Where do criminals shop for phishing domains?
Contributed by Dave Piscitello, Interisle Consulting Group
Today, we will use records published at the Cybercrime Information Center to study where criminals shop for phishing domains in generic Top-level Domains (gTLDs).
We use the term malicious domain registrations to distinguish domain names that are purposely registered for phishing attacks from domain names that were registered for legitimate purposes but were compromised and misused to host phishing pages.
Distinguishing malicious phishing domains from compromised web sites where phishing pages are hosted without authorization is a useful distinction for phishing mitigation (e.g., takedowns) and to identify parties whose processes or practices make them vulnerable to abuse.
Most abused TLDs Jan 2022
Download a TLD data file
Go to the Cybercrime Information Center’s Records Repository at https://www.cybercrimeinfocenter.org/records.
Select the TLD Phishing Table Data from the February 2022 – April 2022 pulldown menu to download the file phishing-tldstats-Feb2022-Apr2022.csv.
Run Excel
For this demonstration, we’ve used the Hide Columns feature in Excel to hide all but columns A, G, I, L, N and P. We’ll look at only gTLDs, so we’ll select column A, TLD and then we’ll choose Text Filters -> Does Not Equal from the ▽ pulldown, and finally, we’ll type ?? into the Custom Autofilter and hit OK.
Now, we’ll select column N, Registrar's Phishing Domains (%), and from the ▽ pulldown, and we’ll Sort Largest to Smallest.
We see that for 13 of the new TLDs, over 50% of the reported phishing domains were processed by a single registrar.
We want to study registrations made by phishers. If we look at the top registrar’s malicious reported phishing domains, we see for 11 of these 13 new TLDs, the percentages of malicious phishing domains reported are approximately the same as those of phishing domains reported (the 11 TLDs are shown in dark red).
“What attracts phishers to these registrars when they purposely register domain names for phishing attacks?” is a question worth further investigation.
Let’s next look at TLDs where we see large numbers of phishing domains reported. Excel tells us that the average count of phishing domains reported for the 65 TLDs in our “working set” table is 2144.0625, so let’s use that as a number filter for column G. Since we’ve also used Unhide on Column I, Malicious Phishing Domains, we can also study malicious phishing domain registrations of TLDs with large counts of reported phishing domains.
From the table, we see 7 TLDs, again shown in red, where the top registrar’s the percentages of malicious phishing domains reported are approximately the same as phishing domains reported. So while the percentages are much lower here, the question “What attracts phishers to these registrars?” remains interesting.
These examples show how measurements that we publish quarterly at the Cybercrime Information Center can shape questions for policy makers, legislators, regulators, researchers and investigators.
If you have a novel use for Cybercrime Information Center Data and are interested in sharing with our community, contact us at
criminaldomainabuse@interisle.net