Login
Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.
.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.
That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.
.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.
Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.
“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”
Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.
“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”
Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.
“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”
Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.
In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.
Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the US.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.
GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.
“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.
GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”
“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”
Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.
“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great’s Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”
The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.
Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.
In a written statement, the NTIA said DNS abuse is a priority issue for the agency, and that NTIA supports “evidence-based policymaking.”
“We look forward to reviewing the report and will engage with our contractor for the .US domain on steps that we can take not only to address phishing, but the other forms of DNS abuse as well,” the statement reads.
Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).’
Update, Sept. 5, 1:44 p.m. ET: Updated story with statement provided today by the NTIA.
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.
The volume of phishing websites registered through Freenom dropped considerably since the registrar was sued by Meta. Image: Interisle Consulting.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, but the registrar also reserves the right to take back free domains at any time, and to divert traffic to other sites — including adult websites. And there are countless reports from Freenom users who’ve seen free domains removed from their control and forwarded to other websites.
By the time Meta initially filed its lawsuit in December 2022, Freenom was the source of well more than half of all new phishing domains coming from country-code top-level domains. Meta initially asked a court to seal its case against Freenom, but that request was denied. Meta withdrew its December 2022 lawsuit and re-filed it in March 2023.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” Meta’s complaint charged. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta pointed to research from Interisle Consulting Group, which discovered in 2021 and again last year that the five ccTLDs operated by Freenom made up half of the Top Ten TLDs most abused by phishers.
Interisle partner Dave Piscitello said something remarkable has happened in the months since the Meta lawsuit.
“We’ve observed a significant decline in phishing domains reported in the Freenom commercialized ccTLDs in months surrounding the lawsuit,” Piscitello wrote on Mastodon. “Responsible for over 60% of phishing domains reported in November 2022, Freenom’s percentage has dropped to under 15%.”
Interisle collects data from 12 major blocklists for spam, malware, and phishing, and it receives phishing-specific data from Spamhaus, Phishtank, OpenPhish and the APWG Ecrime Exchange. The company publishes historical data sets quarterly, both on malware and phishing.
Piscitello said it’s too soon to tell the full impact of the Freenom lawsuit, noting that Interisle’s sources of spam and phishing data all have different policies about when domains are removed from their block lists.
“One of the things we don’t have visibility into is how each of the blocklists determine to remove a URL from their lists,” he said. “Some of them time out [listed domains] after 14 days, some do it after 30, and some keep them forever.”
Freenom did not respond to requests for comment.
This is the second time in as many years that a lawsuit by Meta against a domain registrar has disrupted the phishing industry. In March 2020, Meta sued domain registrar giant Namecheap, alleging cybersquatting and trademark infringement.
The two parties settled the matter in April 2022. While the terms of that settlement have not been disclosed, new phishing domains registered through Namecheap declined more than 50 percent the following quarter, Interisle found.
Phishing attacks using websites registered through Namecheap, before and after the registrar settled a lawsuit with Meta. Image: Interisle Consulting.
Unfortunately, the lawsuits have had little effect on the overall number of phishing attacks and phishing-related domains, which have steadily increased in volume over the years. Piscitello said the phishers tend to gravitate toward registrars that offer the least resistance and lowest price per domain. And with new top-level domains constantly being introduced, there is rarely a shortage of super low-priced domains.
“The abuse of a new top-level domain is largely the result of one registrar’s portfolio,” Piscitello told KrebsOnSecurity. “Alibaba or Namecheap or another registrar will run a promotion for a cheap domain, and then we’ll see flocking and migration of the phishers to that TLD. It’s like strip mining, where they’ll buy hundreds or thousands of domains, use those in a campaign, exhaust that TLD and then move on to another provider.”
Piscitello said despite the steep drop in phishing domains coming out of Freenom, the alternatives available to phishers are many. After all, there are more than 2,000 accredited domain registrars, not to mention dozens of services that let anyone set up a website for free without even owning a domain.
“There is no evidence that the trend line is even going to level off,” he said. “I think what the Meta lawsuit tells us is that litigation is like giving someone a standing eight count. It temporarily disrupts a process. And in that sense, litigation appears to be working.”
The domain name registrar Freenom, whose free domain names have long been a draw for spammers and phishers, has stopped allowing new domain name registrations. The move comes after the Dutch registrar was sued by Meta, which alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.
Freenom’s website features a message saying it is not currently allowing new registrations.
Freenom is the domain name registry service provider for five so-called “country code top level domains” (ccTLDs), including .cf for the Central African Republic; .ga for Gabon; .gq for Equatorial Guinea; .ml for Mali; and .tk for Tokelau.
Freenom has always waived the registration fees for domains in these country-code domains, presumably as a way to encourage users to pay for related services, such as registering a .com or .net domain, for which Freenom does charge a fee.
On March 3, 2023, social media giant Meta sued Freenom in a Northern California court, alleging cybersquatting violations and trademark infringement. The lawsuit also seeks information about the identities of 20 different “John Does” — Freenom customers that Meta says have been particularly active in phishing attacks against Facebook, Instagram, and WhatsApp users.
The lawsuit points to a 2021 study (PDF) on the abuse of domains conducted by Interisle Consulting Group, which discovered that those ccTLDs operated by Freenom made up five of the Top Ten TLDs most abused by phishers.
“The five ccTLDs to which Freenom provides its services are the TLDs of choice for cybercriminals because Freenom provides free domain name registration services and shields its customers’ identity, even after being presented with evidence that the domain names are being used for illegal purposes,” the complaint charges. “Even after receiving notices of infringement or phishing by its customers, Freenom continues to license new infringing domain names to those same customers.”
Meta further alleges that “Freenom has repeatedly failed to take appropriate steps to investigate and respond appropriately to reports of abuse,” and that it monetizes the traffic from infringing domains by reselling them and by adding “parking pages” that redirect visitors to other commercial websites, websites with pornographic content, and websites used for malicious activity like phishing.
Freenom has not yet responded to requests for comment. But attempts to register a domain through the company’s website as of publication time generated an error message that reads:
“Because of technical issues the Freenom application for new registrations is temporarily out-of-order. Please accept our apologies for the inconvenience. We are working on a solution and hope to resume operations shortly. Thank you for your understanding.”
Image: Interisle Consulting Group, Phishing Landscape 2021, Sept. 2021.
Although Freenom is based in The Netherlands, some of its other sister companies named as defendants in the lawsuit are incorporated in the United States.
Meta initially filed this lawsuit in December 2022, but it asked the court to seal the case, which would have restricted public access to court documents in the dispute. That request was denied, and Meta amended and re-filed the lawsuit last week.
According to Meta, this isn’t just a case of another domain name registrar ignoring abuse complaints because it’s bad for business. The lawsuit alleges that the owners of Freenom “are part of a web of companies created to facilitate cybersquatting, all for the benefit of Freenom.”
“On information and belief, one or more of the ccTLD Service Providers, ID Shield, Yoursafe, Freedom Registry, Fintag, Cervesia, VTL, Joost Zuurbier Management Services B.V., and Doe Defendants were created to hide assets, ensure unlawful activity including cybersquatting and phishing goes undetected, and to further the goals of Freenom,” Meta charged.
It remains unclear why Freenom has stopped allowing domain registration. In June 2015, ICANN suspended Freenom’s ability to create new domain names or initiate inbound transfers of domain names for 90 days. According to Meta, the suspension was premised on ICANN’s determination that Freenom “has engaged in a pattern and practice of trafficking in or use of domain names identical or confusingly similar to a trademark or service mark of a third party in which the Registered Name Holder has no rights or legitimate interest.”
A spokesperson for ICANN said the organization has no insight as to why Freenom might have stopped registering domain names. But it said Freenom (d/b/a OpenTLD B.V.) also received formal enforcement notices from ICANN in 2017 and 2020 for violating different obligations.
A copy of the amended complaint against Freenom, et. al, is available here (PDF).
March 8, 6:11 p.m. ET: Updated story with response from ICANN. Corrected attribution of the domain abuse report.
FreshRSS 