Latest news of the domain name industry

Recent Posts

New gTLD phishing still tiny, but .xyz sees most of it

New gTLDs are not yet being widely used to carry out phishing runs, but most such attacks are concentrated in .xyz.

That’s one of the conclusions of the Anti-Phishing Working Group, which today published its report for the second half of 2014.

Phishing was basically flat in the second half of the year, with 123,972 recorded attacks.

The number of domains used to phish was 95,321, up 8.4% from the first half of the year.

However, the number of domains that were registered maliciously in order to phish (as opposed to compromised domains) was up sharply — by 20% to 27,253 names.

In the period, 272 TLDs were used, but almost 54% of the attacks used .com domains. In terms of maliciously registered domains, .com fared worse, with over 62% share.

According to APWG, 75% of maliciously registered domains were in .com, .tk, .pw, .cf and .net.

Both .tk and .cf are Freenom-administered free ccTLDs (for Tokelau and the Central African Republic) while low-cost .pw — “plagued” by Chinese phishers — is run by Radix for Palau.

New gTLDs accounted for just 335 of the maliciously registered domains — 1.2% of the total.

That’s about half of what you’d expect given new gTLDs’ share of the overall domain name industry.

Twenty-four new gTLDs had malicious registrations, but .xyz saw most of them. APWG said:

Almost two-thirds of the phishing in the new gTLDs — 288 domains — was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in one new gTLD, and we are seeing more examples in early 2015. aggressively promoted cheap or free .xyz names during the period, but APWG said that only four .xyz phishing names were registered via freebie partner Network Solutions.

In fact, APWG found that most of its phishing names were registered via Xin Net and used to attack Chinese brands.

But, normalizing the numbers to take account of different market shares, .xyz shapes up poorly when compared to .com and other TLDs, in terms of maliciously registered domains. APWG said:

XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .COM’s score of 4.7. Since most phishing domains in .XYZ were fraudulently registered and most in .COM compromised, .XYZ had a significantly higher incidence of malicious domain registrations per 10,000 coming in at 3.4 versus 1.4 for .COM.

APWG said that it expects the amount of phishing to increase in new gTLDs as registries, finding themselves in a crowded marketplace, compete aggressively on price.

It also noted that the amount of non-phishing abuse in new gTLDs is “much higher” than the phishing numbers would suggest:

Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.

The number of maliciously registered domains containing a variation on the targeted brand was more or less flat, up from 6.6% to 6.8%.

APWG found that 84% of all phishing attacks target Chinese brands and Chinese internet users.

The APWG report can be downloaded here.

UPDATE: CEO Daniel Negari responded to the report by pointing out that phishing attacks using .xyz have a much shorter duration compared to other TLDs, including .com.

According to the APWG report, the average uptime of an attack using .xyz is just shy of 12 hours, compared to almost 28 hours in .com. The median uptime was a little over six hours in .xyz, compared to 10 hours in .com.

Negari said that this was due to the registry’s “aggressive detection and takedowns”. He said XYZ has three full-time employees devoted to handling abuse.

First URS case decided with Facebook the victor

Kevin Murphy, October 25, 2013, Domain Policy

Facebook has become the first company to win a Uniform Rapid Suspension complaint.

The case, which dealt with the domain, took 37 days from start to finish.

This is what the suspended site now looks like:

The URS was designed for new gTLDs, but .PW Registry decided to adopt it too, to help it deal with some of the abuse it started to experience when it launched earlier this year.

Facebook was the first to file a complaint, on August 21. According to the decision, the case commenced about three weeks later, September 11, and was decided September 26.

I don’t know when the decision was published, but World Trademark Review appears to have been the first to spot it.

It was pretty much a slam-dunk, uncontroversial decision, as you might imagine given the domain. The standard is “clear and convincing evidence”, a heavier burden than UDRP.

The registrant did not respond to the complaint, but Facebook provided evidence showing he was a serial cybersquatter.

The decision was made by the National Arbitration Forum’s Darryl Wilson, who has over 100 UDRP cases under his belt. Here’s the meat of it:


The only difference between the Domain Name,, and the Complainant’s FACEBOOK mark is the absence of one letter (“o”) in the Domain Name. In addition, it is well accepted that the top level domain is irrelevant in assessing identity or confusing similarity, thus the “.pw” is of no consequence here. The Examiner finds that the Domain Name is confusingly similar to Complainant’s FACEBOOK mark.


To the best of the Complainant’s knowledge, the Respondent does not have any rights in the name FACEBOOK or “facebok” nor is the Respondent commonly known by either name. Complainant has not authorized Respondent’s use of its mark and has no affiliation with Respondent. The Domain Name points to a web page listing links for popular search topics which Respondent appears to use to generate click through fees for Respondent’s personal financial gain. Such use does not constitute a bona fide offering of goods or services and wrongfully misappropriates Complainant’s mark’s goodwill. The Examiner finds that the Respondent has established no rights or legitimate interests in the Domain Name.

The Domain Name was registered and is being used in bad faith.

The Domain Name was registered on or about March 26, 2013, nine years after the Complainant’s FACEBOOK marks were first used and began gaining global notoriety.

The Examiner finds that the Respondent has engaged in a pattern of illegitimate domain name registrations (See Complainant’s exhibit URS Site Screenshot) whereby Respondent has either altered letters in, or added new letters to, well-known trademarks. Such behavior supports a conclusion of Respondent’s bad faith registration and use. Furthermore, the Complainant submits that the Respondent is using the Domain Name in order to attract for commercial gain Internet users to its parking website by creating a likelihood of confusion as to the source, sponsorship or affiliation of the website. The Examiner finds such behavior to further evidence Respondent’s bad faith registration and use.

The only remedy for URS is suspension of the domain. According to Whois, it still belongs to the respondent.

Read the decision in full here.

URS is live today as .pw voluntarily adopts it

Kevin Murphy, July 29, 2013, Domain Policy

Directi has become the first TLD registry to start complying with the Uniform Rapid Suspension process for cybersquatting complaints.

From today, all .pw domain name registrations will be subject to the policy, which enables trademark owners to have domains suspended more quickly and cheaply than with UDRP.

URS was designed, and is obligatory, for all new gTLDs, but Directi decided to adopt the policy along with UDRP voluntarily, to help mitigate abuse in the ccTLD namespace.

URS requirements for gTLD registries have not yet been finalized, but this is moot as they don’t apply to .pw anyway.

To date, only two UDRP complaints have been filed over .pw domains.

The National Arbitration Forum will be handling URS complaints. Instructions for filing can be found here.

Report names and shames most-abused TLDs

Kevin Murphy, July 11, 2013, Domain Services

Newish gTLDs .tel and .xxx are among the most secure top-level domains, while .cn and .pw are the most risky.

That’s according to new gTLD services provider Architelos, which today published a report analyzing the prevalence of abuse in each TLD.

Assigning an “abuse per million domains” score to each TLD, the company found .tel the safest with 0 and .cn the riskiest, with a score of 30,406.

Recently relaunched .pw, which has had serious problems with spammers, came in just behind .cn, with a score of 30,151.

Generally, the results seem to confirm that the more tightly controlled the registration process and the more expensive the domain, the less likely it is to see abuse.

Norway’s .no and ICM Registry’s .xxx scored 17 and 27, for example.

Surprisingly, the free ccTLD for Tokelau, .tk, which is now the second-largest TLD in the world, had only 224 abusive domains per million under management, according to the report..

Today’s report ranked TLDs with over 100,000 names under management. Over 90% of the abusive domains used to calculate the scores were related to spam, rather than anything more nefarious.

The data was compiled from Architelos’ NameSentry service, which aggregates abusive URLs from numerous third-party sources and tallies up the number of times each TLD appears.

The methodology is very similar to the one DI PRO uses in TLD Health Check, but Architelos uses more data sources. NameSentry is also designed to automate the remediation workflow for registries.

China pushes .pw to over 250,000 names

Directi’s .PW Registry has taken over 250,000 domain registrations in the two and a half months since it launched, largely thanks to growth in China.

According to recent DomainTools research, Chinese registrars such as DNSPod and Xin Net lead .pw sales, and .PW business head Sandeep Ramchandani told DI today that this trend is now even more noticeable.

The frankly surprising volume seems to be due largely to its low pricing and some aggressive registrar promotion. Xin Net, for example, sells .pw names for about $6 each, compared to $9 for .com.

While Chinese-script domains are available, most registrations are for Latin strings, Ramchandani said.

The 250,000 number excludes domains that have been deleted for abuse, of which there have been quite a lot.

Ramchandani said that the registry’s abuse department is staffed around the clock.

Directi is using NameSentry from Architelos to track abusive names and has made deals with the most-abused registrars to take down names at the registry level when they pop up, he said.