New domains have found their place not only in business, but also in cybercrime.
Over the past year, 19 new top-level domains (TLDs) have been issued, and a study by Palo Alto Networks found that these domains are actively used for a variety of cyberattacks. Among the identified threats are large-scale phishing campaigns, the distribution of potentially unwanted programs, torrent sites, and even projects related to pranks and memes.
The Internet today includes more than 1,000 generic top-level domains (generic TLDs, gTLDs) registered in the Internet Assigned Numbers Authority (IANA) database. Every year, new domains are added to this number, which opens up more opportunities for attackers. TLDs that resemble popular file extensions, such as .zip, or specialized identifiers, such as .bot, pose a particular danger.
The researchers found that there is a clear link between the availability dates of new domains and their popularity. This indicates that various groups – both bona fide users and malicious actors – are closely monitoring the launch of new TLDs in order to begin registering domains. Some of them use domains for legitimate purposes, but others see it as an opportunity for cyberattacks and fraud.
TLDs such as .zip, .ing, and .bot attracted the most attention. For example, the .zip TLD, which became available on May 10, 2023, immediately attracted attackers. By May 16, a significant increase in traffic to .zip domains was recorded, which indicates a mass registration of domains in this TLD. Similarly, the .ing TLD, which became available on December 5, 2023, attracted a significant number of users and attackers on the first day of its launch.
Popularity of the top 10 new TLDs over the past year
One example is a campaign that redirects traffic to phishing sites. In this campaign, 112 domains registered in new TLDs were found, forming a closely related phishing cluster. All domains redirected users to various URLs, indicating that they were involved in a coordinated attack.
Redirect campaign with 112 domains from 11 different newly released TLDs
Another identified threat is related to the use of .bot domains. The attackers registered 92 domains with names resembling people, cities, or random words, and used them to redirect users to fake chat services. These services could be used for fraud, spam, or personal data collection.
Two different landing pages on the same domain for URLs ending in harriet[.]php and chicken[.]php
The use of .esq, .zip, and .foo domains to distribute torrent links was also detected. Such a cluster of domains demonstrates the evolution of an infrastructure that adapts to security blocks, continuing to distribute content through new domains.
In addition, the researchers noticed that domains resembling file extensions are increasingly being used for trolling. For example, .zip and .mov domains were identified that redirected users to a popular rickroll meme, a video with the song "Never Gonna Give You Up" by Rick Astley.
As a result of the study, it became clear that the emergence of new top-level domains poses a serious threat to cybersecurity. To minimize risks, companies should closely monitor domain registrations in new TLDs and respond promptly to suspicious activity. Experts emphasize the importance of implementing modern security tools that will help detect and prevent attacks using new top-level domains.
Source
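The monitoring recommended above can start with flagging proxy or DNS log entries whose hostname falls under one of the TLDs named in this post. The following is an added example, not part of the original post or of the Palo Alto Networks study; the log format, client addresses and hostnames are constructed, and the watchlist contains only the TLDs mentioned in the text.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# TLDs named in the article; extend from the IANA root zone database as needed.
WATCHED_TLDS = {"zip", "mov", "ing", "bot", "esq", "foo"}
# Subset that collides with common file extensions.
FILE_EXT_TLDS = {"zip", "mov"}

# Constructed sample proxy log (assumed format): "<timestamp> <client> <url>"
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 https://example.com/downloads/report.zip
2024-01-10T09:00:07Z 10.0.0.5 https://sample-one.zip/login
2024-01-10T09:01:12Z 10.0.0.8 http://SAMPLE-TWO.BOT.:8080/chat
2024-01-10T09:02:30Z 10.0.0.8 https://sample-three.mov/watch
2024-01-10T09:03:44Z 10.0.0.9 https://docs.python.org/3/library/zipfile.html
2024-01-10T09:04:02Z 10.0.0.5 https://sample-four.ing/
"""

def host_tld(url):
    """Return (hostname, tld) with case, port and trailing dot normalised."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host, (host.rsplit(".", 1)[-1] if "." in host else "")

def flag_new_tld_hits(log_text):
    """Return entries whose hostname (not path) ends in a watched TLD."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        host, tld = host_tld(url)
        if tld in WATCHED_TLDS:
            hits.append({"ts": ts, "client": client, "host": host, "tld": tld,
                         "file_ext_like": tld in FILE_EXT_TLDS})
    return hits

def hits_by_client(hits):
    """Group flagged hostnames per client for triage."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["client"]].add(h["host"])
    return dict(grouped)

if __name__ == "__main__":
    for hit in flag_new_tld_hits(SAMPLE_LOG):
        print(hit)
```

Matching on the parsed hostname rather than the raw URL keeps ordinary downloads such as `report.zip` on a .com site out of the results.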