Full Report
Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) -- such as .shop, .top, .xyz -- that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.
Analysis Summary
# Tool/Technique: Abuse of Generic Top-Level Domains (gTLDs) and Subdomains for Phishing
## Overview
This summary analyzes the techniques related to the increased use of inexpensive, low-requirement Generic Top-Level Domains (gTLDs) and free subdomain services by cybercriminals to host phishing sites, as detailed in research by Interisle Consulting. The focus is on the infrastructure and operational advantages these domains provide to attackers.
## Technical Details
- Type: Technique (Infrastructure Abuse)
- Platform: Internet Infrastructure (Domain Name System)
- Capabilities: Rapid, low-cost domain registration or high-volume subdomain creation for hosting malicious content, bypassing traditional identity verification checks common with established TLDs.
- First Seen: Ongoing trend, significantly highlighted in the year ending August 2024.
## MITRE ATT&CK Mapping
The primary activity relates to establishing infrastructure:
- **TA0011 - Command and Control**
  - T1568 - Dynamic Resolution
    - T1568.002 - Domain Generation Algorithms (while not strictly DGA, the selection of rapidly provisioned, disposable domains aligns with dynamic infrastructure use for C2/delivery)
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (if used for delivery)
    - T1566.002 - Spearphishing Link (primary application for leveraging these domains)
## Functionality
### Core Capabilities
- **Low-Cost Infrastructure:** Using gTLDs such as `.shop`, `.top`, and `.xyz`, which offer registrations for less than $1 or $2, so that acquiring a domain costs almost nothing.
- **Minimal Verification:** Registrars associated with these gTLDs often have little to no identity verification requirements, allowing anonymity.
- **Subdomain Exploitation:** Abusing free services like `blogspot.com`, `pages.dev`, and `weebly.com` to host phishing content, relying on the provider's infrastructure.
### Advanced Features
- **High Volume:** Ability to register large numbers of domains or create high-volume automated account sign-ups on subdomain providers to quickly deploy and discard malicious sites.
- **Target Diversification:** Increased targeting of specific entities, such as the U.S. Postal Service, often facilitated by specialized phishing kits (e.g., kits sold by "Chenlun" targeting postal services).
## Indicators of Compromise
- File Hashes: N/A (Focus is on infrastructure, not specific malware executables)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Newly registered domains under gTLDs such as `.shop`, `.top`, and `.xyz` that exhibit high abuse scores.
  - High volumes of subdomains hosted under providers like `blogspot.com` and `pages.dev` associated with malicious activity.
- Behavioral Indicators: Rapid creation and expiration of infrastructure; phishing campaigns spoofing specific entities (e.g., USPS, Apple, Google, PayPal).
## Associated Threat Actors
- Generic Spammers and Scammers
- Threat actor nicknamed **"Chenlun"** (known for selling phishing kits targeting domestic and international postal services).
## Detection Methods
- Signature-based detection: Monitoring domain blocklists and known malicious TLDs/subdomains.
- Behavioral detection: Detecting high-volume, automated account creation on legitimate subdomain services; monitoring domains registered through registrars offering extremely low initial pricing with weak identity checks.
- YARA rules: N/A (Not applicable for infrastructure analysis unless analyzing associated phishing webpage content).
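The following is an added example, not part of the Interisle research or the original summary, showing how the signature and behavioral indicators above can be applied to proxy or DNS logs. The log format, the IP addresses, the brand allowlist and the thresholds are all constructed assumptions; the TLDs, subdomain providers and spoofed brands are the ones the summary names. The registrable-domain split is a simplification (no Public Suffix List lookup), which is labelled in the code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# TLDs the summary names as high-abuse (a real deployment would load an abuse-score feed)
HIGH_ABUSE_TLDS = {"shop", "top", "xyz"}
# Free subdomain providers named in the summary
SUBDOMAIN_PROVIDERS = {"blogspot.com", "pages.dev", "weebly.com"}
# Brands the summary lists as spoofed, and the domains allowed to carry them (constructed allowlist)
BRAND_KEYWORDS = {"usps", "apple", "google", "paypal"}
BRAND_ALLOWLIST = {"usps.com", "apple.com", "google.com", "paypal.com"}

# Constructed log format: "<ISO timestamp> src=<client> host=<requested host>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$")

# Constructed sample lines (not real traffic)
SAMPLE_LOG = [
    "2024-08-15T10:03:22Z src=10.0.0.5 host=usps-track-delivery.shop",
    "2024-08-15T10:04:01Z src=10.0.0.5 host=paypal-secure-login.blogspot.com",
    "2024-08-15T10:05:40Z src=10.0.0.5 host=apple-id-verify.top",
    "2024-08-15T10:06:12Z src=10.0.0.9 host=track.usps.com",
    "2024-08-15T10:07:30Z src=10.0.0.9 host=www.example.com",
    "2024-08-15T11:30:00Z src=10.0.0.5 host=login-check.xyz",
]


def split_host(host):
    """Return (actor_part, platform, tld).

    For a free subdomain provider the platform is the provider and the actor-controlled
    part is the label directly beneath it. Otherwise the last two labels are treated as
    the registrable domain. Simplification: no Public Suffix List lookup, so multi-label
    public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    for provider in SUBDOMAIN_PROVIDERS:
        plabels = provider.split(".")
        if len(labels) > len(plabels) and labels[-len(plabels):] == plabels:
            return labels[-len(plabels) - 1], provider, tld
    return ".".join(labels[-2:]), None, tld


def score_host(host):
    """Return the list of reasons a host matches the summary's network indicators."""
    actor_part, platform, tld = split_host(host)
    reasons = []
    if tld in HIGH_ABUSE_TLDS:
        reasons.append(f"high-abuse TLD .{tld}")
    if platform:
        reasons.append(f"free subdomain under {platform}")
    registrable = actor_part if platform is None else f"{actor_part}.{platform}"
    # A spoofed brand name anywhere in the host, outside the brand's own domain
    if registrable not in BRAND_ALLOWLIST:
        for brand in sorted(BRAND_KEYWORDS):
            if brand in host.lower():
                reasons.append(f"brand keyword '{brand}' outside {brand} domain")
    return reasons


def parse_log(lines):
    """Parse the constructed log format into time-sorted (ts, src, host) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["host"].lower()))
    events.sort()
    return events


def analyze_logs(lines):
    """Signature-style check: map each flagged host to its reasons."""
    flagged = {}
    for _, _, host in parse_log(lines):
        reasons = score_host(host)
        if reasons:
            flagged[host] = reasons
    return flagged


def burst_sources(lines, window=timedelta(minutes=10), threshold=3):
    """Behavioral check: clients that reach `threshold` distinct flagged hosts
    inside a sliding `window`, the pattern of a user walking through freshly
    provisioned, disposable phishing infrastructure."""
    recent = defaultdict(list)
    bursty = set()
    for ts, src, host in parse_log(lines):
        if not score_host(host):
            continue
        recent[src] = [(t, h) for t, h in recent[src] if ts - t <= window] + [(ts, host)]
        if len({h for _, h in recent[src]}) >= threshold:
            bursty.add(src)
    return sorted(bursty)


if __name__ == "__main__":
    for host, reasons in analyze_logs(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
    print("bursty sources:", burst_sources(SAMPLE_LOG))
```

The two checks are deliberately separate: `score_host` is the cheap, per-event signature that a proxy or resolver can evaluate inline, while `burst_sources` needs state per client and is better run over a short log window by the SOC. Neither replaces a blocklist; the brand-keyword rule in particular needs a maintained allowlist to avoid flagging the brands' own hosts.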
## Mitigation Strategies
- **Stricter Domain Registration Policy Enforcement:** Encouraging or requiring ICANN and domain registrars to implement stricter identity verification for gTLDs with low registration costs.
- **Subdomain Provider Controls:** Subdomain providers should limit the number of subdomains/user accounts a customer can create simultaneously and suspend high-volume, automated account sign-ups.
- **Phishing Threat Intelligence Consumption:** Organizations should actively ingest threat intelligence on heavily phished entities (such as USPS) to update user training and email filtering rules.
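As an added example (not code from the summary, Interisle, or any subdomain provider), the following sketches the two controls the "Subdomain Provider Controls" item above describes: a sliding-window throttle on sign-ups per source and a cap on concurrently active subdomains per account. The limits, account names and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class SignupThrottle:
    """Sliding-window limit on successful sign-ups per key (e.g. source IP).

    Only allowed sign-ups are recorded, so a denied burst does not extend the
    window; assumption: the provider wants a fixed ceiling per window, not a
    penalty box."""

    def __init__(self, max_per_window, window):
        self.max_per_window = max_per_window
        self.window = window
        self._seen = defaultdict(list)  # key -> timestamps of allowed sign-ups

    def check(self, key, now):
        # Drop entries that have aged out of the window, then apply the ceiling
        live = [t for t in self._seen[key] if now - t <= self.window]
        if len(live) >= self.max_per_window:
            self._seen[key] = live
            return False
        live.append(now)
        self._seen[key] = live
        return True


class SubdomainQuota:
    """Cap on the number of subdomains an account may hold at once."""

    def __init__(self, max_active):
        self.max_active = max_active
        self._active = defaultdict(set)  # account -> active subdomain names

    def create(self, account, name):
        if len(self._active[account]) >= self.max_active:
            return False
        self._active[account].add(name)
        return True

    def release(self, account, name):
        # Called when a subdomain is deleted or suspended; frees quota
        self._active[account].discard(name)


def provider_decision(throttle, quota, src_ip, account, name, now):
    """Apply both controls in order and return a short reason string."""
    if not throttle.check(src_ip, now):
        return "denied: sign-up rate limit for source"
    if not quota.create(account, name):
        return "denied: active subdomain cap for account"
    return "allowed"


def demo():
    """Constructed scenario: six sign-ups from one IP in one minute with a limit
    of five per ten minutes, then a retry after the window has passed."""
    throttle = SignupThrottle(max_per_window=5, window=timedelta(minutes=10))
    quota = SubdomainQuota(max_active=3)
    base = datetime(2024, 8, 15, 10, 0, 0)
    results = [
        provider_decision(throttle, quota, "203.0.113.7", f"acct{i}", f"site{i}", base + timedelta(seconds=10 * i))
        for i in range(6)
    ]
    retry = provider_decision(throttle, quota, "203.0.113.7", "acct6", "site6", base + timedelta(minutes=11))
    return results, retry


if __name__ == "__main__":
    results, retry = demo()
    for r in results:
        print(r)
    print("after window:", retry)
```

Keying the throttle on source IP alone is the weak point: an operator spreading sign-ups across many addresses stays under the per-key ceiling, which is why the quota is keyed on the account and why a provider would normally add further keys (payment instrument, device fingerprint, e-mail domain) to the same structure.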
## Related Tools/Techniques
- Phishing Kits (e.g., those sold by Chenlun)
- Brand Spoofing Techniques (Used in conjunction with the malicious infrastructure)
- Domain Shadowing (Though less direct, it shares the goal of using existing infrastructure trust)