Reading:
Top 10 TLDs Threat Actors Use for Phishing

Top 10 TLDs Threat Actors Use for Phishing

August 24, 2022

A TLD is the last character of a domain name, such as .com, .net, .org, etc. Domains play a crucial role in phishing attacks. A threat actor can use free domains to create a distribution of phishing. In addition, if they are willing to pay the price, known TLDs such as .com and .org can be used and are likely to bring more success in phishing attacks.

Generic Top-Level Domains (gTLDs) and country-code Top-Level Domains (ccTLDs) are the two primary categories of TLDs. 

The term “generic” (gTLDs) implies that they are not tied to any particular region or nation. On the internet, anyone can register them from anywhere in the world. The well-known gTLDs are “.com,” “.net,” “.business,” “.info,” and “.org”

Country code Top-Level Domains (ccTLDs) are two-letter TLDs that are given to nations primarily based on their country codes. For instance, “.sg” stands for Singapore, “.vn” for Vietnam, and “.in” for India. A country and geographic designation are included in a ccTLD, which is exclusively intended for one country or region. Due to their exclusive management by their respective governments, several ccTLDs are closed and restricted.

Top Used Phishing TLDs in 2022 

According to research done by the Cybercrime Information Center, the top 10 TLDs are: 

  • .com 
  • .cn 
  • .tk 
  • .ml 
  • .xyz 
  • .buzz 
  • .shop 
  • .cf 
  • .net 
  • .ga 

The non-free TLDs range in price, but the most expensive ones are the best for social engineering attacks. When a user sees a .com domain, they immediately think it is legitimate due to .com being standard in online commerce. The user is more likely to fall for the phishing scam if they are familiar with the TLD. 

Four of the top ten-ranked ccTLDs (.tk, .ml, .ga, and .cf) are run by Freenom, a Dutch firm that provides free domain registrations in these ccTLDs. 

For the 2022 period, in place of .top and .gq, two new TLDs, .shop and .buzz, have entered the Top 10.

Statistics of Phishing 

Legacy gTLDs are used in about half of all phishing attacks that target businesses. According to research, the most utilized Legacy gTLD in the group is .com, which is used in nearly 40% of attacks

In a study by Interisle, they found the number of cryptocurrency-related phishing attempts increased 257% year to year. Crypto wallets were the most often targeted businesses, and over 80% of the generic top-level domains (gTLD) identified for phishing were maliciously registered.

Top 10 TLDs Threat Actors Use for Phishing
Phishing Activity (Source: Interisle)

The same study shows that phishers created domains specifically registered for their bitcoin attacks, usually including two or more brands or keywords. The following samples of URLs demonstrate this technique:

Strategies Followed by Phishers 

Phishers are always looking for businesses that may have valuable user information, are just starting to gain popularity, or are unprepared to deal with phishing attacks. 

Phishers also employ several strategies to attract users to their phishing pages, such as: 

  • a new product release, 
  • a problem with a social network account or financial account, 
  • an upcoming technology or service like cryptocurrency
  • information regarding a criminal investigation or tax violation, 
  • a necessary software upgrade to obtain. 

Hackers Use SSL Certificates to Gain Trust 

Examining URLs carefully and avoiding sites that don’t have an SSL certificate have been two of the main recommendations for avoiding phishing sites for many years. When people see that tiny padlock sign in the browser, it gives confidence that they will be secure and no one will steal their money.

A site with an SSL certificate and the HTTPS encryption protocol is identified by the URL prefix “HTTPS” (rather than “HTTP”).

However, using this method to identify suspicious websites is no longer effective. According to the APWG, 83% of the phishing sites reviewed in the first quarter of 2021 had SSL encryption enabled. 

Top Targeted Brands

Researchers found that, between 1 May 2021 and 30 April 2022, phishers attacked over 2,000 firms or organizations, including banks, social media platforms, webmail, games, national tax services, universities, and cryptocurrency exchanges. The most targeted brands are listed below: 

  • Facebook 
  • Amazon
  • Microsoft
  • WhatsApp
  • Apple 
  • Crypto/Wallet 
  • Instagram 
  • Outlook 
  • DHL 
  • Chase
  • PayPal 
  • Adobe
  • PenSam 
  • Wells Fargo
  • Netflix
  • AT&T
  • Tencent 
  • Citi
  • IRS
  • Webmail

How to Defend Against Phishing Attacks 

It is essential to understand that phishing can occur from any source, regardless of how secure a website may seem. Monitoring network activity and managing your digital assets to keep the attack surface as small as possible are the only ways to ensure that phishing won’t seriously impact your company. The AI-enabled SOCRadar Digital Risk Protection platform examines millions of domains from most of the top domain registrars to find malicious domains targeting your brand and your whole company network. While keeping your online presence secure, real-time alerts will help you to be informed before your domains and SSL certificates expire. Also, the following recommendations can help you protect yourself from phishing attacks: 

  • Using security software to protect your computer. 
  • Enabling auto-updates for software to protect your smartphone. 
  • Utilizing multi-factor authentication to secure your accounts. 
  • Making a backup of your data to protect it. 
  • Informing employees about phishing. 

There’s a tool available to protect yourself against phishing scams. Check here whether the emails you receive every day come from a secure source.