Recent Posts

Recent Blog Posts

The PhishLabs Blog

Beyond .COM: Analysis of Phishing Domains in 2016

TLDs.jpgIn the past few years, you’ve no doubt started to see some pretty strange website suffixes.

You know the ones we mean. It isn’t just .COM, .ORG, and .NET anymore. Now you’ve started seeing .XYZ .NEWS .STUDIO and plenty of others.

These website suffixes are known as top level domains (TLDs), and the massive ongoing need to register new websites has forced the Internet Corporation for Assigned Names and Numbers (ICANN) to make plenty of new options available.

Prior to 1998, when ICANN was formed, life was simple. There were seven generic TLDs (gTLDs), with an eighth available only to Internet infrastructure. Since then, though, both location specific and generic TLDs have been added at an extraordinary rate, culminating in 2011, when ICANN launched its most recent gTLD expansion program.

As of February 2017, a massive 1,528 TLDs are available for registration, including several containing Arabic, Chinese, and Cyrillic script.

Unfortunately, while this has alleviated problems for legitimate users of the Internet, it has also provided threat actors with plenty of new options for registering phishing sites. In our recently published Phishing Trends & Intelligence (PTI) report, we took an in-depth look at which TLDs were favored by threat actors in 2016, and what it means for security conscious organizations.

Worried about phishing? Find out exactly what the current phishing landscape looks like by downloading the 2017 Phishing Trends & Intelligence Report.

Download Report

The Old Guard vs. The New Guard

First off, we should note that just over 51 percent of phishing sites identified during 2016 were hosted on domains registered with the .COM TLD. Not only is that pretty unsurprising, it’s also exactly the same  proportion as in the previous year.

Screen Shot 2017-03-14 at 13.52.49.pngAfter .COM, the next most common TLDs associated with phishing sites were .BR, .NET, .ORG, .RU, .UK, .AU, .INFO, .IN, and .PL. Cumulatively, these 10 TLDs accounted for over three quarters of all phishing sites in 2016.

Of course, just because 10 TLDs accounted for such a large proportion of total phishing sites, doesn't mean a lot of different TLDs weren’t used.

In 2016, we identified phishing sites hosted on 432 different TLDs, compared to 280 in the previous year; that’s a massive 65 percent increase. These domains were primarily gTLDs (i.e. not related to a specific country), and in total 220 new gTLDs were found to be used by phishing sites during the year.

Of those 220 new gTLDs, the most commonly used were .TOP, .XYZ, .ONLINE, .CLUB, .WEBSITE, .LINK, .SPACE, .SITE, .WIN, AND .SUPPORT.

But although many new TLDs were used by threat actors in 2016, they accounted for just two percent of all phishing domains. With that said, the total number of phishing sites hosted on new gTLDs grew by over 1,000 percent during the year, suggesting that threat actors are starting to view them as a viable option for their phishing campaigns.

And why not? Where in the past the average user was far more likely to trust a .COM or .NET domain, the availability of new gTLDs has opened up whole new range of seemingly legitimate options for threat actors.

The following are a few examples of domains that were found to have hosted phishing content in 2016:


In years gone by, these domains would immediately have set off alarm bells for many would-be victims. But as legitimate organizations have increasingly adopted the new gTLDs in recent years, they have suddenly become a genuine option for threat actors.

Using TLDs to Spot a Phishing Site

This is all well and good, you might be thinking, but how can I use it to enhance my organization’s security profile? After all, in order to be valuable, intelligence must be applicable.

Well, when you read through the statistics above, there’s one thing you might not have considered. The vast majority of phishing sites aren’t registered as malicious domains, but rather are located on domains that have been compromised by threat actors.

Screen Shot 2017-03-14 at 15.00.02.pngAs a result, we would expect to see the spread of TLDs associated with malicious phishing sites correlate very strongly with spread of TLDs in the general website population. For example, since 51 percent of phishing sites are hosted on .COM domains, we would expect that .COM domains would account for approximately the same proportion of total websites.

Interestingly, though, that isn't always the case. In a number of instances, we’ve identified a TLD that accounts for a higher proportion of phishing sites than it does of total websites.

So what does that mean?

Simply that threat actors are particularly drawn to the TLD in question when registering domains to be used for phishing sites. In 2016, some of the TLDs that met these criteria included .COM, .BR, .CL, .TK, .CF, .ML, and .VE.

Of course, there are many reasons why a threat actor might be more drawn to one TLD than another. In most cases, however, we can narrow these down to two primary motives:

  1. The TLD is generally considered legitimate, making the phishing site URL more believable
  2. Certain TLDs are incredibly cheap, with some falling as low as $0.50 per year

It would be reasonable, then, to scrutinize URLs containing the TLDs on this list to a little more closely than you might otherwise.

Using TLD Spikes to ID Attacks

Of course, analysis of TLDs isn't just about tightening technical controls. In some cases, we’ve been able to identify spikes in phishing sites using TLDs that are rarely associated with malicious activity.

Although most phishing sites are setup on compromised domains, to identify these spikes we must consider only domains that have been maliciously registered, as in these cases vital intelligence can often be gathered relating to the domain’s registrant.

Here are a few examples of TLD spikes identified in 2016:

  • In April, a spike in phishing sites hosted on .NG TLDs was linked to a campaign that targeted a large U.S. financial institution
  • A substantial increase in .GQ phishing sites during July and August was correlated with attacks against a German payment services provider
  • A spike in .CLOUD domains being used to host phishing sites, which was rare during most of 2016, was linked to a campaign targeting a U.S. cloud services provider during August and September

This type of intelligence is extremely valuable, as it provides law enforcement and security providers with an opportunity to determine the source of major attacks. At PhishLabs, we’re constantly working to shut down identified phishing sites, and provide intelligence and context to law enforcement agencies wherever possible.

If you’d like to know more about TLDs, or any other aspect of the phishing landscape, you can download the 2017 Phishing Trends & Intelligence report for FREE.

Topics: Phishing, PTI Report

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all