Domains in free and cheap ccTLDs are much more likely to host phishing attacks than new gTLDs.
That’s one of the conclusions of the latest report of the Anti-Phishing Working Group, which found that Freenom’s re-purposed African ccTLDs were particularly risky.
The first-half 2014 report found 22,679 “maliciously registered” domains used in phishing attacks. That’s flat on the second half of 2013 and almost double the first half of 2013.
Only roughly a quarter of the domains used in phishing had been registered for the purpose. The rest were pointing to compromised web servers.
On new gTLDs, the APWG said:
As of this writing, the new gTLD program has not resulted in a bonanza of phishing. A few phishers experimented with new gTLD domain names, perhaps to see if anyone noticed. But most of the new gTLD domains that were used for phishing were actually on compromised web sites.
The new gTLDs .agency, .center, .club, .email and .tips were the only ones to see any maliciously registered phishing domains in the half — each had one — according to the report.
The APWG speculates quite reasonably that the relatively high price of most new gTLD domains has kept phishers away but warns that this could change as competition pushes prices down.
While .com hosts 54% of all phishing domains, small ccTLDs that give away domains for free or cheap are disproportionately likely to have such domains in their zones, the report reveals.
The Freenom-operated ccTLDs .cf (Central African Republic), .ml (Mali) and .ga (Gabon) top the table of most-polluted TLDs, alongside PW Registry’s .pw (Palau).
Freenom, which also runs .tk, offers free domains, while PW Registry has a very low registry fee.
APWG measures the risk of phishing by TLD by counting phishing domains per 10,000 registered names, where the median score is 4.7 and .com’s score is 4.1.
.cf tops the charts with 320.8, followed by .ml with 118.9, .pw with 122, .ga with 42.9 and .th (Thailand) with 27.5. These numbers include compromised as well as phisher-registered domains.
Read the APWG report here.
Directi’s .PW Registry has taken over 250,000 domain registrations in the two and a half months since it launched, largely thanks to growth in China.
According to recent DomainTools research, Chinese registrars such as DNSPod and Xin Net lead .pw sales, and .PW business head Sandeep Ramchandani told DI today that this trend is now even more noticeable.
The frankly surprising volume seems to be due largely to its low pricing and some aggressive registrar promotion. Xin Net, for example, sells .pw names for about $6 each, compared to $9 for .com.
While Chinese-script domains are available, most registrations are for Latin strings, Ramchandani said.
The 250,000 number excludes domains that have been deleted for abuse, of which there have been quite a lot.
Ramchandani said that the registry’s abuse department is staffed around the clock.
Directi is using NameSentry from Architelos to track abusive names and has made deals with the most-abused registrars to take down names at the registry level when they pop up, he said.
The recently launched .pw domain, managed by Directi, is doing particularly well in China, according to an early analysis from DomainTools.
The survey of data from name servers supporting 63,736 .pw domains found that well over half — 38,356 — were on Chinese IP addresses.
The Chinese registrar XinNet, which promotes low-cost .pw heavily on its home page, runs the second-largest number of name servers for the ccTLD’s registrants, DomainTools said.
According to the data, Directi’s own PrivacyProtect.org service is the third-largest name server host for .pw, followed by NameCheap and Sedo.
While Directi said from the outset that it expected to see growth from less-developed regions of the world, it has also come under fire recently for a massive spam outbreak from .pw addresses.
The ccTLD already has over 100,000 domains, according to the company.
Recently relaunched budget TLD .pw is being widely abused by spammers already, but registry manager Directi said it’s enforcing a “zero tolerance” policy.
Anti-spam software makers and users have over the last week reported a “massive” increase in email spam from .pw domain names.
Security giant Symantec reports that .pw jumped to #4 in its rankings of TLDs used in spammed URLs in the week ending April 26.
Anti-spam vendor Fort even recommended its customers block the entire TLD at their mail gateways, blogging:
Since we have yet to see a legitimate piece of mail for the .pw domain but have recently seen massive amounts of spam from this domain, we are recommending that you block mail from this domain as soon as practical.
Anti-spam mailing lists have been full of people complaining about .pw spam, according to spam expert John Levine.
Our own TLD Health Check, which tracks phishing and malware domains rather than spam, ranks .pw at #19 for abusive domains in May, having not ranked it at all before April.
But Sandeep Ramchandani, head of Directi’s .PW Registry unit, told DI that the company has deactivated 4,000 to 5,000 .pw domains for breaching its anti-abuse policy.
He said that a single registrar was responsible for the majority of the abusive names, and that the registrar in question has had its discount revoked, resulting in newly registered domains from it going down to “almost nothing”.
“If you remove that registrar, the percentage of abusive names to non-abusive names is not alarming at all,” Ramchandani said.
He said the company has a “zero tolerance” approach to spam. It’s been communicating with many of its critics to let them know it’s on the case.
He noted that it’s not surprising that people are seeing more bad traffic from .pw than good — spammers tend to start using their domains immediately, whereas legitimate registrants take a bit longer.
Directi, which reported 50,000 names registered in the first three weeks of general availability last week, is now up to 100,000 names.
Many of the names were registered via the same aforementioned registrar, so more are likely to be turned off, Ramchandani said.
.pw is the ccTLD for Palau, but Directi brands it as “Professional Web”. It’s going for the budget end of the market, selling domains for less than .com prices even if you exclude discounts.
Directi’s recently relaunched .pw top-level domain has racked up 50,000 domain name registrations after just three weeks of general availability, according to the company.
The number, which will put a smile on the faces of many new gTLD applicants, relates to GA only and does not include defensive registrations made during the ccTLD’s sunrise period, Directi confirmed to DI.
“Our goal was 100,000 names for the first year,” Directi CEO Bhavin Turakhia said in a press release. “The feeling of achieving 50% of the goal within the first three weeks is surreal.”
As previously reported, there were 4,000 .pw domains registered during the first half hour of GA.
Directi (running .pw as .PW Registry and/or Radix Registry) signed up 120 registrars to sell .pw names, which it brands as “Professional Web”.
It’s really the ccTLD for Palau, a small nation in the Pacific.
The registry is going for budget buyers, with registry fees and retail prices coming in a little lower than .com.