Study reveals that new gTLDs comprise seven of the top 10 domains used by spammers

Preliminary findings of research conducted by IBM indicate that new gTLDs are among the most widely used top-level domains in email spamming activities. With spam containing malicious attachments on the rise, the report notes that new gTLDs are becoming more popular because they allow spammers to vary their domain URLs and thus bypass spam filters.

IBM will publish the latest edition of its annual X-Force Threat Intelligence Index at the end of this month. However, writing for IBM’s Security Intelligence blog, Ralf Iffert, manager of X-Force Content Security at the company, has provided a sneak peek of some of his team’s findings regarding email spam.

In this context, ‘spam’ refers to unsolicited and often irrelevant emails that are typically sent to a very large number of recipients. Many such emails are sent with more nefarious purposes in mind than are immediately obvious. They may include innocuous-looking file attachments containing malware or viruses, or apparently familiar links that take users to phishing sites or websites hosting malware.

Iffert writes that, while targeted attacks make headlines, “the prevalence of spam traffic means that a variety of attackers are still finding success in this scattershot method to gain access to protected data”. His research team found that during 2016, spam volume grew dramatically, with a marked increase in mail featuring malicious file attachments in the form of banking Trojans and ransomware.

Another notable trend which will be of particular interest to trademark and brand professionals is the growing role of new gTLDs in spam activity. As Iffert puts it: “The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks.”

Of the spam emails that the researchers analysed which contained URLs, the top three most popular TLDs being used by spammers were ‘.com’ (approximately 26%), ‘.ru’ (20%) and ‘.info’ (8%). Altogether, just over a third of the analysed spam emails containing URLs used the ‘.com’ and ‘.info’ legacy TLDs.

But following these three, the next seven most-used domains were all new gTLDs – ‘.click’, ‘.top’, ‘.xyz’, ‘.link’, ‘.club’, ‘.space’ and ‘.site’. Homing in only on those spam campaigns utilising new gTLDs, ‘.click’ accounted for 5.4% of the total, followed by ‘.top’ (4.6%) and ‘.xyz’ (3.9%). Combined, ‘.link’, ‘.club’ and ‘.space’ make up 6.3%. Overall, the top 20 new gTLDs used in spam campaigns comprised just over 22% of top-level domain usage in spam emails during 2016.

Intriguingly, the IBM team’s analysis also looks at the distribution of new gTLDs in spam usage at different points during 2016. The popularity of ‘.xyz’ grew steadily throughout the year; Iffert suggests that this may be due to the relatively low price of ‘.xyz’ domains, which sell for an average of $0.59. Also, he writes that in June last year there was a “dramatic increase in ‘.xyz’ domain registration due to a price blitz on that particular gTLD that made domains available for one or two cents… In fact, some domains were simply given away for free”.

The researchers predict that ‘.xyz’ is likely to feature more prominently in spamming activity in the near future, and note that the Chinese Ministry of Industry and Information Technology’s (MIIT) accreditation of the ‘.xyz’ domain back in December – which makes it legal for use in China – will “definitely be something to look out for” in 2017 with regards to potential impact on Chinese-language spam.

While the upcoming IBM report only looks at the use of new gTLDs by spammers, it does nevertheless provide more food for thought in terms of the programme’s societal benefits – something that many trademark holders and others from the brand-owner community were critical of. Another recent study – this one from cybersecurity firm PhishLabs – found that new gTLDs were also increasingly being used in phishing attacks, another illicit online activity.

Taken together, it would seem that evidence is mounting in support of the argument put forward by many in the trademark world – that the new gTLD programme would multiply opportunities for wrongdoers at least as much as for brand owners and consumers.