Attack Prediction: Malicious gTLD Squatting May Be The Next Big Threat

Security Research Team
Updated — March 11, 2020 • 5 minute read

Late in 2013, ICANN began delegating new generic Top-Level Domains (gTLDs). In addition to the long-standing .COM, .ORG and .NET, more than 1,300 new strings could become available over the next few years. These new gTLDs and internationalized domain names (IDNs) are a great idea if you think about the creativity sparked by the names one can now register.

Some examples include .SINGLES (2013-08-28) and .SEXY (2013-09-11). Right before the 2013 holiday season, .CHRISTMAS (2013-11-21) was made available. More interesting ones keep appearing, such as .RICH (2013-11-21) and .MEME (2014-01-30), and .WTF became available on 2014-03-07. The full list of delegated strings can be found at ICANN or in the Mozilla Public Suffix List.

204 new gTLDs were delegated between October 23, 2013 and April 4, 2014. DomainTools provides some excellent charts on the proliferation of the new gTLDs.

Chart: daily growth of new gTLD registrations

Security concerns and other risks around these new gTLDs have been discussed extensively as the new gTLD program rolls out. Unfortunately, the discussion has focused on traditional domain squatting for monetization, not on gTLD squatting for malicious purposes. According to a February 27, 2014 article in Forbes by Daniel Fisher:

[Domain squatters] might profit by snapping up domain names that happen to belong to well-known consumer brands. With the cost of dislodging a cybersquatter starting at a few hundred dollars and quickly escalating past $10,000 – with no possibility of imposing those costs back on the loser without engaging in even more expensive litigation — brand owners might find it easier to pay them to go away.

With so many new gTLDs, it seemed a good time to do a bit of data extraction and analysis here at OpenDNS. Using a one-hour time slice on each of two different days, across all 22 OpenDNS data centers, we found some interesting usage statistics.

Security Risk #1. Name Collisions

Internal network entities are often named under unofficial TLDs that are not (yet) registrable in the public DNS, such as .CORP, .HOME, .SITE, .GLOBAL, .LOCALHOST or .LOCAL. Once such a string is delegated, an attacker can register the colliding names and receive traffic that was only ever meant to stay on the internal network: a laptop that leaves the office and keeps looking up its intranet hostnames will connect to whatever the public DNS now returns. (ICANN has since deferred delegation of .CORP and .HOME indefinitely because of exactly this collision risk.) A good practice against such attacks is to run internal resolvers that are authoritative for the internal namespace, and to make sure roaming clients never forward those names to public resolvers.

.LOCAL, along with a number of other strings, is on ICANN's reserved list and is therefore immune to the collision problem. The reserved strings are:

AFRINIC, ALAC, APNIC, ARIN, ASO, CCNSO, EXAMPLE, GAC, GNSO, GTLD-SERVERS, IAB, IANA, IANA-SERVERS, ICANN, IESG, IETF, INTERNIC, INVALID, IRTF, ISTF, LACNIC, LOCAL, LOCALHOST, NIC, NRO, RFC-EDITOR, RIPE, ROOT-SERVERS, RSSAC, SSAC, TEST, TLD, WHOIS, WWW

.CORP, .HOME and .SITE are not yet in the public gTLD pool. .NETWORK, however, is a different story. We are seeing hundreds of thousands of requests for names under .HOME.NETWORK, largely generated by home routers. The shape of these names (a complete public hostname such as tracker.openbittorrent.com with home.network tacked on) is exactly what a stub resolver produces when it appends a DHCP-supplied search suffix to a lookup, so the queries escape to public resolvers whenever the original lookup fails. None of the roughly 3,000 hostnames we see under .NETWORK currently resolve, but we will probably see collisions as soon as attackers figure out how useful squatting on this particular gTLD can be.

Some of the .HOME.NETWORK names we are currently seeing include:
  • tracker.openbittorrent.com.home.network
  • localhost.home.network
  • internalcheck.apple.com.home.network
  • us.launcher.battle.net.home.network
  • api.openweathermap.org.home.network
  • us.patch.battle.net.home.network
  • tracker.istole.it.home.network
  • windows.home.network
  • newuser.home.network
  • desktop.home.network
  • isatap.home.network
  • master.home.network
  • http.home.network
  • nas.home.network

As you can see, it would be quite easy for an attacker to register a number of commonly and actively used hostnames that a user's computer tries to reach whenever it is outside its home network. This 'leakage' is happening all over the world: based on a quick query for not-yet-public gTLDs on April 5, 2014, we found 1,808 unique hosts leaking such names. A geographic distribution of these hosts can be seen below.

The following chart shows the top 30 new gTLDs ranked by the number of unique hostnames queried.
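The leak pattern in the list above can be picked out of resolver logs mechanically. What follows is an added example, not OpenDNS code: it classifies each queried name as reserved (cannot collide), a public FQDN with a private search suffix appended, or a bare internal hostname sent to a public resolver, aggregates by suffix and client, and emits Unbound local-zone stanzas that make an internal resolver authoritative for the suffixes found. The log lines, the watched-suffix set and the short public-TLD list are constructed for illustration; the reserved list is the one given above.

```python
"""Classify DNS queries that leak private names into new or unofficial gTLDs.

Added example, not OpenDNS/Umbrella code. The log lines, WATCHED_TLDS and the
PUBLIC_TLDS subset are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Top-level strings ICANN reserves (the list given in the post): queries ending
# in one of these can never collide with a public registration.
RESERVED_TLDS = {
    "afrinic", "alac", "apnic", "arin", "aso", "ccnso", "example", "gac", "gnso",
    "gtld-servers", "iab", "iana", "iana-servers", "icann", "iesg", "ietf",
    "internic", "invalid", "irtf", "istf", "lacnic", "local", "localhost", "nic",
    "nro", "rfc-editor", "ripe", "root-servers", "rssac", "ssac", "test", "tld",
    "whois", "www",
}
# Assumption: the operator maintains this list of strings used for private
# naming; it mixes undelegated ones (corp, home) with a delegated one (network).
WATCHED_TLDS = {"corp", "home", "site", "global", "network", "lan", "internal"}
# Small subset of long-established public TLDs, enough to recognise a fully
# qualified public name that had a search suffix appended to it.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "it"}


def labels(qname: str) -> List[str]:
    """Lower-case, drop the trailing dot and split a name into its labels."""
    return [l for l in qname.lower().rstrip(".").split(".") if l]


def classify(qname: str) -> Tuple[str, str]:
    """Return (category, suffix) for one query name.

    reserved       ends in an ICANN-reserved string; cannot collide
    suffix_leak    a public FQDN with a private search suffix appended
    internal_leak  a bare internal hostname sent to a public resolver
    other          not under a watched string
    """
    parts = labels(qname)
    if not parts:
        return ("other", "")
    tld = parts[-1]
    if tld in RESERVED_TLDS:
        return ("reserved", tld)
    if tld not in WATCHED_TLDS:
        return ("other", "")
    inner = parts[:-1]
    # The rightmost label that is itself a public TLD marks the end of the real
    # FQDN; everything to its right is the search suffix that was appended.
    for i in range(len(inner) - 1, -1, -1):
        if inner[i] in PUBLIC_TLDS:
            return ("suffix_leak", ".".join(parts[i + 1:]))
    # No public FQDN inside: treat the last two labels (e.g. home.network) as
    # the private suffix, or the bare string when the name has only two labels.
    suffix = ".".join(parts[-2:]) if len(parts) > 2 else tld
    return ("internal_leak", suffix)


SAMPLE_LOG = """\
# constructed sample: time client qname qtype
2014-04-05T10:00:01Z 203.0.113.7 nas.home.network A
2014-04-05T10:00:02Z 203.0.113.7 tracker.openbittorrent.com.home.network A
2014-04-05T10:00:03Z 198.51.100.9 api.openweathermap.org.home.network A
2014-04-05T10:00:04Z 198.51.100.9 printer.local A
2014-04-05T10:00:05Z 192.0.2.33 isatap.corp A
2014-04-05T10:00:06Z 192.0.2.33 www.example.org A
2014-04-05T10:00:07Z 203.0.113.7 wpad.acme.corp A
"""


def summarize(log_text: str) -> Dict[str, object]:
    """Aggregate leak categories, leaking suffixes and the clients behind them."""
    by_category: Counter = Counter()
    by_suffix: Counter = Counter()
    clients: Dict[str, set] = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client, qname = line.split()[:3]
        category, suffix = classify(qname)
        by_category[category] += 1
        if category.endswith("_leak"):
            by_suffix[suffix] += 1
            clients.setdefault(suffix, set()).add(client)
    return {
        "by_category": dict(by_category),
        "by_suffix": dict(by_suffix),
        "clients_by_suffix": {s: sorted(c) for s, c in clients.items()},
    }


def unbound_local_zones(suffixes: Iterable[str]) -> str:
    """Emit unbound.conf stanzas making the internal resolver authoritative for
    each leaking suffix: a 'static' local-zone serves its local-data and answers
    NXDOMAIN for everything else, so the names never go upstream."""
    lines = []
    for s in sorted(set(suffixes)):
        lines.append(f'local-zone: "{s}." static')
        lines.append(f'# local-data: "nas.{s}. A 10.0.0.5"   # add the real hosts here')
    return "\n".join(lines)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(key, value)
    print(unbound_local_zones(result["by_suffix"]))
```

The suffix heuristic is deliberately simple: it uses the rightmost public TLD label as the boundary of the genuine name, which is right for search-suffix leaks and good enough for bare internal hostnames; a production version would consult the Public Suffix List rather than a handful of TLDs.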

Security Risk #2. Phishing, Spamming, Typosquatting

Phishing, spamming and typosquatting can all take advantage of the much larger namespace. In addition, gTLDs such as .BUSINESS, .ENTERPRISE or .WORK lend a trustworthy-sounding business name, and they allow free or much cheaper association with a brand than registering on .COM or .NET, where the obvious names are long gone. For instance, facebookgame.directory is seen on the same IP (184.168.221.96) as www.coresfacebook.net, which is a known spam site.

Some other example names (not necessarily malicious) seen in OpenDNS traffic are:

  • api.facebook.com.blue.
  • api.facebook.com.business.
  • api.facebook.com.life.
  • b-api.facebook.com.internet.blue.
  • graph.facebook.com.business.
  • graph.facebook.com.casa.
  • orcart.facebook.com.business.
  • orcart.facebook.com.casa.
  • orcart.facebook.com.life.
  • puntlandpost.facebook.com.home.network.
  • vh89cm7thwnvq1qc.www.facebook.com.network.
  • www.facebook.com.hi.link.

Another interesting domain that we found was: api.opendns.com.work.
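Brand-bearing names like these can be flagged automatically once the shapes are written down. The following is an added example, not OpenDNS code: it flags a complete public FQDN of a monitored brand with a new gTLD appended (api.facebook.com.business), a brand string inside the registrable label (facebookgame.directory), and a near-miss typo of the brand in that label. The brand list, the new-gTLD subset, the edit-distance thresholds and the extra sample names are assumptions; only the facebook and opendns names come from the post.

```python
"""Flag brand-impersonating names observed under new gTLDs.

Added example, not OpenDNS/Umbrella code. BRANDS, NEW_GTLDS, the thresholds
and the extra sample names are assumptions; the facebook/opendns names are
the ones quoted in the post.
"""
from typing import List, Tuple

BRANDS = {"facebook", "opendns"}
# Subset of the new gTLDs mentioned in the post; a real deployment loads the
# IANA root zone list or the Public Suffix List instead.
NEW_GTLDS = {"blue", "business", "life", "casa", "network", "link", "work",
             "directory", "wtf"}
PUBLIC_TLDS = {"com", "net", "org"}
MAX_EDITS = 2        # edit distance that still counts as a typosquat
MIN_TYPO_LEN = 5     # ignore labels too short to be a credible typo


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(name: str) -> Tuple[str, str]:
    """Return (pattern, brand) for a name, or ("clean", "") if nothing matched."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    if len(parts) < 2 or parts[-1] not in NEW_GTLDS:
        return ("clean", "")
    # 1. brand.<public tld> somewhere inside the name: a genuine public FQDN
    #    that acquired a new-gTLD suffix (api.facebook.com.business).
    for i in range(len(parts) - 2):
        if parts[i] in BRANDS and parts[i + 1] in PUBLIC_TLDS:
            return ("fqdn_suffix", parts[i])
    # 2. brand string inside the registrable label (facebookgame.directory).
    registrable = parts[-2]
    for brand in sorted(BRANDS):
        if brand in registrable:
            return ("brand_in_label", brand)
    # 3. registrable label within a couple of edits of the brand (faceb00k).
    if len(registrable) >= MIN_TYPO_LEN:
        for brand in sorted(BRANDS):
            if levenshtein(registrable, brand) <= MAX_EDITS:
                return ("typosquat", brand)
    return ("clean", "")


SAMPLE_NAMES = [
    "api.facebook.com.business",   # from the post
    "facebookgame.directory",      # from the post
    "api.opendns.com.work",        # from the post
    "faceb00k.business",           # constructed
    "opendn5.work",                # constructed
    "fruit.directory",             # from the post, carries no brand
    "www.facebook.com",            # the genuine name, not under a new gTLD
]


def scan(names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, pattern, brand) for every name that is not clean."""
    hits = []
    for n in names:
        pattern, brand = check(n)
        if pattern != "clean":
            hits.append((n, pattern, brand))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_NAMES):
        print(*hit)
```

The check order matters: the fqdn_suffix test runs first because for api.facebook.com.business the registrable label is "com", which the label-based tests would never match. Pattern 1 is also the one that doubles as a search-suffix leak, so a hit there on your own brand means your own users are leaking, not only that an attacker might be squatting.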

Security Risk #3. Are Designated Registrars for New gTLDs Easier to Compromise?

Historically, only a handful of registry operators ran the gTLD zones, and those operators have been fairly secure and reliable. The registries and registrars standing up the new gTLDs, however, could well be easier to compromise than their well-established peers; the same can be said of any new online service provider rushing to get operational too quickly. The gTLD names we are seeing are spread across roughly 200 registrars, and the following chart shows the top 10, ranked by the number of unique names served.

Security Risk #4. Too Little Information

Whois services do not yet return records for these domains, and Google is not yet indexing them. The names sit in a huge Internet 'fog' that the world cannot yet peer into, a scenario attackers can take advantage of. Beyond the traffic patterns we see at OpenDNS and the IP addresses some of the names resolve to, there is nothing to be found about them. Roughly 12% of the names we see on the new gTLDs currently resolve to a valid IP address.

When we evaluate the IP addresses these names resolve to, a good number are associated with known malicious sites. One example is 72.52.4.90, the address hosting fruit.directory, which we have observed hosting more than 170 malicious domains over the past week. Note that on shared hosting a single bad neighbour proves little; it is the count and the proportion of malicious domains on the same address that make this one notable.
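Co-hosting with known-bad domains is the kind of IP-level signal the paragraph above relies on, and the caveat is shared hosting: one bad tenant on a large shared address says little, whereas a majority of bad tenants says a lot. The following is an added example, not OpenDNS code, that scores a new-gTLD domain from passive-DNS style (domain, address) records using both an absolute floor and a ratio threshold. The records, the known-bad list, the thresholds and the RFC 5737 addresses are constructed; the 72.52.4.90 observation from the post is not reproduced here.

```python
"""Score new-gTLD domains by the reputation of the addresses they share.

Added example, not OpenDNS/Umbrella code. PASSIVE_DNS, KNOWN_BAD and the
thresholds are constructed for illustration; addresses are RFC 5737 ranges.
"""
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS style observations: (domain, resolved address).
PASSIVE_DNS: List[Tuple[str, str]] = [
    # 192.0.2.10: a small host where most neighbours are known bad
    ("mal1.example.net", "192.0.2.10"), ("mal2.example.net", "192.0.2.10"),
    ("mal3.example.net", "192.0.2.10"), ("mal4.example.net", "192.0.2.10"),
    ("fruit.directory", "192.0.2.10"), ("garden.directory", "192.0.2.10"),
    # 198.51.100.20: shared hosting, one bad tenant among many benign ones
    ("spam.example.net", "198.51.100.20"),
    ("facebookgame.directory", "198.51.100.20"),
] + [(f"site{i}.example.org", "198.51.100.20") for i in range(9)] + [
    # 203.0.113.30: nothing bad seen here
    ("clean.directory", "203.0.113.30"), ("cleaner.directory", "203.0.113.30"),
]
KNOWN_BAD: Set[str] = {"mal1.example.net", "mal2.example.net",
                       "mal3.example.net", "mal4.example.net", "spam.example.net"}
MIN_BAD_NEIGHBOURS = 3   # absolute floor, so one bad tenant is not enough
MIN_BAD_RATIO = 0.5      # and the bad tenants must dominate the address


def index_by_ip(records: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group every observed domain under the address it resolved to."""
    by_ip: Dict[str, Set[str]] = {}
    for domain, ip in records:
        by_ip.setdefault(ip, set()).add(domain)
    return by_ip


def score(domain: str, records=PASSIVE_DNS, bad=KNOWN_BAD) -> Dict[str, object]:
    """Verdict for one domain, taken from the worst address it was seen on.

    suspicious  at least MIN_BAD_NEIGHBOURS bad neighbours and they make up
                MIN_BAD_RATIO or more of all neighbours on that address
    weak        some bad neighbours, but below one of the thresholds
    no_signal   never co-hosted with anything on the bad list
    """
    best: Dict[str, object] = {"domain": domain, "verdict": "no_signal",
                               "ip": None, "bad": 0, "total": 0, "ratio": 0.0}
    for ip, hosted in index_by_ip(records).items():
        if domain not in hosted:
            continue
        neighbours = hosted - {domain}
        bad_n = len(neighbours & bad)
        if bad_n == 0:
            continue
        ratio = bad_n / len(neighbours)
        verdict = ("suspicious"
                   if bad_n >= MIN_BAD_NEIGHBOURS and ratio >= MIN_BAD_RATIO
                   else "weak")
        if ratio > float(best["ratio"]):
            best = {"domain": domain, "verdict": verdict, "ip": ip, "bad": bad_n,
                    "total": len(neighbours), "ratio": round(ratio, 2)}
    return best


def report(tld: str, records=PASSIVE_DNS) -> List[Dict[str, object]]:
    """Score every observed domain under one new gTLD, worst first."""
    domains = sorted({d for d, _ in records if d.endswith("." + tld)})
    return sorted((score(d, records) for d in domains),
                  key=lambda r: float(r["ratio"]), reverse=True)


if __name__ == "__main__":
    for row in report("directory"):
        print(row)
```

The two thresholds encode the shared-hosting caveat directly: facebookgame.directory shares an address with a known spam domain and still only earns a "weak" verdict, because one bad tenant among ten is what any large shared host looks like, while fruit.directory sits on an address where four of its five neighbours are bad.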

OpenDNS Labs will continue to monitor and report on the usage of these new DNS names. Some final notes to consider:

  • Defenders have yet to develop methods for evaluating the security risk of these new TLDs.
  • Many reputation-based systems are of little use while so little is known about them. For example, we have reputation indicators for existing TLDs such as .RU and .KZ, which have a statistically larger ratio of bad domains to benign ones; nothing comparable exists yet for the new TLDs.
  • Algorithmic detection methods need an entirely new set of heuristics and indicators to classify these names correctly.
  • Samples from the new namespaces must be collected and analyzed before machine learning models can be trained to classify names in the new TLD space.

That’s all for now. Look for future research on the proliferation of these in-the-wild gTLDs including how OpenDNS classifies the domains and has observed their use.

Photo Credit: Skley via Compfight cc
