Latest news of the domain name industry

Newly launched .zip already looks dodgy

A trawl through the latest zone file for Google’s newly launched .zip gTLD reveals that it is likely to be used in malware and phishing attacks.

.zip is of course also a filename extension used by the ZIP archive format, often used to compress and email multiple files at once, and many domains registered in the .zip gTLD in the last few days seem ready to capitalize on that potential for confusion.

I counted 3,286 domains in the May 14 zone file, and a great many of them appear to relate to email attachments, financial documents, software updates and employment information.

I found 133 instances of the word “update”, with sub-strings such as “attach”, “statement”, “download” and “install” also quite common.

Some domains are named after US tax and SEC forms, and some appear to be targeting employees at their first day of work.
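The trawl described above, as an added example rather than the author's own script: a small parser over a constructed fragment in gTLD zone-file format that de-duplicates the NS records into unique delegated names and tallies the keyword substrings mentioned. The sample records and the keyword list are constructed for illustration, not taken from the real .zip zone.

```python
import re
from collections import Counter

# Constructed sample in gTLD zone-file format. Each delegated domain appears
# once per NS record, so names must be de-duplicated before counting.
SAMPLE_ZONE = """\
zip.\t3600\tIN\tSOA\tns1.example. hostmaster.example. 1 1 1 1 1
zip.\t3600\tIN\tNS\tns1.example.
update.zip.\t3600\tIN\tNS\tns1.host.example.
update.zip.\t3600\tIN\tNS\tns2.host.example.
attachment.zip.\t3600\tIN\tNS\tns1.host.example.
bank-statement.zip.\t3600\tIN\tNS\tns1.host.example.
softwareupdate.zip.\t3600\tIN\tNS\tns2.host.example.
w2form.zip.\t3600\tIN\tNS\tns1.host.example.
photos.zip.\t3600\tIN\tNS\tns1.host.example.
"""

# Substrings that suggest a name is meant to pass for an attachment or update.
KEYWORDS = ("update", "attach", "statement", "download", "install", "invoice", "form")

# Owner name, TTL, class IN, type NS; the remainder of the record is ignored.
NS_RECORD = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NS\s+", re.IGNORECASE)


def delegated_domains(zone_text, tld="zip"):
    """Unique second-level names delegated in the zone (apex NS records excluded)."""
    names = set()
    for line in zone_text.splitlines():
        match = NS_RECORD.match(line)
        if not match:
            continue
        owner = match.group("owner").rstrip(".").lower()
        if owner == tld or not owner.endswith("." + tld):
            continue
        names.add(owner)
    return sorted(names)


def keyword_tally(domains, keywords=KEYWORDS):
    """Count how many domains contain each keyword as a substring of the label."""
    counts = Counter({kw: 0 for kw in keywords})
    for domain in domains:
        label = domain.rsplit(".", 1)[0]
        for kw in keywords:
            if kw in label:
                counts[kw] += 1
    return counts


if __name__ == "__main__":
    found = delegated_domains(SAMPLE_ZONE)
    print(len(found), "domains;", keyword_tally(found).most_common(3))
```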

I don’t know the intent of any of these registrants, of course. It’s perfectly possible some of their domains could be put to benign use or have been registered defensively by those with security concerns. But my gut says at least some of these names are dodgy.

Google went into general availability with eight new TLDs last Wednesday, and as of yesterday .zip was the only one to rack up more than a thousand names in its zone file.

The others were .dad (913 domains), .prof (264), .phd (605), .mov (463), .esq (979), .foo (665) and .nexus (330).

Facebook sues free domains registry for cybersquatting

Facebook parent Meta has sued Freenom, the registry behind multiple free-to-register ccTLDs including .tk, claiming the company engages in cybersquatting.

Meta alleges that Freenom infringes its Facebook, Instagram and WhatsApp trademarks over 5,000 domain names in the TLDs it operates.

While best-known for Tokelau’s .tk, which had almost 25 million registrations when Verisign stopped counting them a year ago, Freenom also operates .gq for Equatorial Guinea, .cf for the Central African Republic, .ml for Mali, and .ga for Gabon.

Apart from some reserved “premiums”, the company gives domains away for free and then monetizes, with parking, the residual traffic that remains when the domains expire or, one suspects more commonly, are suspended for abuse.

Naturally enough, it therefore has registered, to itself, a great many domains previously used for phishing.

Meta lists these names as examples of infringers: faceb00k.ga, fb-lnstagram.cf, facebook-applogin.ga, instagrams-help.cf, instaqram.ml, chat-whatsaap.gq, chat-whatsaap-com.tk, and supportservice-lnstagram.cf, though these do not appear to be monetized right now.

It accuses the registry of cybersquatting, phishing and trademark infringement and seeks over half a billion dollars in damages (at $100,000 per domain).

Today, Freenom is not accepting new registrations, but it’s blaming “technical issues” and says it hopes to resume operations “shortly”.

Facebook is one of the most prolific and aggressive enforcers of its trademarks in the domain space, having previously sued OnlineNIC, Namecheap and Web.com. OnlineNIC had to shut up shop due to its lawsuit.

(Via Krebs on Security)

ICANN extends Covid-19 abuse monitoring to Ukraine war

Kevin Murphy, March 9, 2022, Domain Policy

ICANN has started monitoring domains related to the war in Ukraine for potential abuse, expanding an ongoing project related to the Covid-19 pandemic.

CEO Göran Marby has during multiple sessions at ICANN 73 this week said that the Org will soon announce an extension of its DNSTICR project — pronounced “DNS Ticker” and standing for Domain Name Security Threat Information Collection & Reporting.

The plan is to alert registrars about Ukraine-related domain names being used to scam people or drop malware.

“There will be coming up more information about this very soon, but we have decided to also add names in relationship to the conflict in Ukraine,” Marby said during a session with the Commercial Stakeholders Group.

DNSTICR was launched in March 2020, when the pandemic was in full swing, to find new domains containing keywords such as “covid”, “pandemic” and “coronavirus”, and check them against domain abuse lists.

From May 2020 to August last year, it flagged 210,939 pandemic-related domains, and found that 3,791 of them were malicious with “high confidence”.

CTO John Crain said in a session on Monday: “There’s a lot of stuff in the press and some technical papers out there that show clearly that the bad guys, as always, have, once again, pivoted to whatever is happening in the world. So if we can do a little bit to help, we will.”

GoDaddy hack exposed a million customer passwords

Kevin Murphy, November 24, 2021, Domain Registrars

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the breach may have resulted from a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.

Donuts offers name spinner to show potential attacks

Kevin Murphy, May 13, 2021, Domain Tech

Donuts has launched a tool to show off its TrueName offering, which blocks potential phishing attacks at the domain registry level.

It’s like a regular name spinner, but instead of showing you available domains it shows you the visually confusable look-alikes — homographs — that Donuts will block if you register the name in any of its portfolio of 2xx (subs, please check) TLDs.

For example, spinning truename.domains returns results such as trʋenɑme.domains (xn--trenme-exc57b.domains) and trᵫname.domains (xn--trname-xk6b.domains), which could be used in phishing attacks.

How many strings get blocked depends largely on what characters are in your name. The letters I and O have a great many visually confusable variants in other scripts, and each additional such letter multiplies the number of possible homographs.

For example, if I were to register “domainincite” in one of Donuts’ TLDs, Donuts would block 767 homographs at the registry level, but if I were to register “kevinmurphy”, it would only need to block 119.

It only blocks the homographs in the same TLD as the original name. It’s not a replacement for brand protection in other TLDs.

Donuts doesn’t charge anything extra for this service. It’s included in the price of registration and offered as a unique perk for Donuts’ selection of gTLDs.

I gave TrueName a brief post when it launched last year, but I have to say I really like the idea. It’s a rare example of true innovation, rather than simple money-grubbing, that has come from the new gTLD program.

If Verisign were to roll out something similar in .com, it would eliminate a bunch of phishing and cut down on legal fees for big brands chasing phishers and typosquatters through UDRP or the courts.

It was born out of Donuts’ Domain Protected Marks List product, which allows trademark owners to block their brands and homographs across the whole Donuts stable for less money than defensively registering the names individually.

The downside of the spinner tool is of course that, if you’re a bad guy, it simplifies the process of generating samples of homograph Punycode (the ASCII “xn--” string) that can be used in any non-Donuts TLD that supports internationalized domain names.

The tool is limited to 10 domains per spin, however, which limits the potential harm.

Try it out here.

Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains

Kevin Murphy, February 11, 2021, Domain Services

Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.

Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.

Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:

Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as , and the other Domain Names at issue in these proceedings.

By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.

Employees who click the bogus links are taken to harmless web pages describing how they were duped.

The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.

In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.

He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.

Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).

It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.

GoDaddy pranks employees with “insensitive” phishing test

Kevin Murphy, December 28, 2020, Domain Registrars

GoDaddy has apologized to its staff after teasing them with a $650 Christmas bonus that turned out to be nothing but a test of whether they could be duped into handing over their sensitive personal info.

Employees worldwide reportedly received emails promising the bonus December 14 from an official-looking but presumably spoofed address.

Those who clicked through and filled out a form with their personal data received a second email a few days later informing them they’d actually just failed a “phishing test” and would “need to retake the Security Awareness Social Engineering training.”

Around 500 staff reportedly failed the test.

But many were pissed off that the company would dangle a bonus, only to snatch it away, just a week before Christmas and at a time when the coronavirus pandemic has caused many to fear for their livelihoods.

While GoDaddy rode out the pandemic just fine, it laid off hundreds, regardless.

After the prank last week attracted media attention, the company apologized to its employees, saying in a statement sent to the AFP:

GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologised. While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees.

I sincerely hope nobody spent their illusory $650 in the days before the test was revealed.

GoDaddy denies weird front-running claim

Kevin Murphy, September 21, 2020, Domain Registrars

GoDaddy has been forced to deny (again) that it engages in front-running after a social media post attracted hundreds of comments.

Front-running is the practice of a registrar monitoring customers’ availability searches then registering the name itself in order to mark it up to a premium price.

No reputable registrar does this any more, if only because it would be reputation suicide.

But a poster on HackerNews claimed to have been exploited in precisely this way,

searched a few days ago for felons.io, looked for unique names for simple game didn’t know if I wanted it or not

guess godaddy decided for me: 1 days old Created on 2020-09-16 by GoDaddy.com, LLC

just a warning if you have a special name do not use godaddy to check if it’s available

Domains can appear to be front-run due to the law of large numbers. Registrants may think they’re the only one with a unique domain idea, but they’re likely not.

After the HackerNews post attracted hundreds of comments (largely promoting Namecheap as a superior competitor) and a post from Eliot Silver, GoDaddy decided to issue a response.

“These accusations are 100% false. This type of behavior is predatory, unethical, and goes against everything we stand for as a company,” registrar head Paul Bindel posted over the weekend.

Bindel went on to post the results of search queries for “felons” and related terms over a couple of weeks. There weren’t a huge number.

Complicating the story, he also says that the felons.io domain was suspended not long after registration, and will soon be deleted, after it was flagged as a fraudulent registration by a compromised account.

Interestingly, the HackerNews account used to post the original allegation appears to have been created on the same day as the post, which is literally the only thing he or she ever posted on the site.

Donuts rolls out free phishing attack protection for all registrants

Donuts is offering registrants of domains in its suite of new gTLDs free protection from homograph-based phishing attacks.

These are the attacks where a bad guy registers a domain name visually similar or identical to an existing domain, with one or more characters replaced by a look-alike character from a different script.

An example would be xn--ggle-0nda.com, which can display in browser address bars as “gοοgle.com”, despite having two Cyrillic characters that look like the letter O.

These domains are then used in phishing attacks, with bad actors attempting to farm passwords from unsuspecting victims.

Under Donuts’ new service, called TrueNames, such homographs would be blocked at the registry level at point of sale at no extra cost.
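Decoding such Punycode labels and comparing them with the brand they imitate, as an added example that is neither Donuts’ TrueName code nor anything from this site: it covers this post’s xn--ggle-0nda.com, the spinner output quoted in the later TrueName post (xn--trenme-exc57b.domains and xn--trname-xk6b.domains) and the instagrarn typo from the Proofpoint post. The confusable table is a constructed subset in the spirit of Unicode’s UTS #39 list, and the script check only reads the first word of each character’s Unicode name; a label such as trʋenɑme is all-Latin, which is why the skeleton comparison is needed as well as the script check.

```python
import codecs
import unicodedata

# Constructed subset of look-alike mappings (the real UTS #39 table is far
# larger); each entry is the ASCII the character is commonly mistaken for.
CONFUSABLES = {
    "\u03bf": "o",   # GREEK SMALL LETTER OMICRON
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
    "\u0251": "a",   # LATIN SMALL LETTER ALPHA (same script, still confusable)
    "\u028b": "u",   # LATIN SMALL LETTER V WITH HOOK
    "\u1d6b": "ue",  # LATIN SMALL LETTER UE
    "0": "o", "1": "l",
}


def decode_label(label):
    """Turn an A-label (xn--...) back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def decode_domain(domain):
    return ".".join(decode_label(part) for part in domain.split("."))


def scripts_of(label):
    """Script of every letter, read from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold confusables down to the ASCII they imitate so look-alikes compare equal."""
    normalized = unicodedata.normalize("NFKC", label.lower())
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in normalized)
    return folded.replace("rn", "m")  # "rn" reads as "m" in many fonts (instagrarn)


def assess(domain, protected_label):
    """Check the registrable label of `domain` against a protected brand label."""
    decoded = decode_domain(domain)
    label = decoded.split(".")[0]
    return {
        "decoded": decoded,
        "mixed_script": len(scripts_of(label)) > 1,
        "confusable": label != protected_label and skeleton(label) == skeleton(protected_label),
    }


if __name__ == "__main__":
    for dom, brand in [("xn--ggle-0nda.com", "google"), ("xn--trenme-exc57b.domains", "truename"),
                       ("xn--trname-xk6b.domains", "truename"), ("instagrarn.ai", "instagram")]:
        print(dom, assess(dom, brand))
```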

Donuts said earlier this year that it intended to apply this technology to all current and future registrations across its 250-odd TLDs.

The company has been testing the system at its registrar, Name.com, and reckons the TrueNames branding in the shopping cart can lead to increased conversions and bigger sales of add-on services.

It now wants other registrars to sign up to the offering.

It’s not Donuts’ first foray into this space. Its trademark-protection service, Domain Protected Marks List, which has about 3,500 brands in it, has had homograph protection for a few years.

But now it appears it will be free for all customers, not just deep-pocketed defensive registrants.

Go here to help fight against coronavirus abuse

Kevin Murphy, March 26, 2020, Domain Tech

A coalition of over 1,000 security experts, domain name providers and others has got together to help coordinate efforts to combat abusive coronavirus-related domains.

A workspace on the collaboration platform Slack has been growing steadily since it was created a week ago, enabling technology professionals to exchange information about the alarming number of sites currently trying to take advantage of the pandemic.

You can join the channel via this link. Thanks to Theo Geurts of RealtimeRegister.com for passing it along.

The collection of chat rooms appears to have been created by Joshua Saxe, chief scientist at security software firm Sophos, March 19. There are currently 1,104 members.

There’s a channel devoted to malicious domains, which is being used to share statistical data and lists of bad and good coronavirus-related domains, among other things.

Across the workspace, a broad cross-section of interested parties is represented. Current members appear to come from security companies, governments, law enforcement, registries, registrars, ICANN, healthcare providers, and others.

It seems like a pretty good way for the technical members of the domain name industry to keep track of what’s going on during the current crisis, potentially helping them to put a stop to threats using domains they manage as they emerge.