New gTLDs: A Haven for Hackers and Fraudsters?

A recent study has revealed that emerging domain zones, such as “.top” and “.shop,” have become favored tools for fraudsters and cybercriminals. The report by Interisle Consulting Group analyzed data from 16 million cyberattacks and found that these domains are disproportionately associated with illicit activities.

While new gTLDs (generic top-level domains) introduced in recent years account for only 11% of the domain market, they represent a staggering 37% of all domains used for fraudulent schemes. In comparison, classic domains like “.com,” “.net,” and “.org” hold over 50% of the market but account for only a slightly larger share of domains implicated in cyberattacks, around 40%.

This disparity stems from the ease of access to these newer domain zones, which can be registered almost instantly and at minimal cost—sometimes as little as one or two dollars. By contrast, the cheapest price for a “.com” domain is $5.91. This affordability makes these new domains particularly attractive to malicious actors.

Such domains are frequently exploited to create fake websites, phishing pages, and other fraudulent schemes. Thanks to their low cost and the widespread use of mass email distribution, phishing campaigns are virtually costless for cybercriminals while generating significant revenues, often amounting to hundreds of thousands of dollars.

The resources employed by cybercriminals have also surged. The number of unique domains used in attacks increased by 81% from the previous year, surpassing 8.6 million. Additionally, over 2.6 million domains were registered in bulk—a 106% rise compared to the previous period.

According to Krebs on Security, phishing attacks have grown by nearly 40% in the past year, highlighting the growing popularity of such tactics among cybercriminals. The proliferation of new domain zones is likely to amplify this trend, resulting in even greater damage.

Interisle underscores the need for collective action to effectively combat these threats, involving all stakeholders, including government entities. The proposed measures include:

  • Strengthening verification and certification processes for organizations registering domains in bulk;
  • Limiting the number of accounts and subdomains that customers can register with providers offering free or low-cost hosting;
  • Expanding the use of automated systems to analyze suspicious registrations and resource usage patterns;
  • Implementing “Trusted Reporter” programs to enable the swift takedown of resources identified by reliable cybersecurity scanners;
  • Penalizing service providers that facilitate cyberattacks or incentivizing them to cease such practices.

The report stresses that meaningful change is achievable only through the coordinated efforts of a broad coalition of stakeholders committed to implementing tangible solutions that reduce the accessibility of resources for criminal activities.
