Compare distributions of phishing and malware content in different TLDs

We are pleased to announce that the REMEDI3S-TLD project website is now live (https://remedi3s-tld.sidnlabs.nl). It enables registries and other interested DNS service operators to compare distributions of phishing and malware content in different TLDs, relative to their size and evolution over time.

REMEDI3S-TLD Project

REMEDI3S-TLD stands for REputation MEtrics Design to Improve Intermediary Incentives for Security of Top-Level Domains. The goal of REMEDI3S-TLD is to develop security metrics for TLDs and to measure their operational values using DNS query data and other data sources, such as botnet and phishing feeds. The work was particularly challenging because a TLD is not a single organization but constitutes an entire “ecosystem” of different types of players (e.g., TLD registry, registrars, and DNS operators) that all influence the TLD’s security posture.

REMEDI3S Security Metrics

In our metrics, we use heterogeneous blacklists provided by StopBadware and the Anti-Phishing Working Group (APWG). The three types of security metric that provide insight into the distribution of abuse across TLDs are as follows:

  1. Unique blacklisted domains aggregated by TLD. Examples: malicious.pl, malicious.com.pl.

  2. Unique blacklisted fully qualified domain names (FQDNs) aggregated by TLD. Examples: 1234.malicious.pl, 5678.malicious.pl.

  3. Unique blacklisted URLs (distinct paths) aggregated by TLD. Examples: malicious.pl/wp-content/gallery/photo-1.jpg, malicious.pl/wp-content/gallery/photo-2.jpg.

We normalized each of them according to the size of the corresponding TLD (the number of domains in the registry) and aggregated monthly statistics per 100,000 domains. Please visit our website to learn more about the methodology and the rationale behind the selection of the proposed metrics (https://remedi3s-tld.sidnlabs.nl).
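The following script is an added illustration of the three metrics and the per-100,000-domains normalization described above; it is not code from the REMEDI3S-TLD project. The blacklist entries, the registry sizes and the small suffix table standing in for the Public Suffix List are all constructed, and the feed deliberately contains one campaign with many third-level names under a single registered domain, so the domain, FQDN and URL counts for that TLD diverge in the way the Key Results section discusses.

```python
"""Added example: compute the three REMEDI3S-style abuse metrics per TLD from a
blacklist feed and normalize them per 100,000 registered domains.
All inputs below are constructed for illustration (not real data)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes below which
# registrants obtain names. A real implementation should use the Mozilla PSL
# (for example via the publicsuffix2 package); this table is an assumption.
PUBLIC_SUFFIXES = {"pl", "com.pl", "nl", "com"}

# Constructed registry sizes (registered domains per TLD) used for
# normalization. These are not the real figures of any registry.
REGISTRY_SIZE = {"pl": 2_500_000, "nl": 5_600_000, "com": 120_000_000}

# Constructed blacklist feed: a few unrelated entries plus one campaign that
# uses 50 third-level names under a single registered domain (campaign.pl).
BLACKLIST = [
    "http://malicious.pl/wp-content/gallery/photo-1.jpg",
    "http://malicious.pl/wp-content/gallery/photo-2.jpg",
    "http://MALICIOUS.pl/wp-content/gallery/photo-2.jpg",  # same URL, host case differs
    "http://malicious.com.pl/login",                       # second-level registry suffix
    "http://hacked-site.nl/index.php?id=1",
    "http://hacked-site.nl/index.php?id=2",
    "http://example.com/bad",
] + [f"http://{i}.campaign.pl/verify" for i in range(1000, 1050)]


def split_name(host):
    """Return (tld, registered_domain) for a hostname using the longest
    matching public suffix; return None when the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is the longest matching suffix; the registered
            # domain is that suffix plus one label to its left.
            return (tld, ".".join(labels[i - 1:])) if i > 0 else None
    # No suffix known: assume a plain two-label registration (assumption).
    return tld, ".".join(labels[-2:])


def aggregate(blacklist):
    """Bucket unique domains, FQDNs and URLs per TLD (metrics 1, 2 and 3)."""
    per_tld = defaultdict(lambda: {"domains": set(), "fqdns": set(), "urls": set()})
    for url in blacklist:
        parts = urlsplit(url)
        host = parts.hostname  # already lower-cased by urlsplit
        if not host:
            continue
        split = split_name(host)
        if split is None:
            continue
        tld, domain = split
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        per_tld[tld]["domains"].add(domain)
        per_tld[tld]["fqdns"].add(host)
        per_tld[tld]["urls"].add(host + path)
    return per_tld


def metrics(blacklist, registry_size, per=100_000):
    """Raw unique counts per TLD plus counts normalized per `per` domains.
    TLDs with unknown registry size get no normalized value."""
    result = {}
    for tld, buckets in aggregate(blacklist).items():
        raw = {k: len(v) for k, v in buckets.items()}
        size = registry_size.get(tld)
        normalized = {k: round(v * per / size, 3) for k, v in raw.items()} if size else None
        result[tld] = {"raw": raw, "per_100k": normalized}
    return result


if __name__ == "__main__":
    for tld, m in sorted(metrics(BLACKLIST, REGISTRY_SIZE).items()):
        print(tld, m["raw"], m["per_100k"])
```

For .pl the feed yields 3 unique domains but 52 FQDNs and 53 URLs, which is the pattern a single campaign with many subdomains produces; the project aggregates these counts per month, which amounts to running the same computation over each month's slice of the feed.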

Key Results

Concentrations of abuse are, to a large extent, a function of the size of the TLD: more registered domains mean higher numbers of compromised websites. In addition to size, other relevant factors are the service portfolio of the market players, their business type, the legal framework under which market players operate and the overall maturity of ICT infrastructure development in a country. Last, but not least, the security efforts of the hosting providers or registries influence the abuse rate.

Concentration of abuse is also driven by attackers' behaviour. Our analysis has revealed that a reputation score can be driven by a single phishing campaign. For example, we found seventeen second-level domains under one ccTLD, presumably maliciously registered, and 32,596 corresponding FQDNs (third-level domains) involved in the same malicious phishing campaign in 2014. In addition to maliciously registered and compromised domains used in malware or phishing attacks, abusers increasingly choose legitimate services:

  1. Free hosting and dynamic DNS (DDNS) services offering shared higher-level domains

  2. Cloud-based file sharing services

  3. Other legitimate applications such as URL shortening services

Broadly speaking, our analysis and experience in designing security reputation metrics for TLDs and hosting providers have led us to conclude that a clear distinction should be made between measuring the security metrics proposed here for TLDs and measuring the security performance of registries or other groups of market players: TLD-level abuse rates are driven by multiple factors rather than by the security practices of a single type of intermediary.

Data Sharing

Although we do not publish any details of the blacklisted domains (please contact APWG and StopBadware), we do provide the aggregated data in JSON format on our website, including scores for all the TLDs considered in our analysis. Also, please let us know if you need any further information regarding the methodology described.

Project Partners

The REMEDI3S-TLD project is a collaboration between SIDN Labs and the TU Delft Economics of Cybersecurity research group, and a subproject of the broader REMEDI3S project, which is a collaboration between SIDN, the National Cyber Security Centre, and TU Delft. REMEDI3S is co-sponsored by NWO.

Maciej Korczyński, Ph.D.
Post-Doctoral Researcher
Economics of Cyber Security Group
Delft University of Technology