A roundup of TLDs that were the prime target of cyber attackers in 2024
As an unsuspecting internet user, if you come across an email from someone whose email address ends with a ‘.com’ or ‘.org,’ you might not think twice before opening it. After all, it comes from one of the widely recognized TLDs (top-level domains) out there. But in the context of cybersecurity, not everything that looks legitimate is to be trusted.
It is 2024, and cybercriminals are smarter than ever. They have devised creative ways to abuse the familiarity and trust that users place on popular TLDs. The attackers use ‘.com,’ ‘.net,’ ‘.gov,’ and recently introduced niche TLDs to masquerade as legitimate organizations and forge fairly convincing phishing emails, fraudulent websites, and links to dupe users into giving out their personal information or downloading malware.
That is why it is so important to stay vigilant as to what is going on. To help you navigate this slippery terrain, we have compiled a list of TLDs targeted by cyber attackers this year. We have also put together a list of strategies that attackers employ to target you.
Let’s get into it so we can keep you safe out there.
What are Top-Level Domains (TLDs)?
If you analyze a web address, the segment that appears at the end of the address, after the dot, is called Top-Level Domain (TLD). These TLDs are the main aspect of DNS, which groups websites together by purpose, organization type, or location. For example, .com is largely reserved for commercial websites, .org for non-profit organizations’ websites, .edu for educational institutions, and .gov for websites of government entities. Each TLD tells you about the nature or intent of the website it represents, thus making it easier for users to find and access the relevant online content.
They are broadly categorized into:
Generic TLDs (gTLDs)
- These are the most common TLDs out there and are open to registration by anyone in the public with no restriction to any particular group or area.
- Common examples include .com for businesses, .net for networks, .org for organizations, and the newer ones are .app and .xyz for creative projects.
Sponsored TLDs (sTLDs)
- These TLDs are only available to specific communities, organizations, or industries and are limited to registrants who meet special requirements.
- For example, .edu is for schools, .gov is for government, and .mil is for the military.
Country Code TLDs (ccTLDs)
- As the name suggests, Country Code TLDs (ccTLDs) are country and territory-specific domains that indicate where the domain is registered.
- For instance, .in is India, .uk is the United Kingdom, .jp is Japan, and .au is Australia.
Among the three broad categories, gTLDs take up the highest proportion of both legitimate and malicious domain activities. As of Q3 2024, .com alone accounted for 17.29% of all Indicators of Compromise (IoCs). Meanwhile, ccTLDs like .cn and .ru gained more traction compared to the previous quarter, as the registrations went up by 11.24%. As for sTLDs like .edu and .gov, they experienced minimal abuse compared to gTLDs and ccTLDs, but when they did, it was often a case of spear-phishing.
What are the most common TLDs exploited by cyber attackers in 2024?
These days, there is no dearth of TLDs and the opportunities they bring along to help your organization create a strong online presence. But with opportunities come vulnerabilities. New Top Level Domains are a prime target for cybercriminals. There are various reasons for this, such as their lenient registration processes, lower costs, and lack of stringent monitoring.
Interacting with emails from such domains or navigating their websites might seem harmless, but as soon as you engage with them, you can risk exposing yourself and your organization to serious cybersecurity threats and their grave repercussions.
Now, let’s take a look at TLDs that were a prime target of cyber attackers in 2024:
.com
You’ve seen .com everywhere—it’s the most common domain out there, used by businesses, websites, and pretty much everything online. You’d be surprised to know that 63% of all malicious emails come from “.com” domains.
Given that users hardly doubt a domain that ends with .com, cybercriminals often target it to create fake websites, phishing scams, and impersonation schemes. It’s like hiding in plain sight because they know you’re less likely to question a .com link.
.xyz
.xyz is another common TLD that tops the attackers’ potential targets list. The reason behind this is because it is cheap and easy to obtain, especially for startups and creatives. Hackers create phishing sites or spread malware using .xyz domains because people are less likely to think before clicking on those links. Even though many reliable sites use .xyz, this misuse has become a pressing issue, and you should be careful when accessing unknown websites that end with .xyz.
.cn
The .cn is the country-code TLD for China and one of the most targeted TLDs among cybercriminals. With all the users and businesses associated with it, attackers look at it as a goldmine for phishing scams targeting users from across the globe. To give you an idea of scale, out of the 7,901,525 domains registered in .cn TLD, almost 16,000 domains are associated with phishing scams.
.top
The .top domain is also extremely popular because of its cheap pricing and wide availability, which make it a preferable option among businesses and individuals. However, this low pricing has also made it very lucrative for cybercriminals to create malicious websites. Moreover, most phishing campaigns and fake e-commerce platforms have been tracked to the .top domain, which is why this TLD is earning a dubious title as a high-risk TLD in cybersecurity circles.
Moreover, according to Interisle Consulting Group, .top is used widely for phishing attacks. Between May 2023 and April 2024, more than 117,000 phishing sites were found within the 2.76 million .top domains, making it a hotspot for cyber criminals.
.zip
This TLD is a fairly new gTLD and has become one of the top choices for attackers who want to execute cybersecurity scams. The reason attackers find it easier to exploit .zip TLD is that it resembles file compression formats, such as .zip files that we are all familiar with and use almost everyday while downloading large files.
Cybercriminals abuse the .zip domains to host phishing sites, which often masquerade as legitimate file-sharing services. The goal is to trick users into downloading malware or sharing sensitive information.
.mov
Just like zip, .mov appears familiar because it is the extension for video files. Cybercriminals use this to mislead you into believing you are clicking on a safe link for video content. But in reality, a fun video is the last thing you will get. Instead, you will find yourself at a phishing site or downloading a virus that wreaks havoc on your system.
.sbs
The .sbs domain is very new and not very well-known in the online circle. Since it is not as well-established as other TLDs, hackers leverage it to set up fake sites or scams, hoping you won’t question the domain and interact with it without second guessing its authenticity.
It is safe to say that these domains are not inherently malicious, but attackers use them in dubious ways to catch users like you off guard. So, it is important to stay cautious and double-check the links before clicking on them.
What are the strategies leveraged by attackers to gain your trust?
Cyberattackers are very smart and try to leave no loopholes when crafting their scams. To go to lengths and employ various strategies to make their make their attacks look convincing and trustworthy.
Create panic or claim to solve an issue
One of the main goals of attackers is to get you to engage with their pages, one way or another. To make this happen, they often pretend to be a company announcing the release of its new product or warning users of issues with their financial or social media account. Others promise insider information about emerging technologies, such as cryptocurrency. They also feed on fear by using methods such as fake notices of tax offenses or criminal investigations, and urgency, such compelling you to update your software immediately.
Obtain SSL certificates to gain trust
One of the sneakiest ways phishing sites gain trust is through the use of SSL certificates. For years, experts have encouraged us to check for the padlock symbol in the browser or to rely only on URLs beginning with “HTTPS.” That’s no longer true. Now, most phishing websites are SSL-enabled. That is to say, a phishing website can look and feel legitimate and secure with a padlock icon, so hyper-vigilance is the way to stay safe!
Does your business also use one of the TLDs mentioned above? It’s high time you implement strategies to protect your domain from being exploited. Email authentication protocols like SPF, DKIM, and DMARC can help you enhance email security and prevent bad actors from spoofing your domain. To get started with your email authentication journey, book a demo with us today!