This post continues the series that looks at aspects of phishing over the past five years.
The previous post compared the proportion of phishing to market share across TLD types. Here we examine those TLDs that have appeared repeatedly in the top positions.
Phishing Domains Reported, by Top Level Domain
When we look at raw counts – number of domains reported for phishing each year – .COM tops the list in each of our yearly studies. This is unsurprising, as .COM domains represent 44% of the global DNS name space.
Three commercialized ccTLDs previously operated by Freenom (.GA, .ML, .TK) appeared in the Top 5 in our 2021-2023 yearly studies, but phishing activity has virtually disappeared from these ccTLDs after Freenom ceased operations following a legal action.
The .XYZ gTLD and .CN ccTLD also have multiple Top 5 rankings. These have 3% and 8% of .COM's domains under management, respectively.
The .TOP gTLD, with barely 2% of .COM’s size, has climbed into prominence in recent years. We reported on phishing activity in .TOP in a recent Insights post.
Here we show a 5-year ranking of the TLDs with the most phishing domains reported:
Thirty-six TLDs appeared in the top-20 phishing domains over the 5-year period. Of these, twenty were new gTLDs, eleven were ccTLDs, and five were legacy TLDs.
Five of the twenty new gTLDs were operated by ShortDot (.BOND, .CFD, .CYOU, .ICU, and .SBS). Five were the Freenom commercialized ccTLDs (.CF, .GA, .GQ, .ML, and .TK).
Phishing Domain Scores
Raw counts can be deceiving. For example, a study that only compares the number of crimes committed in New York City to the number committed in Albany, NY doesn’t consider that the population of Albany is barely 100,000 and New York City has nearly 8.5 million people. A study that uses a per capita comparison would show that the total crime rate in Albany is 165% higher than in New York City. If we were only to compare and rank TLDs by phishing domains, we would invariably highlight TLDs like .COM with larger numbers of domains under management.
To take into consideration TLD size, we calculate a “score” that relates the number of phishing domains to the total number of domains in each TLD.
This comparison yields quite different results.
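The difference between the two rankings can be reproduced with a short script. This is an added example, not code or data from the original post: the hostnames and zone sizes are constructed, the function names are hypothetical, and the per-10,000 scaling and the optional minimum zone size are assumptions, since the post does not give the exact formula.

```python
from collections import defaultdict

# Constructed sample data: hostnames standing in for phishing reports (not real reports).
REPORTED_HOSTS = [
    "login.constructed-a.com", "www.constructed-a.com", "constructed-b.com",
    "constructed-c.com", "constructed-d.com", "constructed-e.com", "m.constructed-f.com",
    "constructed-a.top", "constructed-b.top", "secure.constructed-c.top",
    "constructed-a.support", "CONSTRUCTED-A.support.", "constructed-b.support",
    "constructed-a.xyz",
]
# Constructed zone sizes (domains under management), not real registry figures.
ZONE_SIZE = {"com": 1_600_000, "top": 30_000, "support": 4_000, "xyz": 40_000}

def registered_domain(host):
    """Return the last two labels, lower-cased.
    Assumption: single-label suffixes only (no co.uk-style public suffixes)."""
    labels = [l for l in host.lower().rstrip(".").split(".") if l]
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def phishing_counts(hosts):
    """Count unique registered domains per TLD, so many hostnames on one
    domain are counted once."""
    per_tld = defaultdict(set)
    for host in hosts:
        domain = registered_domain(host)
        if domain:
            per_tld[domain.rsplit(".", 1)[1]].add(domain)
    return {tld: len(domains) for tld, domains in per_tld.items()}

def phishing_scores(counts, zone_size, per=10_000, min_zone=0):
    """Phishing domains per `per` domains in the TLD (scaling is an assumption).
    TLDs with unknown size or fewer than `min_zone` domains are skipped."""
    scores = {}
    for tld, n in counts.items():
        size = zone_size.get(tld, 0)
        if size > 0 and size >= min_zone:
            scores[tld] = n * per / size
    return scores

def rank(values):
    """TLDs ordered from highest to lowest value, ties broken alphabetically."""
    return sorted(values, key=lambda tld: (-values[tld], tld))

if __name__ == "__main__":
    counts = phishing_counts(REPORTED_HOSTS)
    scores = phishing_scores(counts, ZONE_SIZE)
    print("by count:", rank(counts))
    print("by score:", rank(scores))
```

With the constructed data, .COM ranks first by raw count and last by score, while the smallest zone ranks first by score. Setting `min_zone` removes very small TLDs, where a handful of reports produces an outsized score.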
.SUPPORT appears in the top five TLDs by phishing score in three of our five yearly studies; .BOND, .LIVE, .CYOU, and .BAR only appear twice. This shows that phishers move from gTLD to gTLD, perhaps opportunistically. For example, they may take advantage of low prices when acquiring large sets of domains (for a “snowshoe” attack) to reduce their costs of scamming the largest number of people.
Here is a 5-year ranking of the TLDs with the highest phishing domain scores reported:
Forty-nine TLDs appeared in the top 20 phishing domain scores over the 5-year period. Forty-two of these were new gTLDs, of which seven were operated by Binky Moon (including .FINANCE, .SUPPORT, .FYI, .DIGITAL, .ZONE) and seven by XYZ.COM (including .XYZ, .LOL, .MONSTER, and .PICS).
Malicious Phishing Domains
We also look at counts of domains reported for phishing that we believe were obtained maliciously – i.e., by a phisher for the express purpose of phishing. We’ll cover the topic of malicious domain registrations in a forthcoming post in this series.
For More Information
You can find more detailed tables, and the numbers behind the tables above, at the Cybercrime Information Center and read all the Phishing Landscape reports.
In the next post, we look in more detail at how the new gTLD program became a greenfield for phishers.