New gTLDs are not yet being widely used for phishing, but the new-gTLD phishing that does happen is concentrated in .xyz.
That’s one of the conclusions of the Anti-Phishing Working Group, which today published its report for the second half of 2014.
Phishing was basically flat in the second half of the year, with 123,972 recorded attacks.
The number of domains used to phish was 95,321, up 8.4% from the first half of the year.
However, the number of domains that were registered maliciously in order to phish (as opposed to compromised domains) was up sharply — by 20% to 27,253 names.
In the period, 272 TLDs were used, but almost 54% of the attacks used .com domains. In terms of maliciously registered domains, .com fared worse, with a share of over 62%.
According to APWG, 75% of maliciously registered domains were in .com, .tk, .pw, .cf and .net.
Both .tk and .cf are Freenom-administered free ccTLDs (for Tokelau and the Central African Republic) while low-cost .pw — “plagued” by Chinese phishers — is run by Radix for Palau.
New gTLDs accounted for just 335 of the maliciously registered domains — 1.2% of the total.
That’s about half of what you’d expect given new gTLDs’ share of the overall domain name industry.
Twenty-four new gTLDs had malicious registrations, but .xyz saw most of them. APWG said:
Almost two-thirds of the phishing in the new gTLDs — 288 domains — was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in one new gTLD, and we are seeing more examples in early 2015.
XYZ.com aggressively promoted cheap or free .xyz names during the period, but APWG said that only four .xyz phishing names were registered via freebie partner Network Solutions.
In fact, APWG found that most of .xyz’s phishing names were registered via Xin Net and used to attack Chinese brands.
But when the numbers are normalized for market share, .xyz compares poorly with .com and other TLDs on maliciously registered domains per 10,000 names. APWG said:
XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .COM’s score of 4.7. Since most phishing domains in .XYZ were fraudulently registered and most in .COM compromised, .XYZ had a significantly higher incidence of malicious domain registrations per 10,000 coming in at 3.4 versus 1.4 for .COM.
APWG said that it expects the amount of phishing to increase in new gTLDs as registries, finding themselves in a crowded marketplace, compete aggressively on price.
It also noted that the amount of non-phishing abuse in new gTLDs is “much higher” than the phishing numbers would suggest:
Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.
The number of maliciously registered domains containing a variation on the targeted brand was more or less flat, up from 6.6% to 6.8%.
APWG found that 84% of all phishing attacks target Chinese brands and Chinese internet users.
The APWG report can be downloaded here.
UPDATE: XYZ.com CEO Daniel Negari responded to the report by pointing out that phishing attacks using .xyz have a much shorter duration compared to other TLDs, including .com.
According to the APWG report, the average uptime of an attack using .xyz is just shy of 12 hours, compared to almost 28 hours in .com. The median uptime was a little over six hours in .xyz, compared to 10 hours in .com.
Negari said that this was due to the registry’s “aggressive detection and takedowns”. He said XYZ has three full-time employees devoted to handling abuse.
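Two of the comparisons above are easy to get subtly wrong: the per-10,000-domains normalization APWG uses (raw attack counts flatter large registries, per-10k scores do not), and the mean-versus-median uptime figures in the update (a handful of long-lived attacks drags the mean up while the median stays put). The following is an added Python example, not code from APWG or from the original post, that computes both from a constructed sample. The attack records and the registry sizes are invented and deliberately tiny so the arithmetic can be checked by hand; real bases are in the millions.

```python
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample of phishing attacks (not APWG data):
# (tld, maliciously_registered, uptime_hours).
# maliciously_registered=False means a legitimate domain was compromised.
ATTACKS = [
    ("com", False, 40.0), ("com", False, 10.0), ("com", True, 30.0), ("com", False, 8.0),
    ("xyz", True, 5.0), ("xyz", True, 7.0), ("xyz", True, 20.0), ("xyz", False, 6.0),
    ("tk", True, 3.0), ("tk", True, 50.0),
]

# Constructed registry sizes (domains under management) used as denominators.
TLD_SIZE = {"com": 20_000, "xyz": 10_000, "tk": 5_000}


def per_10k(count, base):
    """APWG-style score: incidents per 10,000 registered domains in the TLD."""
    return round(count * 10_000 / base, 2)


def tld_metrics(attacks, sizes):
    """Per-TLD raw counts, market-share-normalised scores and uptime statistics."""
    attacks_by_tld = Counter(tld for tld, _, _ in attacks)
    malicious_by_tld = Counter(tld for tld, mal, _ in attacks if mal)
    uptimes = defaultdict(list)
    for tld, _, hours in attacks:
        uptimes[tld].append(hours)

    total_attacks = len(attacks)
    total_malicious = sum(malicious_by_tld.values())
    total_base = sum(sizes.values())

    result = {}
    for tld, base in sizes.items():
        n, m = attacks_by_tld[tld], malicious_by_tld[tld]
        result[tld] = {
            "attacks": n,
            "malicious": m,
            # share of all attacks: the headline number that flatters big TLDs
            "share_of_attacks": round(n / total_attacks, 3),
            # normalised scores: incidents relative to the registry's size
            "phish_per_10k": per_10k(n, base),
            "malicious_per_10k": per_10k(m, base),
            # >1: more malicious registrations than the TLD's share of the
            # name space predicts; <1: fewer (the comparison made above for new gTLDs)
            "malicious_vs_base_share": (
                round((m * total_base) / (total_malicious * base), 2) if total_malicious else 0.0
            ),
            # mean is dragged up by a few long-lived attacks; the median is not
            "mean_uptime_h": round(mean(uptimes[tld]), 1) if uptimes[tld] else None,
            "median_uptime_h": round(median(uptimes[tld]), 1) if uptimes[tld] else None,
        }
    return result


def top_n_malicious_share(attacks, n):
    """Fraction of maliciously registered domains sitting in the n busiest TLDs."""
    malicious_by_tld = Counter(tld for tld, mal, _ in attacks if mal)
    total = sum(malicious_by_tld.values())
    top = sum(count for _, count in malicious_by_tld.most_common(n))
    return round(top / total, 3) if total else 0.0


if __name__ == "__main__":
    for tld, stats in tld_metrics(ATTACKS, TLD_SIZE).items():
        print(tld, stats)
    print("top-2 share of malicious registrations:", top_n_malicious_share(ATTACKS, 2))
```

In the sample, .com and .xyz have the same raw attack count and the same share of attacks, yet .xyz scores six times higher on malicious registrations per 10,000 because its base is half the size and most of its attacks are registered rather than compromised; likewise .xyz's mean uptime (9.5 h) is well above its median (6.5 h) because of one 20-hour attack, which is why both figures are worth reporting.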
The vast majority of top-level domain registries could soon be banned from selling domains into China due to a reported crackdown under a decade-old law.
That’s according to Allegravita, a company that helps registries with their go-to-market strategies in the country.
Allegravita released a report last week claiming that Chinese registrars will be forbidden to sell domains in TLDs that are not on a government-approved list.
The crackdown could come as early as July, the report says:
Foreign registries which have not applied for Chinese market approval are advised to do so in the near term, as unapproved Top-Level Domains are likely to be taken off the market from July this year.
As of April 30, there were only 14 TLDs on the approved list. All of them are run by Chinese registries, and only five do not use Chinese script.
Not on the list: every legacy gTLD, including .com, as well as every ccTLD apart from .cn.
The draconian move is actually the implementation of regulations introduced by China’s Ministry of Industry and Information Technology over a decade ago but not seriously enforced since.
As I reported in December, Donuts was facing problems launching its Chinese-script gTLDs due to this red tape.
MIIT announced in 2012 that new gTLD applicants would need licenses to sell into China.
According to Allegravita, which until recently was working heavily with TLD Registry (“.chinesewebsite”) on its entry into the country, it’s “no longer ambiguous” that MIIT has asserted full oversight of the domain industry in China.
MIIT’s crackdown appears to be focused on the 93 Chinese registrars it has approved to do business.
Allegravita says these companies will not be allowed to sell unapproved TLD domains to Chinese registrants, but that existing registrations will be grandfathered:
by sometime in July 2015, the MIIT will not permit unapproved registries to operate or offer their domains for sale in China. The MIIT will not interfere with existing domain registrations for unapproved registries; however, new registrations will not be permitted to be sold by Chinese registrars to Chinese registrants.
Presumably, non-Chinese registrars will reap the benefits of this as Chinese would-be registrants look elsewhere to buy their domains.
China is an important market for many registries, particularly the low-cost ones.
Judging by MIIT’s web site, getting approval to sell your TLD in China involves a fairly stringent set of requirements, including having a local presence.
MIIT said in a press release last month that the “special action” is designed “to promote the healthy development of the Internet, to protect China’s Internet domain name system safe and reliable operation
Verisign has boosted its reportable .com domain count by almost 750,000 by starting to count expired and suspended names.
The change in methodology, which is a by-product of ICANN’s much more stringent Whois accuracy regime, happened on Friday afternoon.
Before the change, the company reported on its web site that there were 116,788,107 domains in the .com zone file, with another 167,788 names that were registered but not configured.
That’s a total of 116,955,895 domains.
But just a few hours later, the same web page said .com had a total of 117,704,800 names in its “Domain Name Base”.
That’s a leap of 748,905 pretty much instantly; the number of names in the zone file did not move.
.net jumped 111,110 names to 15,143,356.
The reason for the sudden spikes is that Verisign is now including two types of domain in its count that it did not previously. The web page states:
Beginning with the first quarter, 2015, the domain name base on this website and in subsequent filings found in the Investor Relations site includes domains that are in a client or server hold status.
I suspect that the bulk of the 750,000 newly reported names are on clientHold status, which I believe is used much more often than serverHold.
The clientHold EPP code is often applied by registrars to domains that have expired.
However, registrars signed up to the year-old 2013 Registrar Accreditation Agreement are obliged by ICANN to place domains on clientHold status if registrants fail to respond within 15 days to a Whois verification email.
The 2013 RAA reads (my emphasis):
Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.
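The three buckets Verisign is now adding up (names in the zone, registered-but-unconfigured names, and names on hold) map directly onto EPP status values, and the RAA clause above turns on a single calendar-day count. The following is an added Python example, not Verisign’s or ICANN’s code, that classifies a constructed list of domains by their EPP statuses, computes the domain base under both the old and the new methodology, and applies the 15-day rule. The domain names and status sets are invented; the status strings are the EPP forms (clientHold, serverHold, inactive, clientTransferProhibited) from RFC 5731 rather than the spaced spellings RDAP uses.

```python
from collections import Counter
from datetime import date

# EPP status values (RFC 5731 / the ICANN status-code list).
HOLD_STATUSES = {"clientHold", "serverHold"}   # name is withheld from the zone
INACTIVE = "inactive"                          # registered, but no name servers delegated
RAA_RESPONSE_DAYS = 15                         # 2013 RAA Whois-verification window


def classify(statuses):
    """Bucket a domain the way the reporting methodology above does.

    hold            -> registered but suspended (client or server hold), not in the zone
    not_configured  -> registered but with no delegation, not in the zone
    zone            -> delegated and published in the zone file
    Locks such as clientTransferProhibited do not affect zone publication.
    """
    s = set(statuses)
    if s & HOLD_STATUSES:
        return "hold"
    if INACTIVE in s:
        return "not_configured"
    return "zone"


def in_zone(statuses):
    """True only for names the registry actually publishes in DNS."""
    return classify(statuses) == "zone"


def domain_base(records, include_hold):
    """Count names the old way (zone + not configured) or the new way (+ hold)."""
    buckets = Counter(classify(statuses) for _, statuses in records)
    base = buckets["zone"] + buckets["not_configured"]
    if include_hold:
        base += buckets["hold"]
    return {
        "zone": buckets["zone"],
        "not_configured": buckets["not_configured"],
        "hold": buckets["hold"],
        "base": base,
    }


def raa_hold_due(inquiry_sent_iso, today_iso, responded=False):
    """Does the 2013 RAA clause require clientHold for an unanswered Whois inquiry?

    The clause triggers on a failure to respond for *over* fifteen calendar days,
    so 15 elapsed days is still inside the window and 16 is not.
    """
    if responded:
        return False
    elapsed = (date.fromisoformat(today_iso) - date.fromisoformat(inquiry_sent_iso)).days
    return elapsed > RAA_RESPONSE_DAYS


# Constructed registrar-side snapshot (not real registrations): (domain, EPP statuses).
RECORDS = [
    ("example1.com", ["ok"]),
    ("example2.com", ["clientTransferProhibited"]),                   # a lock, not a hold
    ("example3.com", ["inactive"]),                                   # no name servers yet
    ("expired4.com", ["clientHold"]),                                 # expired, parked on hold
    ("unverified5.com", ["clientHold", "clientTransferProhibited"]),  # RAA-style suspension
    ("abuse6.com", ["serverHold"]),                                   # registry-imposed hold
    ("example7.com", ["ok"]),
]

if __name__ == "__main__":
    print("old method:", domain_base(RECORDS, include_hold=False))
    print("new method:", domain_base(RECORDS, include_hold=True))
    print("hold due after 16 days:", raa_hold_due("2015-01-01", "2015-01-17"))
```

The zone count is identical under both methods; only the base moves, which is the pattern in Verisign’s numbers above (the zone file did not change, the base jumped). A name carrying only clientTransferProhibited stays in the zone, so a count of locked names would not explain the jump, whereas every hold-status name is by definition absent from the zone.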
Last June, registrars claimed that the new policy — which came after pressure from law enforcement — had resulted in over 800,000 domains being suspended.
It’s an ongoing point of contention between ICANN, its registrars, and cops.
Verisign changing its reporting methodology may well be a reaction to this increase in the number of clientHold domains.
While its top-line figure has taken a sharp one-off boost, the new methodology will still permit apples-to-apples daily comparisons from here on.
My assumption about the link to the 2013 RAA was correct.
Verisign CFO George Kilguss told analysts on February 5:
Over the last several years, the average amount of names in the on-hold status category has been approximately 400,000 names and the net change year-over-year has been very small.
While still immaterial, during 2014, we saw an increase in the amount of names registrars have placed on hold status, which appears to be a result of these registrars complying with the new mandated compliance mechanisms in ICANN’s 2013 Registrar Accreditation Agreement or RAA.
In 2014, we saw an increase in domain names placed on hold status from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.
Handbags at dawn!
Verisign, the $7.5 billion .com domain gorilla, has sued upstart XYZ.com and CEO Daniel Negari for disparaging .com and allegedly misrepresenting how well .xyz is doing.
It’s the biggest legacy gTLD versus the biggest (allegedly) new gTLD.
The lawsuit focuses on some registrars’ habit of giving .xyz names to registrants of .com and other domains without their consent, enabling XYZ.com and Negari to use inflated numbers as a marketing tool.
The Lanham Act false advertising lawsuit was filed in Virginia last December, but I don’t believe it’s been reported before now.
Verisign’s beef is first with a video published on the front page of xyz.com.
Verisign said that the claim that it’s “impossible” to find a .com domain (which isn’t quite what the ad says) is false.
The complaint goes on to say that interviews Negari did with NPR and VentureBeat last year have been twisted to characterize .xyz as “the next .com”, whereas neither outlet made such an endorsement. It states:
XYZ’s promotional statements, when viewed together and in context, reflect a strategy to create a deceptive message to the public that companies and individuals cannot get the .COM domain names they want from Verisign, and that XYZ is quickly becoming the preferred alternative.
As regular readers will be aware, .xyz’s zone file, which had almost 785,000 names in it yesterday, has been massively inflated by a campaign last year by Network Solutions to push free .xyz domains into customers’ accounts without their consent.
It turns out Verisign itself became the unwilling recipient of gtld-servers.xyz, because it owns the equivalent .com name.
According to Verisign, Negari has used these inflated numbers to falsely make it look like .xyz is a viable and thriving alternative to .com. The company claims:
Verisign is being injured as a result of XYZ and Negari’s false and/or misleading statements of fact including because XYZ and Negari’s statements undermine the equity and good will Verisign has developed in the .COM registry.
XYZ and Negari should be ordered to disgorge their profits and other ill-gotten gains received as a result of this deception on the consuming public.
The complaint makes reference to typosquatting lawsuits Negari’s old company, Cyber2Media, settled with Facebook and Goodwill Industries a few years ago, presumably just in order to frame Negari as a bad guy.
Verisign wants not only for XYZ to pay up, but also for the court to force the company to disclose its robo-registration numbers whenever it makes a claim about how successful .xyz is.
XYZ denies everything. In its January answer to Verisign’s complaint, it also raises nine affirmative defenses, citing among other things its First Amendment rights and Verisign’s “unclean hands”.
While many of Verisign’s allegations appear to be factually true, I of course cannot comment on whether its legal case holds water.
But I do think the lawsuit makes the company look rather petty — a former monopolist running to the courts on trivial grounds as soon as it sees a little competition.
I also wonder how the company is going to demonstrate harm, given that by its own admission .com continues to sell millions of new domains every quarter.
But the lesson here is for all new gTLD registries — if you’re going to compare yourselves to .com, you might want to get your facts straight first, if only to keep your legal fees down.
And perhaps that’s the point.
Is .com “silly” and “meaningless”?
That’s what some new gTLD registries would have you believe.
In separate blog posts over the last week, Donuts and ARI Registry Services have gone on the offensive, dismissing .com as an irrelevant relic of a bygone age.
ARI CEO Adrian Kinderis branded .com as “meaningless and unintuitive” in a post slamming the Board of Racing Victoria, an Australian horse-racing organization, for the purchase of racing.com for (he claimed) $500,000.
New gTLDs with more semantic relevance to horse racing or geographic regions will make this purchase look “silly” in future, he said.
Take for instance .racing which is set to launch soon. It would offer a more creative and relevant domain name such as horses.racing, victorian.racing or vichorses.racing.
He also said that most Australians are conditioned to visit .com.au (for which ARI provides the registry back-end), which will lead to traffic leakage from racing.com to racing.com.au.
The problem is that racing.com does not have an intrinsic connection with Victorian horse racing that would lend itself to intuitive navigation and recall.
Donuts had a similar message in a blog post last week.
Donuts vice president Mason Cole said on that company’s blog that .com is “diluted and meaningless” when compared to more vertically oriented TLDs such as Donuts’ .photography and .bike.
It adds nothing to an identity. Except perhaps to say, “I’m on the Internet somewhere.” .COM is “1999” — not “today,” and definitely not the future. New .COM registrations are extraordinarily long and much less meaningful when compared to a new registration in a new gTLD. And with its recent price decreases on new registrations (which apparently is necessary to match their low quality), .COM now means “low quality and cheap.”
It will be interesting to see whether this kind of messaging will be carried over from lightly trafficked corporate blogs into more mainstream new gTLD marketing by registries.
What do you think? Do Donuts and ARI have a point? Is .com meaningless? Will it fall out of fashion? Is going negative on legacy gTLDs a wise strategy for new gTLD companies?