Tag Archive for Top-level domain

Shadiest Neighborhoods on the Web

The Internet is organized into domains. Readers of Bach Seat are familiar with the .net domain, since that is how you got here. You are also probably familiar with other web neighborhoods like .com, where Facebook and Google live. The folks in charge of the Intertubes have added more neighborhoods, or technically Top Level Domains (TLDs), and now we have over 1,000 TLDs, many of which have only been around for the past two years.

This rapid growth raises questions about how well those in charge of these new TLDs secure their neighborhood against malware and other threats. CSO Online explains that, just like any city, the Web has neighborhoods where dubious activities often take place: spam, scams, the distribution of potentially unwanted software (PUS), malware, botnets, phishing, and other suspicious activity.

Web security and WAN optimization firm Blue Coat Systems (BCSI) regularly analyzes hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to track “shady activity” on the Web. In September, it released Do Not Enter: Blue Coat Research Maps the Web’s Shadiest Neighborhoods (PDF), with a list of the 10 top-level domains (TLDs) on the Web that are home to shady sites.

Blue Coat recommends that organizations take steps to protect themselves, including blocking traffic to the riskiest TLDs at the web gateway and cautioning users to be careful clicking on any links that contain these TLDs. It further suggests that users who are unsure of a source hover their mouse over a link to verify that it actually leads to the address displayed in the text of the link, or "press and hold" links on a mobile device to do the same verification.

Blue Coat’s list of TLDs most associated with shady sites is constantly in flux but here is their September list.

  • .review – The .review TLD is shady mostly due to scam sites, Blue Coat’s Larsen says. “Just looking at the list of domain names, I would say all of the top 15 are scam sites,” he adds, “.review does not seem to be making any effort whatsoever to keep the bad guys out.”


  • .country – The security firm says the .country TLD appears to have been colonized by scam networks that like to use a game/survey "reward" or "prize" as bait. Blue Coat’s Larsen told CSO there is a strong connection between some of the supporting ad networks on these sites and known PUS networks (adware and spyware). Mr. Larsen says, "So if you’d like to block that entire TLD on your Web gateway, I wouldn’t blame you."
  • .kim – The .kim TLD hosts some legitimate domains, most notably a Korean tech blog and several Turkish sites. According to Blue Coat, the TLD earned its shady online reputation due to the presence of scam networks linked to PUS, malware, and at least one domain that hosts a domain generation algorithm (DGA) used to pump out domain names that can be used with malware, according to the blog.
  • .cricket – Named for the world’s second-most popular sport, the .cricket TLD is another shady neighborhood on the Web. The author notes that while home to some legitimate sites, researcher Larsen points to many instances of search engine poisoning. For instance, StarWarsMovie.cricket pulls lots of random Star Wars items into one place to get traffic — including images clearly lifted from other places.
  • .science – The .science TLD may be a victim of its own marketing. In trying to raise the TLD’s profile, the registry gave away free .science domains and became one of the shadiest TLDs on the web. Blue Coat’s Larsen described their downfall in the CSO article. "Generally they tend to run into trouble when they run promotions for bulk registrations for really low prices … If you can register a domain for a buck, generally there will be bad guys there registering domains." He says the .science domains seem to be largely associated with spam and scam sites. The shady activity included a sizable network of ebook sites, which led to a download network that’s been associated with PUS activity in the past.
  • .work – The .work TLD seems to be more about spam and scams than malware, though Larsen’s team did find a few tentative connections to PUS networks. There were some legitimate sites, though Larsen notes that they might be worth blocking as well. Examples include a Turkish porn site. 
  • .party – Mr. Larsen told CSO that a number of the sites on the .party TLD may seem legitimate. However, he warns, "There are some yellow flags" of search engine poisoning. The TLD also hosts a number of MP3 sites, probably piracy or something malicious. There’s also a site that hosts what appears to be a shady tracker.
  • .gq – The .gq TLD is the country code for Equatorial Guinea, which Blue Coat’s Larsen notes is in many ways a lifetime achievement award winner. He says, "If we look at all of the .gq sites … nearly 99 percent are shady". Most of the abuse of .gq noted by Blue Coat has been in the form of search engine poisoning and many cookie-cutter "shady video" sites associated with PUS. It also features some "shocking video" spam/scam sites that spread via social media and a smattering of malware, phishing, and porn sites.
  • .link – The .link TLD is rife with porn content delivery networks and piracy sites, neither of which is counted as "shady" by Blue Coat. There are apparently a handful of legit sites in .link, but beyond these legitimate domains are a host of survey scam sites. "Historically, it’s been a place for spammers to live," Larsen says.
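The two defenses above, blocking the riskiest TLDs at the gateway and checking that a link really goes where its text says, both come down to extracting the hostname from a URL correctly. The following is an added example, not code from the Blue Coat report or the CSO article: it builds a blocklist from the September list above and makes the decision on the parsed hostname rather than on the raw string, so that tricks such as userinfo (`http://paypal.com@evil.review/`), ports and query strings do not fool it, while a subdomain that merely happens to be called `review` is left alone. The blocklist contents, the helper names and the sample URLs are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed from the page's September list (last label of the hostname only).
SHADY_TLDS = frozenset({
    "review", "country", "kim", "cricket", "science",
    "work", "party", "gq", "link",
})

# Accepts ASCII/punycode hostnames with at least one dot; the last label must
# start with a letter, which rules out IPv4 literals. Assumption for this example:
# non-ASCII (un-encoded IDN) hosts are treated as "not a hostname".
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$"
)


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if there is none.

    A bare 'www.example.review' without a scheme is treated as a host so the
    same function works on the text users see in a link.
    """
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname  # drops userinfo, port, path, query
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    return host if _HOST_RE.match(host) else None


def tld_of(url: str) -> Optional[str]:
    """Last DNS label of the hostname, e.g. 'review' for http://a.b.review/."""
    host = hostname_of(url)
    if host is None:
        return None
    return host.rsplit(".", 1)[1]


def should_block(url: str, blocked_tlds=SHADY_TLDS) -> bool:
    """Gateway-style decision: block when the host's TLD is on the list.

    Decided on the parsed hostname, so 'http://paypal.com@evil.review/' and
    'http://evil.review:8080/login?x=.com' are both blocked, while
    'http://review.example.com/' (a subdomain named 'review') is not.
    """
    tld = tld_of(url)
    return tld is not None and tld in blocked_tlds


def link_mismatch(visible_text: str, href: str) -> bool:
    """The 'hover over the link' check, automated.

    True when the visible text names a host that differs from the host the
    href actually points at (text says www.paypal.com, href goes to
    paypal.com.review). Plain words such as 'click here' never mismatch.
    """
    shown = hostname_of(visible_text.strip())
    target = hostname_of(href)
    if shown is None or target is None:
        return False
    return shown != target


if __name__ == "__main__":
    for sample in ("http://paypal.com@evil.review/", "http://review.example.com/"):
        print(sample, "->", "BLOCK" if should_block(sample) else "allow")
    print(link_mismatch("www.paypal.com", "http://paypal.com.review/"))
```

This is a last-label check, which is what blocking a whole TLD at a gateway means; deciding the registrable domain (to treat `co.uk` or `com.au` as one suffix) needs the Public Suffix List, which is out of scope here.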

Of course, there are well-run TLDs. The best, according to Blue Coat, are:

Safe web neighborhoods


These TLDs are why companies like Blue Coat, Websense, and OpenDNS are in business. (OK, Websense and OpenDNS are no longer stand-alone companies. Websense was gobbled up by defense contractor Raytheon and then spun out as Forcepoint, and OpenDNS has been assimilated into Cisco (CSCO).)

You can use these tools to block almost everyone in your organization from going to these shady parts of the web, for the reasons explained above.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Happy Birthday Dot Com

March 15, 2010, is the 25th anniversary of the first .com name registration. Symbolics Computers of Cambridge, MA registered the first Internet address ending in dot com, symbolics.com, on March 15, 1985. The website Geekosystem says symbolics.com was launched by the computer manufacturer Symbolics, Inc., which was a spin-off from MIT’s AI Lab.

The company went bankrupt in the mid-’90s (but not before their graphics division helped animate the orca in Free Willy), and was sold in 2009 to a domain name investment company, XF Investments.

Mark McLaughlin, CEO of Verisign, told BBC News, “This birthday is really significant because what we are celebrating here is the Internet, and .com is a good, well-known placeholder for the rest of the Internet.”

The BBC article says it is unlikely that the early dot coms were thought of as businesses, as the early internet was not seen as a place for commerce but rather as a platform for governmental and educational bodies to trade ideas. It took until 1997, well into the internet boom, before the one millionth .com was registered.

“Who would have guessed 25 years ago where the internet would be today. This really was a groundbreaking event,” McLaughlin said, “with 668,000 dot com sites registered every month, they have become part of the fabric of our lives.”

An estimated 1.7 billion people, one-quarter of the world’s population, now use the internet. Verisign’s McLaughlin only sees that figure growing over the next quarter of a century. "I think that the way we access information today, mostly still through PCs and laptops, is highly likely to change; that the voice will be more important than text input." He continues, "I think the whole fabric of how we access, search, find and get information is going to be radically different."

The BBC reports that Verisign, which is responsible for looking after the .com domain, currently logs 53 billion requests for websites, not just .coms, every day, and Mr. McLaughlin told BBC News, "We expect that to grow in 2020 to somewhere between three and four quadrillions (1 quadrillion is 1,000 billion)."
