ICANN's Fresh Top Level Domains: a Gift to Phishers

Written by

Though they may be freshly initiated internet addresses, malicious activity is already being seen coming from many of the new top-level domains released this year by Internet Corporation for Assigned Names and Numbers (ICANN). It’s a worrying trend that shows fresh addressing to be a boon for phishers and spammers—at least at first.

While the term “top-level domain” (TLD) may not be familiar to the average web surfer, it is a core part of the domain name system (DNS) that the internet relies on. TLDs refer to the last portion of a domain name used for addressing, i.e., .com, .gov and the like.

ICANN is in charge of TLDs and periodically releases new suffixes as others become saturated. More than 300 new TLDs were revealed by ICANN earlier this year, including .email, .support and .guru. And, many more are expected to be released in the near future as well. Already, there appears to be a hierarchy establishing itself in terms of who uses which and for what purposes—and some TLDs are more likely than others to be exploited by the bad guys.

“Out of curiosity, we checked our honeypot logs for the past 60 days to see if any malicious activity came from these new TLDs,” explained Jerome Segura, a researcher at Malwarebytes, in a blog, adding that many of them have already been compromised.

“It is important to note that the majority of the domains involved were not registered by the bad guys themselves,” he said. “Instead, what we observed are websites that have been hacked and used for nefarious purposes.”

For example, .pharmacy would be a good candidate for spammers pushing various drugs, Segura explained, “even though there are some restrictions as to who is allowed to register their site.”

In a corroborating finding, the SANS Internet Storm Center recently reported that phishing scammers were already using the .support TLD.

“Pretty much ever since TLD .biz went online a couple years ago, and the only ones buying domains in this space were the scammers, we kinda knew what would happen when ICANN's latest folly and money-grab went live,”  SANS researchers said in a bulletin. It looks like a number of the new top-level domains, like .support", .club, etc. have now come online. And again, it seems like only the crooks are buying.”

SANS is in the process of investigating a wave of phishing emails that try to lure the user to a copy of the Bank of America website.

“The main difference, of course, is that any login credentials entered do not end up with Bank of America, but rather with some crooks, who then help themselves to the savings,” the organization explained.

Worse, the new TLDs can help invalidate tried and true scam-fighting techniques.

“Since the crooks in this case own the domain, and obviously trivially can pass the so-called domain control validation employed by some [certificate authorities], they actually managed to obtain a real, valid SSL certificate,” SANS said. “Addition of SSL to the phish means that another scam indicator that we once taught our users is also no longer valid. When a user clicks on the link in the phishing email, the browser will actually show the padlock icon of a ‘secure site.’”

What’s hot on Infosecurity Magazine?