Phishing attacks increased nearly 40 percent in the year ending August 2024, and much of that growth was concentrated in a small number of new generic top-level domains (gTLDs), such as .shop, .top and .xyz, that attract scammers with low prices and few meaningful registration requirements, a new study finds. Meanwhile, the non-profit organization that oversees the domain name industry is moving forward with plans to launch still more new gTLDs.
Research on phishing data released by Interisle Consulting finds that the new gTLDs launched in the past few years command only 11 percent of the market for new domains, yet account for nearly 37 percent of the cybercrime domains reported between September 2023 and August 2024.
Interisle receives data about cybercrime domains from anti-spam organizations, including the Anti-Phishing Working Group (APWG), the Coalition Against Unsolicited Commercial Email (CAUCE), and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
The research finds that .com and .net domains, which made up nearly half of all domains registered last year (more than all other TLDs combined), accounted for just over 40 percent of all cybercrime domains. Interisle says an almost equal share, 37 percent, of cybercrime domains were registered in new gTLDs.
Spammers and fraudsters gravitate to domains in the new gTLDs because registrars selling them often offer cheap or free registration with little or no account or identity verification. For example, among the gTLDs with the highest cybercrime domain scores in this year's study, nine offered registration fees under $1, and 22 offered fees under $2.00. By comparison, the cheapest price listed for a .com domain was $5.91.
Currently, there are approximately 2,500 registrars authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN), a California non-profit organization that oversees the domain industry.
Ironically, despite years of these reports showing that phishing heavily exploits the new gTLDs, ICANN is moving forward with plans to introduce more of them. ICANN's next proposed round would begin accepting applications for new gTLDs in 2026.
John Levine is the author of "The Internet for Dummies" and president of CAUCE. Levine said that adding more TLDs without a more stringent registration policy would expand a greenfield already infested with criminals.
"The problem is that ICANN can't make a decision whether it's a neutral nonprofit or a domain trade association," Levine told KrebsOnSecurity. "But they act a lot like the latter."
Levine said most new gTLDs have only a few thousand domains, a far cry from the number of registrations they would need to cover the upfront costs of operating a new gTLD (roughly $180,000 to $300,000). New gTLD registries can attract customers quickly by selling domains cheaply to buyers who register domains in bulk, but that is often a losing strategy.
"Selling to criminals and spammers is just a bad business," Levine said. "You can charge whatever you want for the first year, but you have to charge list prices for domain renewals. And criminals and spammers never renew. So if it sounds like the economics don't make sense, it's because the economics don't make sense."
In almost all previous phishing reports, Interisle found the top brands impersonated in phishing attacks were major technology companies, including Apple, Facebook, Google and PayPal. But this past year, Interisle found the U.S. Postal Service was the most phished entity, with four times as many phishing sites as the second most common target (Apple).
At least some of that increase is likely attributable to more cybercriminals using phishing kits sold by an individual using the alias Chenlun, whose kits targeted postal services in the United States and at least a dozen other countries.
Interisle says that an increasing number of phishers are avoiding domain registration altogether, and are instead taking advantage of subdomain providers such as blogspot.com, pages.dev and weebly.com. The report notes that phishing attacks hosted on subdomain providers' services can be difficult to mitigate, because only the subdomain provider can disable malicious accounts or take down malicious web pages.
"Any incremental action, such as blocking a second-level domain, could impact the provider's entire customer base," the report noted.
Interisle tracked more than 1.18 million instances of subdomains being used for phishing in the past year (a 114 percent increase), and found that more than half of those were subdomains from blogspot.com and other services operated by Google.
"Many of these services allow the creation of multiple accounts at the same time, which is widely exploited by criminals," the report concluded. "Subdomain providers should limit the number of subdomains (user accounts) a customer can create at one time and stop automated sign-ups for high-volume accounts, especially on free services."