[This is #22 in our on-going series on Shady TLDs. Links to the previous posts are found at the bottom of the page.]
With the close of Q3, it's time to update our Top Ten list of the shadiest Top Level Domains (TLDs), as well as profile another of the shady ones.
First, the Top Ten list for Q3 of 2017:
| 1 |
.country |
99.95% |
| 2 |
.stream |
99.74% |
| 3 |
.download |
99.58% |
| 4 |
.gdn |
99.50% |
| 5 |
.racing |
99.27% |
| 6 |
.xin |
99.25% |
| 7 |
.bid |
98.97% |
| 8 |
.reise |
98.97% |
| 9 |
.win |
98.75% |
| 10 |
.kim |
98.74% |
* As of the end of September, 2017. Shady Percentage is a simple calculation: the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research; if they were, the percentages would be higher.
While eight of the Top Ten were on the membership list last quarter, and one (.win) has been profiled before, the .reise member is new, and therefore somewhat interesting. It's a German word, meaning "travel, trip, journey", and I wouldn't read too much into its presence in this quarter's Top Ten list. It hasn't been around long, and its percentage is based on just a few hundred ratings (barely over the minimum needed to make the list), rather than on thousands or tens of thousands (or even hundreds of thousands), like the other Top Ten members.
Caveats
As always, we caution against reading too much into the relative positions of TLDs on this list. Rankings are very fluid from quarter to quarter. Also, we are not advocating setting up policy to block all domains on all of these TLDs. Any such recommendation would come only after more research into a TLD. In particular, .xin is rather popular in China, as is .kim in South Korea, and it would not be wise to automatically block such domains if you do any business there. Also, several TLDs have percentages based on lower numbers of domains than some of the other TLDs in the list. (As with .reise above.) In general, it's better to leave shady domain blocking up to the professionals...
.Men in Black (and Gray)...
One of last quarter's Top Ten that has dropped a bit (it's actually down to #33 in this quarter's rankings) is .men, the subject of this "deep dive".
Looking at the top 100 hosts (by number of requests in our traffic), we see the following breakdown of a recent week of world-wide traffic:
| Malware |
7 |
| Phishing |
5 |
| Suspicious |
63 |
| P.U.S. |
1 |
| Spam |
1 |
| Scam |
2 |
| Porn |
3 |
| Adult |
3 |
| Piracy Concern |
14 |
| Health |
1 |
In other words, going by our official list of "shady" categories, 79% of the hosts were in the Red Zone, and another 20 were in the Yellow Zone (not directly related to a security concern, but still somewhat shady). Keep in mind that both Porn and Piracy are common lures used by malicious actors.
That left only one site -- about Men's Health -- rated with a normal/clean category.
How Dangerous?
In checking some of our database notes for the sites with the worst ratings, it's a mixed bag:
- A site serving a cryptocurrency "miner" script. (More in the Potentially Unwanted Software realm than true Malware.)
- Several sites initially flagged as Suspicious, with notes about using shady redirects; these were later upgraded to Malware when they were seen triggering IDS alerts for malicious traffic.
- Several reported as Phishing, although given the frequent use of the word "winner" in some form in the domain name, and coupled with the fact that plain old spam is often labelled "phishing" by well-meaning but casual observers, I'm not sure that a category of Phishing is justified. But they're clearly shady.
- A bunch of others in the "shady redirect" group, that follow some particular domain naming patterns that make them easy to group. (Normally "shady redirect" sites are involved with either shady advertising or spam...)
- There were several of the sites included above in the Suspicious category that also had a category of WebAds/Analytics, indicating their likely usage. (These followed a different naming scheme that the more-numerous network in the previous item.)
Overall, most of these .men were not in black, but more dark- to light-gray. But still well worth blocking. We didn't see many .men in "white" in our traffic survey.
--C.L.
@bc_malware_guy
P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series:
.country
.kim
.science
.gq
.work
.ninja
.xyz
.date
.faith
.zip
.racing
.cricket
.win
.space
.accountant (and .realtor)
.top
.stream
.christmas
.gdn
.mom
.pro