What’s in a (domain) name? For generic TLD hackers, a lot


By Byron Acohido, ThirdCertainty

For most of its existence the Internet was limited to no more than 20 or so top-level domains, or TLDs, including .com and .org, as well as national TLDs, like .ca for Canada and .ru for Russia.

Today, thanks to a 2013 rule change, there are 635 so-called generic top-level domains, or gTLDs. This new tier of the Internet represents fertile ground for folks to register new websites appended to .eat, .bike, .love and many other cool terms.

ICANN, the group that oversees Internet standards, introduced gTLDs hoping to alleviate pressure on .com. The degree to which that’s been accomplished is debatable.


But what is clear—and what should come as no surprise—is that cyber criminals are moving to take advantage, as shown by research from network security firm Blue Coat.

Blue Coat researcher Chris Larsen has examined website traffic flowing in and out of the networks of Blue Coat’s clients, keeping close tabs on the new gTLDs.

Larsen discovered a pattern of websites attached to legit-sounding gTLDs that are being used to conduct activities that are shady at best, malicious at worst.

New tool for cyber criminals

For instance, Larsen has discovered numerous websites using the .science and .work gTLDs that are set up primarily to broadcast spam and help carry out social engineering scams.
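The kind of check Larsen describes, keeping tabs on which TLDs an organization's web traffic flows to, can be reproduced on an ordinary proxy log. The script below is an added example written for this article, not Blue Coat's tooling: it parses a few constructed log lines, pulls the TLD out of each requested URL, counts requests per TLD, and flags hits on a hypothetical watchlist seeded with the two gTLDs named above. The log format (timestamp, client IP, URL, HTTP status) and the watchlist contents are assumptions for the example. The TLD extraction takes the last DNS label, which is enough for a per-TLD tally; separating registrable domains under multi-label suffixes would need the Public Suffix List.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real client traffic):
# "<timestamp> <client IP> <URL> <HTTP status>". The last line is deliberately malformed.
SAMPLE_LOG = """\
2015-06-01T10:00:01Z 10.0.0.5 http://www.example.com/index.html 200
2015-06-01T10:00:02Z 10.0.0.7 http://promo.deals-now.science/offer 200
2015-06-01T10:00:03Z 10.0.0.5 https://mail.example.org/ 200
2015-06-01T10:00:04Z 10.0.0.9 http://payroll-update.work/login.php 302
2015-06-01T10:00:05Z 10.0.0.7 http://cheap-meds.science/buy 200
2015-06-01T10:00:06Z 10.0.0.11 http://notalog
"""

# Hypothetical watchlist: the gTLDs the article singles out, extended as the analyst sees fit.
WATCHLIST = {"science", "work"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def extract_tld(url):
    """Return the lowercase last DNS label of the URL's host, or None for IPs / bare names."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    if "." not in host:
        return None  # single-label host, no TLD to report
    last = host.rsplit(".", 1)[1]
    if last.isdigit():
        return None  # dotted-quad IP address, not a domain name
    return last


def parse_log(text):
    """Parse log text into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, url, status = m.groups()
        records.append(
            {"ts": ts, "client": client, "url": url, "status": int(status), "tld": extract_tld(url)}
        )
    return records


def tld_counts(records):
    """Requests per TLD, ignoring records with no usable TLD."""
    return Counter(r["tld"] for r in records if r["tld"])


def flag_watchlisted(records, watchlist=WATCHLIST):
    """Records whose TLD is on the watchlist, for review or alerting."""
    return [r for r in records if r["tld"] in watchlist]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for tld, n in tld_counts(recs).most_common():
        print(f".{tld}: {n} request(s)")
    for r in flag_watchlisted(recs):
        print(f"WATCHLIST {r['ts']} {r['client']} -> {r['url']}")
```

Run against a real proxy export, the per-TLD tally is the interesting output: a gTLD that never appeared before and suddenly dominates a client's requests is worth a look even before any URL on it is known to be bad.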

“It’s clear that there is nobody on guard at the shack for these gTLDs,” Larsen told ThirdCertainty.

Anyone theoretically can propose a new, generic TLD, but gaining approval from ICANN isn’t cheap or easy. The application fees are steep and the approval process lengthy. Google, for instance, reportedly spent nearly $2 million to submit 101 TLD names last year and gain control of .android and .youtube, among many others.

Google presumably wants to keep squatters away from gTLDs associated with its flagship products. But other gTLD investors may simply want to make a return on their investment by selling website domains to whoever wants to pay a fee determined by market forces, Larsen says.

The number of gTLDs is expected to steadily increase for a while more, as ICANN has received a total of 1930 applications, of which just 630 have been approved.

“It’s an expensive process to apply for and to be granted one of these gTLDs,” Larsen says. “There appear to be people with dollar signs in their eyes thinking, ‘Hey, we can set up this cool generic TLD, and then we’ll get lots of people registering domains here, then we’ll make back our investment.’”

Will new gTLDs be used or abused?

The risk question for consumers and businesses is this: Will mostly legitimate organizations and businesses populate gTLD websites, or will gTLDs become infested with websites operated by spammers and hackers?

The latter represent two powerful forces that can clearly make profitable use of additional tiers of domain names in support of pitching questionable products, spreading PC infections, and ramping up identity theft and online scams.

Spammers and hackers are in constant need of fresh websites because Google and the tech security vendors are continually and intensively seeking out and blacklisting websites associated with malicious activity.

“The bad guys have to have new domains to support the next spam run,” Larsen notes. “So they keep refreshing their supply of websites and domains to use in their attacks.”
