Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

5/4/2021
06:35 PM
Newer Generic Top-Level Domains a Security 'Nuisance'

Ten years of passive DNS data shows classic TLDs such as .com and .net dominate newer TLDs in popularity and use.

A study into the use and popularity of the Internet's top-level domains (TLDs) over a 10-year period shows that many newer TLDs may present more of a security nuisance for organizations than anything else.

That's according to Farsight Security, which this week released a 182-page snapshot of top-level domain traffic associated with each of 1,576 TLDs recognized by the Internet Assigned Numbers Authority (IANA). The company's findings are based on passive DNS data from 2010 to 2019 and do not include DNSSEC-related records.

The dataset includes traffic associated with generic top-level domains, such as .com, .net, and .org; country-code TLDs, such as .uk, .ca, and .de; new generic TLDs, such as .aarp, .nba, and .abc; and internationalized domain names, or TLDs with non-Latin characters.

One of the main goals of the study was to get a general sense of how broadly popular — or not — various TLDs have become over the past 10 years. While .com is generally perceived as — and actually is — the largest TLD, there's less information on the uptake of other TLDs after IANA began recognizing a lot more of them in recent years, Farsight notes in its report.

"One aspect of this is to ask if it was a valuable extension of the namespace or pointless nuisance" to add more TLDs in recent years, says Ben April, chief technology officer at Farsight Security. The data around TLD use suggests that the latter might well be the case, he says.

"Overall, the new TLDs aren't thriving," April says. Many have a user population and some even show signs of growth. Even so, there is no evidence of the broad migration to sector-specific TLDs that many had expected initially. "We don't see entire sectors — for example, banks — dropping .com as a primary TLD and refocusing on .bank."

From a security perspective, one concern with the growth in the number of TLDs over the past few years is that attackers have more opportunities to spoof domains for phishing, cybersquatting, and other malicious activities. For instance, by registering a popular brand's domain name on a newer generic TLD and sending phishing emails from there, an attacker might have more success in getting victims to part with credentials and other sensitive information. In a 2019 Proofpoint study, nearly 96% of organizations found an exact match of their brand-owned domain on other TLDs.

Concerns over the threat have prompted interest in so-called defensive registrations, where organizations register their domains, sometimes in varied grammatical formats, on different TLDs just to prevent others from doing so for malicious purposes.

Varying Risks
What Farsight's data provides is a way for organizations to identify TLDs that present the biggest risk to their brand, April says. "When evaluating risks to your brand, the size of your target surface is directly proportional to the number of TLDs relevant to your brand," he says. "You need to evaluate each TLD to determine the level of risk it presents. This report gives you data to compare how much risk each new TLD represents."

April says the data shows that while some TLDs are likely to be worthy of concern for specific organizations, others can be safely ignored.

For example, TLDs such as .aero and .gov that have access limitations present less of a risk, as registrants need to prove their identity. "If you were an airline, you don't have to worry about an attacker registering myairline.aero," April notes. Open TLDs present more of a risk, but even here that risk varies with the relevance of the TLD. "For example, if I were a retailer, I would consider TLDs like .bargains, .blackfriday, .boutique, and .shop more of a risk than TLDs like .university, .travel, and .webcam," he says.

Organizations concerned about brand abuse on new TLDs should also do substring matching, April advises. This is where a TLD may contain part of an organization's domain or brand name. "As an example, if you have bobsyoga.com, you might also want to evaluate the value of a defensive registration for bobs.yoga," April says.

Another issue that organizations need to consider is whether TLDs have enough of a critical user base to justify accepting email from them. Decisions would need to be made on a case-by-case basis and after a careful evaluation of each TLD. "The decision to reject mail from an entire TLD is not one to be taken lightly," April says. "Organizations with a low risk tolerance and an identifiable customer/vendor base can use the data in this report to eliminate TLDs that add exposure to their security operations without also adding value."
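As an added example, not code from Farsight's report or this article, the two checks April describes above: generating candidate defensive registrations for a brand (the exact label on every open TLD, plus substring matches such as bobsyoga.com to bobs.yoga, ranked by TLD traffic and sector relevance), and listing low-traffic TLDs that no known partner uses as the starting point for a mail-rejection review. The TldInfo record, the scoring rule and the traffic figures are constructed assumptions, not the report's data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TldInfo:
    name: str         # TLD label without the dot, e.g. "yoga"
    restricted: bool  # registrants must prove eligibility (.gov, .aero style)
    relevant: bool    # sector relevance to this brand (a retailer and .shop)
    volume: int       # stand-in for the report's passive-DNS traffic figure

def candidate_registrations(brand_domain, tlds):
    """Defensive-registration candidates for a brand, highest exposure first.

    Produces the exact brand label on every open TLD (bobsyoga.shop) and
    substring matches where the TLD ends the label (bobsyoga.com -> bobs.yoga).
    Each candidate is (name, kind, score); score = volume, doubled if relevant.
    """
    label, _, home_tld = brand_domain.lower().partition(".")
    found = []
    for tld in tlds:
        if tld.name == home_tld or tld.restricted:
            continue  # own TLD, or an identity-checked registry: not a squat risk
        score = tld.volume * (2 if tld.relevant else 1)
        found.append((f"{label}.{tld.name}", "exact", score))
        if label.endswith(tld.name) and len(label) > len(tld.name):
            stem = label[: -len(tld.name)]
            found.append((f"{stem}.{tld.name}", "substring", score))
    found.sort(key=lambda c: (-c[2], c[0]))
    return found

def mail_reject_candidates(tlds, min_volume, partner_tlds):
    """TLDs whose traffic is below min_volume and that no known customer or
    vendor uses: candidates to review before any mail-rejection decision."""
    return sorted(t.name for t in tlds
                  if t.volume < min_volume and t.name not in partner_tlds)

# Constructed sample registry, not figures from Farsight's report.
SAMPLE_TLDS = [
    TldInfo("com", False, True, 10_000),
    TldInfo("shop", False, True, 800),
    TldInfo("yoga", False, True, 500),
    TldInfo("aero", True, False, 900),
    TldInfo("webcam", False, False, 100),
]

if __name__ == "__main__":
    for name, kind, score in candidate_registrations("bobsyoga.com", SAMPLE_TLDS):
        print(f"{score:>5}  {kind:<9} {name}")
    print("review for mail rejection:", mail_reject_candidates(SAMPLE_TLDS, 200, {"com"}))
```

The partner set would in practice come from the sender TLDs seen in your own mail logs, so that a low-traffic TLD a real vendor uses is never proposed for rejection.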

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...