David Piscitello, Partner
Interisle’s studies and quarterly public reporting for nearly 5 years consistently found that the new gTLD program has been a greenfield for phishers, spammers and other exploiters of the domain name system. For example,
- In our 2024 Cybercrime Supply Chain study, we reported that new generic top-level domains (gTLDs) accounted for 37% of cybercrime domains reported while holding only 11% of the total domain name market.
- In our 2024 Phishing Landscape Study, we reported that after the demise of the phish-friendly Freenom, cybercriminals moved to using inexpensive domain names in new gTLDs. 42% of all domains reported for phishing were registered in new gTLDs, compared to 25% the prior year.
For these studies, we only considered TLDs for which we process domains reported for their association with phishing, spam, or malware activity. Further, we reported measurements and metrics only for TLDs with a minimum of 30,000 domains and 25 phishing domains.
The TLDs that met these criteria included legacy TLDs, ccTLDs, and new gTLDs with unrestricted, open registration policies. Typically, we see between 100 and 150 TLDs that meet these minimum requirements when we publish our quarterly reports at the Cybercrime Information Center. For example, from August 1, 2024 – October 31, 2024, we measured phishing activity in 594 gTLDs and ccTLDs, and spam activity in 715 gTLDs and ccTLDs.
Some TLDs, however, are demonstrating success in mitigating DNS abuse or otherwise have policies that make them less attractive to exploitation by cybercriminals. This set includes gTLDs, e.g., MUSEUM and XXX, and ccTLDs, e.g., DK, FI, HU, IE, MT, NL, SE, SI, and SK.
When we look beyond the minimum criteria for our studies, we find that there are several new gTLDs that merit some respect for admirably managing DNS abuse. Today, we’ll identify these “silver linings”, explain how they are differentiated from publicly available new gTLDs, and make a case for ICANN to carefully consider this differentiation as it seeks to complete policy activity for the New gTLD Program: Next Round in May 2025.
New gTLDs with registration requirements
We used the ICANN Registry Agreements list to find new gTLDs classified as community, or intended for a particular community or group. We then selected only the gTLDs that were described in the list as open for use by the general public or specific communities without sponsorship. We next visited a registrar to determine what registration requirements, if any, exist for gTLDs in this set. Then we re-visited our data sets for our 2024 Cybercrime Supply Chain study.
City and Regional gTLDs
The community gTLDs for cities or regional interest require a nexus: e.g., residency or citizenship, headquarters or office, or an economic, cultural, historical, social connection to the city or region.
The registration requirements for these gTLDs are similar to what we collected for EU ccTLDs for our studies. Unsurprisingly, the majority of these community gTLDs have similarly low cybercrime domain scores.
The outlier, CAT, was affected by a single month (March 2024). Even with the outlier CAT included, all the gTLDs in this set had lower annual cybercrime domain scores than those we reported in our Cybercrime Supply Chain study for the publicly available new gTLDs.
Professional community gTLDs
Certain community gTLDs require a nexus to the community, e.g., being a performer, athlete, musician, band, radio professional, or broadcaster, or membership in an industry association (e.g., wellness, environment).
In this set, we again found one outlier, SPA. The other gTLDs in this set had lower annual cybercrime domain scores than those we reported in our Cybercrime Supply Chain study for the publicly available new gTLDs.
High Security Community gTLDs
Some community gTLDs appear to have requirements from the 2011 High Security Zone TLD Advisory Group, which attempted to identify requirements for TLDs that intended to offer services where registrants have an expectation of higher security.
These gTLDs have stringent registration requirements, and we have no reports for five of the seven in our databases. NGO outperforms the publicly available new gTLDs. ONG’s cybercrime domain score was adversely affected by the 144 domains reported for spam in August 2024. Absent this month, ONG’s score of 213 still outperformed most publicly available new gTLDs.
ICANN: Make Registration Requirements a Priority in “Next Round” Policy Deliberations
In our 2024 Cybercrime Supply Chain study, our analysis of the registration requirements of ccTLDs in the European Union and Asia-Pacific region showed that imposing verification requirements on domain registrations correlated with lower cybercrime and malicious registrations. The community gTLDs we studied for this article show that imposing registration requirements to lower cybercrime and malicious registrations applies to gTLDs as well, and hence to the general case.
As we recommended in our study, ICANN should consider the history of cybercrime activity in new TLDs that offer open registrations and cheap domains carefully as it processes applications. The objective of fostering competition has arguably led to unanticipated and unwanted consequences. Adding more TLDs without a much stricter registration policy will likely further expand an already plentiful greenfield for cybercriminals.
Just FYI, .rio is also a Geo TLD with restricted registration and low levels of abuse.