Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not led to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

XYZ reveals .monster gTLD launch dates

Kevin Murphy, February 4, 2019, Domain Registries

XYZ.com has quietly unveiled its launch plan for its recently acquired gTLD, .monster.

General availability, with no eligibility requirements, is due to begin April 1.

The 30-day sunrise period is due to begin in just a couple of weeks — February 18.

.monster was acquired late last year from recruitment web site Monster.com, which had intended to operate it as a dot-brand, for an undisclosed sum.

Before the acquisition closed, Monster and ICANN amended the registry contract to cut the special dot-brand terms that would have removed the need for a sunrise period and would have prevented the domain being sold to regular registrants.

XYZ also intends to run a week-long Early Access Period — where premium prices apply — starting March 21.

I quite like the idea of .monster as an open gTLD.

While it’s certainly not going to perform as well volume-wise as .xyz, say, I can see it fitting nicely into the “quirky” niche occupied currently by the likes of Donuts’ .guru and .ninja — not really viable as standalone TLDs, but decent enough as part of a portfolio.

The company is pitching the TLD as “a domain for creative thinkers, masters of their craft, and modern-day renegades.”

Two controversial new gTLDs launching in January

Kevin Murphy, November 13, 2018, Domain Registries

Five years after the first batch of new gTLDs hit the market, registries continue to drip-feed them into the internet.

At least two more are due to launch on January 16 — .dev and .inc.

.dev is the latest of Google’s portfolio to be released, aimed at the software developer market.

It proved controversial briefly when it first was added to the DNS in 2014, causing headaches for some developers who were already using .dev domains on their private networks.

Four years is plenty of time for all of these collisions to have been cleaned up, however, so I can’t imagine many problems emerging when people start buying these names.

.dev starts a one-month sunrise January 16, sells at early access prices from February 19 to 28 before going to regular-price general availability.

Google has already launched one of its own products, web.dev, a testing tool for web developers, on a .dev domain.

Launching with a pretty much identical phased launch plan is .inc, from new market entrant Intercap Holdings, a Caymans-based subsidiary of a Toronto firm founded by .tv founder Jason Chapnik and managed by .xyz alumnus Shayan Rostam.

Intercap bought the .inc contract from Edmon Chong’s GTLD Limited earlier this year for an undisclosed sum. GTLD Ltd is believed to have paid in excess of $15 million for the TLD at auction.

.inc has proved controversial in the past, attracting criticism from state attorneys general in the US, which backed another bidder.

It may prove controversial in future, too. I have a hunch it’s going to attract more than its fair share of cybersquatters and will probably do quite well out of defensive registration fees.

Spammy .loan makes Alibaba fastest-growing and fastest-shrinking registrar in June

Kevin Murphy, October 5, 2018, Domain Registrars

Chinese registrar Alibaba was both the fastest-growing and fastest-shrinking registrar in June, purely due to its dalliance with hundreds of thousands of cheap .loan domain names.

Stats compiled by DI from the latest monthly registry reports show that Alibaba’s Singapore-based registrar — which has only been active for a year — grew its domains under management by 720,669 in June, almost four times as many as second-placed NameCheap.

The huge increase was due to Alibaba’s DUM in .loan doubling in June, going from 621,851 to 1,274,532. Another 50,000 extra domains came from .win.

Both .loan and .win are run by registry GRS Domains, the company that replaced Famous Four Media as manager of the Domain Venture Partners gTLD portfolio.

According to SpamHaus, .loan has a “badness” of just shy of 90%, based on a sample size of 45,000 observed domains. SpamHaus has .win at almost 39% bad.

GRS has promised to turn its portfolio around and cut off its deep-discounting promotions effective August 20. The June figures reflect a time when discounts were still in place.

The Singapore Alibaba had DUM of 1,771,730 at the end of June.

At the bottom end of the June league table was a second Alibaba accreditation, Beijing-based Alibaba Cloud Computing (aka HiChina or net.cn), which had a net DUM loss of 266,411, after seeing 345,268 deletes in .loan (along with 45,000 deletes in .xyz and 35,000 in .xin).

The second biggest loser was AlpNames, which is owned by the same people as Famous Four and which deleted over 114,000 names in the month. The vast majority of these names were in FFM/GRS gTLDs, including .loan.

The main, earliest Alibaba accreditation, Alibaba Cloud Computing (Beijing), which has zero exposure to new gTLDs, grew by 69,794 domains to end June as the seventh fastest-growing registrar with DUM of 7,672,594.

As of a couple weeks ago, Alibaba has a fourth ICANN accreditation, Alibaba Cloud US LLC, but that obviously does not figure into the June numbers.

Here’s the top 10 registrars for June by DUM growth:

| Registrar (IANA ID) | DUM | Transfers In | Transfers Out | Net Transfers | Adds | Deletes | Change |
|---|---|---|---|---|---|---|---|
| Alibaba.com Singapore E-commerce Private Ltd (3775) | 1771730 | 2300 | 17 | 2283 | 394163 | 45 | 720669 |
| NameCheap, Inc. (1068) | 8624433 | 22140 | 8916 | 13224 | 418008 | 253219 | 187827 |
| GoDaddy.com, LLC (146) | 59208467 | 70379 | 68931 | 1448 | 1131439 | 951837 | 153910 |
| NameSilo, LLC (1479) | 1670604 | 14427 | 6041 | 8386 | 136539 | 32107 | 111151 |
| Xin Net Technology Corporation (120) | 2623709 | 4127 | 5041 | -914 | 153154 | 66679 | 102744 |
| Google LLC (895) | 2313780 | 10763 | 1691 | 9072 | 125319 | 49440 | 79148 |
| Alibaba Cloud Computing (Beijing) Co., Ltd. (420) | 7672594 | 19078 | 11732 | 7346 | 220805 | 155258 | 69794 |
| Network Solutions, LLC (2) | 7084375 | 52854 | 14300 | 38554 | 122438 | 110628 | 53712 |
| GMO Internet, Inc. d/b/a Onamae.com (49) | 4705128 | 3043 | 2091 | 952 | 146259 | 174946 | 44668 |
| TLD Registrar Solutions Ltd. (1564) | 121868 | 86 | 858 | -772 | 39315 | 2325 | 35877 |

And the bottom 10:

| Registrar (IANA ID) | DUM | Transfers In | Transfers Out | Net Transfers | Adds | Deletes | Change |
|---|---|---|---|---|---|---|---|
| Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn) (1599) | 4468451 | 1619 | 289 | 1330 | 202094 | 509820 | -266411 |
| Alpnames Limited (1857) | 361302 | 716 | 53 | 663 | 14273 | 114254 | -112825 |
| Chengdu West Dimension Digital Technology Co., Ltd. (1556) | 2270000 | 4227 | 1945 | 2282 | 148101 | 269286 | -94937 |
| Bizcn.com, Inc. (471) | 920243 | 120 | 3336 | -3216 | 6036 | 63268 | -69862 |
| eNom, LLC (48) | 6824378 | 9153 | 28741 | -19588 | 75665 | 101336 | -52205 |
| Domain.com, LLC (886) | 1974927 | 1534 | 8827 | -7293 | 23619 | 58695 | -37594 |
| Todaynic.com, Inc. (697) | 136527 | 75 | 154 | -79 | 1385 | 27795 | -26771 |
| Register.com, Inc. (9) | 1976254 | 1295 | 3484 | -2189 | 19187 | 37626 | -26231 |
| Wild West Domains, LLC (440) | 3000784 | 3477 | 7346 | -3869 | 31015 | 46045 | -18883 |
| Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA (106) | 1579683 | 1314 | 3803 | -2489 | 11838 | 28246 | -16839 |

You may notice that in both tables the net change column is not equal to the sum of adds and net transfers minus deletes. This is because, per ICANN contract, domains still in their five-day Add Grace Period are counted in DUM but not in adds, so many adds slip over into the following month.

ICANN heads to Mar-a-Lago for budget crisis talks

Kevin Murphy, April 1, 2018, Gossip

Cash-strapped ICANN has invited select community members to emergency budget talks at the Mar-a-Lago resort in Florida, DI has learned.

The three-day summit next week will address how best to spend the organization’s $138 million annual budget, along with its $236 million auction proceeds war chest and its $80 million of leftover new gTLD application fees.

“Recent public comments have made it clear that many valued ICANN community members have misunderstood our FY19 budget,” CEO Goran Marby said. “I believe a long weekend of intensive discussions at Mar-a-Lago should persuade the community that we’re actually on the right track.”

To encourage participation from an increasingly weary volunteer pool, attendees will be treated to complimentary spa treatments, golfing, and the most beautiful pieces of chocolate cake, he said.

DI has managed to obtain a preliminary agenda for the summit, which can be read here (pdf).

Business-class flights and three nights’ accommodation at the exclusive members club will be covered by ICANN.

Mar-a-Lago, purchased by Donald Trump in the 1980s, is a “six-star” resort in Palm Beach, Florida. It was originally a five-star hotel, until 2004 when Trump purchased the one-star hotel next door and knocked through.

Marby defended the choice of venue, pointing out that the guest list is to be strictly limited to the ICANN board of directors, industry CEOs, and members of the Intellectual Property Constituency.

DI understands that the IPC will be permitted to invite members of the Non-Commercial Stakeholder Group to attend, should they require golf caddies.

To ensure gender diversity, all attendees will be able to bring along their spouses or partners. ICANN will make up any shortfall by hiring decorative females from a pool of Trump litigants.

A small support team of 50 ICANN staffers will also be available to hand out fresh towels, collect empty glasses, and so on.

Remote participation will be available via AOL Instant Messenger.

Chief financial officer Xavier Calvez declined to disclose the cost of the summit, citing privacy concerns caused by “GDPR or something”, but DI understands it is to be accounted for as a line item in ICANN’s Federal lobbying disclosure.

Calvez said ICANN has managed to negotiate “substantial” bulk discounts on the usual $200,000 Mar-a-Lago membership fees and $2,000-a-night room rates.

The cost will also be offset by sponsorship contributions from ICANNwiki and the National Rifle Association, he said.

Registry and registrar CEOs polled by DI this weekend were split on whether they would attend.

“Of course I’m going,” Blacknight CEO Michele Neylon told us by phone from an airport lounge in Kigali.

But .xyz chief Daniel Negari said he would attend only if he can secure sufficient funding for his bus fare to the airport.

Among the cost-cutting proposals on the menu, DI understands, is a request to consolidate all current and future policy working groups into a single, unified WG.

Sources say this would have the added benefit of reducing the annual policy implementation budget to zero dollars between now and, at the earliest, 2045.