Domains Under the Most-Abused TLDs: Same Old DNS Abuse Trends? (original) (raw)
Protect your privacy: Get NordVPN → Deal: 73% off 2-year plans + 3 extra months
While threat actors can use any domain across thousands of top-level domains (TLDs), they often have favorites. For instance, you may be familiar with Spamhaus’s 10 most-abused TLDs for spamming.
WhoisXML API researchers recently built on this list by analyzing 40,000 newly registered domains (NRDs) that sported some of the listed unreputable TLDs. We called this study “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs.” Below is a summary of the report’s findings:
- About two-thirds of the domains had redacted WHOIS records.
- The domains frequently contained finance-related text strings and popular company names.
- Various domains contained country strings, hinting at localized campaigns.
Having observed domain and DNS activities for years, these patterns didn’t come as a surprise. However, the study further strengthened these trends’ continued relevance in 2023 and probably the upcoming years.
Abused WHOIS Redaction, a Likely Camouflage
WHOIS data redaction is nothing new. While the legitimate main goal is to protect domain owners’ privacy, threat actors have knowingly taken advantage of WHOIS data redaction under the pretext of privacy protection.
In a webinar conducted by the Coalition for a Secure and Transparent Internet in June 2022, ITIF Vice President Daniel Castro said WHOIS data redaction has given a “new cloak of anonymity and protection to Internet site operators engaged in illegal and malicious activity.”
Our study supported that argument, as most of the domain names sporting the most-abused TLDs revealed little about their registrants. About 64% of the domains had hidden WHOIS records.
Figure 1: Ratio of domains with redacted WHOIS records against those with public WHOIS data
This trend will likely continue in the coming years, as privacy laws become tighter and since data protection-as-a-service (which includes domain privacy protection) is predicted to become a US$94.3-billion industry by 2027.
Brand Squatting and Using Finance-Related Strings as Bait
We often see cybersquatting domains targeting popular companies as indicators of compromise (IoCs) used to host fake donation websites, launch denial-of-service (DoS) attacks, and run other malicious campaigns.
As to who their targets are, CheckPoint’s recent report tells us that the most-imitated brands are:
- Yahoo!
- DHL
- Microsoft
- WeTransfer
- Netflix
- FedEx
- HSBC
Still, no company or industry is safe. An in-depth study published by Akamai in 2022 revealed that cybersquatters actually don’t ignore any vertical. The domains under the most-abused TLDs we studied were no different.
Many of the properties we identified seemingly rode on the popularity of well-known brands, such as Windows, Apple, United Parcel Service (UPS), and Walmart. Here’s an example of a cybersquatting domain targeting Walmart, which hosted a website featuring the imitated store’s logo and company colors.
On the other hand, the content of the official Walmart domains looks like this:
Brand squatting domains sporting look-alike content remain effective lures to steal sensitive information as in the case of a Google ad for GIMP[.]org that served info-stealers through a look-alike website back in October 2022.
Also, generic finance-related strings frequently appeared among the domains sporting the most-abused TLDs. We saw several domains potentially targeting online banking users and parcel delivery recipients. Examples include acces-deposit[.]live, bankid[.]live, gllacierbnk[.]top, and parcel-track[.]link.
This pattern reminds us of a cybercrime group called the “Disneyland Team,” which spoofed popular banks through domains containing typo variants and Punycode last year. For example, to imitate usbank[.]com, the group distributed malware via ushank[.]com. To spoof Ameriprise, they used the Punycode version of ạmeriprisẹ[.]com—xn—meripris-mx0doj[.]com.
Suspicious Domains with a Local Touch
The recurring appearance of the string XN- in our DNS abuse study highlights the prevalent use of Punycode or internationalized domain names (IDNs). As previously illustrated, these can be utilized in brand squatting, where only a few characters are replaced with non-Latin characters.
The presence of XN- could also mean that malicious campaigns and potential targets were likely localized with the help of domains written entirely in the target’s language. Below are a few examples.
| Punycode | IDN |
|---|---|
| xn—54qx09k[.]beauty | 觅光[.]beauty |
| xn—6oq6rw3hw6dfy2a1ouk7ff9i2y4a27s[.]top | 银保监会在线查询窗口[.]top |
| xn—k1ahd[.]su | прл[.]su |
| xn—80aimufiw[.]su | ардуино[.]su |
| xn—b8q084c[.]cn | 冷枫[.]cn |
| xn—hm-vra[.]live | hōm[.]live |
| xn—fiq53l6wck2kojtj8g[.]fit | 中国物流平台[.]fit |
| xn—80adzthg3lb[.]link | сітівапк[.]link |
Aside from IDNs, the repeated use of location keywords, such as US, Cyprus, and Dubai, was also common.
These localized domains could be used to deliver location-aware malware, such as Roaming Mantis, which targeted people in France only. The command-and-control (C&C) server was designed to display a 404 error page to users outside France.
Concluding Thoughts
While our study focused on domains sporting the most-abused TLDs, the patterns we identified overlapped with those featured in previous studies. For instance, when we analyzed IoCs related to Gigabud RAT, hundreds of artifacts were found squatting on targeted organizations, including Banco de Comercio, Advice, Thai Lion Air, Shopee Thailand, and Kasikornbank.
Our analysis of Royal Ransomware also revealed finance-related domains, particularly those sporting text strings like trading, bbva, and expensify. On top of that, several properties we analyzed in various threat reports weren’t taken down yet at the time of the investigations.
Furthermore, our monthly New Domain Activity Highlights consistently showed massive WHOIS data redaction among NRDs. For three months in a row, the rate had been more than 70%, the highest of which was observed in November 2022, when 85% of the NRDs had redacted WHOIS data.
These studies, along with the findings highlighted in our downloadable report “DNS Abuse Trends: Dissecting the Domains Under the Most-Abused TLDs,” raise a few open questions that remain relevant in 2023, including:
- Why are the TLDs in the study often cited as the most abused and why do threat actors favor them? Are the TLD operators too lenient, or is domain price a factor?
- How can ICANN, registries, and registrars implement privacy protection laws that don’t compromise cybercrime investigation and prevention?
- How can governments and organizations responsible for domain registration collectively minimize brand squatting?
- Should registrars start filtering brand, company, and trademark names in domain registrations to prevent cybersquatting?
As we await the answers, our team will continue gleaning threat intelligence from domain, IP, and DNS data.
If you want to have a deeper and detailed conversation about DNS abuse or conduct a similar investigation, feel free to contact us.