Attack Prediction: Malicious gTLD Squatting May Be The Next Big Threat

By OpenDNS Security Research
Posted on April 23, 2014
Updated on March 11, 2020

Late last year, ICANN began expanding the generic Top-Level Domains (gTLDs). In addition to the standard .COM, .ORG, and .NET TLDs, over 1,300 new names could become available in the next few years. These new gTLDs and internationalized domain names (IDNs) are awesome ideas if you think about the creativity sparked around the names one can possibly register.

Some examples include .SINGLES (2013-08-28) and .SEXY (2013-09-11). Right before last holiday season, .CHRISTMAS (2013-11-21) was made available for use. We are seeing more interesting ones coming out such as .RICH (2013-11-21) and .MEME (2014-01-30). .WTF became available on 2014-03-07. The full, current list of delegated gTLDs and their registration details can be found at ICANN or in the Mozilla Public Suffix List.

204 new gTLD names were released between Oct 23, 2013 and April 04, 2014. DomainTools provides some excellent charts on the proliferation of the gTLDs.

[Chart: Daily growth of new gTLD registrations]

Security concerns and other risks around these new gTLDs have been extensively discussed as the new gTLD program rolls out. Unfortunately, the primary concern has focused on traditional domain squatting for monetization purposes – and not on gTLD squatting for malicious purposes. According to a February 27, 2014 article published in Forbes by Daniel Fisher:

[Domain squatters] might profit by snapping up domain names that happen to belong to well-known consumer brands. With the cost of dislodging a cybersquatter starting at a few hundred dollars and quickly escalating past $10,000 – with no possibility of imposing those costs back on the loser without engaging in even more expensive litigation — brand owners might find it easier to pay them to go away.

With so many new gTLDs, perhaps it’s a good time to do a bit of data extraction and analysis here at OpenDNS. Using an hour time slice, on two different days, across all of OpenDNS’ 22 data centers we discovered some interesting usage statistics.

Security Risk #1. Name Collisions

Internal network entities are often named with a set of unofficial gTLDs that are not yet available for registration in the public domain name space, such as .CORP, .HOME, .SITE, .GLOBAL, .LOCALHOST, or .LOCAL. Attackers may register hostnames that purposefully collide with these internal names in an effort to see the traffic that is only supposed to be visible on the internal network. A good practice against such attacks is to use internal DNS resolvers and declare them as authoritative for internal TLDs.

.LOCAL, along with a number of other names, is on ICANN's reserved list and is therefore immune to the collision problem. The reserved names are:

AFRINIC, ALAC, APNIC, ARIN, ASO, CCNSO, EXAMPLE, GAC, GNSO, GTLD-SERVERS, IAB, IANA, IANA-SERVERS, ICANN, IESG, IETF, INTERNIC, INVALID, IRTF, ISTF, LACNIC, LOCAL, LOCALHOST, NIC, NRO, RFC-EDITOR, RIPE, ROOT-SERVERS, RSSAC, SSAC, TEST, TLD, WHOIS, WWW

.CORP, .HOME and .SITE aren't yet in the public gTLD pool. .NETWORK, however, is a different story: we're seeing hundreds of thousands of requests to .HOME.NETWORK, largely due to routers' Wi-Fi lookup queries. None of the 3,000 hostnames under .NETWORK are currently resolving, but we'll probably see name collisions as soon as attackers figure out how useful squatting on this particular gTLD can be.

Some examples of the .HOME.NETWORK hostnames that we are currently seeing include:
  • tracker.openbittorrent.com.home.network
  • localhost.home.network
  • internalcheck.apple.com.home.network
  • us.launcher.battle.net.home.network
  • api.openweathermap.org.home.network
  • us.patch.battle.net.home.network
  • tracker.istole.it.home.network
  • windows.home.network
  • newuser.home.network
  • desktop.home.network
  • isatap.home.network
  • master.home.network
  • http.home.network
  • nas.home.network

As you can see, it would be quite easy for an attacker to register a number of commonly (and actively) used hostnames that a user's computer might try to reach while it is outside its home network. In fact, this 'leakage' is happening all over the world. Based on a quick query of yet-to-be-public gTLDs on April 5, 2014, we discovered 1,808 unique hosts leaking gTLD hostnames. A geographic distribution of these hosts can be seen below.

The following chart shows the top 30 new gTLDs ranked by the number of unique hostnames queried.
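The leakage described above is straightforward to spot from a resolver's own query logs. The following is an added example (not OpenDNS/Umbrella code) that classifies each queried name as reserved, collision-prone, or neither, using the reserved list and the unofficial internal suffixes named in this post; the `timestamp client qname` log format and the sample lines are constructed, and the suffix list is an assumption you would extend with your own internal zones.

```python
"""Detect internal/reserved-suffix queries leaking to a public resolver. Added example,
not OpenDNS/Umbrella code; the 'timestamp client qname' log format is constructed."""
from collections import defaultdict
# ICANN reserved names from the post's list: never resolve publicly, so noise only.
RESERVED_TLDS = {
    "afrinic", "alac", "apnic", "arin", "aso", "ccnso", "example", "gac", "gnso",
    "gtld-servers", "iab", "iana", "iana-servers", "icann", "iesg", "ietf", "internic",
    "invalid", "irtf", "istf", "lacnic", "local", "localhost", "nic", "nro", "rfc-editor",
    "ripe", "root-servers", "rssac", "ssac", "test", "tld", "whois", "www"}
# Unofficial internal suffixes from the post that are NOT reserved: whoever registers
# them (or, for .home.network, the name under the live .network gTLD) sees the query.
COLLISION_SUFFIXES = ("corp", "home", "site", "global", "home.network")

def classify(qname):
    """Return ('reserved', tld), ('collision-risk', suffix) or (None, None)."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-1] in RESERVED_TLDS:
        return "reserved", labels[-1]
    for suffix in COLLISION_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return "collision-risk", suffix
    return None, None

def analyze(log_lines):
    """Per leaked suffix: query count and the set of clients that leaked it."""
    leaks = defaultdict(lambda: {"queries": 0, "hosts": set()})
    reserved = 0
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        _ts, client, qname = parts
        verdict, suffix = classify(qname)
        if verdict == "collision-risk":
            leaks[suffix]["queries"] += 1
            leaks[suffix]["hosts"].add(client)
        elif verdict == "reserved":
            reserved += 1
    return dict(leaks), reserved

def unique_leaking_hosts(leaks):
    """Distinct clients that leaked at least one internal name (the post's 1,808 figure)."""
    return len(set().union(*[v["hosts"] for v in leaks.values()]))

# Constructed sample: two clients leak internal names, one reserved name, one normal query.
SAMPLE_LOG = """\
2014-04-05T10:00:01 198.51.100.7 nas.home.network
2014-04-05T10:00:02 198.51.100.7 tracker.openbittorrent.com.home.network
2014-04-05T10:00:03 203.0.113.5 fileserver.corp
2014-04-05T10:00:04 203.0.113.5 printer.local
2014-04-05T10:00:05 192.0.2.9 www.example.com
2014-04-05T10:00:06 192.0.2.9 intranet.corp""".splitlines()
```

Any client that shows up under a collision-risk suffix is one whose internal lookups are escaping to the public resolver, which is exactly the traffic an internal authoritative resolver for those zones would keep on-network.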

Security Risk #2. Phishing, Spamming, Typosquatting

Phishing, spamming and typosquatting can take advantage of the much larger name space. In addition, because gTLDs like .BUSINESS, .ENTERPRISE or .WORK lend a name an air of legitimacy, they allow a trustworthy-sounding business name to be registered for free or far more cheaply than an equivalent .COM or .NET name. For instance, facebookgame.directory is seen on the same IP (184.168.221.96) as www.coresfacebook.net, which is a known spam site.

Some other example names (not necessarily malicious) seen in OpenDNS traffic are:

  • api.facebook.com.blue.
  • api.facebook.com.business.
  • api.facebook.com.life.
  • b-api.facebook.com.internet.blue.
  • graph.facebook.com.business.
  • graph.facebook.com.casa.
  • orcart.facebook.com.business.
  • orcart.facebook.com.casa.
  • orcart.facebook.com.life.
  • puntlandpost.facebook.com.home.network.
  • vh89cm7thwnvq1qc.www.facebook.com.network.
  • www.facebook.com.hi.link.

Another interesting domain that we found was: api.opendns.com.work.
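The names above share a pattern that a defender can match on: a well-known registered domain appearing as an inner run of labels under a new gTLD, or a brand string in the label directly below it. The following added example (not OpenDNS/Umbrella code) implements that heuristic; the watch list and the set of new gTLDs are assumptions built from names that appear in this post.

```python
"""Flag hostnames on new gTLDs that embed a well-known domain. Added example, not
OpenDNS/Umbrella code; the watch list and gTLD set are built from names in the post."""

# New gTLD labels that appear in the post's examples (assumed watch set, lower-case).
NEW_GTLDS = {"blue", "business", "life", "casa", "network", "link", "work", "directory"}
# Registered domains worth watching, mapped to the brand string they carry.
WATCHED = {"facebook.com": "facebook", "opendns.com": "opendns"}

def labels(name):
    """Split a hostname (trailing dot allowed) into lower-case labels."""
    return name.lower().rstrip(".").split(".")

def check(qname):
    """Return (brand, reason) when qname impersonates a watched domain under a new gTLD."""
    ls = labels(qname)
    if len(ls) < 2 or ls[-1] not in NEW_GTLDS:
        return None  # not under a new gTLD: out of scope for this check
    for domain, brand in WATCHED.items():
        dl = labels(domain)
        # The whole registered domain appears as an inner run of labels, e.g.
        # api.facebook.com.business; the run must end before the real TLD label.
        for i in range(len(ls) - len(dl)):
            if ls[i:i + len(dl)] == dl:
                return brand, "embedded-domain"
        # The brand string sits in the label directly under the new gTLD,
        # e.g. facebookgame.directory (lookalike registration).
        if brand in ls[-2]:
            return brand, "brand-in-sld"
    return None

def scan(qnames):
    """Return {qname: (brand, reason)} for every flagged name."""
    flagged = {}
    for q in qnames:
        result = check(q)
        if result is not None:
            flagged[q] = result
    return flagged

# Constructed sample mixing names from the post with benign ones.
SAMPLE = [
    "api.facebook.com.business.", "www.facebook.com.hi.link.",
    "puntlandpost.facebook.com.home.network.", "api.opendns.com.work.",
    "facebookgame.directory", "fruit.directory", "api.facebook.com", "nas.home.network",
]
```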

Security Risk #3. Are Designated Registrars for New gTLDs Easier to Compromise?

There used to be only a handful of root servers managing gTLDs and, historically speaking, these servers have been fairly secure and reliable. The new registrants of these gTLDs, however, could potentially be compromised more easily than their well-established peers. The same can be said of any new online service provider rushing to get operational too quickly. The gTLD names we're seeing are allocated across roughly 200 registrars, and the following chart shows the top 10, ranked by the number of unique names served.

Security Risk #4. Too Little Information

Generic Whois databases are not yet returning whois information for these domains, and Google is not yet indexing them. The names appear to sit in a huge Internet 'fog' that the world cannot yet peer into – a great scenario for attackers to take advantage of. There is nothing we can find about these names except the traffic patterns we're seeing at OpenDNS and the IP addresses some of them resolve to. Roughly 12% of the names on the new gTLDs currently resolve to valid IP addresses.

When evaluating the IP addresses we’re seeing, there are a good number associated with known malicious sites. One example of this is where fruit.directory is hosted – 72.52.4.90. We have observed this IP address hosting more than 170 malicious domains over the past week.

OpenDNS Labs will continue to monitor and report on the usage of these new DNS names. Some final notes to consider:

  • Defenders have yet to catch up by deriving methods for evaluating the security risks of these new TLDs.
  • Many reputation-based systems are rendered useless with so little known about these names. For example, we have established reputation indicators around existing TLDs such as .RU and .KZ, which have a statistically larger ratio of bad domains to benign ones.
  • Algorithmic detection methods need to pick up an entirely new spectrum of heuristics and indicators to correctly classify them.
  • Samples from these new name spaces must be collected and analyzed before they can be used to derive machine learning models that classify names in the new TLD space.

That’s all for now. Look for future research on the proliferation of these in-the-wild gTLDs including how OpenDNS classifies the domains and has observed their use.

Photo Credit: Skley via Compfight cc
