briankrebs, (edited)

Why is the .US domain -- the country code top-level domain (ccTLD) for the United States -- consistently among the most prevalent in phishing domains?

And why is this okay, when other ccTLDs that also restrict registration to residents/citizens don't seem to have this problem? And when a fair number of .US domains are used to attack US government agencies? Today's story explores these questions:

Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.

https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/

knitcode,

@briankrebs not to defend GoDaddy as the .us registry... yes the .us TLD is a cesspool no doubt...but your article brushes over the registrars.. i'm sure you didn't mean to imply that the only place one could register a .us domain is on GoDaddy (which yes, the drop down choices are indeed nuts)...but it reads that way... fwiw, we spend a lot of time detecting bad domains and a lot of them are in .us TLD... and most of them are not registered via GoDaddy. (again not to defend their role as a registry)... indeed, probably Name Silo from a registrar perspective of .us domains is the biggest point of abuse. actors will always go to the point of cheapest return. and yes it is crazy and bad. i do love the registrant disclosure personally. :) but there a lot more players in the phishing mix than GoDaddy. what role should the registrars play in checking credentials? 🤷

briankrebs,

@knitcode I understand your point. I think it's also important to mention that while indeed the entire industry is a cesspool, GoDaddy is the one that sets the practice on .US; the rest just follow their lead.

knitcode,

@briankrebs do they? 🤷 idk. but to your point, one of the most prolific actors we track in .us has a Ukrainian personal email, a registrant country of Poland, a very fake name, and hosting "in" Estonia... GoDaddy's fault? yeah as the oversight. But I hold NameSilo just as accountable.

SpaceLifeForm,

@briankrebs

I suspect two things.

The enemy is within.

The targets are .gov or .mil people that may not catch the TLD switcheroo.

jfharrison,

@briankrebs In the late 80’s my first ISP picked up a block of .<state>.us names and I had that domain for abt 25 yrs before I had to drop that ISP because they wouldn’t do DKIM or SPF and a fair bit of email bounced. Not only a huge uptick in spam but everyone shying away from .us, so I was getting blocked at a lot of web sites.

kkarhan,

@briankrebs what really makes me boil is that .gov, .mil & .edu are U.S.-centric, as if there is no government, military and especially no education outside of the USA.

hackbyte,

@kkarhan @briankrebs OH boy ......that's a completely different story on its own. ;)

kkarhan,

@hackbyte @briankrebs yeah, but to go back to the point: is a big issue and 99,9% of all Spam that isn't bring 'd by blocklists are from , , / .com / / and domains hosted by registrars like , because , , and the Registrars refuse to even process at all.

kkarhan,

@hackbyte @briankrebs
Like it's not even a "please click our meant to prevent false reports by bots (which isn't a thing btw!) but literally Registrars like saying in corporate legalese:

'We don't give a f**k about spamming and we won't do jack shite about that!'

There's a reason .de domains are one of the best regarded, and it's not because demands a legal resident with a fax number as contact, but because regulators like @BNetzA are rightfully short-fused re: .

kkarhan,

@hackbyte @briankrebs @BNetzA

And no, "" only confirms it as real and one gets spammed from 5+ others in retaliation because there is no or law in the . ( doesn't count because it's a legal figleaf noone complies with!)
https://github.com/greyhat-academy/lists.d/blob/main/spammers.domains.block.list.tsv

infosec_jcp, (edited)

@briankrebs

Hmm, so .us is just like .ly & .XYZ & .mov & .zip domains for ☣️? Huh.

I think I should do a new Bing🔴 Card 🤡🎡 for the SOC🧦 🐈🃏 😆☣️

🧵
👇
https://infosec.exchange/

Perhaps making a bingo card for helping clean up some .us domains would be effective at the ccTLD level as a visual reference? Some ppl are more visual learners so. ¯_(ツ)_/¯

MikeV,

@briankrebs As someone who would like to have their last name as a domain in .us (think firstname@lastname.us for email address), but I can’t because it’s registered to a company in Italy, I am happy to report that the nexus requirement is an absolute joke.

Namecheap, the registrar for the domain, has allowed an Italian company with no presence in the US, and the Italy country code as their nexus required “state of residence”, to register the domain name.

But for me to contest the validity of the current registration, it appears that I would need to spend hundreds or thousands of dollars with no guarantee that the outcome would allow me to register the domain. Even though I’m a US citizen, and the current registrant has no US presence.

golem,

@briankrebs

An interesting exercise is to take a block of registered .us domains and then track the actual hosting entity... lots of .ru and related hosters in there...

danimrich,

@briankrebs So, they contracted out the management of a TLD that is fairly attractive to phishers to a company that probably has a financial incentive to sell as many registrations as possible. What could possibly go wrong?

feistel,

@briankrebs I want to be able to get a state level TLD from the DMV

jlo,

@briankrebs The fact you can’t have WHOIS privacy with .US is asinine.

maxtappenden,

@briankrebs .UK domains have the same registration requirements and are also widely used for abuse here. I suspect the same is true in many other countries.

david,

@briankrebs this is sad, and bad news. I have owned a .us almost ever since it became available, and it is my main presence almost everywhere (it is where I have my main email address as well). There should be a better control, and management, of it.

CaptainJanegay,

@briankrebs Since it's so common for US-based entities to use .com rather than .us, I wonder if .us domains are relatively cheap due to lower demand. That would be another factor making them appealing to actors looking to phish US victims on the cheap.

KoHoSo,

@briankrebs How odd considering what it takes to get a dot-us domain. I thought having my site be KoHoSo.us made it and its email a little more trustworthy. I guess not.

trbarrettjr,

@briankrebs Who are the registrars? I remember when having a .us TLD, I had to prove that I was US-based and was not allowed to hide my WHOIS.

briankrebs,

@trbarrettjr GoDaddy manages it now. Here's what their page looks like on attestation. You can see the option that you're an American citizen is already populated.

digitalcatnip,

@briankrebs @trbarrettjr Big surprise - outsource this to a for-profit entity and they try to maximize their profit. Great reporting that draws attention to an embarrassing issue for the US.

kevbob,

@briankrebs I have seen the enemy and it is .US