2015-09-01

Security Firm Recommends Blocking ICANN's "Shadiest" New gTLDs

UPDATE: "We have nothing against Google, we don't mean to imply that they're running a shady operation. This is just all about the unintended consequences of having .zip as a TLD" - Hugh Thompson, Blue Coat's Chief Technology Officer, (source: Reuters).
Question: Would Google (or anyone) apply for .exe as a new gTLD in the next round?

UPDATE September 3, 2015: In a separate post yesterday, "Why You Should Block Domains on a TLD That Doesn't Have Any -- .ZIP URLs", security firm Blue Coat explains why Google's new gTLD .ZIP is really bad news:

 "... What makes the .zip TLD interesting is that it really only has one live domain as of today: nic.zip, which is Google's pre-registration page. Actually, it's a bit of a stretch to even call it a domain -- it just relays to a page on google.com talking about their new TLDs. Regardless of this, .zip URLs are showing up in our traffic logs, among the billion or so anonymized Web requests that our customers send us every day to be categorized in our WebPulse system. Generally, if you look closer, most of these appear to be filenames, not URLs – but they somehow ended up in somebody's browser somewhere as a URL, and got treated accordingly. (For example, many of the requests are for [whatever].zip/favicon.ico URLs.) Now that .zip is no longer exclusively a file extension, but is also a TLD, browsers have to treat something that's now a legal URL as a URL, not as a filename, or a search term, or anything else ... We also have a number of large customers who have good -- no, make that really good -- in-house security teams. Those teams investigate threats, and they report associated indicators to us (IPs, domains, etc.). These reports include a variety of .zip URLs, flagged as being associated with malware ..." (emphasis added)

The above should come as no surprise to regular readers of Domain Mondo. It is a type of "collision" problem: a string that used to be nothing more than a filename (report.zip) is now also a syntactically valid hostname, so browsers and mail clients treat it as a link. That is just one of the many known issues impacting ALL of ICANN's new gTLDs (new generic top-level domains). Here are just two of the many Domain Mondo posts on these "problems" with new gTLD domain names:
Here are links to earlier posts in Blue Coat's "Shady TLD" series:
--end of Sept 3 update--
Press Release from enterprise security firm Blue Coat [domain name: bluecoat.com] (emphasis added):

Blue Coat Reveals the Web's Shadiest Neighborhoods

Report shows that more than 95 percent of websites in 10 new Top Level Domains (TLDs) are suspicious
Tuesday, September 01, 2015
SUNNYVALE, Calif., September 1, 2015 – Blue Coat Systems, Inc., a market leader in enterprise security, today revealed new research for consumers and businesses that shows the Top-Level Domains (TLDs), or “neighborhoods,” most associated with suspicious websites. Among the key findings in the report: more than 95 percent of websites in 10 different TLDs are rated as suspicious, and that percentage reaches 100 percent for the two highest-ranking TLDs, .zip and .review.

Blue Coat analyzed hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to create “The Web’s Shadiest Neighborhoods,” a new report that combines research with tips and tricks for Web users and enterprise security and IT departments looking to avoid viruses and other malicious activity. For this research, Blue Coat counted a domain as “shady” if it was rated in its database with a category such as:

Most Common Malicious Activity      | Less Common Malicious Activity
Spam                                | Malware
Scam                                | Botnet
Suspicious                          | Phishing
Potentially Unwanted Software (PUS) |

Domains in the database that were not classified in one of these ways were counted as “non-shady.”

Much has changed since the early days of the Internet when the Web had only six common top level domains (TLDs). Back then, what most consumers and businesses encountered were a small number of standard TLDs, such as .com, .net, .edu and .gov, as well as some “country code” domains like .fr (France) and .jp (Japan). However, since 2013, the number of new TLDs has skyrocketed. There has been an explosion of new neighborhoods on the Web, many of which may be considered, for web security purposes, neither safe nor friendly. By June 2015, the count of validly issued TLDs stood at over one thousand. As the number of TLDs has increased, so have the opportunities for attackers. TLDs with high numbers of shady sites, dubbed “Shady TLDs,” can provide fertile ground for malicious activity including spam, phishing, and distribution of Potentially Unwanted Software (PUS).

The Web’s Top 10 "TLDs with Shady Sites*"
Rank | Top-Level Domain Name | Percentage of Shady Sites

#1  | .zip      | 100.00%
#2  | .review   | 100.00%
#3  | .country  |  99.97%
#4  | .kim      |  99.74%
#5  | .cricket  |  99.57%
#6  | .science  |  99.35%
#7  | .work     |  98.20%
#8  | .party    |  98.07%
#9  | .gq       |  97.68%  [note: .gq is the ccTLD of Equatorial Guinea, not a new gTLD]
#10 | .link     |  96.98%

*As of August 15, 2015 – Percentages are based on categorizations of web sites actually visited by our 75 million users. A TLD having 100 percent shady sites correlates to sites categorized by Blue Coat.

Recent Risky Activity from the Web’s Shadiest Neighborhoods
The report also reveals examples of nefarious activity taking place on shady websites of some of the top ranked Shady TLDs, including the fourth most seemingly dangerous neighborhood, .kim. Blue Coat researchers recently discovered websites serving up pages which mimic popular video and image sites and prompt unprotected visitors to unwittingly download malware.

“Due to the explosion of TLDs in recent years, we have seen a staggering number of almost entirely shady Web neighborhoods crop up at an alarming rate,” said Dr. Hugh Thompson, CTO for Blue Coat Systems. “The increase in Shady TLDs as revealed by Blue Coat’s analysis is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike.”

Minimizing the Risk for Businesses and Consumers
As organizations and consumers look to safeguard themselves against these shady TLDs, they can draw key lessons from the report to inform and strengthen their security posture, including:
  • Businesses should consider blocking traffic that leads to the riskiest TLDs. For example, Blue Coat has previously recommended that businesses consider blocking traffic to .work, .gq, .science, .kim and .country.
  • Users should be cautious about clicking any links that contain these TLDs if they encounter them in search results, e-mail, or social network environments.
  • If unsure of the source, hover the mouse over a link to verify that it leads to the address displayed in the text of the link.
  • “Press and Hold” links on a mobile device (not just tap) to verify that a link leads where it says it does.
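One way an enterprise security team could act on the two points above (block the listed TLDs at the proxy, and recognize the .zip "filename that became a URL" case from the September 3 update) is a small classifier run over proxy log lines. This is an added example, not code from Blue Coat's report or from Domain Mondo. The block list is the top-10 table from the press release; the log format (timestamp, client IP, URL), the sample lines, and the filename-likeness heuristic (underscore, version-style label, or a second file extension before .zip) are assumptions for illustration, not Blue Coat's method.

```python
import re
from urllib.parse import urlsplit

# Blue Coat's top-10 "Shady TLD" list from the September 1, 2015 press release.
# Note that .gq is a ccTLD; the other nine are ICANN new gTLDs.
SHADY_TLDS = frozenset({
    "zip", "review", "country", "kim", "cricket",
    "science", "work", "party", "gq", "link",
})

# Heuristic (an assumption, not Blue Coat's logic) for a .zip host that started
# life as an archive filename: an underscore (illegal in a DNS hostname), a
# version-style label such as "v1.2.zip", or a second extension before .zip.
_FILENAME_HINT = re.compile(
    r"_|[0-9]+\.[0-9]+\.zip$|\.(?:tar|7z|rar|exe|dll|doc|docx|xls|pdf)\.zip$",
    re.IGNORECASE,
)


def host_of(url: str) -> str:
    """Return the lowercase hostname of *url*.

    Log entries such as 'report.zip/favicon.ico' (a filename a browser has
    auto-linked) carry no scheme, so one is supplied before parsing. Ports and
    a trailing dot are dropped.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def tld_of(host: str) -> str:
    """Last DNS label of *host* ('' for a bare label or an empty host)."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def classify(url: str) -> dict:
    """Decide whether a requested URL should be blocked by TLD.

    Returns a dict with the parsed host, its TLD, an action ('block'/'allow'),
    and filename_like=True when a .zip host looks like a mis-linked filename.
    A .zip that appears only in the path (archive.org/foo.zip) is not a .zip host.
    """
    host = host_of(url)
    tld = tld_of(host)
    verdict = {
        "url": url, "host": host, "tld": tld,
        "action": "allow", "filename_like": False,
    }
    if tld in SHADY_TLDS:
        verdict["action"] = "block"
        if tld == "zip" and _FILENAME_HINT.search(host):
            verdict["filename_like"] = True
    return verdict


def scan_log(lines):
    """Run classify() over '<time> <client_ip> <url>' lines; return the blocked ones."""
    blocked = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than guess
        verdict = classify(parts[2])
        if verdict["action"] == "block":
            verdict["client"] = parts[1]
            blocked.append(verdict)
    return blocked


# Constructed sample proxy log (not real traffic). The third entry mimics the
# "[whatever].zip/favicon.ico" requests Blue Coat describes.
SAMPLE_LOG = """\
2015-08-15T09:12:01Z 10.0.0.12 http://www.example.com/index.html
2015-08-15T09:12:05Z 10.0.0.12 http://nic.zip/
2015-08-15T09:12:09Z 10.0.0.27 Q3_report.zip/favicon.ico
2015-08-15T09:13:44Z 10.0.0.31 https://login.example.review:8443/verify
2015-08-15T09:14:02Z 10.0.0.31 http://photos.example.kim/video.php?id=7
2015-08-15T09:15:10Z 10.0.0.40 http://archive.org/details/foo.zip
""".splitlines()


if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        tag = " (looks like a filename, not a site)" if v["filename_like"] else ""
        print(f"BLOCK {v['client']} -> {v['host']} [.{v['tld']}]{tag}")
```

The filename_like flag is what makes the .zip figures in the table above readable: a request for Q3_report.zip/favicon.ico is blocked, but it is also evidence of a client auto-linking a filename rather than of a malicious registered site, which is a different thing to chase in an investigation.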
Full Report Available
Please click here [pdf] to view a full copy of “The Web’s Shadiest Neighborhoods.”

About Blue Coat Systems
Blue Coat is a leader in enterprise security, providing on-premise, hybrid and cloud-based solutions for protecting web connectivity, combating advanced threats and responding to security breaches. Blue Coat is the global market leader in securing connection to the web and counts nearly 80 percent of the Global Fortune 500 as its customers. Blue Coat was acquired by *Bain Capital in March 2015. For additional information, please visit www.bluecoat.com.

--end of press release--

*Bain Capital Completes Acquisition of Blue Coat Systems | Blue Coat (May 26, 2015)"Bain Capital acquired Blue Coat from Thoma Bravo, LLC, in an all-cash transaction valued at approximately $2.4 billion."

According to namestat.org, Blue Coat's top 10 list of "shadiest" TLDs includes several of the largest new gTLDs delegated by ICANN, by total domain name registrations:
Blue Coat rank | TLD      | Total registrations
3              | .science | 324,836
6              | .party   | 206,925
8              | .link    | 151,205

See also: Web address explosion is bonanza for cyber-criminals: study (source: CNBC)

and Domain Mondo: Goldman Sachs Offices, Shenzhen, China: REAL and FAKE (video)
