
Opening Phishing Holes with New Top-Level Domains

You’re used to seeing domains ending in .com, .net, and many other of
what are called the top-level domains.

But … .bank? .microsoft? .paypal?

Perhaps even .leo? .askleo?

ICANN, the Internet Corporation for Assigned Names and Numbers, is in the
process of rolling out the ability to purchase your own top level domain. It’s
not cheap (you won’t be seeing .askleo any time soon), but it is
happening.

Unfortunately, one of the expected side effects is a massive increase in
phishing attempts. And if you’re not careful, you could fall victim.


New top-level domains

The concept is very simple: there’s no technical reason that the internet should be limited to domains that all end in one of a small set of tightly controlled top-level domains or TLDs.

They are somewhat useful – aside from the ubiquitous .com, .net, and other generic TLDs (gTLDs) – most of the existing TLDs are used to identify the country of registration. Even though some countries don’t restrict registration (Bit.ly, for example, is not related to Libya, and about.me has nothing to do with Montenegro), many, if not most, do.

But those are all standards of convenience – there’s really no technical reason that TLDs need to be limited to only that set.

And, beginning this year, they won’t be.

For the modest sum of $185,000 US, you can apply for a new, generic top-level domain (there is an application process and certain requirements must be met).

Assuming that you are successful and gain ownership of that domain, then you control what happens on that entire top level domain. Were I to own .leo then I could create ask.leo as a domain for my website or mail. (Don’t worry, I don’t have a spare $185,000 to do it.)

The controversy

The introduction of new, open gTLDs has been fairly controversial.

Some have likened it to a protection racket, encouraging companies and other institutions to purchase related top level domains, even if they had no intention of using it. “I’d sure hate to see someone register your gTLD and damage your name – but for only $185,000, you can protect it”.

Many have expressed concerns that ICANN has ignored consistent and negative feedback from the tech community before proceeding with the gTLD expansion.

Regardless of the confusion, or even the varying opinions on the matter, it appears to be here.

The risk to the average user

On the surface, it appears to be fairly benign to the average user, but even without purchasing a single new gTLD, the fact that they might exist enables a whole new world of phishing.

Imagine receiving a message that appears to be from your bank:

Here at [bank name], we’re proud to announce that we’re changing our web address from the old [bank name].com to the fantastic and wonderful for our customers [bank name].bank.

Followed by an obfuscated URL, encouraging you to “login with your credentials” as needed for the change. (See Coming in your Future! – “An important message from your .bank!” from Lauren Weinstein’s excellent Network Neutrality Squad and People For Internet Responsibility mailing lists for the complete example.)

While the possibilities for phishing attempts leveraging the confusion surrounding domain names far exceed just the potential .bank gTLD, that one alone has enough issues that the European Banking Authority has told ICANN it believes that proposed financially-oriented gTLDs such as .bank are dangerous and should be banned. Beyond simple phishing, the concern here is that having a .bank domain might imply more – such as regulation and perhaps even legitimacy – to consumers than it would actually warrant.


The new TLDs might be moot in practice

What’s interesting here is that the new gTLDs might well be trying to fix something that for all intents and purposes isn’t broken.

Part of that is simply that many people don’t use top-level domains the way we might think. Many don’t type them in at all – ever – relying instead on search engines to act as their navigational portal to the rest of the internet.

For example, Google’s #1 search term for 2011? Facebook. Not because people couldn’t find Facebook, but because they were entering “facebook” into the search engine as their way of going to Facebook.

Facebook’s actual domain would be irrelevant as long as it was the first search result that people would click on.

The same has been true for other popular sites for a long time. The terms “Hotmail” and “Yahoo” have also ranked highly for the exact same reason.

In a world where people use search engines as a primary navigation tool, actual domain names become significantly less relevant, regardless of what top level domain they happen to be on.

What this all means to you

I think it boils down to two very simple things:

  • Distrust new top-level domain names by default. I know I will. I’m not saying avoid them completely, but I am saying think twice before visiting any site that uses a gTLD that you don’t recognize. An overabundance of caution is absolutely called for, particularly until the new ecosystem of domain names and owners settles down.

  • Don’t fall for phishing. This isn’t new, but the risks of phishing attempts that will no doubt accompany the confusion surrounding new top-level domains will be significant. The old adage of not clicking on links in email that you aren’t 100% certain of applies now more than ever. If you’re the least bit uncertain, avoid the email and visit the site that it claims to be from directly – using extreme caution if it’s a new-gTLD-based domain. Consider using a search engine to find the correct URL.
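One way to put those two rules into practice, as an added example that is not from the article: a small Python checker that takes the links in an email body and flags an unfamiliar top-level domain, a destination that is not one of your bookmarked bank domains, and link text that names a different domain than the one the href actually points to (the "hover before you click" check). The domain names and the email body are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the reader has bookmarked for their bank ("examplebank.com" is a placeholder).
TRUSTED_DOMAINS = {"examplebank.com"}

# TLDs the reader chooses to treat as familiar; anything else is flagged ("distrust new TLDs by default").
FAMILIAR_TLDS = {"com", "net", "org", "edu", "gov"}

_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_LOOKS_LIKE_DOMAIN = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)

def registrable_domain(host):
    """Last two labels of a hostname. Fine for gTLDs; ccTLD suffixes like .co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_of(text):
    """Hostname from a URL, or from bare link text that looks like a domain."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def assess_link(href, shown_text):
    """Return the red flags for one link; an empty list means none were found."""
    reasons = []
    target = host_of(href)
    if not target:
        return ["href has no hostname"]
    tld = target.rsplit(".", 1)[-1]
    if tld not in FAMILIAR_TLDS:
        reasons.append("unfamiliar top-level domain ." + tld)
    if registrable_domain(target) not in TRUSTED_DOMAINS:
        reasons.append("destination " + target + " is not a bookmarked domain")
    # The hover check: visible text names one domain while the href points at another.
    shown = host_of(shown_text) if _LOOKS_LIKE_DOMAIN.search(shown_text) else ""
    if shown and registrable_domain(shown) != registrable_domain(target):
        reasons.append("link text shows " + shown + " but points to " + target)
    return reasons

def check_email_links(html):
    """Map every href in an HTML email body to its list of red flags."""
    return {href: assess_link(href, text) for href, text in _ANCHOR.findall(html)}

# Constructed message in the style of the ".bank" announcement the article describes.
SAMPLE_EMAIL = (
    '<p>We are moving from examplebank.com to examplebank.bank!</p>'
    '<a href="https://login.examplebank.bank/verify">https://www.examplebank.com/login</a> '
    '<a href="https://www.examplebank.com/">examplebank.com</a>'
)
```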

Hopefully, with luck and a little bit of caution, we’ll look back in a few years and think of this as a non-issue. Unfortunately, the risks until then remain high.


10 comments on “Opening Phishing Holes with New Top-Level Domains”

  1. A student of mine was a member of the ICANN. He told me in 2003 (or thereabouts) that Microsoft, Google and a couple of other giants were pushing for open top level domains. At the time they rejected this request because it would create an unfair advantage for large companies where smaller companies would have a disadvantage in having to open up subdomains in each new top level which was created. For example a lot of companies would have the expense of creating a subdomain for .shop or .electronics.

  2. The first thing I thought about when I heard about the new top levels was phishing, mainly because I’m an IT guy for a small office and it has taken me 6 YEARS to educate my users how to identify phishes. They know to hover over a link before clicking it but it’s the complicated addresses that they always get confused about. I can only imagine how the spammer’s/phisher’s creativity is going to manifest itself in the coming years.

  3. Leo, This is good information, as always. I really appreciate your advice on cyber matters. You put it in plain English which I understand. It must take hours of your time researching so you can make it easier for us out here on the planet. Just a big thank you for your generous contribution for our benefit. Thanks for you and your site. Fran

  4. g for Generic Top Level Domains is going to really make the phishing good for the phishers. :-(

    Thanks Leo for alerting this very PARANOID reader of yours about gTLD about to be hatched.

    I use Dr. Web Link Checker to check links in Thunderbird emails and links in Firefox before clicking on them to see if the link is safe for me to go to.

    BTW I am one of those who use a Search Engine regularly to get the CORRECT address to some web sites that I want to visit.

    But I will look for the Green McAfee SiteAdvisor indicator to the right of the listing in the result list, and also look for the Green Web Of Trust (WOT) indicator.

    Both of the above are Add On Extensions I have in Firefox and I depend on them.

    Again, Thanks for ALL You do for US!

    God Bless You And Yours!

  5. ONE LAST IMPORTANT POINT:

    Before trusting any “announcement” that your bank has, in fact, moved to a new “*.bank” domain, your best bet is to visit its site under the old “.com” domain, and look for an announcement there to that effect.

    THAT’S the place to look. Because if, in fact, they are making any such move, they will be announcing it there, on the OLD domain site — and PROMINENTLY too, since it will soon be defunct. If you see NO such announcement, IT AIN’T HAPPENING — period.

    And if you are STILL in doubt of this, use your bank’s “secure E-Mail” function (all online banks have one) to enquire on the matter!

  6. Another thing to keep in mind is that your bank will never move to another top level domain. They may add a new one to have a presence there, but they would never close the old one nor require their customers to switch to the new one.

  7. Phishers and other con artists are usually fly-by-night operations. Do you really think that they are going to invest the time and money to even get such a domain?

    They don’t have to. They simply play on the confusion around the existence of those domains.

    Leo
    22-Jun-2012
  8. I am generally against the new gTLDs, but I have for long been an advocate of .BANK, not as an open TLD, but a restricted one. Banking is a highly regulated industry and it is possible to enforce that only genuine banks would be able to have a domain name in .BANK and they should not have any other TLD. If they have, it should redirect to the .BANK name. For consumers also it will be very distinctively easy to remember that anything to do with bank must land at a URL ending in .BANK.

    It cannot be misused if the concerned authorities use it restrictively like .GOV.

  9. The biggest tip I have for banking is to find the proper link for your bank and save it into your favourites. If you ever get an email that you’re unsure of, instead of clicking the link because it might be coded to lead somewhere else, launch the favourite, although check the URL is still the correct one when loading. By loading and logging in from there and not the email link you are avoiding being phished.

