-track[.]link.

This pattern reminds us of a cybercrime group called the “Disneyland Team,” which spoofed popular banks through domains containing typo variants and Punycode last year. For example, to imitate usbank[.]com, the group distributed malware via ushank[.]com. To spoof Ameriprise, they used the Punycode version of ạmeriprisẹ[.]com—xn—meripris-mx0doj[.]com.

Suspicious Domains with a Local Touch

The recurring appearance of the string XN- in our DNS abuse study highlights the prevalent use of Punycode or internationalized domain names (IDNs). As previously illustrated, these can be utilized in brand squatting, where only a few characters are replaced with non-Latin characters.

The presence of XN- could also mean that malicious campaigns and potential targets were likely localized with the help of domains written entirely in the target’s language. Below are a few examples.

PunycodeIDN
xn—54qx09k[.]beauty觅光[.]beauty
xn—6oq6rw3hw6dfy2a1ouk7ff9i2y4a27s[.]top银保监会在线查询窗口[.]top
xn—k1ahd[.]suпрл[.]su
xn—80aimufiw[.]suардуино[.]su
xn—b8q084c[.]cn冷枫[.]cn
xn—hm-vra[.]livehōm[.]live
xn—fiq53l6wck2kojtj8g[.]fit中国物流平台[.]fit
xn—80adzthg3lb[.]linkсітівапк[.]link

Aside from IDNs, the repeated use of location keywords, such as US, Cyprus, and Dubai, was also common.

These localized domains could be used to deliver location-aware malware, such as Roaming Mantis, which targeted people in France only. The command-and-control (C&C) server was designed to display a 404 error page to users outside France.

Concluding Thoughts

While our study focused on domains sporting the most-abused TLDs, the patterns we identified overlapped with those featured in previous studies. For instance, when we analyzed IoCs related to Gigabud RAT, hundreds of artifacts were found squatting on targeted organizations, including Banco de Comercio, Advice, Thai Lion Air, Shopee Thailand, and Kasikornbank.

Our analysis of Royal Ransomware also revealed finance-related domains, particularly those sporting text strings like trading, bbva, and expensify. On top of that, several properties we analyzed in various threat reports weren’t taken down yet at the time of the investigations.

Furthermore, our monthly New Domain Activity Highlights consistently showed massive WHOIS data redaction among NRDs. For three months in a row, the rate had been more than 70%, the highest of which was observed in November 2022, when 85% of the NRDs had redacted WHOIS data.

These studies, along with the findings highlighted in our downloadable report “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs,” raise a few open questions that remain relevant in 2023, including:

  • Why are the TLDs in the study often cited as the most abused and why do threat actors favor them? Are the TLD operators too lenient, or is domain price a factor?
  • How can ICANN, registries, and registrars implement privacy protection laws that don’t compromise cybercrime investigation and prevention?
  • How can governments and organizations responsible for domain registration collectively minimize brand squatting?
  • Should registrars start filtering brand, company, and trademark names in domain registrations to prevent cybersquatting?

As we await the answers, our team will continue gleaning threat intelligence from domain, IP, and DNS data.

If you want to have a deeper and detailed conversation about DNS abuse or conduct a similar investigation, feel free to contact us.

By Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

Filed Under

Comments

Comparative results? Todd Knarr  –  Feb 27, 2023 11:51 PM

I’d be interested in seeing a comparison of the stats for domains operated by bad actors with the same stats for reputable domains. Knowing that 2/3rds of spam domains use WHOIS redaction isn’t helpful if 2/3rds of reputable domains also use WHOIS redaction. Behavior where spam domains differ significantly from reputable domains is what we need to have to be able to take any action.

Can't wait for certified email Jean Guillon  –  Feb 28, 2023 3:58 AM

When is a major inventing certified email to avoid spam?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API