If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Why Certain TLDs are More Likely to be Associated with Fraudulent Activity

Started by Domaining News, Jan 15, 2023, 05:31 AM


Domaining News (Topic starter)

Every domain name includes two primary components: the second-level domain name located to the left of the dot (usually consisting of a brand name or relevant keywords), and the top-level domain or domain extension (TLD) situated to the right. These domain names form the core of readable web addresses, enabling users to access internet pages and build email addresses.

Different types of TLDs exist, such as generic (gTLDs) intended to describe the site type, like .COM for company websites, country-code TLDs (ccTLDs) for specific countries, and new gTLDs launched since 2013 that usually relate to specific content types, geographic locations, or business areas. Each TLD is managed by a registry organization that takes care of its infrastructure.

While domain names are employed for legitimate use by brands or individuals, they are also used for infringing or criminal activity. Specific TLDs tend to be more attractive to infringers due to various reasons such as the cost of registration and difficulties in enforcing takedown actions against infringing content. In this context, low- or no-cost domain registrations and lax registration security policies increase the likelihood of TLDs being used for infringing activities. Wealth disparity among countries also affects the technical expertise of ISPs, making domains more susceptible to compromise.

This two-part blog post aims to evaluate the threat levels related to specific domain extensions or TLDs. The first part analyzes data from CSC's Fraud Protection services to identify the TLDs associated with domains utilized for phishing activity. Determining the overall threat frequency for each TLD helps prioritize targets for future tracking, identify TLDs where it's advisable to register domains defensively, and pinpoint TLDs where brand protection service providers can offer blocks or alerts when malicious attempts are made to register a domain containing a brand-related term.


chandanthaver

One factor contributing to this phenomenon is the ease with which malicious actors can obtain these domains. TLDs such as .tk, .ga, .cf, and .ml, for example, are associated with free domain registration services. While these free domains can be used for legitimate purposes, they are also attractive to fraudsters looking to create disposable, low-cost websites for phishing, scamming, or distributing malware.

Additionally, some TLDs have looser registration requirements, making it easier for bad actors to remain anonymous. Domains with minimal verification processes or lax enforcement policies may attract fraudsters who seek to operate with relative impunity. This is in contrast to TLDs with stricter registration policies and more rigorous identity verification procedures, which can act as a deterrent to fraudulent activity.

Here are some additional examples of how specific top-level domains (TLDs) may be associated with fraudulent activity:

1. Country Code TLDs: Some country code TLDs, such as .ru (Russia), .cn (China), .br (Brazil), and .in (India), have been associated with a higher prevalence of fraudulent websites and online scams. This is not a reflection on the countries themselves, but rather due to the fact that fraudsters may exploit the relative ease of registering domains within these TLDs or take advantage of the perception that websites under these TLDs are less likely to be scrutinized by users or law enforcement from other regions.

2. Obscure or Uncommon TLDs: TLDs such as .xyz, .club, .top, and other newer or less traditional TLDs have been exploited by fraudsters due to the perception that they may receive less oversight or attention from security professionals. Additionally, the novelty and low cost of registering domains within these TLDs can make them attractive for malicious actors seeking to quickly establish a large number of potentially disposable fraudulent websites.

3. Typosquatting and Homograph Attacks: Fraudulent websites often utilize domain names that closely resemble well-known brands or popular websites, a tactic known as typosquatting. Some TLDs, particularly those that may be easily mistyped or closely resemble more reputable TLDs, are frequently used in this type of fraudulent activity. Examples include using the .cm TLD instead of .com, or utilizing non-Latin characters in internationalized TLDs to create visually deceptive homograph domains.

4. Generic TLDs with Subdomain Abuse: Even widely recognized TLDs, such as .com, .net, and .org, can be exploited for fraudulent purposes through the use of subdomains. Fraudsters may leverage vulnerable or unsecured subdomains to host phishing pages, distribute malware, or carry out other malicious activities, taking advantage of the reputation and perceived trustworthiness associated with these generic TLDs.
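As an added example (not from the forum thread or from CSC), here is a small brand-protection triage check that flags newly observed hostnames for the signals discussed in the reply above: free-registration TLDs, low-cost new gTLDs, the .cm lookalike of .com, punycode (IDN) labels that may hide homographs, and a brand term placed in a subdomain of an unrelated registrable domain. The TLD lists, the brand term and the sample hostnames are constructed for illustration, and the registrable-domain split is a naive last-two-labels assumption.

```python
# Added example: brand-protection triage of observed hostnames.
# Lists and sample values are constructed for illustration, not real observations.

FREE_TLDS = {"tk", "ga", "cf", "ml"}          # free-registration TLDs named in the post
LOW_COST_NEW_GTLDS = {"xyz", "club", "top"}   # cheap newer gTLDs named in the post
LOOKALIKE_TLDS = {"cm": "com"}                # easily mistyped TLD -> TLD it imitates


def analyze_domain(fqdn, brand):
    """Return a list of risk signals for one hostname, given a protected brand term."""
    labels = fqdn.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) > 1 else ""
    registrable = ".".join(labels[-2:])   # naive eTLD+1 (assumption: ignores co.uk-style suffixes)
    subdomain = ".".join(labels[:-2])
    signals = []
    if tld in FREE_TLDS:
        signals.append(f"free-registration TLD .{tld}")
    if tld in LOW_COST_NEW_GTLDS:
        signals.append(f"low-cost new gTLD .{tld}")
    if tld in LOOKALIKE_TLDS and brand in sld:
        signals.append(f".{tld} lookalike of .{LOOKALIKE_TLDS[tld]} with brand in SLD")
    if any(label.startswith("xn--") for label in labels):
        signals.append("IDN label (punycode): possible homograph")
    if brand in subdomain and brand not in sld:
        signals.append(f"brand term in subdomain of unrelated domain {registrable}")
    return signals


def triage(domains, brand):
    """Map each hostname that raised at least one signal to its signals."""
    return {d: s for d in domains if (s := analyze_domain(d, brand))}


# Constructed sample feed, e.g. from newly registered domain or certificate transparency data.
SAMPLE_DOMAINS = [
    "examplebank.com",                         # the brand's own domain: no signal
    "examplebank.cm",                          # .cm lookalike of .com
    "login.examplebank.tk",                    # free-registration TLD
    "examplebank-secure.xyz",                  # low-cost new gTLD
    "xn--examplebnk-8bb.com",                  # punycode label
    "examplebank.login.freehost-example.net",  # brand term in a subdomain
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_DOMAINS, "examplebank").items():
        print(host, "->", "; ".join(found))
```

For production use the registrable-domain split should come from the Public Suffix List rather than the last two labels.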

