Thursday, 27 June 2024

Re-registered domains, spam, and search-engine optimisation

Google has recently announced some changes to their search and prioritisation algorithms, intended to tackle the problem of 'spammy, low-quality content' in search results. Of particular interest are the improvements to the process of handling 'expired domain abuse' - in particular, the addition of options to their spam reporting tool - in response to the previous practice of infringers purchasing expired domains and posting new spam content.

The reasons for repurposing domains can include taking advantage of the higher level of trust associated with the content previously present on the site, to boost the search ranking of the new material[1,2,3,4,5]. This spam content can take a number of forms, including adult or gambling-related material, or blog-style sites promoting third-party content. The use of the practice to promote sites offering the sale of counterfeit goods has also been noted[6,7]. This issue also presents the possibility for increasing the effectiveness of more egregious types of abuse, such as explicit brand impersonation.

As a simple case study into the potential scale of the issue, we have looked at instances of re-registered domains across the .app, .biz and .blog TLDs. These specific extensions were selected because they are 'mid-sized', popular TLDs[8] with low-cost, low-restriction registration options, which are generally 'well-trusted' by general Internet users[9,10], but which (paradoxically) also include one example (.app) previously noted as being particularly prone to infringement and abuse[11].

In order to carry out the analysis, we consider the set of domains which were registered between 03-Jun-2024 and 10-Jun-2024, based on a comparison of zone files. Of these, we then consider the subset which had also previously been actively registered as of Q3 2023 (i.e. instances of re-registration). The statistics for these are shown in Table 1.

TLD      Registered domains   New registrations (last 7 days)   Re-registrations
.app     1,427,146            14,862                            1,860
.biz     1,270,822            5,304                             744
.blog    269,389              3,253                             199

Table 1: Numbers of registered domains (totals as of 10-Jun-2024), new registrations, and re-registrations for the three TLDs
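The zone-file comparison described above (new registrations between two snapshots, and the subset already present in an earlier snapshot) and the entropy check for pseudo-random names mentioned later in the article can be reproduced with the following example. It is added here as an illustration and is not the authors' own tooling; the zone excerpts, domain names and entropy thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed zone-file excerpts in the style of CZDS data (one line per NS
# record, so a domain appears once per name server). All names are made up.
ZONE_Q3_2023 = """\
app. 300 in soa ns1.registry.example. hostmaster.registry.example. 1 2 3 4 5
oldshop.app. 3600 in ns ns1.dns.example.
oldshop.app. 3600 in ns ns2.dns.example.
lapsedfirm.app. 3600 in ns ns1.dns.example.
stable.app. 3600 in ns ns1.dns.example.
"""
ZONE_03_JUN_2024 = """\
stable.app. 3600 in ns ns1.dns.example.
newthing.app. 3600 in ns ns1.dns.example.
"""
ZONE_10_JUN_2024 = """\
stable.app. 3600 in ns ns1.dns.example.
newthing.app. 3600 in ns ns1.dns.example.
oldshop.app. 3600 in ns ns9.other.example.
lapsedfirm.app. 3600 in ns ns9.other.example.
brandnew.app. 3600 in ns ns1.dns.example.
xk7q2pz9v4r1m8t0.app. 3600 in ns ns9.other.example.
ns1.stable.app. 3600 in a 192.0.2.1
"""


def parse_zone(text: str) -> set[str]:
    """Collect the unique second-level names (sld.tld) from a zone snapshot.

    The apex record (one label) and glue/host records (three or more labels)
    are skipped; trailing dots and case are normalised.
    """
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        name = fields[0].rstrip(".").lower()
        if name.count(".") == 1:
            names.add(name)
    return names


def registration_changes(earlier: set[str], before: set[str], after: set[str]) -> dict:
    """New registrations are names in `after` but not `before`; re-registrations
    are the subset of those that also existed in the `earlier` snapshot."""
    new = after - before
    return {"new": new, "reregistered": new & earlier}


def sld_entropy(domain: str) -> float:
    """Shannon entropy (bits per character) of the second-level label."""
    sld = domain.split(".")[0]
    counts = Counter(sld)
    return -sum(c / len(sld) * math.log2(c / len(sld)) for c in counts.values())


def flag_random_looking(domains, min_len: int = 12, min_entropy: float = 3.5) -> list[str]:
    """Long, high-entropy labels are the pseudo-random names the article links
    to automated registrations; both thresholds here are assumptions."""
    return sorted(d for d in domains
                  if len(d.split(".")[0]) >= min_len and sld_entropy(d) >= min_entropy)


if __name__ == "__main__":
    changes = registration_changes(parse_zone(ZONE_Q3_2023),
                                   parse_zone(ZONE_03_JUN_2024),
                                   parse_zone(ZONE_10_JUN_2024))
    print("new:", sorted(changes["new"]))
    print("re-registered:", sorted(changes["reregistered"]))
    print("random-looking:", flag_random_looking(changes["new"]))
```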

Of the re-registrations, we then consider those which resolve to live sites (also as of 10-Jun-2024). These are associated with a range of content types, including large numbers resolving just to placeholder or error pages, sites featuring pay-per-click (PPC) links, or pages offering the domains for sale. However, for the analysis, we focus on the subset resolving to 'spammy' content. This determination is - of course - somewhat subjective, but essentially considers material which appears non-legitimate and/or appears to be unrelated to the name of the domain in question. The 'hit-rate' for re-registrations featuring spam content was greatest for .biz (58 identified examples, compared with 5 for .blog, and 4 for .app). It is also worth noting that - particularly for .app - significant numbers of the re-registrations had actually gone dead again by the time of analysis. Many of these featured long, pseudo-random domain names and may be associated with automated registrations used for malicious or infringing purposes[12].

Figure 1 shows four examples of .biz domains featuring 'spammy' content (e.g. adult or gambling/gaming-related material or random blog content) which had (according to information from archive.org) previously resolved to live, apparently legitimate content (for companies or organisations for whom the domain name itself has specific relevance). Some of these domains have long histories, going back a decade or more. They are therefore potentially examples of domains which have been re-registered to take advantage of the previous level of trust in the websites, and their consequent boosted search-engine rankings. Furthermore, some have been re-registered multiple times since their original incarnation. It is also worth noting that, amongst the dataset, we see numerous instances of repeated use of similar site templates, suggesting potential serial infringement by particular entities.

Figure 1: Examples of re-registered .biz domains now resolving to 'spammy' content

The scale of the issue indicates the potential for subsequent abuse and, perhaps even more concerningly, the misplaced belief that the new material has a definitive link with the previous legitimate content. Brand owners should bear this in mind when allowing domains to lapse - which might take place as part of a domain portfolio rationalisation project.

Overall, the Google reporting tool should be welcomed by brand owners. Alongside mechanisms such as the UDRP to address the underlying domain itself, the reporting tool provides another low-cost way of addressing IP infringement in the web and domain space.

References

[1] https://blog.google/products/search/google-search-update-march-2024/

[2] https://www.thedomains.com/2024/05/30/google-adds-expired-domains-abuse-to-their-report-spam-tools/

[3] https://www.craigcampbellseo.com/do-expired-domains-still-work/

[4] https://www.seroundtable.com/google-report-spam-tool-adds-options-37479.html

[5] https://web.swipeinsight.app/posts/google-s-spam-tool-now-flags-site-reputation-expired-domains-abuse-6732

[6] https://www.burges-salmon.com/news-and-insight/legal-updates/popular-expired-domain-names-are-being-re-registered-for-the-sale-of-counterfeit-goods

[7] https://euipo.europa.eu/tunnel-web/secure/webdav/guest/document_library/observatory/resources/Research_on_Online_Business_Models_IBM/Research_on_Online_Business_Models_IBM_en.pdf

[8] https://research.domaintools.com/statistics/tld-counts/

[9] https://growthbadger.com/top-level-domains/

[10] https://www.wpbeginner.com/showcase/top-domain-name-extension-list/

[11] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2

[12] https://www.iamstobbs.com/opinion/the-randomest-domain-names-entropy-as-an-indicator-of-tld-threat-level

This article was first published on 27 June 2024 at:

https://www.iamstobbs.com/opinion/re-registered-domains-spam-and-seo

Friday, 21 June 2024

Some more new domains in the .locker

Next in line for launch in the new-gTLD programme is the .locker domain-name extension. It entered its Sunrise period on the 19th June 2024, and will go into Early Access on the 18th September 2024 (when domains can be secured at a premium price) and subsequently into General Availability on the 26th September 2024. The extension was originally owned by telecommunications company Dish DBS, before being acquired by Orange Domains in August 2023[1], with the intention of use in conjunction with digital locker services (including both electronic file and physical storage)[2,3].

Like some previous examples - such as .box[4] - the new .locker extension promises to provide dual Web2 / Web3 functionality[5]. This is achieved by it offering integrated support for the Bitcoin protocol, meaning that it will be compatible with applications such as cryptocurrency wallets. The Web3 'digital identity' will be reserved for holders of the corresponding Web2 domain name, but its use will not be compulsory[6].

As of the date of analysis [05-Jun-2024], the .locker zone file contained just a handful of entries[7], comprising reserved domain names relevant to the technical infrastructure of the TLD[8]. However, we would expect the numbers to start ramping up once the Sunrise period opens and brand owners are able to start securing domains, before likely jumping up once again once registrations become generally available to all.

Similarly to .zip, the new extension may be attractive to infringers because of the potential for abuse due to the possibility for confusion with legitimate file-storage solutions. It may also transpire that the TLD will be popular with piracy-related applications, in reference to the old 'cyberlocker' terminology[9] (cf. the potential for the shortly-available .ad extension to be abused for advertising fraud[10]).

In light of this development, brand owners are advised to secure key brand terms and/or keyword strings across the new extension, as soon as purchase is possible - even if only as defensive registrations to prevent fraudulent use. Additionally - as with any emerging area of Internet content - ongoing monitoring of the space will also be advisable, in order to stay one step ahead of the infringers.

References

[1] https://domainnamewire.com/2023/08/28/realty-and-locker-top-level-domains-change-hands/

[2] https://iptwins.com/fr/2024/05/29/lancement-du-locker-avec-support-du-protocole-bitcoin/

[3] https://www.linkedin.com/posts/iptwins_lancement-du-locker-avec-support-du-protocole-activity-7203025215935627264--s0l/

[4] https://www.iamstobbs.com/opinion/un-.zip-ping-and-un-.box-ing-the-risks-associated-with-new-tlds

[5] https://www.iamstobbs.com/opinion/the-crossover-two-recent-developments-in-web2/web3-interaction

[6] https://comlaude.com/launch-of-locker-ssl-price-increase-tr-launch-update-tmch-price-increase/

[7] 6as2tersqsgcku63tqcsfkl0baarlvou.locker, amh1aepsfk05e2eeamgjtkop5nrleb70.locker, gjqec5q3vb7n7qa543edh7v2cckpro03.locker, my.locker, nic.locker, registry.locker

[8] https://ntldstats.com/tld/locker

[9] https://en.wikipedia.org/wiki/File-hosting_service

[10] https://www.iamstobbs.com/opinion/a-new-tld-to-.ad-to-the-collection

This article was first published on 21 June 2024 at:

https://www.iamstobbs.com/opinion/some-more-new-domains-in-the-.locker

Wednesday, 5 June 2024

A bit of a nasty (anti)virus: the landscape of fake antivirus websites

BLOG POST

Following a recent report by Trellix[1] about bogus websites posing as antivirus providers, we have conducted a landscape review of domains beginning with the names of major antivirus and antimalware providers. The analysis considers all examples where the second-level domain name (SLD) - i.e. the part to the left of the dot - consists only of the brand name, or where any keywords from a set of high-relevance keywords are also present.

New-gTLD extensions feature heavily within the list of 1,440 domains, with .live (106 domains), .online (48), .xyz (33), .site (22) and .shop (19) being the most popular. New-gTLDs are commonly associated with high rates of infringement and abuse, and give rise to particular security concerns in the technology sector, where many of the extensions have specific relevance[2].

The review identified a number of high-concern websites posing direct potential threats, such as those offering (potentially malicious) downloads and instances of user credential collection (i.e. potential phishing). Other identified infringement types included e-commerce sites, offers of discount codes and information sites. Significant numbers of domains where the SLD consisted just of the brand name were also found to be potentially infringing.

Given that this study focuses solely on a small subset of the full range of potentially infringing sites, the number of threatening findings is concerning. This analysis highlights the importance of proactive programmes of brand protection, incorporating a policy of defensive domain registrations (to address the issue of 'brand-only' SLD examples). Other advisable initiatives include greater clarity by brand owners on the identity of their official sites (perhaps involving the use of dot-brand extensions) and engagement with 'fraudcasting' schemes, to push out browser warnings for fraudulent sites.

This specific case of infringements targeting antivirus brands is an interesting one - essentially an instance of 'gamekeeper turned game'. The very nature of these brands is such that consumer trust is a key element (in addition to technical effectiveness), so the emergence of these types of attack poses a real risk to brand reputation and value.

References

[1] https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/

[2] https://www.iamstobbs.com/opinion/un-.zip-ping-and-un-.box-ing-the-risks-associated-with-new-tlds

This article was first published on 4 June 2024 at:

https://www.iamstobbs.com/opinion/a-bit-of-a-nasty-antivirus-the-landscape-of-fake-antivirus-websites

* * * * *

WHITE PAPER

Introduction

A recent report by cybersecurity service provider Trellix[1] highlighted the detection of three fake sites posing as official antivirus providers. In all cases, these sites were offering the download of purported security products, but were actually distributing malicious applications, which aimed to access confidential data, steal information or mine cryptocurrency[2]. As of the time of writing (29-May-2024), only one of these sites (bitdefender-app[.]com) was still active (Figure 1), though all three still generated browser messages warning of dangerous content. 

Figure 1: The fake site at bitdefender-app[.]com, as of 29-May-2024

Analysis

As an investigation into the scale of this type of issue, we consider the landscape of domains with names beginning with any one of 16 of the top antivirus and antimalware providers[3,4,5]. It is also worth noting that none of the other potentially threatening examples presented in this article were found to generate browser warnings, an additional factor of concern regarding the potential for exposure of consumers to infringing or harmful content. Analysis is based on zone-file information from ICANN's CZDS service, available for 1,087 gTLDs (domain extensions).

The analysis yielded a dataset of over 14,000 domains, though this will include 'false positives' such as instances where the brand strings appear as sub-strings of longer terms, and references to the brand name in an unrelated context. Accordingly, for the first round of filtering, we considered only those domains where the second-level domain name (SLD) string (i.e. the part of the domain name to the left of the dot) consisted only of the brand name, or where any of the following high-relevance keywords were present in the domain name: virus, malware, secur*, app, download, update, login, scan, protect, enterprise, activat*, defend, online, setup, instal* (where '*' denotes a wildcard). This generated a candidate set of just over 1,900 high-relevance domain names. From these, we next removed any which appeared to be under the control of the official brand owner in question, on the basis of the use of an enterprise-class registrar and/or re-direction to a definitively official website. This leaves a set of 1,440 probable third-party domains of potential concern. Significant numbers of these domains utilise new-gTLD extensions, noted in many previous studies as being associated with high rates of infringement and abuse[6]; the new-gTLD extensions with more than 10 domains in the dataset are: .live (106), .online (48), .xyz (33), .site (22), .shop (19), .pro (17), .store (13), .zip (11), .click (11), and .deals (11).
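The first-round filter described above (brand string anchored at the start of the SLD, then either a brand-only SLD or one of the high-relevance keywords) and the per-TLD tally can be expressed as follows. This is an added example written for this page, not the authors' analysis code; the brand patterns are those given in reference [5], the keywords are those listed in the paragraph, and the sample domains are constructed rather than taken from the paper's dataset.

```python
import re
from collections import Counter

# Brand patterns exactly as listed in reference [5] of the white paper: '^'
# anchors at the start of the second-level domain, '-?' makes a hyphen optional.
BRAND_PATTERNS = [
    "^totalav", "^surfshark", "^norton", "^kaspersky", "^mcafee", "^bitdefender",
    "^trend-?micro", "^avast", "^eset", "^vipre", "^malwarebytes", "^f-?secure",
    "^avira", "^avg", "^emsisoft", "^spybot",
]
# High-relevance keywords from the Analysis section; a trailing '*' is a wildcard,
# so only the stem before it needs to match.
KEYWORDS = ["virus", "malware", "secur*", "app", "download", "update", "login", "scan",
            "protect", "enterprise", "activat*", "defend", "online", "setup", "instal*"]

BRAND_RE = re.compile("|".join(f"(?:{p})" for p in BRAND_PATTERNS))
KEYWORD_RE = re.compile("|".join(re.escape(k.rstrip("*")) for k in KEYWORDS))

# Constructed sample in the spirit of the names the paper discusses; not its dataset.
SAMPLE_DOMAINS = [
    "bitdefender.icu",         # SLD is the brand name alone
    "nortonsetup.cloud",       # brand + 'setup'
    "avastantivirus.pro",      # brand + 'virus'
    "trendmicrosetup.online",  # optional hyphen absent, still matched
    "f-secure.store",          # hyphenated brand, brand-only
    "esetfans.net",            # brand at start, but no high-relevance keyword: dropped
    "nortonville.org",         # brand as the start of an unrelated word: dropped
    "securityshop.live",       # keyword without any brand: dropped
    "avgonline.com",           # brand + 'online'
]


def classify(domain: str):
    """Return (brand, reason) for a high-relevance domain, or None.

    The brand must start the SLD; the keyword is searched only in the part
    after the brand, so a keyword inside the brand itself does not count.
    """
    sld = domain.lower().partition(".")[0]
    m = BRAND_RE.match(sld)
    if not m:
        return None
    remainder = sld[m.end():]
    if not remainder:
        return m.group(0), "brand-only"
    k = KEYWORD_RE.search(remainder)
    return (m.group(0), f"keyword:{k.group(0)}") if k else None


def filter_and_tally(domains):
    """Keep high-relevance domains and count them per TLD, as the paper does
    for the new-gTLD extensions in its dataset."""
    hits = [(d, *c) for d in domains if (c := classify(d))]
    per_tld = Counter(d.rpartition(".")[2] for d, _, _ in hits)
    return hits, per_tld


if __name__ == "__main__":
    hits, per_tld = filter_and_tally(SAMPLE_DOMAINS)
    for d, brand, reason in hits:
        print(f"{d:25} {brand:12} {reason}")
    print(per_tld.most_common())
```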

Of the 1,440 sites, 439 generate a live website response, according to an automated site-visitor script (though this is likely to be a conservative estimate, since some websites will generate a false-negative response - e.g. if the site is slow to respond). 

Amongst the live sites, a range of content types were identified, including instances of unrelated third parties apparently legitimately using the same brand name (particularly where the brand is a relatively generic acronym, such as AVG, or a common name, such as Norton), cases of misdirection to unrelated content (including gambling-related or other undesirable content in some cases), and sites monetised through the inclusion of pay-per-click links, or by displaying pages offering the domain name for sale. There is also the potential for any of these sites to be activated with more significant content at a later date. 

However, the sites currently of highest concern are those displaying official branding, or referencing the brand name in a context relevant to the business area of the brand in question. Some of these sites may be (possibly official, but potentially unauthorised) distributors (Figure 2) or other affiliated organisations (e.g. mcafee[.]education, which re-directs to mcafeeinstitute[.]com). 

Figure 2: Example of a purported official distributor's website (avgverlengen[.]nl, re-directed from avg[.]partners and avg[.]tips)

A number of others have the appearance of legitimate sites, but may be fake - in many cases, a definitive determination is difficult, which is clearly unsatisfactory from a customer confusion point of view. One of the categories of highest concern are those sites where the SLD consists just of the brand name, as these present (if non-legitimate) the highest potential for confusion with genuine sites. The dataset includes a number of such examples, including avast[.]partners, bitdefender[.]digital, bitdefender[.]icu, bitdefender[.]lat, emsisoft[.]lat, eset[.]ovh, f-secure[.]store, surfshark[.]click, and totalav[.]xyz (Figure 3) which, if not official sites under the control of the respective brand owners, pose a serious concern. 

Figure 3: Examples of sites whose legitimacy is unclear (with all five examples registered via privacy protection service providers), and where the SLD consists just of the brand name: bitdefender[.]icu; eset[.]ovh; f-secure[.]store; surfshark[.]click; totalav[.]xyz

Widening out to the larger set of domains which feature additional keywords of relevance, sites featuring a range of content types were identified. These include examples of (potentially non-legitimate or unauthorised) sites featuring e-commerce content (e.g. avastantivirus[.]pro (re-directs to datav[.]fr), bitdefenderantivirus[.]space, kasperskyantivirus[.]space, nortonantivirus[.]space (all re-direct to software-defender[.]com), malwarebyteschannelstore[.]com, avgonline[.]com, bitdefenderonline[.]com, bitdefenderperu[.]com, malwarebytessoftware[.]com, nortondefenderhub[.]com, norton-setup[.]com), offering coupons, vouchers or discount codes (e.g. bitdefenderantiviruscoupon[.]com), offering product information (e.g. malwarebytesnew[.]com, mcafee-activate[.]xyz, mcafeecom-activatesetup[.]com, mcafeecom-setup[.]com, vipre-antivirus[.]com, avastupdates[.]com, norton-com-setup[.]live, norton-setup[.]net - which actually directs users to a third-party site at fox2[.]kr) and sites making other general claims of affiliation (e.g. bitdefender-indonesia[.]com, bitdefenderkorea[.]com) (Figure 4).

Figure 4: Example of an e-commerce site (avgonline[.]com), a site offering discount codes (bitdefenderantiviruscoupon[.]com), and an information site (mcafeecom-activatesetup[.]com)

However, the examples of greatest concern, from the point of view of posing direct potential threats, are those offering downloads (which may be malicious) (e.g. surfsharkvpnapp[.]com, kasperskydownload[.]com, mcafeedownload[.]com, spybot-freedownload[.]com, spybot-free-download[.]com, avastlogins[.]com (re-directs to a URL on loneseo[.]tongxinfl[.]cn)) or collecting user credentials (i.e. potential phishing) (e.g. esetprotect[.]cloud, nortonsetup[.]cloud, nortonsetup[.]xyz, trendmicrosetup[.]online) (Figure 5).

Figure 5: Examples of sites offering downloads (surfsharkvpnapp[.]com and avastlogins[.]com) and sites collecting user credentials (nortonsetup[.]cloud and trendmicrosetup[.]online)

It is also worth noting that three of these sites (nortonsetup[.]cloud, nortonsetup[.]xyz and trendmicrosetup[.]online) all have a very similar appearance and appear likely to have been generated from a common site template (perhaps as part of a single coordinated campaign by a particular individual infringer). This assertion is strengthened by the fact that all three are registered via 'Privacy Protect, LLC' with Hostinger Operations, UAB as registrar, and all three reference the same hyperlink (http[://]gmpg[.]org[/]xfn[/]11) in the metadata sections of the HTML of the websites. These types of insights are key to the process of 'clustering', a means of drawing links between infringements, and form the basis for factors such as building cases of bad faith and allowing for efficient bulk takedown actions[7].
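The clustering signals just described (a shared privacy-protection provider, a shared registrar, and a common link in the page metadata) can be combined into a simple linkage rule, as in the example below. It is added for this page and is not the authors' tooling; the record fields, domain names, registrar and provider labels and the metadata link are all constructed, and the rule that two domains must share both infrastructure and at least one link is an assumption chosen to keep infrastructure alone from linking unrelated sites.

```python
from collections import defaultdict

# Constructed records for illustration; the field names are assumptions and the
# domains, registrars, providers and links are made up for this example.
SHARED_LINK = "http://theme-link.example/xfn"   # stands in for a link found in page metadata
RECORDS = [
    {"domain": "avsetup-one.cloud", "registrar": "Registrar A", "privacy": "Proxy X",
     "links": {SHARED_LINK, "https://cdn.example/a.css"}},
    {"domain": "avsetup-two.xyz", "registrar": "Registrar A", "privacy": "Proxy X",
     "links": {SHARED_LINK}},
    {"domain": "avsetup-three.online", "registrar": "Registrar A", "privacy": "Proxy X",
     "links": {SHARED_LINK, "https://cdn.example/b.js"}},
    # Same registrar and proxy, but no link in common: infrastructure alone is too weak.
    {"domain": "avsetup-four.site", "registrar": "Registrar A", "privacy": "Proxy X",
     "links": {"https://cdn.example/c.js"}},
    # Same link, but a different registrar: a common theme link alone is too weak.
    {"domain": "avsetup-five.shop", "registrar": "Registrar B", "privacy": "Proxy X",
     "links": {SHARED_LINK}},
]


def cluster_by_shared_indicators(records, min_shared_links=1):
    """Link two domains when they share registrar AND privacy provider AND at
    least `min_shared_links` metadata links; return clusters of size > 1."""
    parent = {r["domain"]: r["domain"] for r in records}   # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    # Only compare domains that already share the infrastructure indicators.
    by_infra = defaultdict(list)
    for r in records:
        by_infra[(r["registrar"], r["privacy"])].append(r)

    for group in by_infra.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if len(a["links"] & b["links"]) >= min_shared_links:
                    parent[find(a["domain"])] = find(b["domain"])

    members = defaultdict(set)
    for d in parent:
        members[find(d)].add(d)
    return sorted(sorted(c) for c in members.values() if len(c) > 1)


if __name__ == "__main__":
    for c in cluster_by_shared_indicators(RECORDS):
        print("cluster:", ", ".join(c))
```

Lowering `min_shared_links` to 0 shows why the link requirement matters: every domain on the same registrar and proxy then collapses into one cluster.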

Discussion

The numbers of results identified in this simple study (considering only 16 antivirus brands, and looking only at branded domain names where the brand name appears at the start) indicates that the scale of the issue of antivirus infringements, scams and fake sites is likely to be considerable, and certainly comprises far more examples than the handful of sites reported in the original article. 

These findings highlight not only the importance of care being taken by consumers, but also the necessity for brand owners - particularly in industries where digital security is such a central concern - to employ comprehensive brand protection programmes comprising monitoring, analysis and enforcement. Defensive domain registrations are also likely to play a significant part of this picture, as shown by (for example) the significant numbers of potential infringements where the second-level domain name consists just of the brand name; for key TLDs, these types of domain names should certainly be kept under the control of the brand owners in question. 

Another point to take away is the importance of organisations communicating the identity of their official site(s) clearly to their customer base, and educating them on the risks of engaging with other unapproved entities. Increased adoption of dot-brand domain-name extensions may be a key part of this solution. Finally, it would also be advantageous for brand owners to more extensively explore schemes to proactively push out alerts to browsers, whenever fake sites are detected or reported[8].

References

[1] https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/

[2] https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html 

[3] https://www.security.org/antivirus/best/ 

[4] https://www.techradar.com/best/best-malware-removal 

[5] The monitored brand strings were: "^totalav", "^surfshark", "^norton", "^kaspersky", "^mcafee", "^bitdefender", "^trend-?micro", "^avast", "^eset", "^vipre", "^malwarebytes", "^f-?secure", "^avira", "^avg", "^emsisoft", and "^spybot", where '^' denotes that the string must appear at the start of the domain name, and '?' denotes that the previous character (in these cases, where appropriate, a hyphen) is optional.

[6] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 9: 'Domain landscape analysis' [awaiting publication]

[7] 'Patterns in Brand Monitoring' by D.N. Barnett, Chapter 6: 'Result "clustering"' [awaiting publication]

[8] https://circleid.com/posts/20231205-can-we-get-more-eyes-on-britains-largest-scam-watch-list 

This article was first published as an e-book on 4 June 2024 at:

https://www.iamstobbs.com/a-bit-of-a-nasty-antivirus-ebook
