The Most Malicious Domain Registrars & TLDs

https://www.spamhaus.org/statistics/registrars/

As part of my current role, I am responsible for proactively identifying any malicious domain registrations which could be used for phishing campaigns or other activity targeting our employees or customers.

As in often the case in multi-national corporations, the domain registration process can be convoluted and documentation or assistance on the matter difficult to access. This results in a minority of employees registering domains themselves using unapproved methods and domain registrars; especially if they are needed quickly for projects, presentations or product releases.

This quick registration using unapproved methods causes difficulty differentiating between what is a legitimately malicious domain registration and what is just an employee not following the process.

The below is a quick collection of resources which identify the most malicious domain registrars and Top Level Domains (TLDs). These will help determine whether a malicious threat actor is targeting your company or business. From my personal experience , if an employee has not followed the correct process for registering a domain, they are most likely to use a local domain registrar or popular options such as GoDaddy or NameCheap. That’s not to say that threat actors wont use these registrars.

Malicious Registrars

The Spamhaus Project - The Top 10 Abused Domain Registrars

http://web.archive.org/web/20140630082208/http://www.knujon.com:80/registrars/registrar_ratings.pdf

https://www.domaintools.com/content/The_DomainTools_Report_Distribution_Malicious_Domain.pdf

The Top Ten Spam Top Level Domains

Malicious TLDs

In 2015, the Anti-Phishing Working Group (APWG) conducted a global survey of phishing activity on the internet for more than a decade. It was estimated that approximately 75 percent of malicious domain registrations were located within five TLDs. These were two generic TLDs, .com and .net, and three country code top level domains (ccTLDs): .tk (Tokelau), .pw (Palau), and .cf (Central African Republic).

Its important to note that both .tk and .cf offer free domain registration to individuals and businesses. In addition, due to their business model, .tk domains never get deleted. Of interest is that the report also concluded that Chinese phishers registered most of the malicious domains. Source: https://www.aic.gov.au/sites/default/files/2020-05/research_report_03.pdf

The Spamhaus Project - The Top 10 Most Abused TLDs

The Baddest Top Level Domains - Top 10

I will be posting more helpful articles about OSINT, cyber security, threat intelligence and investigating, so make sure you follow me on here and on my twitter @CassiusXIII