Threat Intelligence Blog

Posted September 10, 2015


By: Greg Ogorek

Blue Coat Systems, a network security firm, published an interesting report[1] last week highlighting top-level domains (TLDs) that may be associated with suspicious websites. Among their findings, they claim that 95 percent of the sites in each of 10 different TLDs are rated as suspicious, with two of those TLDs (.zip and .review) reaching a mind-blowing 100 percent.

Blue Coat’s definition of a suspicious site is one that exhibits one of the following types of behavior:

Most Common Malicious Activity:

  • Spam
  • Scam
  • Suspicious
  • Potentially Unwanted Software (PUS)

Less Common Malicious Activity:

  • Malware
  • Botnet
  • Phishing

According to the Blue Coat report, domain names in their database that were not classified in one of these buckets were counted as “non-shady.”

We agree that a domain name should be dubbed dubious if it exhibits activities like the ones listed above. We also agree that if a percentage of the domain names existing within a TLD are flagged as suspicious, that TLD should be properly regarded with concern within network security circles. However, we’d argue that the number of domain names analyzed within a TLD before that extension is considered shady (or not) needs to be examined.

For example, .zip was ranked as 100 percent shady. However, this TLD only has one domain name registered at this point (perhaps a few more by the time you’ve read this) according to[2], a site that tracks new gTLDs as they are delegated into the root for general availability. As Ars Technica’s IT Editor Sean Gallagher pointed out[3], the only site currently sporting an actual .zip domain name is Google’s site advertising the TLD[4].

Blue Coat has since offered an explanation of how .zip got on the “shady” list. While it may be a safe precaution to block .zip based on their assessment, a rating derived from the data of a single domain name can present an incomplete picture of the threat a particular extension poses.

On the flip side, the other new gTLD that Blue Coat ranked as 100 percent shady was .review. This TLD currently supports over 47,000 registered domain names, and is growing. To be called out as 100 percent shady with this volume of registered domain names is quite a statement to make about the safety of names in that extension, and doesn’t speak well of the registry operator.

This brings up the question of how security professionals should treat new gTLDs. If proper registry safeguards aren’t in place for the launch of new extensions, criminals and malicious actors can set up shop quickly. Considering the challenges of enforcing legitimate registrations, and how quickly domains can be repurposed, it may be prudent to suggest a preemptive block of all new gTLDs on your network until there is supportable evidence of legitimate activity. It’s standard security practice to lock systems down when standing up new servers and firewalls: ports are blocked and services are shut down, except for the ones needed to transact business. In the end, though, how you choose to interact with newly launched gTLDs should relate to your tolerance for risk.
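As an added illustration (not code from the original post or from Blue Coat), the following Python rates TLDs from a categorised domain feed the way the report does, but also reports a Wilson 95 percent lower bound and withholds a block/monitor verdict below a minimum sample size, so a TLD with one name cannot come out as a confident 100 percent. The feed, the 100-name minimum and the 90 percent block cutoff are constructed assumptions, not values from the report.

```python
import math
from collections import defaultdict

# Categories the report counts as shady (both the "most" and "less common" lists).
SHADY = {"spam", "scam", "suspicious", "pus", "malware", "botnet", "phishing"}

# Constructed sample feed of (domain, category) pairs; not real data.
SAMPLE_FEED = (
    [("example-shady.zip", "suspicious")]                   # a single .zip name
    + [(f"site{i}.review", "scam") for i in range(200)]     # many shady .review names
    + [(f"shop{i}.com", "non-shady") for i in range(147)]   # mostly clean .com names
    + [("spam1.com", "spam"), ("spam2.com", "spam"), ("bad.COM.", "phishing")]
)

def tld_of(domain: str) -> str:
    """Last label of a hostname, lower-cased, with any trailing root dot removed."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def wilson_lower(shady: int, total: int, z: float = 1.96) -> float:
    """Lower bound of the 95% Wilson score interval for the shady fraction."""
    p = shady / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return max(0.0, (centre - margin) / (1 + z * z / total))

def rate_tlds(feed, min_sample=100, block_at=0.90):
    """Per-TLD shady percentage, 95% lower bound and verdict (thresholds are assumed)."""
    counts = defaultdict(lambda: [0, 0])  # tld -> [shady, total]
    for domain, category in feed:
        t = tld_of(domain)
        counts[t][1] += 1
        if category.lower() in SHADY:
            counts[t][0] += 1
    report = {}
    for t, (shady, total) in counts.items():
        lower = wilson_lower(shady, total)
        if total < min_sample:
            verdict = "insufficient-data"   # too few names to judge the TLD
        elif lower >= block_at:
            verdict = "block"               # shady even at the lower confidence bound
        else:
            verdict = "monitor"
        report[t] = {"total": total, "shady_pct": round(100 * shady / total, 2),
                     "lower95_pct": round(100 * lower, 2), "verdict": verdict}
    return report

if __name__ == "__main__":
    for tld, row in sorted(rate_tlds(SAMPLE_FEED).items()):
        print(f".{tld:<7} {row}")
```

With this feed the single .zip name still shows a 100 percent point estimate, but its lower bound is only about 21 percent and the verdict is "insufficient-data", while 200 shady .review names clear the block threshold.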

Protecting the network is a priority for all information security professionals. Being able to properly identify and categorize threats is fundamental to building a stable, operational security plan. We need to develop better information, though, in order to fully support practical decision-making when it comes to protecting the stability and integrity of our infrastructure. Safety and security come first. Let’s make wise decisions about how we interact with the landscape of potential threats.
