2 min read

Free Domain Provider Offers Safe Harbor for Spammers

Loredana BOTEZATU

December 14, 2012

Free Domain Provider Offers Safe Harbor for Spammers

Crooks replace co.cc and co.kr with Tokelau’s free .tk TLD in cyber-attacks.

Cyber crooks have significantly abused .tk domains in attack campaigns in the second half of 2012. Compared to the first half, the number of malicious .tk domains jumped from less than 1 percent to 9 percent of all security incidents involving Top Level Domains.

The explanation for the jump is simple: In the second half, Tokelau’s Dot.TK was the only top level domain name registry that provides free domain names. An answer to the problem, though, is somewhat more complicated.

Free domain names have always posed problems for web users and security companies alike. In July 2011, sustained abuse prompted Google to delist domains registered with second-level registrars, such as the Australian co.cc and the Korean co.kr. Most antivirus companies also enforced web blockades for all domains registered with the respective registries.

The ban, and the bad publicity, made cyber-criminals lose interest in them, which explains their poor scores and drop in ranking. Co.cc ranks 16th and co.kr is was down in position 67.

Scammers register domains and create websites on top level domains where they host phishing forms and malware as part of cyber-attacks driven by spam, social media posts or instant messenger. When users click a malicious link or open an infected HTML spam attachment, they are either redirected to malicious pages, or an IFrame fetches malware from a compromised web location to infect users’ PCs.

In other attacks, crooks rely on mass-compromise of websites that run highly-popular content management software such as WordPress or Joomla. They use known exploits to subvert the hosting account and store malware, phishing pages or even information they steal via keyloggers or browser injectors.

As shown in the above chart, the .com remains the most frequently abused top level domain in malicious spam campaigns. It’s no surprise that the .com TLD is the top choice for scammers. According to VeriSign, the .com and .net TLDs experienced aggregate growth, reaching a combined total of 113.8 million domain names in the fourth quarter of 2011.

Apart from the perennial .com, .info, .ru, and .net domains, users have seen these past few months more .eu, .us, or .org URLs in messages spammed into their inboxes.

Scammers use TLDs with good reputations to give targeted victims a false sense of familiarity. The number of malicious .eu domains, for instance, has nearly tripled in recent months, exactly because crooks wanted to take advantage of the fact that for most people don’t associate .eu domains with malicious attacks and security problems.

The lifespan of these domains is usually short. Attackers need to move fast from one domain to another to evade security software blacklists or reputation-based mechanisms.

Lately, scammers have managed to hide paid domains and use them longer before they get blocked, blacklisted or receive the bad-reputation badge when they began using URL shortening servers. This apparently was behind the 15 percent drop in the number of new TLDs used in cyber-crime operations.

This article is based on the statistics provided courtesy of Adrian Miron, Bitdefender Lead Antispam Researcher.

tags


Author



Right now

Top posts

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read
The Top Five Security Risks Smartphone Users Face Today

The Top Five Security Risks Smartphone Users Face Today

July 02, 2021

4 min read
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

July 02, 2021

3 min read
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

June 30, 2021

2 min read
Mobile security threats: reality or myth?

Mobile security threats: reality or myth?

June 13, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands
Graham CLULEY

July 23, 2021

3 min read
Homoglyph domains used in BEC scams shut down by Microsoft Homoglyph domains used in BEC scams shut down by Microsoft
Graham CLULEY

July 22, 2021

3 min read
China Sets Up New Worrying Vulnerability Disclosure Rules China Sets Up New Worrying Vulnerability Disclosure Rules
Silviu STAHIE

July 20, 2021

1 min read