Just like any city or town, the Web has parts — neighborhoods if you will — where dubious activities frequently take place: spam, scams, the distribution of potentially unwanted software (PUS), malware, botnets, phishing and other suspicious activity.
Enterprise security specialist Blue Coat Systems regularly analyzes hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to track “shady activity” on the Web. In September, it released a list of the 10 top-level domains (TLDs) on the Web that are home to shady sites.
TLDs beyond the ubiquitous .com, .net and .org have begun to proliferate in the past several years, and they are often attractive to malicious actors because registering sites in those domains is often far less expensive than more well-known TLDs.
Blue Coat recommends that organizations take steps to protect themselves, including blocking traffic to the riskiest TLDs and cautioning users to be careful clicking on any links that contain these TLDs. It further suggests that users who are unsure of a source hover their mouse over a link to verify that it leads to the address displayed in the link text, or “press and hold” links on a mobile device to perform the same verification.
Blue Coat’s list of TLDs most associated with shady sites is constantly in flux. The .zip TLD topped the list when Blue Coat’s report was released in September, but has slipped a few spots since then. Chris Larsen, malware research team leader at Blue Coat, notes that one of the things that makes .zip stand out is that it really only has one live domain: nic.zip — Google’s pre-registration page, which relays to a page on google.com that talks about their new TLDs.
“Regardless of this, .zip URLs are showing up in our traffic logs, among the billion or so anonymized Web requests that our customers send us every day to be categorized in our WebPulse system,” Larsen says. “Generally, if you look closer, most of these appear to be filenames, not URLs — but they somehow ended up in somebody’s browser somewhere as a URL, and got treated accordingly.”
Many of these requests are just funny-looking URLs that don’t resolve and so get treated as suspicious. But Larsen notes that many customers’ security teams have found .zip domains associated with malware families such as Cryptowall, MiniDionis and CozyBear.
Even as .zip has fallen from its No. 1 position, the .review TLD has held steady as the No. 2 shadiest neighborhood on the web. It’s mostly due to scam sites, Larsen says.
“Just looking at the list of domain names, I would say all of the top 15 are scam sites,” he adds, pointing to one domain on the list. “This is a Chinese health product scam network. At least 12 of the top 15 .review sites are of that family. .review does not seem to be making any effort whatsoever to keep the bad guys out.”
The .country TLD recently claimed the top spot on Blue Coat’s list, but it was No. 3 when the report was released in September.
“Unlike .click, .link and .rocks, when I started noticing shady .country domains and went to our logs to see how many bad ones there were, I didn’t find any recent .country domains that weren’t shady. (So if you’d like to block that entire TLD on your Web gateway, I wouldn’t blame you. You probably want to block .click while you’re at it, although it’s not quite as bad.),” Larsen says.
The TLD appears to have been colonized by a scam network that likes to use a game/survey “reward” or “prize” as bait. Larsen notes that Blue Coat didn’t immediately notice any malware activity associated with the network, but there is a strong connection between some of the supporting ad networks and known PUS networks (adware and spyware).
The .kim TLD was designated as the fourth-most shady neighborhood on the Web in Blue Coat’s report, but Larsen notes the registry (along with the .xyz registry, which did not make the top 10) has reached out to Blue Coat in an effort to clean up some of the shady activity on the TLD.
“We’ve been seeing a difference in recent traffic,” Larsen says. “They’ve been doing better and deserve some credit for that.”
The TLD does host some legitimate domains, most notably a Korean tech blog and several Turkish sites (“Kim” means “who” in Turkish). But the TLD earned its shady reputation due to the presence of scam networks linked to PUS, malware and at least one domain that hosts a domain generation algorithm (DGA) used to pump out domain names that can be used with malware.
Named for the world’s second-most popular sport, the .cricket TLD is fifth on the list of shadiest neighborhoods on the Web.
While home to some legitimate sites, Larsen points to numerous instances of search engine poisoning. For instance, StarWarsMovie.cricket pulls lots of random Star Wars items into one place to get traffic — including images clearly lifted from other places. Clicking on the page takes you to a page offering episode 6 on Blu-Ray.
The sixth-shadiest TLD on the Web is in many ways a victim of its own marketing. In an attempt to raise the TLD’s profile, the registry was giving away free .science domains.
“Generally they tend to run into trouble when they run promotions for bulk registrations for really low prices,” Larsen says. “If you can register a domain for a buck, generally there will be bad guys there registering domains.”
.science domains seem to be largely associated with spam, Larsen says, though Blue Coat found domains with suspicious and scam ratings as well. He notes that the shady activity included a sizeable network of ebook sites, which led to a download network that’s been associated with PUS activity in the past. Another network offered custom-written academic essays for sale.
The .work TLD seems to be more about spam and scams than malware, though Larsen’s team did find a few tentative connections to PUS networks. There were some legitimate sites, though Larsen notes that they might be worth blocking as well. Examples include a Turkish porn site and a network of Pakistani video-clip sites that looked exactly alike.
The eighth-shadiest TLD on the Web is .party. A number of the sites here look legitimate at first glance. For instance, the No. 1 site is FashionOnly.party, which features images of women in wedding dresses and casual outfits.
“There are some yellow flags,” Larsen says. “The pictures are all very ‘squished.’ None of these pictures look like they were taken for this format. Many have another site name watermarked in the background. There is no real sense of this being a site. There’s no content in the sense of commentary.”
These are hallmark signs of search engine poisoning, Larsen says. The TLD also hosts a number of MP3 sites — probably piracy or something malicious. There’s also a site that hosts what appears to be a shady tracker.
The .gq TLD is the country code for Equatorial Guinea. In the time since Blue Coat’s report was released, .gq has slipped out of the top 10, but Larsen notes that it is in many ways a lifetime achievement award winner.
“If we look at all of the .gq sites that have earned ratings in the database in the past 10 years, out of more than 7,500 ratings, nearly 99 percent are shady,” Larsen says.
Most of the abuse of .gq noted by Blue Coat has been in the form of search engine poisoning and a large number of cookie-cutter “shady video” sites associated with PUS. It also features some “shocking video” spam/scam sites that spread via social media and a smattering of malware, phishing and porn sites.
The .link TLD rounds out Blue Coat’s top 10 list. The TLD is rife with porn content delivery networks and piracy sites, neither of which is counted as “shady” by Blue Coat. There’s also a content delivery network for a Japanese sports network primarily focused on rugby, and another content delivery network serving news to broadcast stations in the U.S. But beyond these legitimate domains are a host of survey scam sites.
“Historically, it’s been a place for spammers to live,” Larsen says.
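One way to turn Blue Coat’s two recommendations (block the riskiest TLDs at the gateway, and verify that a link’s visible text matches where it really goes) into a link check, as an added example that is not Blue Coat’s code: the TLD set is the top ten from the September list as reported in this article, the sample anchors are constructed, and the tolerance for a “www.” prefix and the browser-style reading of scheme-less names such as a bare “report.zip” are my assumptions.

```python
import re
from urllib.parse import urlparse

# The ten TLDs on Blue Coat's September list, as reported in the article above.
SHADY_TLDS = {"zip", "review", "country", "kim", "cricket",
              "science", "work", "party", "gq", "link"}
# Something that looks like a host name inside a link's visible text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

def link_host(url):
    """Lower-cased host of url; a scheme-less 'report.zip' is read the way a
    browser reads it, as http://report.zip/ (the .zip confusion noted above)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")

def registered_tld(url):
    """Final DNS label of the URL's host, or None for a host-less URL."""
    host = link_host(url)
    return host.rsplit(".", 1)[1] if "." in host else None

def check_link(href, text):
    """Findings for one anchor: a block-listed TLD, and a visible host that
    differs from where the link really goes (the 'hover to verify' check)."""
    findings = []
    tld = registered_tld(href)
    if tld in SHADY_TLDS:
        findings.append(f"shady-tld:.{tld}")
    shown = HOST_RE.search(text.lower())
    real = link_host(href)
    strip = lambda h: h[4:] if h.startswith("www.") else h  # assumption: ignore www.
    if shown and real and strip(shown.group(1)) != strip(real):
        findings.append(f"host-mismatch:{shown.group(1)}!={real}")
    return findings

def scan_links(links):
    """Map each href that produced findings to its list of findings."""
    return {h: f for h, t in links if (f := check_link(h, t))}

# Constructed sample anchors (href, visible text), not taken from the article.
SAMPLE_LINKS = [
    ("http://prize-survey.country/win", "prize"),
    ("report.zip", "report.zip"),
    ("http://login.example.kim/", "www.example.com"),
    ("https://www.example.com/", "www.example.com"),
]
```

Running `scan_links(SAMPLE_LINKS)` flags the first three anchors and leaves the fourth alone; the third is reported twice, once for its TLD and once because the text shows a different host than the destination.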