Will people ever learn?

By Stuart Fuller


A report published by Spamhaus, the international non-profit organisation that tracks spam and related cyber threats such as phishing, malware and botnets, shows that some of the new gTLDs are attracting individuals and organisations whose motives are less than genuine.  The Spamhaus Project provides real-time, actionable and highly accurate threat intelligence to the Internet's major networks, corporations and security vendors, and works with law enforcement agencies to identify and pursue spam and malware sources worldwide, so it has both the experience and the authority to identify websites and domain names being used by bad actors.

One of the major drivers behind the launch of the new gTLD programme was to give businesses and consumers alike more choice of relevant domain names.  With hundreds of generic terms being launched as new Top Level Domains, it is really no surprise that those with malicious intentions have turned their attention to suffixes that carry a more relevant keyword to the right of the dot than the previously available ones, such as dotCom, dotNet or even dotTK.  With search engines giving weight to keywords that appear in the domain name itself (so-called Exact Match Domains, or EMDs), the chance to place relevant keywords both to the left and to the right of the dot is an opportunity miscreants have been quick to take advantage of.

The research found that several of the new gTLDs show a high ratio of domains that Spamhaus's systems classify as spamming, or as being used for botnet or malware abuse, to the total number of domains in that TLD their systems have seen. The figures are not a long-running history but a one-month "snapshot" of Spamhaus's current view, so a TLD's position in the list can change quickly.

The top ten includes TLDs such as dotDiet, dotClick, dotDownload and dotReview, terms with "click-through" appeal to the untrained eye.  The worst-affected TLDs have ratios above 70%, which is a significant concern for the industry as a whole.  Combining such a suffix with a recognised term or brand name to the left of the dot can fool the untrained eye into visiting the site, and that visit can end with malware, spyware or even ransomware being installed on the user's machine.  One reason these TLDs in particular are being used echoes the story of dotTK's use for illegitimate purposes: the cost to register a name.  The cheaper the registration, the more attractive the TLD is for illicit use, because a domain that is detected and blocked costs next to nothing to replace.

So what is the solution?  It is hard to lay any blame at the registries' door for trying to drive registrations through tactical marketing promotions with their registrar base, and a domain name is not necessarily tied to a website: it may simply redirect the user to content hosted on servers anywhere in the world.  The registrars need to take some responsibility for their registrants and how the names are used, but ultimately, if the "demand" is reduced, the "supply" will reduce in proportion. Education is therefore key to making the internet a safer place.
Registries and registrars should educate their customers using a simple three-step approach.

1. If a website appears to be offering deals, offers or content that seem too good to be true, they probably are!  Check the origins of the domain name: when was it registered, by whom (do the registrant details match the keywords in the domain name?) and where?  A domain registered only days ago is a warning sign in itself.
2. Make sure your anti-virus software is up to date and follow the instructions the programme gives you.  If a website asks you to download anything, make sure you know exactly what the file is, and why you need it, before you run it.
3. If you are asked to enter any personal details into a website, make sure a valid SSL/TLS certificate is in place (the page is served over HTTPS) so that your data is encrypted in transit.  Bear in mind that a valid certificate only proves you are talking to the domain shown in the address bar, not that the site is legitimate; a criminal can obtain one for a newly registered domain just as easily as anyone else.
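The abuse ratio described above (abusive domains over all domains seen in a one-month window, per TLD) and the domain checks in the three steps, worked through as an added example.  This is illustrative code written for this page, not Spamhaus's methodology or any registry's tooling.  The observation records are constructed, the 30-day window, 50% threshold, brand list and click-through word list are assumptions, and the ratios the sample produces are not figures from the report.

```python
"""Per-TLD abuse ratio and a simple domain triage check (added example).

Everything here is constructed for illustration: the observation records
are not Spamhaus data, the keyword lists and thresholds are assumptions,
and the ratios produced are not figures from the report.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed feed of "domain seen by the system" records:
# (domain, date first seen, whether the system classified it as abusive)
OBSERVATIONS = [
    ("free-iphone.click",       "2015-07-03", True),
    ("weekly-special.click",    "2015-07-09", True),
    ("newsletter.click",        "2015-07-12", False),
    ("brand-login.download",    "2015-07-04", True),
    ("driver-update.download",  "2015-07-15", True),
    ("hardware-co.download",    "2015-07-20", False),
    ("bank-secure.review",      "2015-06-02", True),   # outside the window
    ("cafe-review.review",      "2015-07-16", False),
    ("acme.com",                "2015-07-01", False),
    ("example.com",             "2015-07-05", False),
    ("acme-support.com",        "2015-07-08", True),
    ("example.net",             "2015-07-11", False),
]

# Assumed word lists for the "brand name plus click-through keyword" pattern.
CLICK_THROUGH_WORDS = {"free", "win", "secure", "login", "update", "special", "verify"}
BRAND_TERMS = {"acme", "bank", "brand"}   # a defender's own list of protected brands


def tld_of(domain):
    """Rightmost label of the name, lower-cased ("Acme.CLICK" -> "click")."""
    return domain.rsplit(".", 1)[-1].lower()


def abuse_ratios(observations, window_end, window_days=30):
    """Ratio of abusive to seen domains per TLD, as in a one-month snapshot.

    Only records first seen inside [window_end - window_days, window_end]
    count, so older abuse ages out of the picture just as the text describes.
    """
    end = date.fromisoformat(window_end)
    start = end - timedelta(days=window_days)
    seen, bad = defaultdict(int), defaultdict(int)
    for domain, first_seen, abusive in observations:
        if not start <= date.fromisoformat(first_seen) <= end:
            continue
        tld = tld_of(domain)
        seen[tld] += 1
        if abusive:
            bad[tld] += 1
    return {tld: bad[tld] / seen[tld] for tld in seen}


def rank_tlds(ratios, min_ratio=0.5):
    """TLDs at or above the threshold, most abused first (ties alphabetical)."""
    return sorted((t for t, r in ratios.items() if r >= min_ratio),
                  key=lambda t: (-ratios[t], t))


def triage(domain, registered_on, today, ratios, max_age_days=30, min_ratio=0.5):
    """Reasons a domain deserves a second look (empty list means none found).

    Applies the checks from the three-step list: a TLD with a high abuse
    ratio, a very recent registration, and a brand term combined with a
    click-through keyword to the left of the dot.
    """
    reasons = []
    tld = tld_of(domain)
    if ratios.get(tld, 0.0) >= min_ratio:
        reasons.append(f".{tld} abuse ratio {ratios[tld]:.0%}")
    age = (date.fromisoformat(today) - date.fromisoformat(registered_on)).days
    if age < max_age_days:
        reasons.append(f"registered only {age} days ago")
    # Split everything left of the TLD on dots, hyphens and underscores.
    tokens = set(re.split(r"[.\-_]+", domain.rsplit(".", 1)[0].lower()))
    if tokens & BRAND_TERMS and tokens & CLICK_THROUGH_WORDS:
        reasons.append("brand term combined with click-through keyword")
    return reasons


if __name__ == "__main__":
    ratios = abuse_ratios(OBSERVATIONS, "2015-07-31")
    for tld in rank_tlds(ratios):
        print(f".{tld}: {ratios[tld]:.0%} of seen domains flagged as abusive")
    for name, registered in [("acme-secure-login.click", "2015-07-28"),
                             ("example.net", "2010-01-01")]:
        print(name, triage(name, registered, "2015-07-30", ratios) or ["nothing found"])
```

In practice the registration date and registrant would come from a WHOIS or RDAP lookup (the check in step 1) and the ratio table from a real feed; the small sample here is only there so the logic can be run and read offline.  Note how the ratio is sensitive to the snapshot window: the flagged dotReview name was first seen before the window opens, so dotReview scores zero here even though a bad domain exists in it.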

Details of the Spamhaus report can be found here.