Google removes over 11 million ‘’ websites from search results

It was recently reported that Google had removed over 11 million websites with addresses ending in ‘’ from its search results, as it considered their content to be primarily spam or phishing-related. ‘Phishing’ is the term coined to describe how fraudsters may attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity.
The ‘.cc’ domain name extension is an official Internet Corporation for Assigned Names and Numbers (ICANN) accredited country-code top-level domain (ccTLD), representing the Cocos (Keeling) Islands. However, ‘’ is an unofficial subdomain, not recognised by ICANN or any authorised authority independent of ICANN.
The subdomain ‘’ is run by a commercial company based in Korea, CO.CC Inc. The company provides third-level domain name registrations hosted on its own domain name servers, such as ‘’.
Domain names under ‘’ may be registered very cheaply in bulk and, as a result, are popular with bad actors who wish to use them to point to phishing websites. James Kim, the General Manager of .CO.CC, argued that Google's decision was incorrect, and his open letter to Google was posted in the Google Webmaster Help forum. There were also posts from innocent users of the ‘’ extension voicing their disapproval. However, many internet users disagreed with Kim's assessment and supported Google's decision.
Google's actions are backed up by a recent report published by the Anti-Phishing Working Group, which found that "over 40% of attacks using subdomain services occurred on ‘’", although the report also noted that .CO.CC was very responsive to abuse reports. The report also notes that the use of ‘’ domain names for the purposes of phishing has increased further since the tightening of registration policies for ‘.cn’ domain names by CNNIC, the Chinese domain name registry, which means that phishers are searching for alternative cheap and convenient sources of domain names. In relation to unofficial subdomains, the report comments:
"We have identified nearly 700 subdomain registration providers, which offer services on more than 3,200 domain names. This is a space as rich as the current ‘regulated’ domain space, as each subdomain service is effectively its own ‘domain registry’. The subdomain services have many business models, and are unregulated. It is not surprising to see criminals gravitating towards this space as registries and registrars in the gTLD and ccTLD spaces implement better anti-abuse policies and procedures. We are seeing some interesting changes in this market space as well. For example, many subdomain resellers now offer WHOIS services and anti-abuse support, and we've even seen ‘failures’ of such services."
Interestingly for brand owners, the report found that only about 9% of domain names used for phishing contained a brand name or variation thereof. This may be linked to the fact that phishers are aware that brand owners are likely to take action, but is also due to the fact that the actual domain name used to send the malicious emails can often be masked by clever use of technology.  In the case of domain names used to point to phishing websites, it is often enough to place the brand name somewhere in the string appearing in the address bar, as many internet users are not sophisticated enough to distinguish the base domain name used.
David Taylor, Tony Vitali and Jane Seager, Hogan Lovells LLP, Paris

Unlock unlimited access to all WTR content