Research discloses that the Top-Level Domains (TLDs) with the “shadiest” websites are exclusively used for malicious purposes
Many security researchers had warned that the Internet Corporation for Assigned Names and Numbers’ (ICANN) decision to allow a host of new commercial generic top-level Internet domains would create an abundance of opportunities for internet scammers and hackers to exploit shady domains. Researchers have disclosed that a number of top-level domains are used almost entirely to support botnets, spam campaigns and phishing.
Attackers are always in search of new domains for links that lead users to download malware, divulge personal data or spam their friends. Also, liberalization of the Web has expanded the number of top-level domains tenfold in the past two years.
Blue Coat, a US-based provider of security and networking solutions, has disclosed new research for consumers and businesses that shows the Top-Level Domains (TLDs), or “neighborhoods,” most associated with suspicious websites. The company analyzed hundreds of millions of Web requests from over 15,000 businesses and 75 million users to test the legitimacy of ten different TLDs. The Blue Coat security team says a domain was considered “suspicious” if it contained spam, scams, malware, a botnet link or potentially unwanted software (PUS), or was related to phishing activities.
However, if a domain was clean, the domain was awarded the accolade of being “non-shady.”
The major findings indicate that more than 95 percent of websites in 10 different TLDs are rated as dangerous and suspicious. The most dangerous TLDs, each containing one form of shady activity or another, were .zip and .review, while the safest new ones were .london, .tel and .church.
“Due to the explosion of TLDs in recent years, we have seen a staggering number of almost entirely shady Web neighborhoods crop up at an alarming rate,” said Dr. Hugh Thompson, CTO for Blue Coat Systems.
“The increase in Shady TLDs as revealed by Blue Coat’s analysis is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike.”
“Ideally, TLDs would all be run by security-conscious operators who diligently review new domain name applications, and reject those that don’t meet a stringent set of criteria,” Blue Coat wrote in its study.
“The reality for many of these new neighborhoods is that this is not happening.”
Overall, the worst ten TLDs for malicious domains, as of August 2015, were:
- .zip (100.00%)
- .review (100.00%)
- .country (99.97%)
- .kim (99.74%)
- .cricket (99.57%)
- .science (99.35%)
- .work (98.20%)
- .party (98.07%)
- .gq (97.68%)
- .link (96.98%)
On the other hand, the cleanest TLDs seem to be .mil (0.24%), .jobs (0.36%), .ck (Cook Islands) (0.52%), .church (0.84%), .gov (0.96%), .gl (Gibraltar) (1.26%), .tel (1.60%), .kw (Kuwait) (1.61%), .london (1.85%), and .jp (Japan) (1.95%).
According to the Blue Coat researchers, custom domains are mostly used in spam and scam campaigns, as most users tend to believe that these new generic domain names are difficult to come by or are extremely expensive.
It is difficult to ask users to remember to take extra precautions when accessing one domain extension or another. However, Blue Coat security researchers do suggest that businesses consider blocking traffic that leads to the dangerous top-level domains. Users should also take care before clicking on links based on these TLDs if received over email or social networks.
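One way to apply the blocking advice above at a proxy or mail gateway, as an added example that is not Blue Coat's tooling: the check must look at the host's final label only, so that a `.zip` file on a `.com` site or a `zip.` subdomain is not blocked by mistake. The function names and the sample URLs are constructed for illustration; the TLD set is the top-ten list from this article.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The ten TLDs this article lists as worst (Blue Coat, August 2015).
SHADY_TLDS = {"zip", "review", "country", "kim", "cricket",
              "science", "work", "party", "gq", "link"}

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def tld_of(url):
    """Return the lowercase TLD of the URL's host, or None if it has none."""
    if not _HAS_SCHEME.match(url):
        url = "//" + url              # bare "host:port/path" as seen in proxy logs
    try:
        host = urlsplit(url).hostname  # strips userinfo and port, lowercases
    except ValueError:
        return None                    # malformed authority
    if not host:
        return None
    host = host.rstrip(".")            # "example.zip." is the same name, fully qualified
    try:
        ipaddress.ip_address(host)
        return None                    # IP literals carry no TLD
    except ValueError:
        pass
    return host.rsplit(".", 1)[1] if "." in host else None

def is_blocked(url):
    return tld_of(url) in SHADY_TLDS

# Constructed sample requests (hypothetical hosts, not observed traffic).
SAMPLE = [
    "HTTP://Update.Example.REVIEW./login",          # mixed case, trailing dot
    "http://files.example.com@promo.zip/",          # real host follows the "@"
    "https://example.com/downloads/report.zip",     # .zip is a file, host is .com
    "http://zip.example.com/",                      # "zip" is only a subdomain
    "cdn.example.link:8443/a.js",                   # no scheme, explicit port
    "example.com/redirect?u=http://x.party/",       # shady URL only in the query
    "http://192.0.2.7/x",                           # IP literal
]

def flagged(urls):
    """Return the URLs whose host sits under one of the listed TLDs."""
    return [u for u in urls if is_blocked(u)]

if __name__ == "__main__":
    for u in flagged(SAMPLE):
        print("BLOCK", u)
```

The check deliberately ignores URLs embedded in query strings, so redirector links need to be evaluated again at the point where the client actually requests the destination host.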