New gTLD phishing still tiny, but .xyz sees most of it
New gTLDs are not yet being widely used to carry out phishing runs, but most such attacks are concentrated in .xyz.
That’s one of the conclusions of the Anti-Phishing Working Group, which today published its report for the second half of 2014.
Phishing was basically flat in the second half of the year, with 123,972 recorded attacks.
The number of domains used to phish was 95,321, up 8.4% from the first half of the year.
However, the number of domains that were registered maliciously in order to phish (as opposed to compromised domains) was up sharply — by 20% to 27,253 names.
In the period, 272 TLDs were used, but almost 54% of the attacks used .com domains. In terms of maliciously registered domains, .com fared worse, with over 62% share.
According to APWG, 75% of maliciously registered domains were in .com, .tk, .pw, .cf and .net.
Both .tk and .cf are Freenom-administered free ccTLDs (for Tokelau and the Central African Republic) while low-cost .pw — “plagued” by Chinese phishers — is run by Radix for Palau.
New gTLDs accounted for just 335 of the maliciously registered domains — 1.2% of the total.
That’s about half of what you’d expect given new gTLDs’ share of the overall domain name industry.
Twenty-four new gTLDs had malicious registrations, but .xyz saw most of them. APWG said:
Almost two-thirds of the phishing in the new gTLDs — 288 domains — was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in one new gTLD, and we are seeing more examples in early 2015.
The registry aggressively promoted cheap or free .xyz names during the period, but APWG said that only four .xyz phishing names were registered via freebie partner Network Solutions.
In fact, APWG found that most of .xyz’s phishing names were registered via Xin Net and used to attack Chinese brands.
But, normalizing the numbers to take account of different market shares, .xyz shapes up poorly when compared to .com and other TLDs, in terms of maliciously registered domains. APWG said:
XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .COM’s score of 4.7. Since most phishing domains in .XYZ were fraudulently registered and most in .COM compromised, .XYZ had a significantly higher incidence of malicious domain registrations per 10,000 coming in at 3.4 versus 1.4 for .COM.
APWG said that it expects the amount of phishing to increase in new gTLDs as registries, finding themselves in a crowded marketplace, compete aggressively on price.
It also noted that the amount of non-phishing abuse in new gTLDs is “much higher” than the phishing numbers would suggest:
Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.
The number of maliciously registered domains containing a variation on the targeted brand was more or less flat, up from 6.6% to 6.8%.
APWG found that 84% of all phishing attacks target Chinese brands and Chinese internet users.
The APWG report can be downloaded here.
UPDATE: XYZ CEO Daniel Negari responded to the report by pointing out that phishing attacks using .xyz have a much shorter duration compared to other TLDs, including .com.
According to the APWG report, the average uptime of an attack using .xyz is just shy of 12 hours, compared to almost 28 hours in .com. The median uptime was a little over six hours in .xyz, compared to 10 hours in .com.
Negari said that this was due to the registry’s “aggressive detection and takedowns”. He said XYZ has three full-time employees devoted to handling abuse.
First URS case decided with Facebook the victor
Facebook has become the first company to win a Uniform Rapid Suspension complaint.
The case, which dealt with the domain, took 37 days from start to finish.
This is what the suspended site now looks like:
The URS was designed for new gTLDs, but .PW Registry decided to adopt it too, to help it deal with some of the abuse it started to experience when it launched earlier this year.
Facebook was the first to file a complaint, on August 21. According to the decision, the case commenced about three weeks later, September 11, and was decided September 26.
I don’t know when the decision was published, but World Trademark Review appears to have been the first to spot it.
It was pretty much a slam-dunk, uncontroversial decision, as you might imagine given the domain. The standard is “clear and convincing evidence”, a heavier burden than UDRP.
The registrant did not respond to the complaint, but Facebook provided evidence showing he was a serial cybersquatter.
The decision was made by the National Arbitration Forum’s Darryl Wilson, who has over 100 UDRP cases under his belt. Here’s the meat of it:
The only difference between the Domain Name,, and the Complainant’s FACEBOOK mark is the absence of one letter (“o”) in the Domain Name. In addition, it is well accepted that the top level domain is irrelevant in assessing identity or confusing similarity, thus the “.pw” is of no consequence here. The Examiner finds that the Domain Name is confusingly similar to Complainant’s FACEBOOK mark.
To the best of the Complainant’s knowledge, the Respondent does not have any rights in the name FACEBOOK or “facebok” nor is the Respondent commonly known by either name. Complainant has not authorized Respondent’s use of its mark and has no affiliation with Respondent. The Domain Name points to a web page listing links for popular search topics which Respondent appears to use to generate click through fees for Respondent’s personal financial gain. Such use does not constitute a bona fide offering of goods or services and wrongfully misappropriates Complainant’s mark’s goodwill. The Examiner finds that the Respondent has established no rights or legitimate interests in the Domain Name.
The Domain Name was registered and is being used in bad faith.
The Domain Name was registered on or about March 26, 2013, nine years after the Complainant’s FACEBOOK marks were first used and began gaining global notoriety.
The Examiner finds that the Respondent has engaged in a pattern of illegitimate domain name registrations (See Complainant’s exhibit URS Site Screenshot) whereby Respondent has either altered letters in, or added new letters to, well-known trademarks. Such behavior supports a conclusion of Respondent’s bad faith registration and use. Furthermore, the Complainant submits that the Respondent is using the Domain Name in order to attract for commercial gain Internet users to its parking website by creating a likelihood of confusion as to the source, sponsorship or affiliation of the website. The Examiner finds such behavior to further evidence Respondent’s bad faith registration and use.
The only remedy for URS is suspension of the domain. According to Whois, it still belongs to the respondent.
Read the decision in full here.
URS is live today as .pw voluntarily adopts it
Directi has become the first TLD registry to start complying with the Uniform Rapid Suspension process for cybersquatting complaints.
From today, all .pw domain name registrations will be subject to the policy, which enables trademark owners to have domains suspended more quickly and cheaply than with UDRP.
URS was designed, and is obligatory, for all new gTLDs, but Directi decided to adopt the policy along with UDRP voluntarily, to help mitigate abuse in the ccTLD namespace.
URS requirements for gTLD registries have not yet been finalized, but this is moot as they don’t apply to .pw anyway.
To date, only two UDRP complaints have been filed over .pw domains.
The National Arbitration Forum will be handling URS complaints. Instructions for filing can be found here.
Report names and shames most-abused TLDs
Newish gTLDs .tel and .xxx are among the most secure top-level domains, while .cn and .pw are the most risky.
That’s according to new gTLD services provider Architelos, which today published a report analyzing the prevalence of abuse in each TLD.
Assigning an “abuse per million domains” score to each TLD, the company found .tel the safest with 0 and .cn the riskiest, with a score of 30,406.
Recently relaunched .pw, which has had serious problems with spammers, came in just behind .cn, with a score of 30,151.
Generally, the results seem to confirm that the more tightly controlled the registration process and the more expensive the domain, the less likely it is to see abuse.
Norway’s .no and ICM Registry’s .xxx scored 17 and 27, for example.
Surprisingly, the free ccTLD for Tokelau, .tk, which is now the second-largest TLD in the world, had only 224 abusive domains per million under management, according to the report.
Today’s report ranked TLDs with over 100,000 names under management. Over 90% of the abusive domains used to calculate the scores were related to spam, rather than anything more nefarious.
The data was compiled from Architelos’ NameSentry service, which aggregates abusive URLs from numerous third-party sources and tallies up the number of times each TLD appears.
The methodology is very similar to the one DI PRO uses in TLD Health Check, but Architelos uses more data sources. NameSentry is also designed to automate the remediation workflow for registries.
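The normalisation step behind both the APWG per-10,000 figures and the NameSentry per-million scores is easy to get wrong (duplicate URLs on one domain, mixed-case hosts, ports in the URL), so here is an added, self-contained illustration of that tallying and normalising workflow. It is not code from APWG, Architelos or DI; the feed entries and domains-under-management counts are constructed, and it also separates maliciously registered from compromised domains, as the APWG comparison of .xyz and .com does.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed in the shape a phishing feed might provide: the abusive URL
# and whether the domain was registered for abuse (True) or compromised (False).
# These are made-up entries, not data from the APWG or Architelos reports.
FEED = [
    ("http://login-example.com/verify", False),
    ("http://login-example.com/verify?id=2", False),   # same host, counted once
    ("https://secure-pay.com:8443/acct", False),        # port must not leak into the host
    ("http://account-check.com/", True),
    ("http://cheap-meds.pw/", True),
    ("http://OTHER-SHOP.PW/buy", True),                 # case-normalised before tallying
    ("http://mail.example.net/reset", False),
    ("not a url", True),                                # skipped: no parsable host
]

# Constructed domains-under-management figures, used only to normalise.
DUM = {"com": 3_000_000, "pw": 40_000, "net": 500_000}


def host_of(url):
    """Lowercase hostname with scheme, port and path removed; None if unparsable."""
    return urlsplit(url).hostname


def tally(feed):
    """Per TLD: number of distinct abusive hosts and how many were maliciously registered."""
    seen = set()
    counts = defaultdict(lambda: {"domains": 0, "malicious": 0})
    for url, malicious in feed:
        host = host_of(url)
        if not host or "." not in host or host in seen:
            continue
        seen.add(host)
        tld = host.rsplit(".", 1)[1]
        counts[tld]["domains"] += 1
        counts[tld]["malicious"] += int(malicious)
    return dict(counts)


def per_million(counts, dum, field="domains"):
    """Score per million names under management, so TLD sizes do not distort the ranking."""
    return {t: c[field] / dum[t] * 1_000_000 for t, c in counts.items() if t in dum}


def ranked(scores):
    """TLDs ordered from worst to best score."""
    return sorted(scores, key=scores.get, reverse=True)
```

With this sample .com has the most abusive hosts in raw terms, but the normalised ranking puts the much smaller .pw first, which is exactly the difference between the raw and per-10,000 figures discussed above.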
China pushes .pw to over 250,000 names
Directi’s .PW Registry has taken over 250,000 domain registrations in the two and a half months since it launched, largely thanks to growth in China.
According to recent DomainTools research, Chinese registrars such as DNSPod and Xin Net lead .pw sales, and .PW business head Sandeep Ramchandani told DI today that this trend is now even more noticeable.
The frankly surprising volume seems to be due largely to its low pricing and some aggressive registrar promotion. Xin Net, for example, sells .pw names for about $6 each, compared to $9 for .com.
While Chinese-script domains are available, most registrations are for Latin strings, Ramchandani said.
The 250,000 number excludes domains that have been deleted for abuse, of which there have been quite a lot.
Ramchandani said that the registry’s abuse department is staffed around the clock.
Directi is using NameSentry from Architelos to track abusive names and has made deals with the most-abused registrars to take down names at the registry level when they pop up, he said.
Directi’s Single-letter .pw sold to Upworthy
Directi has sold to social media linking service Upworthy for what is likely to be a five-figure sum.
Upworthy will use the domain for its custom link-shorteners.
It’s the third single-character .pw sale to be announced. The first two, and were sold to a hosting company for $8,000 each.
I expect sold for a little more, judging by the catalog of single-letter names listed on, which have buy-it-now prices of $10,000 to $12,000.
It’s potentially a nicer deal in terms of visibility for the recently relaunched ccTLD too.
Year-old Upworthy, which has been funded to the tune of $4 million, is a viral video site for “worthy” content, meaning its main purpose is to have its links spread far and wide.
Another recently relaunched ccTLD, had a similar — if much more high-profile — anchor tenant in Twitter, which bought for its in-house URL shortening service.
At one point, single-character .co domains were said to be selling for $1.5 million a pop, which just goes to show how far a nice TLD string can impact prices.
.pw sees strongest growth in China
The recently launched .pw domain, managed by Directi, is doing particularly well in China, according to an early analysis from DomainTools.
The survey of data from name servers supporting 63,736 .pw domains found that well over half — 38,356 — were on Chinese IP addresses.
The Chinese registrar XinNet, which promotes low-cost .pw heavily on its home page, runs the second-largest number of name servers for the ccTLD’s registrants, DomainTools said.
According to the data, Directi’s own service is the third-largest name server host for .pw, followed by NameCheap and Sedo.
While Directi said from the outset that it expected to see growth from less-developed regions of the world, it has also come under fire recently for a massive spam outbreak from .pw addresses.
The ccTLD already has over 100,000 domains, according to the company.
Directi fighting “massive” .pw spam outbreak
Recently relaunched budget TLD .pw is being widely abused by spammers already, but registry manager Directi said it’s enforcing a “zero tolerance” policy.
Anti-spam software makers and users have over the last week reported a “massive” increase in email spam from .pw domain names.
Security giant Symantec reports that .pw jumped to #4 in its rankings of TLDs used in spammed URLs in the week ending April 26.
Anti-spam vendor Fort even recommended its customers block the entire TLD at their mail gateways, blogging:
Since we have yet to see a legitimate piece of mail for the .pw domain but have recently seen massive amounts of spam from this domain, we are recommending that you block mail from this domain as soon as practical.
Anti-spam mailing lists have been full of people complaining about .pw spam, according to spam expert John Levine.
Our own TLD Health Check ranks .pw at #19 in abusive domains (which tracks phishing and malware domains rather than spam) for May, having not ranked it at all before April.
But Sandeep Ramchandani, head of Directi’s .PW Registry unit, told DI that the company has deactivated 4,000 to 5,000 .pw domains for breaching its anti-abuse policy.
He said that a single registrar was responsible for the majority of the abusive names, and that the registrar in question has had its discount revoked, resulting in newly registered domains from it going down to “almost nothing”.
“If you remove that registrar, the percentage of abusive names to non-abusive names is not alarming at all,” Ramchandani said.
He said the company has a “zero tolerance” approach to spam. It’s been communicating with many of its critics to let them know it’s on the case.
He noted that it’s not surprising that people are seeing more bad traffic from .pw than good — spammers tend to start using their domains immediately, whereas legitimate registrants take a bit longer.
Directi, which reported 50,000 names registered in the first three weeks of general availability last week, is now up to 100,000 names.
Many of the names were registered via the same aforementioned registrar, so more are likely to be turned off, Ramchandani said.
.pw is the ccTLD for Palau, but Directi brands it as “Professional Web”. It’s going for the budget end of the market, selling domains for less than .com prices even if you exclude discounts.
.pw claims 50,000 domains registered in three weeks
Directi’s recently relaunched .pw top-level domain has racked up 50,000 domain name registrations after just three weeks of general availability, according to the company.
The number, which will put a smile on the faces of many new gTLD applicants, relates to GA only and does not include defensive registrations made during the ccTLD’s sunrise period, Directi confirmed to DI.
“Our goal was 100,000 names for the first year,” Directi CEO Bhavin Turakhia said in a press release. “The feeling of achieving 50% of the goal within the first three weeks is surreal.”
As previously reported, there were 4,000 .pw domains registered during the first half hour of GA.
Directi (running .pw as .PW Registry and/or Radix Registry) signed up 120 registrars to sell .pw names, which it brands as “Professional Web”.
It’s really the ccTLD for Palau, a small nation in the Pacific.
The registry is going for budget buyers, with registry fees and retail prices coming in a little lower than .com.
Directi sells 4,000 .pw domains in first half hour
PW Registry, the Directi unit looking after the .pw registry, said it received orders for 4,000 domain names in its first 30 minutes of general availability today.
Disappointing? It’s certainly not up to the standard of, say, .co, which was well into six figures in the same period when it launched a few years ago.
But .pw’s ambitions weren’t quite as lofty as .co’s. It’s the ccTLD for Palau, and its chosen meaning of “professional web” isn’t nearly as intuitive or valuable as .co’s “company”.
Still, it’s early days, and Directi says it saw a reasonable amount of domainer action during its landrush phase.
Landrush and sunrise period numbers have not been disclosed, but the company said that Apple, Pfizer, Volkswagen and Nokia obtained their trademarks during sunrise.
PW Registry has 110 registrars, including many of the big ones, selling its names.