David Barnett's Brand Protection Articles: The Highest-Threat TLDs

by Justin Hartland and David Barnett

In the first article^[1] of this two-part blog series, we looked at how frequently domains were used by bad actors for phishing activity across individual top-level domains (TLDs) or domain extensions, using data from CSC's Fraud Protection services, powered by our DomainSec^SM platform^[2]. In this second article, we analyse multiple datasets to determine the highest-threat TLDs, based on the frequency with which the domains are used egregiously for a range of cybercrimes.

In this deeper dive, we look at the following datasets:

Spamhaus' 10 most abused TLDs^[3], reflecting information in its domain blocking list and containing domains with poor reputations (generally those found to be associated with spam or malware).
Netcraft's 50 TLDs with the highest ratios of cybercrime incidents to active sites^[4], generally reflecting phishing and malware incidences.
Palo Alto Networks' 10 TLDs with the highest rates of malicious domains^[5], reflecting four categories of malicious content (malware, phishing, command and control (C2), and grayware), and expressed as the median of the absolute deviation from the median (MAD).
Data from CSC's Fraud Protection services, as discussed in Part 1 of this series.

Each dataset measures the proportion of domains across each TLD deemed to be associated with threatening content^[6]. For datasets 1, 2 and 3 as outlined above, proportions are expressed as the total number of domains analysed for the TLD in question.

Methodology: For ease of comparison, the threat frequency for each TLD within each dataset is again normalised, so that in each case the value for the highest-threat TLD is 1. The overall threat frequency for a TLD is then calculated as the average of the normalised scores across the datasets in which it appears. We excluded any TLDs from the results that were only present in CSC's dataset and where fewer than 50 phishing cases were recorded.

Analysis and discussion

The above methodology yields the following list in Table 1 for the top 30 highest-threat TLDs, ranked by overall normalised threat frequency.

TLD	Threat freq.	Registry	Operator^[7]	Region (Country) / Type
.ci	1.000	Autorité de Régulation des Télécommunications / TIC de Côte d’lvoire (ARTCI)	Autorité de Régulation des Télécommunications / TIC de Côte d’lvoire (ARTCI)	Africa (Ivory Coast)
.zw	1.000	Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)	TelOne Pvt Ltd	Africa (Zimbabwe)
.sx	0.945	SX Registry SA B.V.	Canadian Internet Registration Authority (CIRA)	Caribbean (Sint Maarten)
.mw	0.862	Malawi Sustainable Development Network Programme	Malawi Sustainable Development Network Programme	Africa (Malawi)
.am	0.608	"Internet Society" Non-Governmental Organization	"Internet Society" Non-Governmental Organization	Asia (Armenia)
.date*	0.506	dot Date Limited	GoDaddy Registry	New gTLD
.cd	0.391	Office Congolais des Postes et Télécommunications (OCPT)	Office Congolais des Postes et Télécommunications (OCPT)	Africa (Democratic Rep. of the Congo)
.ke	0.381	Kenya Network Information Center (KeNIC)	Kenya Network Information Center (KeNIC)	Africa (Kenya)
.app*	0.377	Charleston Road Registry Inc.	Google Inc	New gTLD
.bid*	0.361	dot Bid Limited	GoDaddy Registry	New gTLD
.ly	0.356	General Post and Telecommunication Company	Libya Telecom and Technology	Africa (Libya)
.bd	0.351	Posts and Telecommunications Division	Bangladesh Telecommunications Company Limited (BTCL)	Asia (Bangladesh)
.surf*	0.325	Registry Services, LLC	GoDaddy Registry	New gTLD
.sbs*	0.250	ShortDot	CentralNic	New gTLD
.pw	0.240	Micronesia Investment and Development Corporation	Radix FZC	Asia (Palau)
.dev*	0.222	Charleston Road Registry Inc.	Google Inc	New gTLD
.quest*	0.209	XYZ.COM LLC	CentralNic	New gTLD
.top*	0.196	Jiangsu Bangning Science and Technology Co., Ltd.	Jiangsu Bangning Science and Technology Co., Ltd.	New gTLD
.page*	0.195	Charleston Road Registry Inc.	Google Inc	New gTLD
.gq	0.192	GETESA	Equatorial Guinea Domains B.V. (Freenom)	Africa (Equatorial Guinea)
.cf	0.168	Societe Centrafricaine de Telecommunications (SOCATEL)	Centrafrique TLD B.V. (Freenom)	Africa (Central African Republic)
.ga	0.164	Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF)	Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) (Freenom)	Africa (Gabon)
.ml	0.157	Agence des Technologies de l’Information et de la Communication	Mali Dili B.V. (Freenom)	Africa (Mali)
.buzz*	0.149	DOTSTRATEGY CO.	GoDaddy Registry	New gTLD
.cyou*	0.141	ShortDot	CentralNic	New gTLD
.cn	0.130	CNNIC	CNNIC	Asia (China)
.monster*	0.106	XYZ.COM LLC	CentralNic	New gTLD
.bar*	0.104	Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable	CentralNic	New gTLD
.host*	0.101	Radix FZC	CentralNic	New gTLD
.io	0.085	Internet Computer Bureau Limited	Internet Computer Bureau Limited	Asia (British Indian Ocean Territory)

*Extensions where there are currently no customer domains under CSC's management.

Table 1: The top 30 TLDs with the highest overall normalised threat frequencies

Table 2 shows the datasets in which each of the top 30 TLDs appear.

TLD	Spamhaus	Netcraft	Palo Alto Networks	CSC (phishing)
.ci	✔	✔
.zw			✔
.sx	✔
.mw	✔	✔
.am			✔
.date			✔
.cd			✔
.ke		✔	✔	✔
.app				✔
.bid			✔
.ly				✔
.bd		✔	✔	✔
.surf	✔	✔
.sbs		✔	✔	✔
.pw		✔	✔
.dev				✔
.quest		✔	✔
.top	✔	✔		✔
.page				✔
.gq	✔			✔
.cf	✔			✔
.ga	✔			✔
.ml	✔			✔
.buzz		✔		✔
.cyou		✔		✔
.cn	✔	✔
.monster		✔
.bar		✔
.host		✔
.io				✔

Table 2: Datasets in which each of the top 30 TLDs by overall threat frequency appear

It is significant that this list is dominated by extensions from Africa, Asia, and the Caribbean, as well as several new gTLDs. The latter is consistent with the observation that new gTLDs tend to be disproportionately more abused than legacy TLDs, although they tend to have better processes for tackling infringements^[8]. Nearly half of the TLDs in this list are operated by just three organisations, namely CentralNic (six TLDs), Freenom (four), and GoDaddy Registry (four) - all consumer-grade registrars.

The Anti-Phishing Working Group's (APWG's) comprehensive Global Phishing Survey^[9] of 2017, which analysed the TLDs most frequently associated with phishing domains, also showed some similar trends (although the landscape may have changed somewhat since 2017). Its top 10 TLDs by frequency of phishing domains was dominated by African and Asian country-code TLDs (ccTLDs), with three of the top five (.ml, .bd and .ke) featuring in our top 30 list.

The below observations from the analysis are also notable:

Some of the TLDs in the list have special significance:

.ly - The frequency of this extension's use in conjunction with threatening content is strongly influenced by its appearance in URL-shortening services (e.g. bit.ly, cutt.ly and ow.ly). This means its threat frequency is disproportionately large compared with what would be expected from its use solely as a ccTLD.
.io – The .io extension is popularly used in domains with technology-related content, particularly anything associated with the range of Apple (iOS) operating systems. Many of the threat sites in this analysis are on compromised .io domains, or subdomains of sites such as github.io, rather than reflecting any factors related to the British Indian Ocean Territory.

The top 30 highest-threat TLDs includes four of the five free extensions offered by Freenom (with the exception of .tk, where the threat frequency is likely to be diminished by the large absolute number of registrations across the TLD). Their business model allows customers to register domains for free, with the option to make subsequent payments, depending on how the domain will be used. This makes these extensions particularly popular with phishers, who may discard their domains after a few days' use for a phishing attack.

Figure 1 shows how the threat scores compare with the total number of customer domains under CSC's management across the observed TLDs^[10].

Figure 1: Total numbers of customer domains under CSC's management (where non-zero) as a function of overall normalised TLD threat frequency, for the top 30 highest threat TLDs

It is notable that most of the highest threat TLDs are associated with only small numbers of domains under CSC’s management. Therefore, one clear recommendation is that brand owners may want to consider defensively registering domain names featuring high-relevance brand terms across the high-risk extensions where possible, to prevent them from being fraudulently registered by third parties.

When exploring a defensive registration strategy, brand owners should also consider registering domains containing specific brand variants or keywords that are frequently associated with phishing activity, rather than just registering exact brand matches across TLDs of particular concern. These might include common character replacements, or keywords like 'login', 'jobs', 'invest' or other industry-related keywords.

Where relevant domains have already been taken across high-threat TLDs, it may be advantageous to monitor them for possible future changes in content, or to launch enforcement actions or acquisition processes in cases where infringing content is identified.

It is also worth considering the list of top TLDs by the number of customer domains under CSC's management (Figure 2). It is noteworthy that only one of the TLDs from the top 30 highest-threat extensions (.cn) currently appears in this list (alongside .com.cn).

Figure 2: Top TLDs by total numbers of registered customer domains under CSC's management

It is often observed that many of the highest-risk TLDs do, however, experience high levels of registration activity overall - with significant proportions associated with fraudulent use - of which much is via consumer-grade registrars, often with little legitimate activity seen by enterprise-class providers. Previous CSC studies have established that most brand-related domain names on risky domain extensions are typically registered by third parties and are often involved in cybersquatting or malicious use. In one study looking at the .icu 'cousins' of the core domains of several top brands - i.e. the same second-level domain name, but on the. icu extension - around three quarters of the domains used suspect DNS providers that were not under the control of the brand owner.

CSC recommendations

CSC has a short list of recommendations to help brand owners tackle the issues outlined in these articles.

1. Start at the foundations

Everything in cybersecurity comes back to the humble domain name. It is vital to have a comprehensive view of your domain portfolio - what domains you have, and which are business-critical, tactical, or defensive. CSC's Domain Management services allow organisations to manage their portfolios of official corporate domains. Deploying blocking or alerting services provides visibility of attempts by third parties to register domains containing brand-related terms. CSC's Brand Advisory Team can consult on domain registration strategies.

2. Keep them secure

Third parties registering branded domains is just part of the issue. Keeping your official domains secure from unauthorised changes to a domain's infrastructure that form the basis for targeted attacks like domain hijacking, e-mail spoofing and phishing is another part of the picture. As an enterprise-class provider, CSC offers several domain security solutions that allow organisations to secure their corporate domains and maintain a defense-in-depth approach as part of a robust security posture. These measures include CSC's MultiLock, DNSSEC (domain name system security extensions), use of CAA (certificate authority authorisation) records, DMARC (domain-based message authentication, reporting, and conformance), SPF (sender policy framework), and DKIM (domain keys identified mail).

3. Monitor closely for potential threats

Domain intelligence is power. Monitoring for the registration, re-registration, and dropping of brand-related domain names is highly recommended, together with using this knowledge to inform when a brand should act. CSC's 3D Domain Security and Enforcement service does just this, encompassing a range of brand variants including fuzzy matches and character replacements. The monitoring covers a wide range of domain extensions, including high-threat TLDs. This service also monitors high-relevance domains 24×7, tracking them for relevant changes in content.

For brands where phishing is a concern, we recommend augmenting domain or Internet content monitoring with a phishing protection service. This will improve coverage over areas that may not otherwise be detected, e.g. non-brand-specific domain names or unindexed Internet content. CSC's phishing detection products use a range of data sources, including spam traps and honeypots, alongside other data feeds such as customer abuse mailbox data and webserver logs. The results are fed into a correlation engine - driven by CSC's machine learning deep search (MLDS) technology - to detect fraudulent sites by analysing URL patterns and comparing the sites with known predictors of fraudulent content.

4. Enforce on infringements

Points 1 to 3 aim to reduce the appearance of cyber-risks, but for existing infringements it is important to have an effective enforcement solution to protect your brand. CSC's Enforcement services include 24×7 rapid takedown of a variety of infringement types. We use a toolkit approach with a wide range of enforcement methodology options, using the most efficient and cost-effective option in any given case, while reserving other options for escalation. Effective use of enforcement enables any brand to protect its reputation, and potentially reclaim lost revenue from fraudulent activity and re-direction to third-party sites.

References

[1] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[2] https://www.cscdbs.com/en/domainsec/

[3] https://www.spamhaus.org/statistics/tlds/

[4] https://trends.netcraft.com/cybercrime/tlds

[5] https://unit42.paloaltonetworks.com/top-level-domains-cybercrime/

[6] For datasets 1 and 2, all statistics are correct as of 13 June 2022

[7] From iana.org

[8] https://op.europa.eu/en/publication-detail/-/publication/7d16c267-7f1f-11ec-8c40-01aa75ed71a1

[9] https://docs.apwg.org//reports/APWG_Global_Phishing_Report_2015-2016.pdf

[10] Data correct as of June 2022

This article was first published on 16 December 2022 at: