RSA: The TLD Explosion

One of Thursday's RSA sessions discussed the sudden rise of thousands of new top-level domains (TLDs) and some previously unexplored areas that are now subject to abuse. Chris Larson and Daniel Hardman, researchers at Blue Coat, presented some background and findings. With only a few TLDs available, most notably .com, the problem was that all the "good" domain names were already taken. To solve this and provide more options, ICANN and IANA began approving thousands more TLDs. Unfortunately (as covered in our Q3 2015 Cloudmark Threat Report), these TLDs are not well known to the public, nor are they well regulated, and so they are subject to high levels of abuse.

For Blue Coat, a network security company, .xyz was a particular problem, but the owner of .xyz reached out to them to help clean up the TLD. .xyz alone had over 2 million domains, so with the .xyz owner's help, they set up an abuse tracking system. By looking for patterns instead of playing whack-a-mole, they were able to notify registrars, investigate payment fraud (because domains used for criminal activity are often paid for illicitly), and contact registrants to observe their response. This brought down the level of abuse dramatically.

Blue Coat started releasing information about the most abused new TLDs and showed that .zip had a 100% rate of abuse, which is impossible, because .zip is not a TLD. The reason for this is a new ambiguity in the omnibox of web browsers, which can interpret searches (in this case, for .zip files) as requests for .zip websites. This resulted in a lot of unresolved web traffic, which looked suspicious and was marked as such. They found evidence that this was happening to their customers too, as .zip was showing up in customer submissions for blacklisting. As for the omnibox issue, Chromium has marked it Won't Fix. The bug for Mozilla's Firefox browser is still open.

Curious, they investigated .date, which had been set up for dating websites. At the time, it had zero registrants, which seemed a missed opportunity for spammers. They then discovered that there are a lot of collisions between .date and various programming languages, meaning that one could theoretically register, for example, java.util.date as a website, assuming you were willing to pay $650. Cloudmark has found that expensive domains are far less likely to be abused, so this price would tend to discourage abuse. Still, this could be combined with the omnibox issue to allow an attacker to trick someone into "searching" for a Java class, only to have the omnibox take them to a website of the same name. The site could contain any number of malicious behaviors. This hasn't been abused yet, but they believed it was important to get the word out so people were aware of the problem before it started. They also created a tool on GitHub called ns-gtld-collide that can help find these collisions.
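The collision check the session described (an identifier or filename whose last dot-separated label is a delegated TLD, so an omnibox may treat it as a hostname) can be scripted. The following is an added example written for this post, not Blue Coat's ns-gtld-collide tool; it assumes a constructed TLD set in place of the IANA root zone list, and the identifier list is likewise constructed.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample of delegated TLDs for this demo. A real check would load the
# IANA list at https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
SAMPLE_TLDS: Set[str] = {"com", "net", "org", "xyz", "date", "io"}

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_hostname(token: str) -> bool:
    """True if a browser omnibox could plausibly treat token as a hostname, not a search."""
    if " " in token or len(token) > 253:
        return False
    labels = token.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def colliding_tld(token: str, tlds: Set[str]) -> Optional[str]:
    """Return the TLD under which token would be a registrable name, or None."""
    if not looks_like_hostname(token):
        return None
    last = token.rsplit(".", 1)[1].lower()  # DNS names are case-insensitive
    return last if last in tlds else None


def find_collisions(tokens: Iterable[str], tlds: Set[str] = SAMPLE_TLDS) -> Dict[str, str]:
    """Map every token that collides with a delegated TLD to that TLD."""
    result: Dict[str, str] = {}
    for tok in tokens:
        tld = colliding_tld(tok, tlds)
        if tld:
            result[tok] = tld
    return result


if __name__ == "__main__":
    # Constructed identifiers and filenames a user might type into the omnibox.
    sample = ["java.util.Date", "scipy.io", "report.zip", "foo_bar.date", "os.path.join"]
    for name, tld in find_collisions(sample).items():
        print(f"{name}: last label '.{tld}' is a delegated TLD; consider a defensive registration")
```

Names the script flags are candidates for defensive registration or for a warning in internal documentation; .zip is not flagged here because, as the session noted, it was not a delegated TLD.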