The .US Domain Registry cesspool – Part 2

By December 16, 2023

This post builds upon an observation from our previous quote: “virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse [than the .US ccTLD] due to their policies and oversight”. [1-2] In this installment, we’ll validate this insight through a comparative analysis of four European ccTLDs (country-code Top Level Domains). Additionally, we’ll showcase how DomainTools and Generative AI can deepen our understanding of these issues, paving the way for remediation.

Our investigation began by building a peer group data collection of European ccTLDs comparable in size to the .US ccTLD. We used DomainTools TLD Statistics [3] as our data source. (Figure 1) We selected .eu, .ch (Switzerland), .pl (Poland), .es (Spain), and .us (United States). 

Figure 1. DomainTools: Domain Count Statistics for TLDs

Next, we built an analytical data set using the DomainTools Iris® Internet Intelligence Platform. [4] We selected all domains first seen within the last 90 days, filtering for those with a high risk score (95+ out of 100) according to DomainTools classifiers. (Table 1, Figure 2). The .us ccTLD risk ratio was more than triple that of the next highest (.pl) and 14 times higher than .es ccTLD. (Figure 3)

Table 1. Summary Table Derived from DomainTools using Iris

Figure 2. newly observed domain names with high risk domain names in per group within last 90 days
Figure 3. high risk domain names as % of total newly observed domains within last 90 days

While this data indicates a significantly higher reputational risk for the .us ccTLD, it does not explain possible reasons behind it. Machine Learning classifiers used for domain modeling consider numerous domain features, such as domain age, TLD, hosting provider, registration costs, domain name string patterns and length, registrar information, etc. [5-6]. Registrars play a crucial role in domain management. NameSilo and Namecheap have been flagged by Infoblox and the Interisle Consulting Group for lax oversight, [7-8] and are among those few that accept cryptocurrency payments, which is often an indicator of malicious activity. [9-10]

The correlation of the largest lax registrars with malicious .us ccTLD domains is dramatic.  As shown in Table 2, NameSilo, Namecheap and Porkbun are responsible for more than 75% of the malicious domain registrations. All of these accept cryptocurrency payment. 

Table 2. High-risk .us domains by Registrar

Finally, we enlisted Generative AI to help explain the poor performance of the .us ccTLD. We used both ChatGPT 4.0 and the Bing-Chat feature. While both Chat services provided good answers, we found that the Bing-Chat integration response far exceeded expectations in two respects as shown in Figures 4- 5: 

  • First, its answer succinctly approximated the answer we would have expected from a senior analyst after hours of research. (Figure 5) It highlighted with formatting three reasons: 1) less stringent registration requirements and lower costs, 2) less effective monitoring and enforcement of domain abuse, 3) higher perception of trust among users. We were particularly impressed that it cited the same recent KrebsonSecurity research referenced in our previous research with a link. As a bonus, it even found the image we are using for this post, even though we did not ask for it. [2] 
  • Second, the explanations it provided suggest opportunities for further research in future posts. Stay tuned.
Figure 4. Bing-Chat Integration Prompt for ‘why .US ccTLD has higher phishing rate’
Figure 5. Bing-Chat Integration Answer to prompt for ‘why .US ccTLD has higher phishing rate’

References

  1. Cybercrank – Peering into the .US Domain cesspool shows governance failure in reflection , 9-Nov-2023.
  2. Krebsonsecurity.com – Why is .US Being Used to Phish So Many of Us?   , 9-1-2023. 
  3. DomainTools – Domain Count Statistics for TLDs:  Domain Count Statistics for TLDs
  4. DomainTools – Iris® Internet Intelligence Platform
  5. DomainTools, White Paper –  Detecting Malicious Domains Using Artificial Intelligence and Machine Learning , 11-Dec-2019
  6. EURid – 1st AI-driven proactive suspension system for domain names , 4-Feb-2020 
  7. Infoblox – Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime  , 10-31-2023 
  8. Interisle Consulting Group – Phishing Landscape 2023 , 8-9-2023
  9. Domain Name Wire – A counterparty wanting to use cryptocurrency for a domain is a red flag, 5-11-2021. https://domainnamewire.com/2021/05/11/a-counterparty-wanting-to-use-cryptocurrency-for-a-domain-is-a-red-flag/
  10. Monierate – How to Buy a Domain Name With Bitcoin (Top Registrars), 8-8-2023. https://monierate.com/blog/how-to-buy-a-domain-name-with-bitcoin-top-registrars

3 thoughts on “The .US Domain Registry cesspool – Part 2”

    1. Gerry Eaton

      Thanks for the comment. Generally, DomainTools would consider anything 70+ as high risk. The definition I used was 95+ on the DomainTools scale of 0 – 100

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

Pin It on Pinterest