Top Level Domain Abuse – gTLD abuse observations

July 12, 2016
Domain Name Monitoring

gTLDs Phishing, Fraud, Abuse Observations – Top Level Domains (TLDs), such as .com, .org, .biz, .net, a part of the domain name that is installed in the root zone, now come in many different variations and flavours – such as generic TLDs (gTLDS), Country-Code TLDs (ccTLDS). These new TLDS have opened up the Domain Name system to cater for the growing internet user base and to suit specific purposes such as non-profit organisations, business, government, military, sports etc.

The management of most TLDS are still assigned to the internet governing body –   Internet Corporation for Assigned Names and Numbers (ICANN) and their organization –  Internet Assigned Numbers Authority (IANA), which also operates and is in charge of maintaining the DNS root zone. However, many new TLDS are being maintained and regulated by new organisations such as Donuts Inc.

It is well known the most phishing sites and malware infrastructure exist on compromised websites and servers but a significant amount of abuse and fraud occurs on specifically registered domains. In other words the criminal will go to a domain registrar and register a unique domain name of the purpose of malice, such domain names will often spoof or copy  a specific name to leverage a trusted business names.

So while the majority of attackers use compromised websites to host their attacks we routinely see approximately a quarter of all attacks are carried out via domain names registered by the criminal.

Generic Top Level Domain (gTLDS) such as .organic, .business,.shoes were introduced in 2014. When the gTLDS were first introduced we were anticipating that this provide a lucrative avenue for the criminal to exploit.  So far our observations have shown that the level of abuse and fraud on the gTLDS is much lower than the traditional TLDs, and much less than we first thought or presumed upon their introduction.

Less than 0.5% of domains that are registered are used for malicious purpose or need to be deregistered to brand, trademark or copyright infringements. (about 0.4% for .com and 0.2 – 0.35 for .net, .info, .biz and .info.) However, for gTLDS these figures are much less – less than a quarter compared with traditional TLDS. We suspect that the process to register for a specific gTLD has become more intensive than traditional TLDS with increased authentication required for registration and payment – hence this has been a deterrent for the average criminal.

In saying this – we do see abuse and fraud on this channel, which if and when it does occur can have a significant impact on the business and web service channel. “trustedbrand.shop” does look like a trusted domain!!

iZOOlogic employs proprietary abuse-detection and pattern-recognition systems to monitor domain registrations, domain usage, and queries existing who.is records across all TLDS, including gTLDS, to harvest and analyse data and information relevant to the client brand. iZOOlogic also has strong working relationships with registrars to quickly to respond to issues and abuse across the TLD spheres.

About the author

Leave a Reply