Domain abuse | Which TLDs are employed for misuse?
Fraud and crime have become inextricably linked to the internet, manifesting in various forms such as counterfeit stores, phishing emails and spam. We explore which TLDs are currently used most often for abusive purposes.
Published by
Katrin Ohlmer
Date
Each TLD registry deals with domain abuse of their infrastructure differently. As a consequence, criminals tend to favor certain top-level domains (TLDs), while giving others a wide berth. Some operators contractually commit themselves to taking strong action against abusive activities. Some have made voluntary declarations of intent, while others barely undertake anything or do absolutely nothing at all. We shed light on how these factors impact domain abuse by analyzing individual TLDs. Furthermore, we examine whether certain TLDs demonstrate a significant level of phishing or spam activities.
gTLDs without contractual obligations
TLDs can be divided into three categories: generic TLDs (gTLDs), country code TLDs (ccTLDs) and new gTLDs. gTLDs are generally operated by private companies and non-profit organizations. For example, the publicly traded US company Verisign operates .com and net, the publicly traded US company Neustar runs .biz, the US company Identity Digital operates the TLD .info and the non-profit organization Public Interest Registry manages .org.
Many TLD registries are not under any contractual obligation to regulators or ICANN that requires them to deal with domain abuse. Only a handful have signed contracts with ICANN that include clauses describing efforts and statements of intent about dealing with domain abuse. For example, Verisign, the registry of .com, has agreed to the following provisions in the contract with ICANN:
Verisign and ICANN agree to work in good faith to do the following in order to help combat Security Threats.
Within a reasonable period of time following the approval and promulgation by ICANN of the enhanced contractual provisions developed as a result of the work performed pursuant to Section 1A above into the new gTLD base agreement, Verisign will adopt in the .com Registry Agreement such promulgated provisions in a form reasonably appropriate for the .com TLD.
The registry of .com, the extension with the most registered domains, promises ICANN that it will make every effort to combat security risks. Verisign also pledges to include new commitments in any adjustments to the ICANN treaty, although it reserves the right to decide whether these are “reasonable” or “adequate” – which is rather vaguely worded. The contract does not include any concrete obligations for Verisign to deal with spam and other abuse or any punitive sanctions if appropriate action is not taken.
The special TLDs .gov, .mil and .edu, for which public domain registrations are not possible, are exempt from contractual regulations. For example, .mil is operated directly by the U.S. Department of Defense.
ccTLDs have no contract with ICANN
Some ccTLDs are operated by private companies and organizations. For example, the Frankfurt-based cooperative DENIC eG operates the German extension .de; the Austrian registry nic.at GmbH is responsible for .at. Some are also state-owned, such as the Norwegian .no extension, managed by Norid, and the Finnish .fi extension, owned by the Finnish Transport and Communications Agency (Traficom). Other country extensions are still closely linked to university operation, such as the Chilean extension .cl, which is administered by the University of Chile, and the Lithuanian extension .lt, which is operated at the Kaunas University of Technology.
ccTLD registries have no contract with ICANN and therefore no contractual obligation to act against domain abuse. This is because, in order to implement policies, the cooperation was initially purely informal. However, since 2000, ICANN has been working with the ccTLD administrators towards formalizing their relationship. These are formal agreements, the so-called “Exchange of Letters”, in which the registries make a commitment to ICANN that they will operate the respective country extensions in the best possible manner.
The European ccTLD .eu is an exception. The registry EURid has undertaken the obligation to provide an abuse contact, but without any obligations with regard to processing domain abuse reports and cases.
New gTLDs share a consistent ICANN agreement
Private companies and non-profit organizations predominantly operate the new gTLDs that have been approved by ICANN since 2014. They have a single contract with ICANN that defines obligations under which operators must take action against domain abuse.
The registries use domain abuse monitoring and management systems for this purpose. These permanently monitor whether the domains registered under the respective TLD are used for malicious purposes. To this end, they use the data of specialized providers such as Abusix or Phishtank, among others. The systems detect any abuse of domains and support registries in promptly notifying the affected providers of such cases. In turn, the providers process the domain abuse in their systems or in collaboration with their customers.
Detection of spam, malware and phishing by TLD category
We analyzed the specific number of domain abuse cases in different TLD categories. To do this, we picked a day (14 March 2023) and examined how domain abuse is spread across the different TLD categories using two tools – Abusix and Phishtank. While Abusix Mail Intelligence tracks the categories of spam, malware and phishing, Phishtank focuses exclusively on phishing.
The data sheds light on a number of questions. Are specific types of domain abuse more prevalent among certain TLDs? Are ccTLDs, for example, used more frequently for phishing, while gTLDs are instead employed for spam? To complete the analysis, we examined whether domain abuse frequency varies based on the type of TLD.
Top 10 Abusix | Top 10 Phishtank |
.com | .com |
.link | .app |
.net | .co |
.cn | .tio |
.top | .io |
.tk | .net |
.ru | .dev |
.org | .ru |
.club | .org |
.xyz | .site |
The figures show that the number of domain abuse cases between the TLD categories is almost evenly distributed. The top 10 domain extensions with the most cases of abuse includes three gTLDs and ccTLDs and four new gTLDs each.
Comparing gTLDs
Place | Abusix | Phishtank |
1 | .com | .com |
2 | .net | .net |
3 | .org | .org |
4 | .biz | .info |
5 | .info | .pro |
6 | .pro | .biz |
A comparison of the data from Abusix and Phishtank reveals a high degree of correlation in the ranking within the gTLD category. These figures show that gTLDs are used equally for different domain abuse activities. Only places four to six show slight differences in the ranking order.
Comparing ccTLDs
Place | Abusix | Phishtank |
1 | .cn | .co |
2 | .tk | .io |
3 | .ru | .ru |
4 | .in | .me |
5 | .pl | .fr |
6 | .uk | .gd |
The ccTLD lists do not provide a uniform picture whatsoever. Only the Russian extension .ru is included third in both rankings.
Comparing new gTLDs
Place | Abusix | Phishtank |
1 | .link | .app |
2 | .top | .top |
3 | .club | .dev |
4 | .xyz | .site |
5 | .monster | .link |
6 | .shop | .xyz |
The new gTLD rankings show interesting results. Although three of the top 6 TLDs match (.top, .link, .xyz), they are listed in different positions. Overall, the scenario here is quite varied.
Exceptions in the categories brandTLDs and geoTLDs
Interesting observations can be made in two new gTLD subcategories – namely brandTLDs and geoTLDs. BrandTLDs (also known as dotBrand) show no cases of domain abuse. And there is a very logical explanation for this. Only trademark owners can register domain names under brandTLDs. Any misuse by third parties is therefore ruled out.
The analysis of geoTLDs also delivers a more consistent picture. We analyzed the domain abuse cases of all European cityTLDs for the first quarter of 2023 (1 January – 31 March 2023). A total of 18 cases were reported during this period. Of these 18 cases, the majority were so-called false positives. This refers to warnings that, for instance, mention the IP address but not the domain, making them invalid.
Domain abuse was identified for six of the 18 domains. Accordingly, one third of the instances in the sample were indeed abuse cases and two thirds were false reports. Of the six real cases, three occurred under the cityTLD .london, two under its French counterpart .paris and one under the Austrian extension .vienna. These data show that geoTLDs are barely affected by domain abuse.
Domain abuse involving spam, phishing and malware
In the realm of domain abuse, three primary categories emerge as the most prominent threats: spam, phishing, and malware. We analyzed the level of each of these threats for different TLDs.
Domain abuse cases connected to spam
Spamhaus is often used to analyze domain abuse in the spam category. We analyzed Spamhaus data for one week, from 29 March to 4 April 2023. It should be noted that Spamhaus analyzes and evaluates the proportion of domains misused for spam out of the actively used domains based on the registration volume of the TLD. Parked domains are not considered.
It is striking that almost exclusively gTLDs are listed among the top 10 with the most spam cases. Only two non-generic TLDs are present, namely the Chinese country extension .cn and the Japanese geoTLD .okinawa.
Rank | 29 March | 30 March | 31 March | 1 April | 2 April | 3 April | 4 April |
1 | .rest | .rest | .rest | .rest | .rest | .rest | .rest |
2 | .okinawa | .okinawa | .okinawa | .okinawa | .okinawa | .okinawa | .okinawa |
3 | .live | .live | .live | .live | .live | .monster | .monster |
4 | .monster | .monster | .monster | .monster | .monster | .okinawa | .top |
5 | .top | .top | .top | .top | .top | .top | .okinawa |
6 | .boutique | .boutique | .boutique | .boutique | .boutique | .boutique | .boutique |
7 | .beauty | .beauty | .beauty | .beauty | .beauty | .beauty | .beauty |
8 | .haus | .haus | .haus | .haus | .cn | .cn | .degree |
9 | .zone | .zone | .zone | .cn | .haus | .zone | .cn |
10 | .bar | .cn | .cn | .zone | .zone | .autos | .zone |
Domain abuse cases by spam (Source: Spamhaus).
Domain abuse cases connected to phishing and malware
Netcraft is a valuable resource for establishing the correlation between the volume of active domains and instances of abuse, effectively filtering out any parked or inactive domains. Netcraft focuses on the domain abuse categories of phishing and malware. We looked at the Netcraft data for the same period as the Spamhaus analysis, i.e. 29 March to 4 April 2023.
Rank | 29 March | 30 March | 31 March | 1 April | 2 April | 3 April | 4 April |
1 | .gives | .gives | .gives | .gives | .gives | .gives | .gives |
2 | .cyou | .cyou | .cyou | .cyou | .cyou | .cyou | .cyou |
3 | .vg | .vg | .vg | .vg | .vg | .vg | .vg |
4 | .top | .top | .top | .top | .top | .top | .top |
5 | .bond | .bond | .bond | .bond | .bond | .bond | .bond |
6 | .fun | .fun | .fun | .fun | .buzz | .buzz | .buzz |
7 | .buzz | .buzz | .buzz | .buzz | .life | .life | .life |
8 | .life | .life | .life | .life | .fun | .fun | .today |
9 | .edu | .edu | .edu | .edu | .edu | .edu | .edu |
10 | .ug | .ug | .ug | .ug | .ug | .ug | .bd |
Domain abuse cases with phishing and malware (Source: Netcraft).
Two TLDs among the Netcraft data are worth a closer look. The first is .gives, taking the top spot, operated by the same registry responsible for .org – the Public Interest Registry – and thus an “old hand”. And the second is .edu, which can only be registered by US universities and schools.
Interestingly, when comparing Spamhaus, Netcraft, Abusix and Phishtank, it becomes apparent that different TLDs sometimes land in the top ten positions. Even though TLDs are represented in the top 10 in several sources, the ranking may nevertheless end up being very different depending on the tool or source used.While some sources may place TLDs within their top 10, others may not. These include the TLDs .top, .link, .monster and the ccTLD .cn.
No specific TLD category is particularly vulnerable to domain abuse
The analysis shows that the distribution of abuse seems to be fairly consistent across all TLD categories, with the exception of brandTLDs and geoTLDs. There is a notable pattern within the respective categories: gTLDs such as .com and .net have a very similar ranking across all categories of domain abuse – with .com taking the lead, followed by .net and .org.
If domain misuse occurs, it is usually spread out equally across the categories spam, phishing and malware. The picture is inconsistent for ccTLDs and new gTLDs, as no TLD occupies a prominent position for all types of abuse.
Why do some TLDs show more abuse cases?
Although domain abuse is spread evenly across TLD categories, our analysis indicates that certain TLDs fall victim to domain abuse more frequently. This means they make an appearance in the statistics more often than others. But why? What influences the rate of domain abuse?
- Price plays an important role in the process of selecting and registering domains for abusive purposes. It’s not surprising that criminals often register cost-free or inexpensive domains, e.g. for phishing emails. Domains with prices in the three-digit euro range are almost never misused.
- If a case of domain abuse occurs, collaborative action is required. TLD registries and the affected providers work hand in hand to solve the problem as quickly as possible. Malpractice is facilitated if this cooperation is not effective.
- Another reason why quick action is essential is because domain abuse causes financial damage to those affected and can harm their reputation. Based on our observations, the responsiveness of the registry and provider can have an impact on the level of TLD abuse. If prompt action is taken to address abuse, this TLD is less commonly targeted.
- If criminals view a TLD as not having domain abuse management, they are likely to increase their illicit activities under that TLD. In some cases, instances of abuse may go undetected for hours or, even worse, may never be detected at all.
- ICANN Compliance bears a greater responsibility for new gTLDs, which are required by contract to monitor and manage abuse. New gTLD registries are obligated to ensure the contractual operation and to investigate relevant reports of domain abuse received from internet users. If such measures are not taken or are delayed, the behavior also has an influence on the selection of the TLD for misuse.
- If the TLD is only of interest to a limited target audience, such as .bank, .gmbh or geoTLDs, domain abuse is very low in absolute terms compared to other TLD categories. We attribute this effect to the limited number of customers and, in addition, to their comparatively high price.
Where can I report domain abuse?
There are various ways to respond to domain abuse. One option is to report the abuse directly to the registry. To facilitate this, nearly all TLD operators have established a dedicated email address. They check incoming emails and forward them to the provider where the domain was registered. Many providers also offer users the possibility to contact them in case of misused domains. The contact address for abuse reports can usually be found in the imprint. The WHOIS entry of the TLD identifies the responsible provider for the TLD.
Domain abuse can be affected by different elements, such as the top-level domain (TLD), pricing and the choice of provider. Keep in mind that there isn’t a one-size-fits-all solution for every situation. To support you as a domain holder in face of domain abuse, registrars like InterNetX offer direct communication channels with customized advice that meets your unique needs. Don’t hesitate to contact our Domain Services Team – they will be more than happy to assist you!