[HN Gopher] Phish-friendly domain registry ".top" put on notice
___________________________________________________________________
Phish-friendly domain registry ".top" put on notice
Author : LinuxBender
Score : 111 points
Date : 2024-07-24 16:03 UTC (6 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| bell-cot wrote:
| Daydream: Browsers and email programs are shipped with "Default
| Allow" lists, which include only the older & higher-quality
| TLDs. While users _can_ add whatever TLDs they want to the
| lists, that default behavior destroys 99% of the value of new &
| crap-infested TLDs.
| lainga wrote:
| Ate some cheese before dreaming: Google and MSFT (as
| maintainers of the dominant mail clients) start charging TLDs
| under the table to go on GMail/Outlook's "Default Allow" list,
| except, of course, the ones that Google administers
| bell-cot wrote:
| Sadly, yes. And no "dream" disclaimer is needed.
| sureIy wrote:
| If you want to do that you can already knock yourself out with
| a custom DNS. Browsers must be neutral.
|
| From the article:
|
| > .top was the most common suffix in phishing websites over the
| past year, second only to domains ending in ".com."
|
| Does that mean you want to block .com domains?
| dylan604 wrote:
| # .top phishing websites / # .top websites total
|
| vs
|
| # .com phishing websites / # .com websites total
|
| make educated decisions
| throwaway4pp24 wrote:
| Why does that matter at all? If I go and create a bunch of
| legitimate .top domains, is it suddenly better somehow? No,
| it's still the first of the list, and .com is still second.
| dylan604 wrote:
| yes, precisely. if you and a bazillion other people do it
| so that the percentage goes down. it's the fact that
| scammers are glomming onto a trendy TLD that ruins the
| reputation of that TLD. If the percentage of scams is
| higher in one TLD over another, people will consider it a
| TLD used for scams. Not sure where the logic breaks down
| here.
|
| > No, it's still the first of the list, and .com is still
| second.
|
| also, what do you mean .com is second? it states that
| .top was second to .com
| TJSomething wrote:
| This made me sad when I got a domain that used the TLD for a
| domain hack, then realized that I couldn't use it for emails.
| ErikAugust wrote:
| ".top was the most common suffix in phishing websites over the
| past year, second only to domains ending in ".com."
|
| So should we default not allow .com?
| BobbyJo wrote:
| Quality is relative. A far larger percentage of .com domains
| are legitimate.
| rvnx wrote:
| Quora, Pinterest, Medium, The New York Times, Scribd, etc
| shreddit wrote:
| I think the blog universe would only benefit if medium
| ceased to exist.
| Volundr wrote:
| Per the article 0.2% of .com domains are phishing vs 4.2% of
| .top. Or put another way, if you have a .top domain it's
| about 17 times as likely to be phishing than a .com domain.
|
| .com has the most phishing domains by virtue of by far being
| the biggest, not because they have looser controls or are
| less reliable.
| arp242 wrote:
| Only if you select a random domain from a list of all .com
| or .top domains. No one does that of course. The chance a
| random .top (or .com) you encounter is a phishing domain
| isn't so easily calculated, depends on where you see it,
| etc.
| ricardobayes wrote:
| Got to love the mindset of the "old-school" cybersecurity
| folks.
| bell-cot wrote:
| MS-DOS - 42 years without a remote hole in the default
| install!
| tristor wrote:
| I already do this with NextDNS, I block all the "new" TLDs
| except for .io, .tv, and .ai because they're used for tech
| sites that are legitimate. I know that many organizations do
| the same, in fact it's mentioned in another comment.
| glitcher wrote:
| Strange coincidence, moments ago I just received a phishing SMS
| about some bogus package that couldn't be delivered attempting to
| get me to visit a link on a ".top" address!
| bluejekyll wrote:
| This really makes me wonder about the value of TLDs in general.
| Let's say that "gmail" is a well known enough name that
| "gmail.com", "gmail.org", ..., "gmail.top" should be reserved by
| default. If that's the case, then the value of separate TLDs
| becomes interesting because two companies "abc.com" and "abc.top"
| would now have competing concerns. It seems like only small
| companies would then be open to phishing, and large ones would
| possibly be able to use trademark law across all TLDs. In fact
| large companies tend to try and reserve their name in all major
| TLDs.
|
| I'm not really arguing for or against greater or fewer TLDs, but
| it does seem like an awkward situation.
| Cthulhu_ wrote:
| In theory, Google could pay for the TLD ".google" so that...
| anything .google is reserved by default for google domains.
|
| But this isn't going to work in practice; people don't read
| URLs so it doesn't matter. Second, for years there was this
| idea that all porn sites should be forced to go to a .xxx TLD
| so that it's easy to block, but that's impossible to legislate
| and / or enforce.
| anamexis wrote:
| Not sure if this is your point, but Google _does_ have the
| .google TLD which it reserves for google domains.
| numbsafari wrote:
| I think you mean the .goog TLD:
|
| https://icannwiki.org/.goog
| anamexis wrote:
| I did mean .google, but .goog fits as well.
|
| https://icannwiki.org/.google
|
| See also .apple, .microsoft, .amazon, .aws, and many
| more.
| Zambyte wrote:
| https://en.wikipedia.org/wiki/.google
| jsheard wrote:
| Though Google _still_ doesn't use .google for much of
| anything a decade after establishing it, because it's
| confusing for normal users.
|
| Their best known gimmick URL is the goo.gl shortener, which
| is actually the ccTLD for (not) Greece (actually Greenland)
| rather than a Google-specific one.
| mr_mitm wrote:
| gl is greenland
| jsheard wrote:
| Oops, so it is. Not sure how I got that mixed up.
| arp242 wrote:
| I've seen blog.google a few times.
|
| Things like "google.com" and "gmail.com" are established
| brands; switching that to "search.google" or
| "gmail.google" isn't really going to improve anything for
| anyone. I guess it's kinda cute for blog.google, but
| other than that it's pretty useless.
|
| A bunch of companies bought these brand TLDs only to
| never use it and then abandon them a few years later.
| Probably a "zomg this is a new internets thing and if we
| don't do all the new internets things it we'll be left
| behind on the internets, and we can't be left behind on
| in the internets!!!11"-type affair.
|
| Here's a list:
| https://www.icann.org/resources/pages/gtld-registry-
| agreemen...
| hypeatei wrote:
| gmail.google also doesn't make sense "Google mail dot
| Google"
|
| mail.google would be better.
| seanw444 wrote:
| And then people would be confused at how it's not an
| incomplete URL, because mail.google.com exists.
| saghm wrote:
| > Their best known gimmick URL is the goo.gl shortener,
| which is actually the ccTLD for (not) Greece (actually
| Greenland) rather than a Google-specific one.
|
| Not for long https://developers.googleblog.com/en/google-
| url-shortener-li...
| breakingcups wrote:
| So odd, it must cost them approximately nothing to serve
| redirects for the static set of links they still had. Now
| they'll break links all over the web again.
| KomoD wrote:
| They've got .gle and .goog too. .gle for goo.gle
| fragmede wrote:
| Stupidly enough, they did, and then didn't glue things to it.
| yjftsjthsd-h wrote:
| If I could go back in time and change how domain names work, I
| would probably do 2 things:
|
| 1. Flip the order of parts, ex. com.ycombinator.news - this
| makes the _whole_ URL big-endian, instead of the absurd middle-
| endian system we have now.
|
| 2. _Either_
|
| a. drop the requirement to have TLDs at all - gmail would just
| be "https://google.mail/inbox" (including my first suggestion;
| "google" is the root domain), or perhaps just
| "https://gmail/inbox"
|
| OR
|
| b. actually commit to a small number of strictly-enforced TLDs
| - com is not the default, it _requires_ a corporate entity to
| register, we probably push on having a single TLD for
| individual humans so ex. blogs tend to live under... actually
| the "name" TLD wasn't a _terrible_ idea but I'm flexible on
| exact details of that TLD, just so there's only one of them.
| Second-levels like us or eu are fine but should again actually
| enforce having an entity in that country so almost nobody ends
| up using io or such.
| hobs wrote:
| If you want trust having a corporate entity is not it, you
| can make them with no actual humans in the chain of trust,
| and you can easily register the same company name in multiple
| countries and cause havoc (as demonstrated with the EV certs)
| yjftsjthsd-h wrote:
| It's not really about "trust" per se, more about forcing
| domains to be in the right TLD. Today my personal blog
| lives on a .com domain, which is absurd except that .com is
| de-facto the default. I aspire to a world where that
| doesn't happen, because _all_ domains that aren't
| literally for a business are on something else, so com
| can't be a default.
|
| (Corollary: If you create legal entities in multiple
| countries, I don't care if you have domains to match. I
| just want to avoid the current silliness where people use
| the io TLD even though they have _zero_ association, even on
| paper, with the British Indian Ocean Territory (or whoever
| you believe should control that TLD))
| mock-possum wrote:
| Yeah I like knowing that .us.gov is _always_ a government
| site, and .edu is _always_ an educational site, and there are
| governing bodies enforcing that policy - but for the rest,
| biz and net and com and io are cute, but completely
| unnecessary. I'd love to just go to https://gmail.
| tok1 wrote:
| This "trust aspect" implied (or assured?) by certain TLDs,
| or for the non-US world by second-level domains under
| ccTLDs, has been, interestingly, completely missed by
| several countries in the early Internet days, including
| fairly large ones like e.g. Germany: Annoyingly, you cannot
| identify a federal agency or otherwise "official" website
| by its domain--no trailing .gov.de or the likes, it will
| always be "just" ending in .de, which makes things like
| phishing but also deception (by implying a certain level of
| authority but in fact selling services from a private
| entity) unnecessarily easy. This is contrary to other
| countries' .gov.uk, .gv.at, .edu.au, etc. Although created
| for different reasons, I think, the Public Suffix List
| gives some indication of which countries enforce such
| namespaces (or did), see https://publicsuffix.org/list/
| emilecantin wrote:
| Here they do have such domains: .gc.ca for the Government
| of Canada, and .gouv.qc.ca for the Quebec government. But
| annoyingly they both seem to be moving towards canada.ca
| and quebec.ca, respectively. There's even a whole .quebec
| TLD now that they could use, but no.
| metadat wrote:
| I like #1, but won't domain squatting become even more severe
| with #2.a?
|
| Maybe there should be a regional prefix, e.g. us.gov, nz.gov,
| cn.gov.. and even this still comes with obvious issues and
| possible confusion. No silver bullets to be had, only
| tradeoffs.
| yjftsjthsd-h wrote:
| That's a good point - I would be very much on board with
| mandating per-country TLDs, which is extra helpful because
| then you can deal with domain squatter through the legal
| system.
| bluejekyll wrote:
| I like reordering of the named components to big-endian, but
| just for reference, the current system dates back to the idea
| of "search domains", which allows you to do things like "www"
| and that takes you to "www.example.com" because that is in
| your search or domain list in your stub resolver config.
| (This behavior can be skipped by using the fqdn with a dot at
| the end, "www.example.com.")
|
| I think moving to a new ordering of the name would then imply
| that we'd either need a different DNS or a new separator for
| specifying the reverse name ordering (that's compatible with
| existing URL syntax).
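As an added example (not code from the thread) of the search-list behaviour bluejekyll describes: the function below lists the names a stub resolver would try for a given input, and shows how the trailing dot marks a name as absolute. The ordering rule (the resolver's `ndots` setting) follows the glibc resolver and is an assumption beyond what the comment states; the search-list values are constructed.

```python
# Added example: the candidate names a stub resolver tries for a short name
# such as "www", given a search list from its resolver config, and how a
# trailing dot ("www.example.com.") marks the name as absolute and skips the
# search list.  The ordering rule (ndots) follows the glibc resolver; that
# detail is an assumption, not something the thread states.
from typing import List


def search_candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return the absolute names (with trailing dot) a resolver would query, in order.

    - A name already ending in "." is absolute and is the only candidate.
    - Otherwise every search suffix is appended.  If the name contains at
      least `ndots` dots it is tried as-is first and the suffixed forms after;
      with fewer dots the suffixed forms come first and the bare name last.
    """
    if name.endswith("."):
        return [name]                       # FQDN: search list bypassed
    absolute = f"{name}."
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


if __name__ == "__main__":
    # Constructed resolver config: "search example.com corp.example.com"
    search = ["example.com", "corp.example.com"]
    for query in ("www", "www.example.com.", "mail.google"):
        print(query, "->", search_candidates(query, search))
```

With the default `ndots=1`, a two-label name such as `mail.google` is queried as the absolute name `mail.google.` before `mail.google.example.com.`, which is the ambiguity between brand TLDs and conventional hostnames raised earlier in the thread; raising `ndots` flips that order.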
| yjftsjthsd-h wrote:
| Well, that's why this is purely a time-travel fantasy - I
| don't think we'll ever get a do-over :) And I can see the
| appeal to search domains, but I think _in hindsight_ they
| pretty much failed, and what utility they have can be
| replaced with local or internal or something -
| "internal.www" can still be your intranet site, but now
| it's explicit. Or if we go with the other suggestion to
| force country TLDs then maybe it's fine for local DNS
| resolvers to do nonstandard TLDs, though I'm not super fond
| of that.
| bluejekyll wrote:
| If we're going to do some time travel, I'd also like to
| make the DNS packets easily versionable and add some
| space for additional version codes, the current extension
| mechanism with EDNS is quite cumbersome.
| yjftsjthsd-h wrote:
| Oh yeah, I don't usually work at that layer so didn't
| think about it, but I'd probably also make it TCP only so
| we could skip it being a DDoS vector.
| lijok wrote:
| Could go the other way. Make TLDs trivial to set up for
| anyone, so "gmail" becomes the TLD. Without changing how DNS
| resolution works I don't think the root domain would be happy
| to handle that kind of traffic however.
| tok1 wrote:
| One could almost wonder if the explosion of gTLDs in the 2010s
| has been pushed by registrars as they were seeing Big Money. In
| (my personal) retrospective, the value for Internet users and
| their actual usage is vanishingly small--compared to the
| downsides of massively increased phishing risks and, as you
| mentioned, the need for companies/brands nowadays to
| register (and pay for) a gazillion of irrelevant TLDs, merely
| for brand protection and abuse prevention.
| donatj wrote:
| Since when has it been the responsibility of the registry to
| police the content of its domains?
|
| This feels like a slippery slope from phishing to piracy to
| censoring unpopular political beliefs.
| fckgw wrote:
| For like several decades? If registrars don't respond to
| complaints of abuse then they don't get to be registrars
| anymore.
| TheCleric wrote:
| Based on the title I thought this was about the band and was very
| confused.
| fortran77 wrote:
| I just read this article about Phish and the Dead at the Sphere
| and had the same confusion:
| https://www.newyorker.com/magazine/2024/07/29/reckoning-with...
| chupon wrote:
| They should reserve rocky.top
|
| https://phish.net/song/rocky-top
| rconti wrote:
| Same. I figured "welp, 'top' is yet another weird phenomenon in
| the world of Phishdom".
| w-m wrote:
| I have a story on using weird/fishy/phishy TLDs: Recently my
| colleagues and I started collecting information on all the
| available compression methods for 3D Gaussian Splatting (3DGS, a
| popular method for 3d scene representation). There were quite a
| few works in the area with naming conflicts already, so I thought
| to give it a unique short name to refer to - and came up with
| "3dgs.zip".
|
| A few days later we started putting together a web page, and I
| noticed that .zip actually is available as a TLD. Impulsively I
| bought the domain, https://3dgs.zip/, launched it and printed it
| on a few shirts before heading off to a conference. Felt a bit
| weird that there is a .zip TLD, but I was in a rush and I didn't
| ponder its existence any further.
|
| But strange things started happening: setting up the domain for a
| GitHub page worked, but in the process it downloaded a 0 Byte file
| called "3dgs.zip" when submitting content on one of the GitHub.com
| forms. And a few days later colleagues told me they had trouble
| accessing the site. After some DNS sleuthing and then some
| back-and-forth with our IT dept, it turned out that our organization
| has blocked the whole TLD - for every Windows user, out of
| phishing concerns of people being confused.
|
| I'm no security person, so the reasoning felt a bit weird to me,
| as I guess the .zip TLD can't hurt anybody; downloading a .zip
| might, which you can attach to any link name? But in any case I
| wasn't able to find any .zip URL with a purpose, but lots of
| Reddit posts of angry sysadmins who bemoaned the influx of
| terrible TLDs with mostly phishing use and vowed to block them
| all. So they probably have a point in downright blocking the
| whole TLD.
|
| Now I'm sitting here with my .zip url. Had to revert the page to
| use github.io, so people in my organization (and similarly
| thinking ones) would be able to access it. Guess I'm cured for a
| while, won't be using any novelty TLDs anytime soon...
| walls wrote:
| I grabbed two .zip domain names that I knew were used
| frequently as filenames and set them up to return a zip with an
| html inside. The html tries to load a specific resource from
| the server to let it know the html was opened.
|
| There are dozens of unique opens per week.
|
| I'm very curious how an executable would do, but I'm not trying
| to cause any problems.
| codetrotter wrote:
| http://iloveu.exe would be a neat website tho
| w-m wrote:
| Ah that makes a lot more sense as an attack vector. Thanks
| for explaining! Indeed, checking a list of common .zip file
| names, most of them are registered domains. Uhhh.
| heraldgeezer wrote:
| So these types of filters work on massive lists that IT or Sec
| admins configure. It's not that they specifically blocked .zip but
| software like Umbrella, Zorus DNS etc have a filter for
| "phishing domains" and that TLD is probably part of it. Blocks
| at the DNS level, it's actually useful.
|
| Demo for ZorusTech DNS blocker:
| https://www.youtube.com/watch?v=MeubLoEHW9E
| TonyTrapp wrote:
| > I'm no security person, so the reasoning felt a bit weird to
| me, as I guess the .zip TLD can't hurt anybody; downloading a
| .zip might, which you can attach to any link name? But in any
| case I wasn't able to find any .zip URL with a purpose, but
| lots of Reddit posts of angry sysadmins who bemoaned the influx
| of terrible TLDs with mostly phishing use and vowed to block
| them all. So they probably have a point in downright blocking
| the whole TLD.
|
| The problem is auto-linkification. It is extremely common in
| forum posts or emails to refer to attached filenames. Most
| forum softwares or email clients are helpful in automatically
| turning obvious URLs (doesn't start with a protocol:// but ends
| in a .tld) into clickable links. Anybody's reference to a zip
| filename is now a clickable link, only waiting to be registered
| for phishing attempts.
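The auto-linkification problem TonyTrapp describes can be checked for on the receiving side. The added example below (my code, not from the thread) scans free text for bare filename mentions whose extension is also a delegated TLD and offers a defanging rewrite a mail gateway or forum renderer could apply before links are generated. The set of colliding TLDs is my choice for the example (.zip and .mov are real gTLDs), and the sample text is constructed.

```python
# Added example: find bare tokens such as "update.zip" in text that an
# auto-linker would turn into a clickable URL because the file extension is
# also a TLD, and defang them so no link is generated.  Not from the thread.
import re
from typing import List

# TLDs that collide with common file extensions (my selection for this
# example; .zip and .mov are delegated gTLDs).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A "bare" token: labels of word chars/hyphens joined by dots, ending in an
# alphabetic extension.  The lookbehind rejects tokens that are part of a
# real URL ("https://host.zip/file.zip"), an e-mail address, or a longer word.
_TOKEN = re.compile(r"(?<![\w/.@-])([\w-]+(?:\.[\w-]+)*\.([A-Za-z]{2,}))(?![\w-])")


def auto_linkable_filenames(text: str) -> List[str]:
    """Return bare filename mentions that would become links on a TLD."""
    hits = []
    for m in _TOKEN.finditer(text):
        token, ext = m.group(1), m.group(2).lower()
        if ext in FILE_EXTENSION_TLDS:
            hits.append(token)
    return hits


def defang_auto_linkable(text: str) -> str:
    """Rewrite "update.zip" as "update[.]zip" so auto-linkers leave it alone."""
    def _fix(m):
        token, ext = m.group(1), m.group(2)
        if ext.lower() not in FILE_EXTENSION_TLDS:
            return token                    # ordinary hostname, leave as-is
        stem = token[: -(len(ext) + 1)]
        return f"{stem}[.]{ext}"
    return _TOKEN.sub(_fix, text)


if __name__ == "__main__":
    # Constructed message body
    body = ("Please review the attached update.zip and docs.example.com; "
            "the survey lives at https://3dgs.zip/ for reference.")
    print(auto_linkable_filenames(body))    # only the bare mention is flagged
    print(defang_auto_linkable(body))
```

The explicit URL `https://3dgs.zip/` is left untouched because its host is preceded by `//`; only the bare mention `update.zip`, which a renderer would silently promote to a link, is flagged and defanged.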
| n_plus_1_acc wrote:
| That's not a new problem tho. .TS and .CS are TLDs and Heck
| even .COM is also a file extension, should we block that too?
| What changed suddenly?
| wlesieutre wrote:
| The type of user who has email conversations about .COM
| files is the same type of user who will realize that the
| link was automatically created by someone's email client
| and have a laugh about it.
|
| I don't know if you can say the same about zip files, an
| average user might encounter someone mentioning a zip
| filename a handful of times in a year and they might click
| on the link expecting to get that zip file.
| chrisfosterelli wrote:
| COM files are a good point I hadn't considered.
| w-m wrote:
| That makes sense. Funnily enough I had kind of an inverse
| problem building the https://3dgs.zip/ landing page, or
| linking to the project from elsewhere - I'd point a link to
| the compression survey with the link text "survey.3dgs.zip".
|
| And had to have people point out to me that they don't want
| to click on that, because they don't want to download a big
| file.
| tetha wrote:
| > I'm no security person, so the reasoning felt a bit weird to
| me, as I guess the .zip TLD can't hurt anybody; downloading a
| .zip might, which you can attach to any link name?
|
| Turn off all of your developer knowledge for a minute.
|
| You click on a link "very-trustworthy-ceo-information.zip" in a
| mail, since you want to download this very important
| information from your CEO. Sure, your browser pops up, but it
| does that all the time so who cares, and then there is a file
| "very-trustworthy-ceo-information.zip" in your downloads
| folder. Native Outlook might open it in a different way
| usually, but who cares? OWA - you won't notice a difference in
| the UI at all. But anyway, important CEO information. Open the
| zip, open the PDF, oops your workstation is compromised.
|
| If we turn our technical knowledge back on, it's rather simple.
| A user was phished to open a link to
| "https://very-trustworthy-ceo-information.zip". This returned with a file download,
| obviously called "very-trustworthy-ceo-information.zip",
| containing whatever I want to contain based off of IPs and
| whatever I can stuff into the link in a hidden fashion the
| average user won't note.
|
| A lot of people would not be able to distinguish between
| https://foo.zip answering with a binary content type and naming
| the file foo.zip through content disposition headers and
| foo.zip coming from a trusted source.
|
| And honestly, I would personally have to double-check what's
| going on there if it happened to me.
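The lure tetha walks through has an observable signature on the wire: a host whose last label is a file extension, serving an archive from its bare root with a Content-Disposition filename equal to the host name. The added example below (my code, not from the thread) is the proxy-side check a defender could run over the request URL and response headers; the colliding-TLD set and content-type list are my choices, and the sample responses are constructed.

```python
# Added example: flag an HTTP response that delivers a download named after
# its own host on a TLD that doubles as a file extension, i.e. the
# https://foo.zip/ -> "attachment; filename=foo.zip" pattern.  Written as a
# proxy/EDR check; not code from the thread.
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# gTLDs that double as file extensions (my selection for this example).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Content types such a download typically carries (my selection).
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed",
                 "application/octet-stream"}

# Plain filename= parameter, quoted or bare.  The RFC 5987 "filename*="
# form is deliberately not handled here.
_FILENAME = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.I)


def content_disposition_filename(header: Optional[str]) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition header."""
    if not header:
        return None
    m = _FILENAME.search(header)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()


def tld_download_lure_reason(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Return why the response looks like a host/filename lure, or None.

    Header names are matched case-insensitively.  Only hosts whose TLD is
    also a file extension are considered; an archive at https://foo.com/bar.zip
    is outside this check.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld not in FILE_EXTENSION_TLDS:
        return None                               # host does not read as a file name
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    fname = content_disposition_filename(hdrs.get("content-disposition"))
    if fname and fname.lower() == host:
        return f"download named after the host: {fname}"
    if ctype in ARCHIVE_TYPES and parts.path in ("", "/"):
        return f"archive served from the bare host {host} ({ctype})"
    return None


if __name__ == "__main__":
    # Constructed responses: one lure-shaped, one ordinary web page
    lure = {"Content-Type": "application/zip",
            "Content-Disposition": 'attachment; filename="very-trustworthy-ceo-information.zip"'}
    page = {"Content-Type": "text/html; charset=utf-8"}
    print(tld_download_lure_reason("https://very-trustworthy-ceo-information.zip/", lure))
    print(tld_download_lure_reason("https://3dgs.zip/", page))
```

A site like 3dgs.zip that answers with HTML passes the check, so it distinguishes the pattern tetha describes from a legitimate web page on the same TLD rather than blocking the TLD outright.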
| w-m wrote:
| My point was that the person fooled by https://foo.zip/ would
| have been also fooled by https://foo.com/bar.zip, so the
| existence of .zip wouldn't change much.
|
| But now I've understood that the auto-linkification of a
| simple non-link mention like update.zip can be indeed
| dangerous.
| floam wrote:
| Some firewalls just block newly-registered domains. Are you
| totally sure it wasn't that category?
| w-m wrote:
| Yep, I checked other, established .zip domains. Finding one
| was quite a hard task, which gave me pause. I found a link
| shortener site on some Google promotional page for .zip (.zip
| is a Google-TLD). Accessing any .zip url was denied on the
| tested machines.
|
| So this matches what IT told me and what the sister comments
| state here: some tool blocks the whole .zip TLD on the DNS
| level.
| annoyingnoob wrote:
| I block .top and several other of the newer TLDs in SMTP. We
| get tons of spam from these TLDs, and we don't otherwise
| interact with those TLDs in our business.
| nulld3v wrote:
| A big reason why .top is used so much is because it is so cheap.
| Phishers can rotate through many more domains using .top compared
| to other domains.
|
| IMO this isn't a particularly big problem, it's cool to let
| people buy cheap domains. It also doesn't really save the
| phishers that much money. You aren't going to solve the problem
| by making domains more expensive, it might impact phishers'
| margins but they will continue phishing.
| Retr0id wrote:
| Impacting phishers' margins is all we _can_ do, really.
| inetknght wrote:
| Stronger investigative and enforcement actions are something
| we _can_ do.
|
| But it's something that we don't stomach. I wonder why. I
| suppose it's because the modern business-centric Internet is
| centered on the ability to scam people out of money.
| Investigations and enforcements would open the floodgates to
| every "normal" business too.
| mschuster91 wrote:
| The problem is it's cross-border. Domestic law enforcement
| will almost always run into dead ends, maybe they'll catch
| some money mule that got conned into the job, but that's
| it.
|
| The real dent would be to get India (for US scammers) and
| Turkey (for German scammers) to cooperate, the way to do it
| would be to threaten devastating sanctions ("clean up your
| scammer scenes, _or else_ "), but that cannot be done as it
| is important for geopolitical reasons to appease India (a
| significant portion of the world's pharmaceutical base
| compounds originate from there, not to mention the Ukraine
| conflict) and Turkey (same reason, Ukraine conflict + about
| 2 million Syrian refugees that Erdogan already abused as a
| political weapon once).
| efilife wrote:
| And harm everyone else who wants a cheap domain.
| Retr0id wrote:
| If they can't price-in effective anti-abuse measures, then
| maybe the price should be higher.
| nevi-me wrote:
| This is encouraging. We have a big tender (procurement) scam in
| our country, and I receive at least 10 different emails daily
| about fake procurement requests (the central gov database was
| either leaked, or the criminals are working in tandem with its
| administrators).
|
| At times I have reported the impersonating domains, and I'd say
| that registrars have acted on under 5% of my complaints (within
| reasonable time). If they use a local domain name, it's easier to
| complain directly with our country's registry administrator.
|
| My problem is often with registrars that are in random countries.
| It's encouraging that some action is being taken, and I think in
| future I should also lay complaints with ICANN.
| pnw wrote:
| This has been an issue for decades in my experience. ICANN has
| rules but they do very little to resolve complaints against bad
| registrars.
| duskwuff wrote:
| > This is encouraging. We have a big tender (procurement) scam
| in our country, and I receive at least 10 different emails
| daily about fake procurement requests (the central gov database
| was either leaked, or the criminals are working in tandem with
| its administrators).
|
| It's not just you, and I don't think it's targeted - I'm
| getting these messages as well on my personal email. This
| appears to be a major ongoing spam wave.
| Jerry2 wrote:
| They need to do exact same thing with .xyz TLD. It's gotten so
| bad that I had to block .xyz on our router.
| autoexec wrote:
| Now do the same for .io .site and .cc
|
| I've seen tons of phishing from those domains. Even the ones who
| eventually take down sites that I report, they don't look for
| other sites/domains from the same scammers or that have the same
| content, and they don't do anything to stop the same person from
| getting another domain and then putting the exact same content on
| it.
|
| It shouldn't be hard for a company to identify most of these
| scammers. They are not subtle. Very basic automated checks to see
| what content is being served from new domains based on previously
| discovered phishing sites could catch a lot of it. Companies just
| aren't required by law to care so they don't.
|
| Even big companies are terrible when it comes to phishing. I
| found out recently that for some google sites you can't even
| report the phishing site to Google without first signing into a
| google account. Why someone should have to hand over their
| personal info to Google in order to report a phishing site is
| beyond me. It's bad enough that Google refuses to respect RFC
| 2142 and accept reports at an abuse@ address. Internet standards
| exist to prevent exactly this kind of bullshit.
| ffhhj wrote:
| Strange that .co doesn't even show up in the list. I have a 3
| letter .co similar to another .com domain and constantly receive
| customer IDs and internal communications.
| iancmceachern wrote:
| Bummer, I was hoping this had something to do with the band
| reaperducer wrote:
| While I don't disagree with warning .top, I notice in the report
| that .lol and .bond have higher "Phishing Domain Scores" than
| .top. Hopefully they got a nastygram, too.
| diego_sandoval wrote:
| An organization like ICANN should not be concerned with the
| specific uses people are giving to their domain names.
|
| Their mission should be to create a system that makes it
| convenient for actors to identify each other across the Internet,
| so that they can communicate arbitrary data. ICANN should be
| agnostic to the contents of the communications.
___________________________________________________________________
(page generated 2024-07-24 23:01 UTC)