Phish-Friendly Domain Registry '.top' Put On Notice (krebsonsecurity.com)

Investigative journalist and cybersecurity expert Brian Krebs writes: The Chinese company in charge of handing out domain names ending in ".top" has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in ".com." On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD). Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.

"Based on the information and records gathered through several weeks, it was determined that .TOP Registry does not have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse," the ICANN letter reads (PDF). ICANN's warning redacted the name of the recipient, but records show the .top registry is operated by a Chinese entity called Jiangsu Bangning Science & Technology Co. Ltd. Representatives for the company have not responded to requests for comment.

Domains ending in .top were represented prominently in a new phishing report released today by the Interisle Consulting Group, which sources phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. Interisle's newest study examined nearly two million phishing attacks in the last year, and found that phishing sites accounted for more than four percent of all new .top domains between May 2023 and April 2024. Interisle said .top has roughly 2.76 million domains in its stable, and that more than 117,000 of those were phishing sites in the past year.

  • .top is not the top offender, .com is. Just block new dot com domains from being issued. Also make all dot com owners pay a policing fee. Dot com owners have gotten away with far too much for far too long. They need to start paying up or face consequences.

    • by taustin ( 171655 )

      It isn't about who gets the most complaints, it's about who ignores the complaints they get.

      These are two different things, and the difference matters.

      • by Rei ( 128717 )

        All I know is, this looks like bad news for my massive phishing botnet :(

  • block them (Score:4, Informative)

    by awwshit ( 6214476 ) on Wednesday July 24, 2024 @07:03PM (#64653346)

    I block .top and a bunch of other newer/less-used TLDs in SMTP because we only get spam/phishing from them.

    • In terms of email, if it's not .com or a Western country TLD I really only see a need for allowing mail from China since so much is manufactured there.

      For web sites I'm a bit more relaxed.

    • by kmoser ( 1469707 )

      That's really the way to do it. Who cares what the registrar does? There are some well maintained blocklists out there, and if these phishing TLDs are really as prevalent as people say, ISPs, mail providers, etc. will simply block mail and other traffic from the .top TLDs that are the worst offenders, rendering them useless.
  • by Arrogant-Bastard ( 141720 ) on Wednesday July 24, 2024 @08:20PM (#64653436)

    The .top TLD has been a massive problem from the moment it was launched -- and it's not the only one, not even close. I'm involved in a project which monitors domains and we've looked at hundreds of millions of domains over the past 20+ years. Summary: registrars have completely failed to take even rudimentary steps to stop abuse -- no doubt because abusers are their best/largest/repeat customers -- and as a result of this, best practice is to block entire TLDs.

    For example: we're aware of just over 29 million .top domains and we've found less than 100 that we believe are truly legitimate. (And one must ask: why would anyone doing something legitimate choose to locate in the .top TLD? Even if they're honest people doing honest things, they have incredibly poor judgment.)

    I strongly recommend blocking .top in your MTA (if you're running one), using DNS RPZ to block it in your DNS servers (if any), and using your outbound web proxy (if any) to block access to any web site in it. Yes, it's possible that you'll need to punch a hole in this for some domain because some user needs it: but unless you're a large operation, that's unlikely. I make this recommendation because there's no chance of fixing this: even if Jiangsu Bangning responds, I can pretty much guarantee that whatever they do will be the very minimum necessary to placate ICANN, so that they can go right back to work providing services to as many phishers, spammers, typosquatters, etc. as possible.

    I further recommend that you do the same thing for every one of the new TLDs, unless you have an operational reason to do otherwise. Several of us have been doing this on production networks for many years, and our aggregate experience is that the sporadic issues that this causes (all of which can be fixed by creating point exceptions) are very minor, particularly when weighed against the enormous reduction in attack surface that this strategy yields.

    Let me note that we also do this with new TLDs as soon as they're announced. There's no point in waiting for them to go live: we know the abuse is coming, there's no reason to wait for it before taking action.
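The "block the whole TLD, punch point exceptions where a user needs them" approach in the two comments above (awwshit's SMTP block and Arrogant-Bastard's MTA / DNS RPZ / proxy recommendation) can be kept as one policy and rendered for each enforcement point. The script below is an added example written for this page, not code from the thread or from any poster; the TLDs, exception domain, sender addresses and zone origin are all constructed for illustration, and the Postfix map it emits assumes a `check_sender_access pcre:` lookup is already wired into `smtpd_sender_restrictions`.

```python
"""Added example, not from the Slashdot thread or any poster: a small policy
engine that blocks entire TLDs with point exceptions, and renders that policy
for the enforcement points described above (MTA, DNS RPZ, web proxy).
Every TLD, domain and sender address here is constructed for illustration."""

import re

# Constructed policy: TLDs refused outright, plus hypothetical point exceptions
# that someone has an operational reason to keep reachable.
BLOCKED_TLDS = {"top", "xyz"}
EXCEPTIONS = {"partner-supplier.top"}


def normalise(hostname: str) -> str:
    """Lowercase and strip a trailing dot so 'Evil.TOP.' and 'evil.top' compare equal."""
    return hostname.strip().rstrip(".").lower()


def tld_of(hostname: str) -> str:
    """Last DNS label of a hostname ('' for an empty name)."""
    h = normalise(hostname)
    return h.rsplit(".", 1)[-1] if h else ""


def is_excepted(hostname: str, exceptions) -> bool:
    """True if the hostname is an excepted domain or lies beneath one."""
    h = normalise(hostname)
    return any(h == e or h.endswith("." + e) for e in exceptions)


def decide(hostname: str, blocked=BLOCKED_TLDS, exceptions=EXCEPTIONS) -> str:
    """Policy verdict for a hostname: 'allow', 'block' or 'exception'.
    Usable as-is from a web-proxy ACL helper or an MTA policy hook."""
    if tld_of(hostname) not in blocked:
        return "allow"
    return "exception" if is_excepted(hostname, exceptions) else "block"


def sender_domain(envelope_from: str) -> str:
    """Domain part of an SMTP MAIL FROM address; '' for the null sender '<>'."""
    addr = envelope_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def evaluate_senders(envelope_froms):
    """Verdict per envelope sender. The null sender (bounces) has no domain and
    therefore passes, so a TLD block never swallows delivery status reports."""
    return {s: decide(sender_domain(s)) for s in envelope_froms}


def rpz_zone(blocked, exceptions, origin="rpz.local"):
    """Render a BIND-style response policy zone. 'CNAME .' answers NXDOMAIN for
    a blocked TLD and everything under it; 'CNAME rpz-passthru.' exempts an
    exception. RPZ applies the longest matching name, so the exception records
    override the TLD wildcard."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. 1 3600 600 86400 60",
        f"@ IN NS ns.{origin}.",
    ]
    for tld in sorted(blocked):
        lines += [f"{tld} CNAME .", f"*.{tld} CNAME ."]
    for dom in sorted(exceptions):
        lines += [f"{dom} CNAME rpz-passthru.", f"*.{dom} CNAME rpz-passthru."]
    return "\n".join(lines) + "\n"


def postfix_pcre_map(blocked, exceptions):
    """Render a Postfix pcre: access map for check_sender_access. Exceptions come
    first (DUNNO leaves the decision to later restrictions); blocked TLDs reject."""
    lines = [f"/@(?:.+\\.)?{re.escape(dom)}$/i DUNNO" for dom in sorted(exceptions)]
    for tld in sorted(blocked):
        lines.append(f"/\\.{re.escape(tld)}$/i REJECT sender TLD .{tld} is blocked")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed envelope senders, as an MTA would see them.
    for sender, verdict in evaluate_senders(
        ["<user@evil.top>", "<>", "<ops@partner-supplier.top>", "<a@example.com>"]
    ).items():
        print(f"{sender:32} {verdict}")
    print(rpz_zone(BLOCKED_TLDS, EXCEPTIONS))
    print(postfix_pcre_map(BLOCKED_TLDS, EXCEPTIONS))
```

Keeping the blocklist and the exceptions in one place and generating the per-system artifacts from it is what makes the "point exceptions" cheap: adding one domain to `EXCEPTIONS` regenerates the passthru records and the DUNNO line together, instead of being patched by hand in three configs.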
  • Yeah, I suspected this was only news because it mentions China and Americans love to hate China.
    However, I didn't really know either way, but reading the consensus here, it seems my suspicions are correct.

    It's just more anti-China hate.

    So, since anti-China news is usually an attempt to distract, I wonder what we should be paying attention to, but aren't.

    • organ harvesting, re-education camps, Muslim genocide, political violence, police state, probable COVID outbreak source etc... where is the good stuff that China does, and whom does it benefit?
  • Oh well, it's time to hit them with the meatstick either way.

  • Time to register s.top
  • I run several email servers all around the world and the .TOP TLD has been blocked for a few years now. We have been receiving literally ZERO legitimate emails from that TLD, so we simply blocked it among a few others.

  • When I was getting into the ISP business in the 90's, there was some entity pushing an addition to the root DNS. At the time, I think General Atomics was bowing out and Network Solutions was poised to be the insanely $$$ winner. (Hi Kim, hope you made millions from NS. And I probably dealt with you later getting my /19.)

    Anyway, this "alternic?" asked us to use their root servers to go to the accepted .com, .mil, .org, and country codes to go to the usual servers, but they wanted to add all kinds of TLDs, e
