Why Phishers Love New TLDs Like .shop, .top and .xyz – Krebs on Security
Phishing attacks increased by nearly 40% in the year ending August 2024, with much of the growth concentrated in a small number of new generic top-level domains (gTLDs) such as .shop, .top and .xyz, where low prices and the absence of meaningful registration requirements lure scammers, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is promoting plans to introduce a raft of new gTLDs.
A study of phishing data released by Interisle Consulting found that new gTLDs launched in the past few years accounted for only 11% of the new domain market, but for approximately 37% of cybercrime domains reported between September 2023 and August 2024.
Interisle receives sponsorship from several anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
The research found that although .com and .net domains accounted for approximately half of all domains registered last year (more than all other TLDs combined), they accounted for just over 40% of all cybercrime domains. According to Interisle, almost the same proportion (37%) of cybercrime domains were registered in new gTLDs.
Spammers and scammers gravitate to domains in new gTLDs because these registrars often offer cheap or free registrations with few account or identity verification requirements. For example, of the gTLDs with the highest cybercrime domain scores in this year’s study, nine offer registration fees of less than $1, and nearly 20 offer registration fees of less than $2. By comparison, the cheapest price for a .com domain is $5.91.
Currently, approximately 2,500 registrars are authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN), a California-based nonprofit organization that oversees the domain name industry.
Incredibly, despite years of reports documenting serious abuse of new gTLDs by phishers, ICANN is still moving ahead with plans to introduce more new gTLDs. Under ICANN’s proposal, the next round of new gTLD applications will be accepted in 2026.
John Levine is the author of “The Internet for Dummies” and the president of CAUCE. Adding more top-level domains without stricter registration policies could further expand an already ample space for cybercriminals, Levine said.
“The problem is that ICANN can’t decide whether to be a neutral nonprofit regulator or a trade association for domain speculators,” Levine told KrebsOnSecurity. “But they behave more like the latter.”
Levine said the vast majority of new gTLDs have thousands of domain names, a far cry from the number of registrations needed just to cover the upfront costs of operating a new gTLD, which range from about $180,000 to $300,000. New gTLD registrars can quickly attract customers by selling domains cheaply to bulk buyers, but this is often a losing strategy.
“It turns out that selling to criminals and spammers is a bad thing,” Levine said. “You can charge whatever you want for the first year, but when the domain renews you have to charge the list price. Criminals and spammers never renew. So if it sounds like the economics make no sense, that’s because the economics make no sense.”
In nearly all of its previous reports, Interisle found that the top brands mentioned in phishing attacks were the largest technology companies, including Apple, Facebook, Google, and PayPal. But last year, Interisle found that the United States Postal Service was by far the most targeted entity for phishing attacks, with more than four times as many phishing domains as the next most common target (Apple).
At least some of that growth may come from a prolific cybercriminal using the nickname Chenlun, who has been selling phishing kits targeting domestic postal services in the United States and at least a dozen other countries.
Interisle says that more and more phishers are eschewing domain registrations entirely, instead using subdomain providers such as blogspot.com, pages.dev and weebly.com. The report notes that attacks hosted on subdomain provider services can be difficult to mitigate because only the subdomain provider can deactivate malicious accounts or remove malicious web pages.
“Any action upstream, such as blocking a second-level domain, will have an impact on the provider’s entire customer base,” the report states.
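As an added illustration (not from the article or the Interisle report), the triage routine below applies the distinction the report draws: a host under a subdomain provider is only safely actionable at the exact hostname, via the provider, while a domain in a conventional TLD is handled at its registrable domain, via the registrar. The provider list, the simplified suffix logic and the sample URLs are constructed assumptions.

```python
"""Triage reported phishing URLs by the unit at which they can be safely acted on."""
from collections import Counter
from urllib.parse import urlsplit

# Subdomain providers named in the report: the apex is shared by many legitimate
# customers, so only the exact host (via the provider) is a safe takedown unit.
SUBDOMAIN_PROVIDERS = {"blogspot.com", "pages.dev", "weebly.com"}
# New gTLDs the article singles out as disproportionately abused.
NEW_GTLDS = {"shop", "top", "xyz"}

# Constructed sample reports (hypothetical hostnames, not real indicators).
SAMPLE_REPORTS = [
    "https://usps-track-parcel.top/redelivery",
    "https://Login.USPS-Verify.shop/",
    "https://apple-id-check.xyz/signin",
    "https://example.com/some/page",
    "https://usps-redelivery-fee.blogspot.com/2024/form",
    "https://parcel-reschedule.pages.dev/",
]

def registrable_domain(host):
    """Last two labels of the host. Simplification: assumes a single-label
    public suffix; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def triage(url):
    """Decide the blocking unit and whom to report to for one phishing URL."""
    host = urlsplit(url).hostname or ""
    apex = registrable_domain(host)
    tld = apex.rsplit(".", 1)[-1]
    if apex in SUBDOMAIN_PROVIDERS:
        # Blocking the apex would hit the provider's whole customer base.
        return {"host": host, "block_unit": host, "route": "provider", "tld": tld}
    return {"host": host, "block_unit": apex, "route": "registrar", "tld": tld}

def summarize(urls):
    """Count reports by route and, for registered domains, by TLD; return the
    share of registered phishing domains that sit in the flagged new gTLDs."""
    by_route, by_tld = Counter(), Counter()
    for url in urls:
        result = triage(url)
        by_route[result["route"]] += 1
        if result["route"] == "registrar":
            by_tld[result["tld"]] += 1
    flagged = sum(n for tld, n in by_tld.items() if tld in NEW_GTLDS)
    share = flagged / sum(by_tld.values()) if by_tld else 0.0
    return by_route, by_tld, share
```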
Last year, Interisle tracked more than 1.18 million instances of subdomains used for phishing (a 114% increase) and found that more than half were subdomains of blogspot.com and other services operated by Google.
“Many of these services allow the creation of large numbers of accounts at once, which can be easily exploited by criminals,” the report concludes. “Subdomain providers should limit the number of subdomains (user accounts) that customers can create at one time and suspend high-volume automatic account registration, especially when using free services.”
Dec. 4, 10:21 a.m. ET: Report link corrected.
2024-12-03 13:27:31