New gTLDs are not yet being widely used to carry out phishing runs, but most such attacks are concentrated in .xyz.
That’s one of the conclusions of the Anti-Phishing Working Group, which today published its report for the second half of 2014.
Phishing was basically flat in the second half of the year, with 123,972 recorded attacks.
The number of domains used to phish was 95,321, up 8.4% from the first half of the year.
However, the number of domains that were registered maliciously in order to phish (as opposed to compromised domains) was up sharply — by 20% to 27,253 names.
In the period, 272 TLDs were used, but almost 54% of the attacks used .com domains. In terms of maliciously registered domains, .com fared worse, with over 62% share.
According to APWG, 75% of maliciously registered domains were in .com, .tk, .pw, .cf and .net.
Both .tk and .cf are Freenom-administered free ccTLDs (for Tokelau and the Central African Republic) while low-cost .pw — “plagued” by Chinese phishers — is run by Radix for Palau.
New gTLDs accounted for just 335 of the maliciously registered domains — 1.2% of the total.
That’s about half of what you’d expect given new gTLDs’ share of the overall domain name industry.
Twenty-four new gTLDs had malicious registrations, but .xyz saw most of them. APWG said:
Almost two-thirds of the phishing in the new gTLDs — 288 domains — was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in one new gTLD, and we are seeing more examples in early 2015.
XYZ.com aggressively promoted cheap or free .xyz names during the period, but APWG said that only four .xyz phishing names were registered via freebie partner Network Solutions.
In fact, APWG found that most of its phishing names were registered via Xin Net and used to attack Chinese brands.
But, normalizing the numbers to take account of different market shares, .xyz shapes up poorly when compared to .com and other TLDs, in terms of maliciously registered domains. APWG said:
XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .COM’s score of 4.7. Since most phishing domains in .XYZ were fraudulently registered and most in .COM compromised, .XYZ had a significantly higher incidence of malicious domain registrations per 10,000 coming in at 3.4 versus 1.4 for .COM.
APWG said that it expects the amount of phishing to increase in new gTLDs as registries, finding themselves in a crowded marketplace, compete aggressively on price.
It also noted that the amount of non-phishing abuse in new gTLDs is “much higher” than the phishing numbers would suggest:
Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.
The number of maliciously registered domains containing a variation on the targeted brand was more or less flat, up from 6.6% to 6.8%.
APWG found that 84% of all phishing attacks target Chinese brands and Chinese internet users.
The APWG report can be downloaded here.
UPDATE: XYZ.com CEO Daniel Negari responded to the report by pointing out that phishing attacks using .xyz have a much shorter duration compared to other TLDs, including .com.
According to the APWG report, the average uptime of an attack using .xyz is just shy of 12 hours, compared to almost 28 hours in .com. The median uptime was a little over six hours in .xyz, compared to 10 hours in .com.
Negari said that this was due to the registry’s “aggressive detection and takedowns”. He said XYZ has three full-time employees devoted to handling abuse.
The vast majority of top-level domain registries could soon be banned from selling domains into China due to a reported crackdown under a decade-old law.
That’s according to Allegrevita, a company that helps registries with their go-to-market strategies in the country.
Allegravita released a report last week claiming that Chinese registrars will be forbidden to sell domains in TLDs that are not on a government-approved list.
The crackdown could come as early as July, the report says:
Foreign registries which have not applied for Chinese market approval are advised to do so in the near term, as unapproved Top-Level Domains are likely to be taken off the market from July this year.
As of April 30, there were only only 14 TLDs on the approved list. All of them are run by Chinese registries and only five do not use Chinese script.
Not on the list: every legacy gTLD, including .com, as well as every ccTLD apart from .cn.
The Draconian move is actually the implementation of regulations introduced by China’s Ministry of Industry and Information Technology over a decade ago but not really enforced since.
As I reported in December, Donuts was facing problems launching its Chinese-script gTLDs due to this red tape.
MIIT announced in 2012 that new gTLD applicants would need licenses to sell into China.
According to Allegrevita, which until recently was working heavily with TLD Registry (“.chinesewebsite”) on its entry into the country, it’s “no longer ambiguous” that MIIT has asserted full oversight of the domain industry in China.
MIIT’s crackdown appears to be focused on the 93 Chinese registrars it has approved to do business.
Allegravita says these companies will not be allowed to sell unapproved TLD domains to Chinese registrants, but that existing registrations will be grandfathered:
by sometime in July 2015, the MIIT will not permit unapproved registries to operate or offer their domains for sale in China. The MIIT will not interfere with existing domain registrations for unapproved registries; however, new registrations will not be permitted to be sold by Chinese registrars to Chinese registrants.
Presumably, non-Chinese registrars will reap the benefits of this as Chinese would-be registrants look elsewhere to buy their domains.
China is an important market for many registries, particularly the low-cost ones.
Judging by MIIT’s web site, getting approval to sell your TLD in China involves a fairly stringent set of requirements, including having a local presence.
MIIT said in a press release last month that the “special action” is designed “to promote the healthy development of the Internet, to protect China’s Internet domain name system safe and reliable operation
Minds + Machines co-founder Fred Krueger has been kicked out of his job as executive chairman of the company.
The news came as the new gTLD registry reported its first full year of results as a proper, revenue-generating company.
The company reported revenue of $1.9 million for 2014, compared to $56,000 in 2013.
Its report includes a “cash revenue” line of $5 million, to show off revenues that it has deferred to future periods due to standard domain industry accounting.
For accounting purposes, M+M was profitable to the tune of $22 million for the year, but almost none of that is from actually selling domains — $33.7 million of profit came from losing new gTLD auctions.
That’s not a sustainable or predictable part of the business — nobody knows exactly when or if ICANN will launch the next round of new gTLDs — but it did help M+M grow its cash pile to $45.7 million.
That pile may grow or shrink depending on how aggressive the company is in its 11 remaining new gTLD contention set auctions.
CEO Antony Van Couvering said that M+M is also eyeing acquisition opportunities as the new gTLD industry enters an early consolidation phase.
He said that M+M’s early priorities include a focus on selling premium domains that have higher than usual annual renewal fees.
At the same time as announcing its results, the company said Krueger, who founded M+M with Van Couvering in 2009 in anticipation of the new gTLD program, has quit.
While he’s technically resigned, he left no doubt in his unusually frank resignation letter that he’s actually been forced out by the M+M board of directors.
He wrote that the decision was “initiated by the board” and that his “decision” to leave “was unexpected – for me at least”.
He added that he was “OK with it, indeed supportive of it” and that he has no intention to sell off his substantial stake in the company.
Krueger will now focus on Mozart, a web site building software maker that he’s been leading for the last couple of years. M+M has a deal to offer Mozart to its registrants.
He’s been replaced, albeit in a non-executive capacity, by Keith Teare, an existing director.
Teare is a tech veteran perhaps best known in the domain industry for launching and running RealNames, which attempted to replicate AOL Keywords for the Internet Explorer browser at the turn of the century.
NameVault, a registrar that once had over 75,000 domains under management, has been terminated by ICANN over multiple alleged contract breaches.
ICANN told (pdf) the Canadian company this week that its right to sell gTLD domain names will come to an end June 17.
The breaches primarily relate to its failure to provide records relating to the domain stronglikebull.com and its failure to provide ICANN with a working phone number.
NameVault belonged to domain investor Adam Matuzich, but I hear he may have sold it off to an Indian outfit several months ago (that may have been a surprise to ICANN too).
Back in 2011, it had over 75,000 names on its books. Today, it has fewer than 1,000.
The decline seems to be largely due to the departure of fellow domain investor Mike Berkens, who started taking his portfolio to Hexonet a few years ago.
ICANN will now ask other registrars if they want to take over NameVault’s domains.
It’s the fourth registrar to lose its accreditation this year.
The 10-hour outage in the Trademark Clearinghouse’s key database had no impact on domain registrations, ICANN says.
We reported earlier this week that the TMCH’s Trademark Database had been offline for much of last Friday, for reasons unknown.
We’d heard concerns from some users that the downtime may have allowed registrants to register domain names matching trademarks without triggering Trademark Claims notices.
But that worry may have been unfounded. ICANN told DI:
The issue occurred when two nodes spontaneously restarted. The cause of this restart is still under investigation. Although both nodes came back up, several services such as the network interface, TSA Service IP and the SSH daemon did not. All TMDB Services except the CNIS service were unavailable during the outage. From a domain registration point of view there should have been no impact.
CNIS is the Claim Notice Information Service, which provides registrars with Trademark Claims notice data.