After total domain name registrations decreased by 2.7 million, or 0.7%, to 364.6 million in the third quarter of 2021, they were back on the up in the fourth quarter. The fourth quarter of 2021 closed with 341.7 million domains across all TLDs, an increase of 3.3 million domain name registrations, or 1.0%, compared to the third quarter of 2021, according to Verisign’s latest Domain Name Industry Brief. Domain name registrations have increased by 1.6 million, or 0.5%, year over year.
Three in five .men domain names are classified as “bad” according to the latest Spamhaus analysis of the world’s most abused TLDs, making .men only slightly worse than .loan; the two have a “Badness Index” of 6.43 and 6.35 respectively.
The Spamhaus analysis found that 43,758 of the 72,370 .men domain names analysed, or 60.2%, were classified as “bad”, for a “Badness Index” of 6.43. That is slightly worse than .loan, where 39,642 out of 65,782 domain names (60.0%) were bad, for a Badness Index of 6.35. Following was .gq (Equatorial Guinea) with 55.3% of analysed domains classified as bad and a Badness Index of 6.32, then .cf (Central African Republic) with 54.6% and a Badness Index of 6.24, .ga (Gabon) with 53.0% bad and a Badness Index of 6.06, .ml (Mali) with 51.5% bad and a Badness Index of 5.89, .top (46.4% bad and a Badness Index of 5.58), .work (53.4% bad and a Badness Index of 5.58), .click (64.9% bad and a Badness Index of 5.49) and the world’s third largest top level domain and second largest country code top level domain, .tk, rounding out the top 10 with 42.1% bad and a Badness Index of 4.83.
Registries that allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet, say Spamhaus. Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.
So what is a bad TLD? Spamhaus explains that a TLD may be “bad” in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. However, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.
The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.
In defining a “badness” index, Spamhaus decided to weigh in both these factors. With a certain amount of arbitrariness, and at the same time a desire to avoid excessive complications, they defined badness as:
- Db is the number of bad domains detected
- Dt is the number of active domains observed
Spamhaus says one can think of this number as the bad domains fraction weighted with the TLD's size, or as the order of magnitude of the problem weighted with the effectiveness of anti-abuse policies. Presented this way, this data more closely matches the perceptions Spamhaus staff has in dealing with this issue on a daily production basis. We hope that this definition helps to spotlight registries that in one way or another can be considered problematic, in a fair way.
These data represent domains seen by Spamhaus systems, and not a TLD's total domain corpus. Domains in this data are in active use, showing up in mail feeds and related DNS traffic. Other domains may be parked or used for traffic outside of our systems' focus, and those domains are not included in this summary.
The registries listed provide spammers and other miscreants with a service they need in order to survive. Many, even most, TLDs succeed, by and large, in keeping abusers off their systems and work to maintain a positive reputation. That success shows that these ten worst could, if they tried, “keep clean” by turning spammers and other abusers away.
Following in the footsteps of .tk (Tokelau), .ml (Mali), .ga (Gabon) and .cf (Central African Republic), Freenom has taken on the role of registry for .gq (Equatorial Guinea) and the ccTLD is now its fifth ccTLD where domains are given away free.
The move to give away domains in ccTLDs from smaller countries has had some success, particularly with .tk, which is now the world’s second largest TLD behind .com and largest ccTLD with over 26.5 million registrations.
But the move to give away domains is not without problems. In the latest Anti-Phishing Working Group report, Global Phishing Survey 1H2014: Trends and Domain Name Use, it was noted that phishing occurred in 227 TLDs, but 90 percent of the malicious domain registrations (20,565) were in just five TLDs: .com, .tk, .pw, .cf and .net.
And on a score of the number of phishing domains per 10,000 registered domains, .cf comes out way on top with a score of 320.8 followed by .ml with 118.9. The .ga TLD comes in fourth with 42.9.
In this latest venture Freenom has partnered with GETESA, the largest telecommunication operator in Equatorial Guinea and a joint venture with Orange, to relaunch .gq in various stages. Before .gq domains are available for free to the general public on 1 December, trademark holders and trademark agencies have their first pick in the .gq Sunrise Period that started on 1 October.
From 1 December onwards free GQ domains will be offered to all internet users in Equatorial Guinea and internationally. There will be no restrictions to registrations of free domains and anyone can claim their own .gq domain. Free .gq domains will work exactly like any other extension and can be renewed an unlimited number of times at no charge.
“The need for free domains continues to grow exponentially,” says Joost Zuurbier, CEO at Freenom. “Especially in countries like Brazil, Russia, Vietnam and China, we see the demand for new domains is growing and growing. We are happy to announce that we have opened up more domain space to fulfil these needs.”
Freenom has already partnered with four nations and has become the largest country code domain registry operator worldwide with more than 28 million active domains under management.
Following the success of .TK, Freenom has opened its model to other nations eager to develop their top level domain and looking for an alternative to the unprofitable pay-per-year model. By leapfrogging the traditional approach and offering free domains, they are able to create an immediate impact on their digital landscape and empower their internet users to build an online identity at no cost.
“Free domains make a lot of sense in countries where the banking penetration is in the single digit range,” continues Joost Zuurbier. “The demand for free domains is enormous because people in those nations may not have a credit card to buy domains, but they do have a profound need to communicate and build their presence online. Free domains are an important catalyst that directly enable local content creation and internet entrepreneurship.”
To support its African partners, Freenom opened an office in Dakar in 2013 and will continue to grow its operations in Senegal. Most African countries have been traditionally very weak in the domain name space, but its increasingly technology-savvy population and modernizing digital landscape make it the perfect place for the free domain model. Just as free SIM cards and prepaid phones have revolutionized communications, free domains can dramatically change how African internet users are represented online.
In Equatorial Guinea, GETESA sees free .GQ domains as an opportunity to empower young internet users and help them embrace their digital flag. Through GQ free domains they will be able to create websites and learn about technology.
Freenom’s experience and technology will directly benefit the local internet community of Equatorial Guinea, who will be able to enjoy a modern platform and unlimited domains at no cost. Together with GETESA and in line with ICANN’s bottom-up multi-stakeholder model, the partnership will ensure that the .GQ extension is accessible to all internet users.
Incidences of phishing continued to explode in China in the second half of 2013, where Chinese phishers are victimising the country’s growing online population, the Anti-Phishing Working Group’s Global Phishing Survey for Second Half of 2013 found.
The report found Chinese phishers were responsible for 85 percent of the domain names that were registered for phishing. But it wasn’t all bad news on the phishing front with the average uptimes of phishing attacks declining and close to historic lows, pointing to some success by anti-phishing responders.
Additionally, the companies (brands) targeted by phishing were diverse, with many new targets, indicating that e-criminals are looking for new opportunities in new places. The report also found mass hackings of vulnerable shared hosting providers led to 18 percent of all phishing attacks.
While the number of phishing URLs reported in the second half of 2013 numbered in the millions, the number of unique phishing attacks and domain names used to host them was much smaller. In the six month period there were at least 115,565 unique phishing attacks worldwide, nearly a 60 percent increase over the 72,758 seen the first half of 2013, but less than the 123,486 attacks we observed in the second half of 2012.
Most of the growth in attacks came, according to the APWG report, from phishing that used maliciously registered domains and subdomains. An attack is defined as a phishing site that targets a specific brand or entity. A single domain name can host several discrete phishing attacks against different banks, for example.
The phishing attacks occurred on 82,163 unique domain names. Again, this is up from the 53,685 domains used in the first half of 2013.
The growth was much larger than the increase in the number of domain names in the world that grew from 261 million in April 2013 to 271.5 million in November 2013.
Of the 82,163 phishing domains, the report identified 22,831 domain names that the APWG believes were registered maliciously by phishers, the highest number in the seven years the APWG has been counting. Of these, 19,348 (85%) were registered to phish Chinese targets. This is significantly higher than the 12,175 found in the first half of 2013, and the 5,835 found in the second half of 2012.
These 22,831 maliciously registered domains were registered in 39 different TLDs at registrars in China, the US, and Europe and hosted in China, the US, and elsewhere. The registrations clustered around ten TLDs including the .TK, .CF, .GA, and .ML registries that are all run by Freenom, a Netherlands-based company that offers free domain name registrations. The company makes money through monetising the traffic to the expired domains.
As the report notes, Freenom has operated .TK under the free model for several years, and added .CF, .GA, and .ML to its programme during the second half of 2013. Freenom gives accredited interveners access to directly suspend domains in the .TK registry. (These partners include Facebook, Internet Identity, and the Anti-Phishing Alliance of China.) However, the mitigation of the malicious registrations lagged in Freenom’s new spaces: .CF, .GA and .ML all had uptimes that were above the global average and median.
Brands were, as usual, a target, with 681 unique target institutions during the six month period, down slightly from the 720 found in the second half of 2012. Of the 681 targets that were phished in the second half of 2013, almost half of them, 324 to be precise, were not phished in the first half of 2013. This, the report notes, is an unusual amount of “churn” or turnover and shows phishers trying out new targets.
They appear to be looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing.
Overall, the TLD with the most phishing attacks for the six months was .com with 46.4 percent (and 42.4% of global domain registrations) followed by .net (5.5%) and .tk (Tokelau – 4.5%). The .tk TLD is one of the free domains the report noted. Following was .br (Brazil – 3.2%), IP-based attacks (2.1%), .pn (Pitcairn Island – 1.9%), .me (Montenegro – 1.8%), .info (1.6%) and .ru (Russia – 1.5%). The remaining 27.3 percent came from 201 TLDs.
But the TLD with the most phishing domains per domains registered was .np (Nepal) with 27.1 phishing domains per 10,000 registrations and 32,500 registrations. In the top ten, those TLDs with more than 100,000 registrations were .pw (Palau), which came in second with a phishing per 10,000 domains score of 26.4, .cl (Chile – 18.2), which was fourth, .gr (Greece – 10.2), which was sixth, .id (Indonesia – 10.2) and .br (Brazil – 9.1).
For registrars, the top nine with domains used for phishing on a registrations per 10,000 domains basis are located in China. This is due, the report notes, to the fact that Chinese phishers tend to register domain names for their phishing, and use Chinese registrars regularly. Domains registered at the Chinese registrars were often used to phish Chinese targets such as Alibaba, Taobao.com, and CCTV, but were also used to occasionally phish outside targets such as Facebook and PayPal.
For more information, check out the 30 page APWG report available for download from:
docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf.
There is also a Phishing Activity Trends Report for the 4th Quarter 2013 titled Unifying the Global Response To Cybercrime available from:
Freenom, registry operator for .tk (Tokelau), .ga (Gabon), .cf (Central African Republic) and .ml (Mali), most of whose domains are provided for free with some having reputations of being some of the spammiest TLDs, has announced it has been successful in raising $3 million to expand its AnyCast cloud network and to develop commercial initiatives combining ccTLDs with local communities.
“Our current partners are very committed to the free domain name idea and industry,” said Joost Zuurbier, CEO & Founder of Freenom. “We are pleased to work with KIMA and the other members of this investment group to accelerate our growth and to expand our technology and presence online.”
Combined, the ccTLDs have over 20 million registrations, with .tk leading the way to be the world’s largest ccTLD. Free domain names are, according to Freenom, not required to run advertisements on their websites, and can be renewed at no cost.
China and Brazil are amongst the largest user groups of free domains. But also in the local partner countries, like Gabon and Mali, free domains have become very popular.
“The free domain name model radically changes the way a top level domain registry operates. We help partner countries to transform paid domain systems and processes into a new platform where domains are free and can be registered by everyone, locally and abroad.” Zuurbier continues. “We try to build truly win-win relationships with our partner countries. As a result we’ve seen a huge increase of local website building and technology usage locally, while providing the countries an additional income stream and promotional exposure. KIMA’s investment allows us to rapidly expand this platform, to reach out to additional countries and to invest in new partner relationships.”
Revenue is generated by monetising the expired domain names. Domains that are no longer used by the registrant or are expired are taken back by Freenom and the residual traffic is sold to advertisement networks. Next to this primary source of income, additional revenue will be generated by offering digital white labelled services, such as hosting packages, SSL certificates and others, to free domain name users. These new services will be available from January 2014 onwards.
Registering domain names in Mali’s ccTLD, .ml, has been free since July, but they come with an added bonus – phishing. According to a report published by Netcraft, “Mali now has the most phishy top-level domain of any country in the world.”
According to the report, there are one in 17 “incidents to sites” for the 581 websites using .ml domains. Netcraft report there are 34 sites currently blocked due to phishing incidents. This is a long way ahead of the second worst ccTLD for phishing incidents, .ne (Niger), which has a total of 170 sites with two of these currently blocked for phishing incidents, or one in 85.
Of ccTLDs with more than 100,000 sites, the worst is .cl (Chile), which has 280,540 sites, 510 of which are currently blocked due to phishing incidents, a ratio of one in 550. And for ccTLDs with more than one million sites, .ar (Argentina) is worst, with 450 sites currently blocked out of 1,001,660, a ratio of one in 2,225.
The Malian ccTLD recently joined .tk (Tokelau), whose registry operator Dot TK is a subsidiary of Freedom Registry, who is the registry operator for .ml. The .tk ccTLD is the largest ccTLD with over 15 million registrations and also had major problems with phishing. But Dot TK introduced an anti-abuse API to allow trusted partners to shut down sites that use .tk. Netcraft note that “this dramatically reduced the average uptime of phishing sites which used .tk domains, making it a less attractive platform for fraudsters. Indeed, .tk does not even appear within the top 50 phishiest TLDs today; however, considering .tk and .ml share the same owner, this makes it somewhat surprising to see .ml being so heavily abused already.”
For the complete list compiled by Netcraft of the world’s 50 phishiest ccTLDs, go to toolbar.netcraft.com/stats/tlds.