ICANN report: more hacked domains in legacy gTLDs, more maliciously registered domains in new gTLDs

ICANN announced the publication of the report, “Statistical Analysis of DNS Abuse in gTLDs” [PDF, 2.23 MB].

The study compares rates of DNS abuse between new and legacy gTLDs, and employs inferential statistical analysis to measure the effects of DNSSEC, domain parking, and registration restrictions on abuse rates, using historical data covering the first three full years of the New gTLD Program (2014 – 2016).

Key Findings:

  • The number of “compromised” (i.e. “hacked”) domains appears higher in legacy gTLDs
  • The number of “maliciously registered” domains (i.e. domains registered for malicious purposes) appears higher in new gTLDs
  • Registration restrictions appear to have an impact on reduced abuse rates
  • Abuse counts—or absolute number of abused domains—show relatively constant and higher levels of abuse in legacy gTLDs and an upward trend of abuse in new gTLDs
  • With some exceptions and spikes, rates of phishing and malware domains in new gTLDs, which are based on an “abused domains per 10,000” ratio, tend to be lower than in legacy gTLDs. Phishing and malware trends in new and legacy gTLDs appear to be converging to similar levels by the end of 2016
  • Privacy and proxy service-associated domains do not appear to correlate with abnormally high levels of abuse

It seems natural that the number of hacked domains appears higher in legacy gTLDs, because these are the more valuable domains and the domains with the most traffic. And of course new gTLDs have a higher number of domains registered for malicious purposes, as they are very cheap to register, use and then dump. Cheap registration prices have this effect and may end up with ISPs, IT professionals and regular internet users banning entire extensions.

The study was requested by the Competition, Consumer Trust and Consumer Choice Review Team (CCTRT). In defining the parameters of the study, the CCTRT sought to measure rates of common forms of abusive activities in the domain name system, such as spam, phishing, and malware distribution.

ICANN commissioned the study and it was conducted by researchers from SIDN and the Delft University of Technology. The report is available for public comment through 19 September 2017.


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

One comment

  1. It used to be .info considered to be the spammers’ extension; now cheaper new gTLDs mean cheaper spam outlays ($1 .gdn) … etc
