[HN Gopher] Phishers Love New TLDs Like .shop, .top and .xyz
___________________________________________________________________
Phishers Love New TLDs Like .shop, .top and .xyz
Author : todsacerdoti
Score : 91 points
Date : 2024-12-03 13:30 UTC (9 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| dmurray wrote:
| > new gTLDs introduced in the last few years command just 11
| percent of the market for new domains, but accounted for roughly
| 37 percent of cybercrime domains reported between September 2023
| and August 2024.
|
| > .com and .net domains made up approximately half of all domains
| registered...they accounted for just over 40 percent of all
| cybercrime domains.
|
| Hardly earth shattering. .net and .com are still pulling 80% of
| their weight when it comes to cybercrime. And the article
| concludes that the main reason the new TLDs are
| disproportionately used is because you can sometimes buy them
| cheap in bulk.
|
| Maybe the real story here is that the ccTLD registrars, who
| weren't mentioned, are disproportionately good at deterring
| cybercrime.
| zinekeller wrote:
| > Maybe the real story here is that the ccTLD registrars, who
| weren't mentioned, are disproportionately good at deterring
| cybercrime.
|
| I think that some ccTLDs requiring positive identification,
| usually as a side effect of residency or nationality
| requirements, immensely help here (versus most gTLDs requiring
| f***-all identification).
| reaperducer wrote:
| _.net and .com are still pulling 80% of their weight when it
| comes to cybercrime._
|
| The article states it's half that.
|
| "while .com and .net domains made up approximately half of all
| domains registered in the past year... they accounted for just
| over 40 percent of all cybercrime domains. Interisle says an
| almost equal share -- 37 percent -- of cybercrime domains were
| registered through new gTLDs."
| a_gray wrote:
| > The article states it's half that.
|
| No, the article agrees with dmurray. Read again: 80% of 50%
| is 40%.
| lexicality wrote:
| Honestly the only "legitimate" use for these TLDs seem to be
| fediverse/bsky vanity URLs.
|
| Everything outside that just looks like a scam, even if it isn't.
| runamuck wrote:
| Interesting! Now that you mention it, I did buy a .luxury
| domain for this purpose - a Gemini server. I also bought a .ski
| to have a domain with my (Polish) last name.
| lexicality wrote:
| It's great to be able to get silly domains for projects, back
| to the old days of IRC vanity hosts, but can you imagine
| seeing a link to something like jackets.luxury and going
| "yeah that seems legit, I'm definitely giving them my card
| details"
| Symbiote wrote:
| The first English result on Google for a .luxury site is
| this: https://leon.luxury/
|
| It looks legitimate, and it's probably enabled Leon to use
| their business name in the domain.
|
| The first American site is https://roughwood.luxury/, it
| also looks fine.
| qup wrote:
| But then I remember it's just a pointer to 19.124.217.99
| and I have no idea if it's legit or not, just like all the
| .coms.
| digital_sawzall wrote:
| Yes that is completely normal and my younger relatives
| would not even think twice.
|
| In the TikTok and Instagram community people are spending
| billions not only on random domains (like tiedyeshirts.xyz)
| but often to venmo or zelle listed on profiles. My sister
| and thousands like her send money to faceless profiles to
| buy mystery boxes.
| ErikAugust wrote:
| Once I found I couldn't iMessage a .xyz link I decided to stay
| away...
| 15155 wrote:
| This would have me staying away from iMessage. What other
| content is Big Brother not transmitting for my "protection?"
| kevincox wrote:
| This is actually why I moved off of Facebook Messenger. It
| started blocking random links I tried to send so I moved to
| something E2E encrypted.
| Ajedi32 wrote:
| Facebook Messenger is E2E encrypted now (though obviously
| that's not going to prevent the developer from blocking
| links unless the client is also open source).
| larrik wrote:
| it didn't send, or it didn't linkify?
| ErikAugust wrote:
| Right, didn't send.
| drummojg wrote:
| I have always thought the infinite proliferation of TLDs was a
| stupid idea. I'd be enlightened if I could think of one scenario
| that benefits from it outside of the registrars.
| echoangle wrote:
| I would actually think that consumers (of domains) benefit more
| than the registrars, because there is more competition. If I
| want a specific word as a domain, there are multiple options of
| TLD for me.
| edent wrote:
| There are lots of people called John Smith. They all want a
| domain name. There's only so many variations of jsmith,
| j-smith, etc you can squeeze into .com, .net, and a few others.
|
| Why shouldn't they be able to buy a domain name which contains
| their name?
|
| Is it useful to be able to differentiate between McDonald's the
| restaurant and McDonald's the legal firm and McDonald's garage?
|
| Why shouldn't each of those industries get their own TLD?
|
| The original list of TLDs aren't some platonic good written by
| ineffable sages. It's OK for things to change.
| gruez wrote:
| >There are lots of people called John Smith. They all want a
| domain name. There's only so many variations of jsmith,
| j-smith, etc you can squeeze into .com, .net, and a few
| others.
|
| >Why shouldn't they be able to buy a domain name which
| contains their name?
|
| I fail to see how johnsmith[insert number here].com is any
| worse than johnsmith.[insert TLD here]. If anything a number
| is less likely to get mixed up than tlds, which have
| confusing pairs like ".tech" and ".technology", or
| ".engineer" and ".engineering".
| edent wrote:
| Surely the number 14 is likely to get misheard as 40. And
| 13135432 is easily typo'd to 13134532.
| gruez wrote:
| It's not about typos or mishearing stuff, it's about
| words being jumbled in memory. Unlike a sequence of
| digits, people don't store words "engineering" in their
| head as a string (eg. "E-N-G-I-N-E-E-R-I-N-G"). It's
| stored as something like "[concept of engineer] +
| [present participle]". That's far more likely to get
| jumbled in people's head during recall.
| rhplus wrote:
| And... predictably, johnsmith.com ends up offering no utility
| to any of the John Smiths out there because it's being held
| for ransom by a squatter:
|
| https://www.afternic.com/forsale/johnsmith.com
| 9dev wrote:
| The only actual answer would have been to drain the TLD swamp
| and open up the root zone. Give us john.smith,
| website.jsmith, and mc.donalds. It's just a label anyway, and
| one that normies don't pay any attention to--save that even
| if they did, it's hard not to fall for mc-donalds.com or
| mcdonalds-restaurant.com anyway.
|
| If the whole EV certificates thing would have been set up in
| a way that it wasn't just a money extraction racket, that
| would be the way forward. Let user agents convey whether a
| site is trustworthy, and what entity it is connected to.
| politician wrote:
| DNS should be a destination, not a utility. Every John Smith
| has a legitimate claim on smith.com.
|
| DNS should offer disambiguation services. Instead, we have this
| awful system.
|
| My dream is to fork a browser and replace the DNS component
| with an entirely new protocol that respects the notion that
| people in the real world share names.
| machinestops wrote:
| Petnames?
|
| https://files.spritely.institute/papers/petnames.html
| ryan29 wrote:
| Domains are the ultimate identity system for building a more
| trustworthy internet without handing over control to some kind
| of verified ID scheme or being forced into publishing your
| personal details to gain credibility.
|
| You can build reputation and trust using a handle, even if it's
| not associated with your real world identity. For example, I
| know that if 'ryao' replies to a question about ZFS, the
| response can be considered trustworthy. I don't know who that
| is or even what country they live in, but I know they're a
| contributor that isn't speculating or guessing when they reply
| and that's all that matters to me.
|
| Domains can be used as verifiable, globally unique handles
| which simplifies things for the average user because it makes
| it easier to help users avoid impersonation and confusion if
| you can point them to something simple and verifiable. For
| example, look at Bluesky [1].
|
| I've been wanting domain based namespaces and handles for a
| solid 5 years because it just makes sense. Here's my oldest
| mention of it (asking why package managers don't use domain
| verified namespacing) I have on HN [2]:
|
| > It seems like a waste to me when I'm required to register a
| new identity for every package manager when I already have a
| globally unique, extremely valuable (to me), highly brandable
| identity that costs $8 / year to maintain.
|
| You can tell it's old because .com domains only cost $8 back
| then. IMHO, domain based handles are _the_ #1 reason to use
| Bluesky over X /Twitter. People used to spend $10-15k buying
| "noteworthiness" via fake articles, etc. to get verified on
| Twitter. I can't find any links because search results are
| saturated with talk of X wanting $1000 _per month_ for
| organization validation (aka a gold check mark). Domain
| validation is just as good as that kind of organization
| validation, at least for well known individuals and
| organizations.
|
| Given that, I think there would be a bigger market for domains
| if domain validated identities catch on. It could even spawn
| specialty gTLDs that do extra identity or notoriety checks (if
| that's allowed) or maybe attestations would become a big thing
| if there were an easy way to do them against a domain verified
| handle.
|
| 1. https://bsky.social/about/blog/3-6-2023-domain-names-as-
| hand...
|
| 2. https://news.ycombinator.com/item?id=24674882
| carbine wrote:
| have you gone through the process of naming and securing
| domains for startups over and over again because let me tell
| you, it's brutal. the more TLDs, the better.
| xelamonster wrote:
| The implication that gTLDs are bad and new ones shouldn't be
| introduced because of this is a bit silly to me. The argument
| that they somehow have lower registration requirements makes no
| sense, .shop .top and .xyz registrations involve the exact same
| amount of verification as .com (none). Prices aren't really that
| different and plenty of gTLDs are more expensive than traditional
| ones.
|
| Registering a domain is frustrating these days, too many already
| taken and a lot of them by squatters not even intending to use
| it. I'd love to see more options personally even if it makes it
| slightly easier to create a phishing domain. We need better tools
| than memorizing a domain name to deal with that anyways.
| NotSammyHagar wrote:
| I think the issue is you can register a known company name on
| one of these and plenty of people will think it's legit.
| Companies have to register on all these random domains to
| protect themselves.
|
| dell.shop, that's probably the dell computer I know, right?
| zanderwohl wrote:
| The people who would fall for that would probably also fall
| for `dell.computerdealshop.com` though
| 0xCMP wrote:
| They're different. Companies register all kinds of crazy
| domains and redirect you through them all the time. Why is
| it crazy that some marketing person at Dell thought it
| would be cool to link people to 'dell dot shop'? I would
| check the certificates, but honestly only as a precaution.
| If the website looks correct that isn't such an insane
| thing.
|
| _That is exactly why it's so dangerous and effective
| versus your example._
| jeroenhd wrote:
| > Companies register all kinds of crazy domains and
| redirect you through them all the time
|
| That's the real problem with domain trust these days.
| Companies go out of their way to make sure you know to
| only visit official links, and then do stupid stuff like
| buying vanity domains for one-time deals, or make you
| click through mailchimp tracking URLs because marketing
| tracking is more important than your customers falling
| for phishing. Those vanity domains then end up expiring,
| and now emails and web links that used to go to an
| official $brand server are all ready to be swooped up by
| scammers. Customers never stood a chance.
|
| This isn't a TLD problem. It's a shitty company problem.
| Symbiote wrote:
| A little searching shows Dell have dell.to, used as a
| link shortener, even though Dell has little business in
| Tonga.
| marxisttemp wrote:
| I wholeheartedly agree. Subdomains exist for a reason.
| Vanity domains are so incredibly sloppy and unserious.
|
| Another issue is that they can make password management
| more of a chore. Every time I need to look up my
| Microsoft login, I have to remember to actually look up
| "live.com". Except sometimes the login page is served
| from "microsoft.com". Oops, you forgot your password and
| reset it; now your password for the other domain is out
| of date. Utterly ridiculous behavior from a company of
| their stature.
| nemomarx wrote:
| bitwarden can list multiple domains in one entry for a
| password - it might be good to find out if your manager
| can do that and merge some?
| zokier wrote:
| There is no domain trust problem, because there is no
| trust to be had on domains.
| BlueTemplar wrote:
| Maybe companies should stop doing that then? Also,
| homonyms aren't uncommon for smaller companies,
| especially across the world.
|
| EDIT : and ninjaed...
| clan wrote:
| I do not think so. I think if someone would have made an
| effort to rip off the real Dell site I would fall for it. I
| am just so lucky that scammers mostly prefer to go after the
| easier marks.
|
| I am not sure what a better solution could be. The idea of
| EV certificates was good but executed poorly. Maybe a way
| to link certificates to business IDs.
|
| I do however still prefer more gTLDs to minimize domain
| squatting.
| furyofantares wrote:
| When a scam hits someone's inbox or text message, it finds
| them in a particular time in their life, in a particular
| state of mind, and in a particular context. It's not just
| about how gullible or uninformed or whatever they are. They
| may be tired, they may be drunk, they may be spending all
| their energy worrying about a sick relative, or trying not
| to.
|
| They may have just been shopping for a computer, maybe even
| a dell. Or maybe they need a computer for their kid and
| don't have the means to afford one and are more likely to
| fall for a scam advertising a good deal on a computer than
| for any other scam.
|
| These all add to the probability that someone falls for a
| scam. Phishing is all about casting a wide enough net that
| the probabilities align against some of the people you hit
| at the time you hit them.
|
| Victims are not just uninformed. They are also compromised,
| and/or incentivized to believe this particular scam, and/or
| unlucky enough that the scam takes place when they were
| recently engaged in activity that makes the scam more
| believable.
|
| Seeing dell.computerdealshop.com will snap a lot of people
| out of it where seeing dell.shop would not have.
| blululu wrote:
| Whether people are more easily fooled by dell.shop or
| dell.computershop.com is a non sequitur from the rather
| wordy disquisition about why people fall for the scams in
| general. The eye sees dell first in clear letters for
| both urls. Their sick relative doesn't change much here.
| I would honestly not be sure if either is a scam for the
| url alone. The improbable deal at the other end is the
| only meaningful signal.
| furyofantares wrote:
| > Whether people are more easily fooled by dell.shop
| dell.computershop.com is a non sequitur from the rather
| wordy disquisition about why people fall for the scams in
| general.
|
| It isn't. People fall because probabilities align.
| Something can catch their eye to knock them out of it.
|
| A bad URL is a bad probability (for the scammer) in the
| chain, a really good URL is another good probability. If
| your assessment is that both URLs look equally good/bad
| to you, I, of course, won't deny that claim about your
| own experience. But to my eye, dell.computershop.com
| looks pretty bad and dell.shop looks pretty good.
|
| I only answer my phone if I'm in the middle of getting a
| loan and so expecting a call from some unknown number at
| any time, and even then some numbers look too phishy to
| answer. The last time I got a loan I got a call from a
| local area code near the bank, answered, and found myself
| talking to a scammer about a loan. It was confusing, I
| believed it was the bank at first! Everything needed to
| align for them to get that far, including the phone
| number looking legit to my eyes. To someone else's eyes a
| number halfway across the country may have looked just as
| legit. Or the nearby number may have looked instantly
| bogus. This is exactly my point!
| echelon wrote:
| Most people don't understand URLs.
|
| Remember that Google was (is?) trying to remove the URL
| bar. Not just because it reinforces search as the main
| product and gateway to the web, but also because URLs are
| kind of hard for most people.
|
| Which brings us to the original argument: is this a
| reason to ban gTLDs? Surely the cost of banning gTLDs
| outweighs the enormous benefits of making it easy for
| society's productive users to find names they like.
|
| We also shouldn't discount the incredible benefit of
| having additional namespaces and markets positioned
| against domain name squatters. gTLDs linearly increase
| the costs to squatters. Good names can be found with lots
| of alternative gTLD offerings, which greatly increases
| the supply side for builders and entrepreneurs.
|
| Ultimately gTLDs probably won't be banned simply because
| there's money to be made by the ICANN and registrars.
| furyofantares wrote:
| Many people do not understand URLs, many people do, and
| many people have an understanding in between. And they
| are all targets for scammers.
|
| And I don't think gTLDs should be banned! But I don't
| like bad arguments even when they support my preference.
| usrusr wrote:
| And then there are plenty of companies who put some
| legitimate part of their business on a wonky gtld domain
| they only bought so that it's not bought by a scammer.
| Systems run by the investor relations department might
| run on examplecompany.biz, some hiring SAAS on
| examplecompany.work, the CRM on examplecompany.business
| and the tech support occasionally instructs someone to
| get a preview update from examplecompany.cc. Not because
| that's a smart thing to do, but because coordinating
| namespaces is not easy and dedicating an otherwise unused
| domain only bought to keep out the scammers is a tempting
| shortcut. And because training internet users that
| sometimes wonky TLDs are OK is an externality.
| brabel wrote:
| > Seeing dell.computerdealshop.com will snap a lot of
| people out of it where seeing dell.shop would not have.
|
| Would love to see citations for that.
| inopinatus wrote:
| That's kinda the point. Scammers want to deal with the
| poorly informed, the gullible, the vulnerable. They
| concomitantly prefer that the wary and street-smart select
| themselves away. A marketing professional would recognise
| the effective segmentation going on, and every new TLD is
| an opportunity in that regard.
| mikestew wrote:
| Maybe, maybe not. [citation needed] But store.apple.com is
| perfectly legit, so what's wrong with apple.shop[0]? Sure,
| you and I know that one is a subdomain and one is a TLD.
| How many random folks on the street in Des Moines know
| this? 15%? Less? "Say what? It matters which end the 'shop'
| part is on? Whose brilliant idea was _that_?"
|
| [0] _sigh_ Apparently nothing is wrong with it, as it
| redirects to apple.com. So much for that example; take in
| the spirit intended.
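An added illustration of the distinction mikestew draws (which end of the name the "shop" part is on), not part of the thread: the Public Suffix List makes it mechanical to split a hostname into the registrable domain, which one registrant controls, and the subdomain labels in front of it, which that same registrant can set to anything. The suffix table below is a constructed stand-in for the real list, and `split_host` and `brand_position` are names chosen here. Note that "registrable" only says who controls the name, not whether that party is the brand, which is exactly the dell.shop problem the thread is about.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org); the real
# list has thousands of entries and is what production code should load.
PUBLIC_SUFFIXES = {"com", "net", "org", "shop", "app", "xyz", "top", "co.uk"}


def split_host(host):
    """Return (registrable_domain, subdomain_labels) for a hostname.

    The registrable domain is the public suffix plus the single label in
    front of it; whoever registered it controls every label to its left.
    Returns (None, []) when the host is itself a suffix or the suffix is
    not in the table, rather than guessing.
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is matched before "uk" would be.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None, []  # host is a public suffix, nothing registrable
            return ".".join(labels[i - 1:]), labels[: i - 1]
    return None, []  # unknown suffix: refuse to guess


def brand_position(url, brand):
    """Classify where a brand name sits in a URL.

    'registrable' : the brand is the registered label (dell.shop, apple.com)
    'subdomain'   : the brand is a label under someone else's registrable
                    domain (dell.computerdealshop.com)
    'elsewhere'   : the brand appears only in the path/query, or not at all
    """
    # urlsplit needs a scheme or leading "//" to treat the text as a host.
    parts = urlsplit(url if "://" in url else "//" + url)
    registrable, subs = split_host(parts.hostname or "")
    brand = brand.lower()
    if registrable and registrable.split(".")[0] == brand:
        return "registrable"
    if brand in subs:
        return "subdomain"
    return "elsewhere"


if __name__ == "__main__":
    # Constructed sample links mirroring the ones discussed in the thread.
    for link in ("https://dell.shop", "dell.computerdealshop.com",
                 "https://store.apple.com/mac", "https://computerdealshop.com/dell"):
        print(f"{link:40} -> {brand_position(link, 'dell' if 'dell' in link else 'apple')}")
```

A defender-side use of this is in link-rewriting or mail filtering: a brand name appearing as a subdomain under an unrelated registrable domain is a cheap, explainable signal to surface to the user, whereas a brand on an unfamiliar TLD needs a different check (allow-listing the brand's known domains), because the name itself carries no information about who registered it.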
| xelamonster wrote:
| Yep that's the issue, I'm just saying I'd rather have that
| problem than the one where I can't register a clean looking
| personal domain because every idea I have is already
| registered (with 95% of them leading to a parking page
| untouched for years except to pay the bill). Feels like we
| just need more names available and I don't see how else we
| could get them.
| throitallaway wrote:
| I'm doubtful that most non-technical people familiarize
| themselves with TLDs/domain names. They use a search provider
| for whatever they need. As far as emails/phishing goes, it's
| a game of cat and mouse; it will never be over. Basically,
| don't trust unprompted email links and just go to the site if
| it's something you really want.
| michaelt wrote:
| The problem is the new gTLDs don't increase the useful supply
| of domains.
|
| For casual usage like personal blogs and whatnot? Sure, use
| whatever.
|
| But if I was starting a web-based business and couldn't afford
| the .com? I'd rename the company before I'd use .xyz - if your
| business takes off the squatters will notice and raise their
| prices, so the .com will never be cheaper.
|
| If you got an "urgent e-mail" saying your employer needed you
| to confirm you're legally allowed to work, and they directed
| you to experianrtw.app - would you go there and send them a
| photo of your passport?
| mrsilencedogood wrote:
| There are a few options, though. The fact that .io got so
| popular shows that we are not forever chained to .com. It's
| just that a lot of the nuTLD options are honestly hilariously
| bad, most of them are just lame. My personal top picks are
| ".online" and ".software" with mention to ".network" but
| they're all WAY too long. I actually use ".cafe" for my
| personal stuff because it's short and cute. Obviously can't
| use that for your SV rocketship company though.
|
| Would it have been so hard to sit down and pick a couple
| short ones - yknow, ones people might actually use?
| politician wrote:
| Unfortunately, .io is now also unsafe with the upcoming
| transfer away from the UK; another cautionary tale for
| those considering not getting a .com.
|
| I've been seeding government and business forms with a .io
| email address for years (to counter gmail dominance), and
| I'm quite concerned about the situation now.
| mrsilencedogood wrote:
| That's because it's a ccTLD, not because it's not dot-com
| though. The powers that be could very well decide to just
| promote it to be a gTLD if they wanted to not destroy
| stuff for no reason. Actual gTLDs aren't susceptible to
| the same kinds of issues.
| teddyh wrote:
| > _The powers that be could very well decide to just
| promote it to be a gTLD_
|
| No, they can't do that. Every two-letter TLD is defined
| to be a ccTLD, and nothing else.
| mrsilencedogood wrote:
| If they did that anyway, who would stop them? This seems
| like a great time to make an exception.
| miningape wrote:
| Literally, these are arbitrary strings following
| arbitrary rules. It's time to ditch ICANN and develop a
| parallel DNS that makes sense for today not the 90s.
| ArchOversight wrote:
| I use .network for my internal network with a proper FQDN.
| This allows me to get certs for internal services that
| validate in all browsers.
| yawaramin wrote:
| If I got an 'urgent email' I wouldn't go to _any_ domain, I
| would contact my employer directly and confirm with them
| before doing anything. The people who would fall for this
| phishing scam would fall for almost any domain, because it's
| not about the domain.
| panarky wrote:
| Millions of people don't have an employer with an HR
| department they can call on the phone to confirm that an
| email is legitimate.
|
| What if your primary source of income is Uber or Doordash
| or Etsy or Youtube?
| poincaredisk wrote:
| What if you get an email from [yourbank].bank? Or if your
| mother got one?
|
| It's never a single signal, and the more legitimate a domain
| looks, the bigger the chance that someone falls victim to a
| scam.
| ToucanLoucan wrote:
| The lion's share of issues with domains would go away if we made
| squatting illegal, or at the least, extremely expensive.
|
| Tbh I'm increasingly thinking that just about any speculative
| instrument in the economy is just grift and drag. If you want
| to make money, _make things._ Stop trying to extract rent or
| exorbitant prices for land, for domains, for PS5s, etc. Feels
| like 9 /10ths of the economy now is nothing but fucking
| middlemen, when we have a dearth of need of ANY middlemen at
| all anymore.
| gruez wrote:
| >The lions share of issues with domains would go away if we
| made squatting illegal, or at the least, extremely expensive.
|
| How do you define squatting? Is the owner of nissan.com
| "squatting" on it because he wouldn't sell to the Japanese
| car company? How much interest do you need in a given domain
| before it's not squatting?
| ToucanLoucan wrote:
| I would argue if you aren't doing some combination of:
|
| - Hosting a website
|
| - Operating email accounts
|
| - Infrastructure (mail, DNS, etc.)
|
| - Misc. Services (Minecraft server, TeamSpeak server,
| something)
|
| Then you're squatting. Like if you own turkeyonapig.com and
| it's literally just a web page with a picture of a turkey
| sitting on a pig? Not squatting. It's odd but it's clearly
| doing exactly what it's meant to be doing. If you own
| turkeyonapig.com and are doing nothing but advertising that
| fact, and that someone can buy it? Squatting.
|
| > Is the owner of nissan.com "squatting" on it because he
| wouldn't sell to the japanese car company?
|
| I mean, it depends. One would argue that people going to
| nissan.com are clearly looking for the Japanese car
| company, so it's in the public's interest that that domain
| be sold to them. On the other hand, if someone owns it and
| is using it to run a Nissan fan website? Well I suppose that's
| trickier, but that would also probably be better suited to
| something like nissanfans.com.
|
| It's a tricky thing but not impossible to figure out.
| dist-epoch wrote:
| > a web page with a picture of a turkey sitting on a pig?
| Not squatting
|
| GPT/Cursor will create that page for you in 5 min. I bet
| NotSquattingAsAService startups will appear which will
| create the "not squatting" fake site for you for $2.
| ToucanLoucan wrote:
| I mean, that's an improvement in my mind over millions of
| insipid "BUY THIS DOMAIN!" web pages. At the least the
| internet would be more interesting?
|
| But also like, then you aren't advertising it for sale.
| So I'm wondering how many offers you're going to get to
| sell that domain, which is the point of squatting it.
| dist-epoch wrote:
| That's not how most squatting pages are sold. They are
| registered for sale in places like NameCheap and you can
| see it directly when you search for domains.
| reaperducer wrote:
| _NotSquattingAsAService startups will appear which will
| create the "not squatting" fake site for you for $2._
|
| That's an improvement. Adding $2 to $5 to the cost of a
| squatted domain will start to dissuade people who squat
| on tens of thousands of domains, if they suddenly have
| to pay $20,000 to $50,000 for the not squatting
| service.
| gruez wrote:
| >That's an improvement. Adding $2 to $5 to the cost of a
| squatted domain will start to dissuade people who squat
| on tens of thousands of domains
|
| There's no way static site hosting and an email service
| costs $2-$5 per year per domain, especially for bulk
| users. Even if we take that price at face value, a .com
| domain already costs around $10/year. A 20%-50% increase
| will only change behavior at the margins. It won't make
| chat.com magically become available, and at best will
| make some D tier domains available. Ironically the
| introduction of gTLDs probably had the same effect.
| Squatting harrisonburgrealty.com is suddenly going to be
| less profitable when there's harrisonburg.{realty,
| realestate,realtor,homes,house,place,properties,rent,
| apartments} available as well.
| ToucanLoucan wrote:
| To be clear, when I said make it cost more, I was
| thinking more like taxes. Similar to how we should be
| taxing vacant homes to raise the cost of keeping empty
| properties and lower the rents in turn.
| echoangle wrote:
| And you think a domain squatter would be deterred by high
| pricing and not just point every single domain to a VPS
| with a "Hey guys buy my domains" page? Or even just
| point them to any random IP, since DNS is one of the
| legitimate uses you named?
| ToucanLoucan wrote:
| I mean that's basically what most do now. I'm saying the
| domain should direct to _an actual website,_ irrespective
| of how useful or large it is.
|
| See my example of turkeyonapig.com.
| jocoda wrote:
| > It's a tricky thing but not impossible to figure out.
|
| Good to hear. So after that you'll be sorting out world
| peace - right?
| beeflet wrote:
| I really don't think eliminating domain squatters is some
| impossible task. you could probably just tax sales of
| domain names to death (90% sales tax on any resold domain
| names) to disincentivize it vs registration upkeep costs.
|
| Squatters are a massive blight on the internet.
| gruez wrote:
| >I would argue if you aren't doing some combination of:
| [...]
|
| cloudflare offers free website hosting and email
| forwarding, so it's basically free for a squatter to
| check those boxes.
|
| >I mean, it depends. One would argue that people going to
| nissan.com are clearly looking for the Japanese car
| company, so it's in the public's interest that that
| domain be sold to them.
|
| So you basically want the Kelo v. City of New London
| decision to be applied to domains as well? You own
| "erictrump.com" but aren't the president-elect's son?
| Well tough luck because it's "in the public's interest"
| that president-elect's son gets it rather than you.
| ToucanLoucan wrote:
| > cloudflare offers free website hosting and email
| forwarding, so it's basically free for a squatter to
| check those boxes.
|
| Sure. But it still takes time, or as someone else
| suggested, a GPT query. Putting literally even the
| tiniest amount of work in front of squatting will reduce
| the amount of squatting.
|
| > So you basically want the Kelo v. City of New London
| decision to be applied to domains as well? You own
| "erictrump.com" but aren't the president-elect's son?
| Well tough luck because it's "in the public's interest"
| that president-elect's son gets it rather than you.
|
| I mean, it is. And putting the phrase in scare quotes
| isn't a counterpoint.
|
| One could argue in fact that one of the multitude of
| reasons for the rise of platforms is that it's so hard to
| find anything on the actual internet, and part of that in
| turn can be blamed squarely on squatting.
| jltsiren wrote:
| It's not a particularly hard problem. Most countries have
| rules on what you can use as a business name or register as
| a trademark. Domain names are just more of the same.
|
| And you don't really own your domain. You are just renting
| it from whichever authority is responsible for the TLD. If
| you stop paying, the authority will eventually take it
| back.
| zokier wrote:
| Trademarks are specific to the field it is used on.
| Classic example is Apple Records vs Apple Computers,
| which one should get apple.com?
| jltsiren wrote:
| And there are also businesses with identical names. But
| the basic idea was already established long before the
| internet. If you have a legitimate claim to a name, you
| have a legitimate claim to that name. There may be
| multiple entities with a legitimate claim to a particular
| name, in which case the first one that used it in a
| particular context gets to use it in that context. And if
| you think that someone is using a name you have claimed
| in a misleading way or acting in bad faith, you can sue
| them and let the courts decide.
| zokier wrote:
| The problem is that, as you note, trademarks and company
| names are not unique, but domain names are required to be
| unique. So that n to 1 relationship between
| trademarks/names and domain names intrinsically creates a
| problem: how to allocate the domains when there are many
| equally legitimate pre-existing claimants. This is not a
| solved problem the way you portray it, because domain
| names have this novel uniqueness requirement.
|
| Of course this raises the valid question of whether using
| names in this way at all is a good idea. For example the
| telephone system and lots of banking stuff are based on
| simple numerical identifiers, and lots of countries also
| have some unique (numerical) identifiers for companies and
| persons. So there is fairly strong precedent for using
| assigned ids instead of names when uniqueness/specificity
| is required. But somehow we have jumped to the conclusion
| that for example IP addresses would be too confusing to the
| average joe, and in an attempt to hide them we have created
| an even more confusing system.
| jltsiren wrote:
| Many countries already solved this problem with their
| ccTLDs decades ago. It only required taking the
| established practices and applying them to a new class of
| names. There are always some edge cases, but domain name
| assignment is pretty much a solved problem.
| reaperducer wrote:
| _The implication that gTLDs are bad and new ones shouldn't be
| introduced because of this is a bit silly to me._
|
| That wasn't what the article stated. The article stated that
| the problem is that the new TLDs are so cheap as to be
| disposable, and the registration requirements are lax. The
| combination makes them attractive to criminals.
|
| It's literally the first sentence of the article:
|
| "Phishing attacks increased nearly 40 percent in the year
| ending August 2024, with much of that growth concentrated at a
| small number of new generic top-level domains (gTLDs) -- such
| as .shop, .top, .xyz -- that attract scammers with rock-bottom
| prices and no meaningful registration requirements, new
| research finds."
| humanfromearth9 wrote:
| What looks like squatters might also be people who just want
| their own domain only for email, not hosting.
| neilv wrote:
| > _John Levine is author of the book "The Internet for Dummies"
| and president of CAUCE. Levine said adding more TLDs without a
| much stricter registration policy will likely further expand an
| already plentiful greenfield for cybercriminals._
|
| He's from pre-gold-rush Internet, and still making the net
| better: https://en.wikipedia.org/wiki/John_R._Levine
| felideon wrote:
| OT, but man, I remember reading that book when I was a kid.
| Then started reading HTML books and, of course, the Llama book.
| smitelli wrote:
| The whole environment of the newer gTLDs just feels... gross. I
| rarely find a reputable business that is using anything but .com
| or .co.XX as the primary domain.
|
| Putting on my regular-person hat: When I see a billboard or print
| ad with e.g. `example.travel`, I read that as a social media
| handle and not a website address like `example.com` would convey.
| In public perception, dot com means websites. Always has.
|
| (Tangentially, the `.sucks` TLD in particular should never have
| been allowed. How many brands out there have to maintain a
| perfunctory registration there just to prevent somebody else from
| doing so?)
| RegnisGnaw wrote:
| Really? What about countries that allow just .ccTLD?
| jeroenhd wrote:
| I never deal with co.xx to be honest. Most websites I visit are
| on ccTLDs. Whenever I see a .com link to any local business, I
| start out by assuming it's a scam website.
|
| That said, .app has found plenty of adoption. Tech companies
| absolutely love .io and .ai is now also gaining popularity. The
| good American URLs have all been bought years ago so people
| flock to ccTLDs and gTLDs for new products and businesses. Even
| .engineering has a few interesting businesses on it these days.
|
| As for .sucks, it's clearly a cash grab, but banning it hardly
| solves a problem. ycombinatorsucks.com is a lot cheaper than
| ycombinator.sucks, and if ycombinator pre-emptively buys
| ycombinatorsucks.com, you could just buy ycombinatorisshit.com
| or ycombinatorisadoodoohead.com.
| Symbiote wrote:
| This is very regional.
|
| .co.xx is common in Britain (.co.uk), Japan (.co.jp), New
| Zealand (.co.nz) and probably others. It's perfectly
| legitimate for a site linked to those countries.
| craigds wrote:
| NZ didn't allow registration of raw .nz domains until 2014
| so anything registered before that was a .co.nz or similar.
| It's still more common than .nz due to inertia / muscle
| memory I guess. I get weird looks when I give people my
| (name).nz email address - usually people ask if I meant
| .co.nz
| cesarb wrote:
| BR went the other way. Registration of raw .br domains
| used to be allowed for universities, but AFAIK other than
| grandfathered registrations it's no longer allowed (new
| registrations have to use .edu.br).
|
| My suspicion is that it was due to abuse; a long time
| ago, I noticed some university had registered IIRC .co.br
| (our correct equivalent to the .com gTLD is .com.br; this
| is a notable exception to the assertion above that "I
| rarely find a reputable business that is using anything
| but .com or .co.XX as the primary domain", since plenty
| of reputable businesses use .com.br as their primary
| domain, not .co.br which doesn't exist).
| ourmandave wrote:
| Remember reading Ford Motor Company already registered
| FordSucks.com and a bunch of permutations of that way back
| when.
| sofixa wrote:
| > I rarely find a reputable business that is using anything but
| .com or .co.XX as the primary domain
|
| What about all the other ccTLDs? Okay, maybe not .ly, .by, .ru
| and friends, but what do you have against .it, .fr, .de, es?
| Symbiote wrote:
| .ly, .by and .ru are legitimate in their own context.
|
| https://www.mos.ru (Moscow's city site),
| https://www.belarus.by/ (Belarus' tourism site) and
| https://libyaobserver.ly (Libyan newspaper) are three
| examples.
|
| And I'd be almost as suspicious of buy-viagra-pills.de as I
| would be of buy-viagra-pills.ru.
| kotaKat wrote:
| I'm disappointed at the arbitrary decision-making that lets the
| registrars deem certain domains to automatically be "premium"
| and mark them up appropriately. It feels like that's an
| additional layer of extortion on top (doubly so when the
| premium price carries into the full renewal price, too).
| ryan29 wrote:
| It's the _registries_ not the _registrars_ that classify some
| domains as premium. I think they're a risky product because
| you don't even get the limited price protections provided by
| section 2.10c of the registry agreement, but there seems to
| be a market for them [1].
|
| 1. https://domainnamewire.com/2024/08/28/radix-sets-record-
| for-...
| t-writescode wrote:
| So, to be clear, the following tend to be seen as problems by
| their interested parties:
|
| * withholding tons of domains to watch them go up in value
| means people can't get those domains (scammers, regular
| people)
| * registries do not make a high price when they sell
| high-value domains (registries)
| * there's only so many words / groups of words that are
| easily typeable (everyone)
| * reducing scarcity reduces the value of digital real estate
| (domain squatters / traders)
|
| Which of these issues / values / interested parties are more
| important to help than others, and what, if anything, should
| change?
|
| I, personally, tend to be in favor of reducing the impact of
| scalpers by increasing total available volume. As a
| consequence, I'm also willing to accept some terms for the
| registries that they get to set higher prices for the most
| premium of their domains to:
|
| * sweeten the pot for both registries and registrars to even
| support all these new domains
| * reduce a squatter / trader / speculator / scalper's ability
| to sit on vast tracts of digital land.
| ryan29 wrote:
| I think first year premium pricing makes a lot of sense.
| I'm not sure what the average time to sell is for a domain
| investor, but say it's 10 years for an easy example.
|
| If you go from a standard registration price of $12 / year
| to a first year premium of $132, you double the 10 year
| carrying cost of a domain. That, naively, means domain
| investors can only speculate on half as many domains.
|
| By having a first year premium price and then dropping
| domains back into the 'standard' tier, you also leave
| registrants with a semblance of price protections via
| section 2.10c of the registry agreement. As-is, premium
| domains have _zero_ guarantees when it comes to premium
| renewal pricing.
|
| There's a lot of room between squeezing domain investors
| and asking registrants to pay $100-1000+ _per year_ for
| premium domains.
| ryan29 wrote:
| > When I see a billboard or print ad with e.g.
| `example.travel`, I read that as a social media handle and not
| a website address like `example.com` would convey.
|
| This is where I think the new gTLDs registries could do better.
| Using your domain as a handle on Bluesky is a perfect example
| of something they could push for to grow the industry, but they
| seem to think the status quo with a sprinkle of price
| discrimination is the winning formula.
|
| Most of the new gTLDs work great as domain verified social
| media handles, but no one is going to use them for that if all
| the good keywords are classified as premium with $100+ annual
| renewal fees. However, if you make them too cheap and they get
| popularized, domain investors will register everything good and
| try to flip them.
|
| I think first year premium pricing strikes a good balance that
| doesn't limit novel, non revenue generating use cases too much.
| Charging $100-200 for the first year causes a very large
| increase in the amount of capital domain flippers need to
| invest to acquire a large portfolio of good names.
|
| If Bluesky catches on I think we could hit a point where non-
| technical people are suddenly shocked when they see someone
| "using their social media handle for a website." Getting back
| to having people understand there's more than just Facebook and
| Twitter would be a step in the right direction IMO, so it would
| be nice to see Bluesky continue to gain popularity.
| zahlman wrote:
| >(Tangentially, the `.sucks` TLD in particular should never
| have been allowed. How many brands out there have to maintain a
| perfunctory registration there just to prevent somebody else
| from doing so?)
|
| The entire reason for allowing that TLD is a presumption that
| _brands are not entitled_ to prevent the registration of
| domains which exists specifically to criticize them.
| jimmySixDOF wrote:
| gTLDs also have cost risks like when .tech was taken over by a
| holding company and then 3x the registration price. Who knows
| about next year and the year after that.
| dist-epoch wrote:
| If you run a business you can buy the domain for 10 years,
| right?
| anonymouscaller wrote:
| As much as some gTLDs are known for spam, it's dangerous to
| generalize certain domains as spam. I used to run a website with
| a somewhat niche gTLD and it was a headache getting blocked by
| spam filters who just blocked *.mygTLD
| hoistbypetard wrote:
| > John Levine is author of the book "The Internet for Dummies"
| and president of CAUCE. Levine said adding more TLDs without a
| much stricter registration policy will likely further expand an
| already plentiful greenfield for cybercriminals.
|
| Holy shit. CAUCE is a name I haven't heard in a long time. He's
| been around for a while and is one of the good ones.
| paxys wrote:
| Domain names becoming cheaper (and having greater variety) is a
| _good_ thing. Yes that comes with an equivalent rise in scam
| domains, but the answer isn't to add further barriers to entry
| for everyone else.
| anticorporate wrote:
| My primary catch-all email domain for accounts is at a silly TLD
| (.rodeo).
|
| My biggest complaint is that some large retailers/services
| completely refuse to believe it is a valid domain. (I'm looking
| at you, Walgreens. You blocked me during a pandemic from signing
| up for a vaccine with my actual email address, which is why
| fuckwalgreens@myother.domain is now my email in your system.)
| CarpaDorada wrote:
| If you see a phishing link, you can perform a DNS A record
| request to find their IPs, typically behind Cloudflare. You can
| report them to Cloudflare. Their WHOIS record will tell you who
| their registrar is, and again you can report them there too. If
| they use URL shorteners, you can report those.
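The reporting steps in this comment, as an added example that is not part of the original thread: a small Python triage script that takes a suspected phishing URL, works out the registrable domain, checks whether the A records sit in Cloudflare's ranges, pulls the registrar and abuse contact from WHOIS text, and lists where to report. DNS and WHOIS lookups are passed in as callables so it runs offline on constructed placeholder data; the Cloudflare ranges are a subset of the published list.

```python
"""Offline triage of a suspected phishing URL: registrable domain -> A records
-> Cloudflare-fronted? -> registrar and abuse contact from WHOIS -> report targets.
Added example, not from the HN thread. Live DNS/WHOIS lookups are injected as
callables (swap in dnspython / a WHOIS client for real use)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/);
# a real tool should fetch the current full list.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]
# Well-known URL shorteners; a link routed through one is also reported there.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def registrable_domain(url):
    """Last two host labels. Stand-in for a Public Suffix List lookup, which is
    needed for ccTLD second-level domains such as .co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_cloudflare(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def parse_whois(text):
    """Extract registrar and abuse mailbox from 'Key: value' WHOIS output.
    The ':' directly after the key keeps 'Registrar URL:' from matching 'Registrar:'."""
    out = {}
    for key in ("Registrar", "Registrar Abuse Contact Email"):
        m = re.search(rf"^\s*{re.escape(key)}:\s*(\S.*?)\s*$", text, re.MULTILINE)
        if m: out[key] = m.group(1)
    return out

def triage(url, resolve_a, whois_lookup):
    """resolve_a(domain) -> list of IPv4 strings; whois_lookup(domain) -> raw WHOIS text."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(url)
    ips = resolve_a(domain)
    whois = parse_whois(whois_lookup(domain))
    report_to = []
    if host in SHORTENERS:
        report_to.append(f"shortener abuse desk ({host})")
    if any(is_cloudflare(ip) for ip in ips):
        report_to.append("Cloudflare abuse form (CDN fronting the host)")
    if whois.get("Registrar Abuse Contact Email"):
        report_to.append(f"registrar abuse contact {whois['Registrar Abuse Contact Email']}")
    return {"domain": domain, "ips": ips,
            "registrar": whois.get("Registrar"), "report_to": report_to}

# Constructed sample data: placeholder domain and registrar, not a real registration.
SAMPLE_URL = "https://login.phish-example.shop/verify?id=1"
SAMPLE_WHOIS = """Domain Name: PHISH-EXAMPLE.SHOP
Registrar URL: http://registrar.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
"""
```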
| acheron wrote:
| on the other hand, new TLDs make ICANN a lot of money, and isn't
| that the important thing?
| billy99k wrote:
| A friend of our family almost got scammed from a .top domain.
| They convinced her she needed 'tech support' and transferred
| $30,000 from her savings to checking and tried to get her to go
| to the bank to get more money. She got suspicious and got new
| bank accounts and thankfully didn't get any actual money stolen.
|
| She's retired and it could have ruined her financially. I don't
| think she realizes how close she was to this.
|
| The software they used bypassed Windows Defender because it was
| legitimate software called 'ScreenConnect'. I was able to remove
| it pretty easily. It looked like a reverse-shell attached to a
| Windows service (small .exe with no front-end).
| xg15 wrote:
| I wonder if part of the "business model" behind the ever-growing
| gTLD list is that all the companies with well-known brands
| essentially _have_ to also register their brand under the new TLD
| as well if they don't want to risk it being taken by criminals
| or competitors.
|
| Why only make money _once_ by selling apple.com if you can also
| sell apple.biz, apple.xyz, apple.froom etc ad infinitum?
| undersuit wrote:
| Ultimately every trademark/company has to buy all the domains
| under their soon to be gTLDed trademark/company.
|
| apple.* takes time to gather revenue. *.apple gathers an
| infinite amount of money quicker.
| fortran77 wrote:
| I once worked for a big Hollywood studio and they finally
| stopped registering their name in every new .tld. They reasoned
| that if anyone used the domain in a way that is a trademark
| violation, then they could shut them down in court. Otherwise,
| they'd be chasing ever-increasing (extortion) rates for each
| new .tld.
| ChrisArchitect wrote:
| Dunno why he had to single out those 3 TLDs in his title. Doesn't
| really matter that they're the most registered, there's soooo
| many TLDs now and all equally susceptible to phishing use because
| users aren't looking closely enough (nor should they really?
| nobody even knows what a browser is vs 'the internet') or there's
| no way for anyone to know what's official etc. We needed more
| TLDs in general, this is just a side effect of the scale.
| miohtama wrote:
| On a similar note, it would be nice to see a number for how many
| .net and .com domains are squatted.
| Havoc wrote:
| I've got a somewhat questionable tld for my main email address
| (really nice short one)
|
| So far zero issue - somewhat to my surprise (was expecting
| delivery issues). Even got some compliments from people that
| thought it's great
| torton wrote:
| When I used to run my own email, .top and .xyz received an
| automatic -10 on spam evaluation. I can't remember a single
| legitimate website that I actually used and would have had an
| account on from these TLDs; all I ever saw was spam.
| a-loup-e wrote:
| I see a lot of personal blogs that use .xyz here on HN.
| snats wrote:
| I use .XYZ because it was pretty cheap when I bought it
| carbine wrote:
| I do too, aesthetically it's great. Unfortunately the rise
| in phishing from xyz domains means if you use it to send
| email your deliverability is likely to suck.
| forty wrote:
| I thought the same, out of the 5 domains listed, I'm not sure I
| have used any legitimate website using them, so I might as well
| block them entirely
| cristoperb wrote:
| I hope this sentiment isn't too widespread... I use .xyz for my
| personal blog and primary email :shrug:
| moelf wrote:
| I love https://frame.work/ though
| davb wrote:
| I use a .xyz for my personal domain (I could get my real name as
| the domain, and it was cheap). I use FastMail for email.
| Deliverability has been fine, with one exception - Radisson Red
| hotels. I've had two occasions in the last year when I've needed
| to email different Radisson Red properties, and both silently
| dropped emails from .xyz domains.
| annoyingnoob wrote:
| I've been blocking .shop, .top, .xyz, and several other new TLDs
| but only specific TLDs where we see high (or all) spam. For our
| org, this means I also block .in and .jp in SMTP, as those are
| almost exclusively spam for us too.
| Animats wrote:
| It's open season on suckers.
|
| With a new crypto-friendly administration coming in, it's going
| to get much worse. If you haven't been following this, there's a
| whole industry pushing "meme coins" via pump and dump operations.
| Some even admit they are pump and dump operations.
| soygem wrote:
| >xyz
| >new
| >doesn't mention .zip
|
| Krebsisters, it's so over
| notatoad wrote:
| it seems like if this is a problem, then the whole domain system
| is a problem.
|
| there's nothing that makes .top or .xyz more problematic than
| .net or .org. if the assertion is that it's too confusing for
| people to pay attention to all the parts of a domain name, then
| why do domain names continue to have multiple parts? let's just
| deprecate everything other than .com and be done with it.
___________________________________________________________________
(page generated 2024-12-03 23:00 UTC)