The Weaponization of the Domain Space
The expansion of the internet’s namespace was intended to democratize the web, offering brands, communities, and creators dedicated virtual real estate. When the Internet Corporation for Assigned Names and Numbers (ICANN) introduced new generic Top-Level Domains (gTLDs) like .shop, .top, .xyz, and .zip, it was celebrated as a milestone for digital branding and innovation.
However, in the cybersecurity landscape, every new feature represents a fresh attack surface. Today, these newer extensions have been heavily co-opted by threat actors. From highly targeted phishing campaigns to command-and-control (C2) botnet operations, malicious gTLDs have quickly become a critical element in the cybercriminal toolkit.
[Diagram: the malicious domain lifecycle, shown as a cycle of six stages] Low-cost gTLDs (e.g. .top, .xyz) → Automated Setup (phishing kits & SSL certs) → Campaign Launch (spam, smishing, malvertising) → Evasion & Dwell Time (fast-flux DNS, cloaking) → Takedown / Blocklisting (security feed detection) → Domain Rotation (abandon & rotate) → back to the first stage.
Why New gTLDs Attract Cybercriminals
Industry reports paint a stark picture: while new gTLDs make up only a fraction of overall domain registrations, they are disproportionately represented in reported cybercrime activities. According to threat intelligence studies, new gTLDs account for roughly 11% of registrations but make up over 37% of reported malicious domains.
This disparity is driven by deliberate economic and operational advantages:
1. Rock-Bottom Registration Costs
Cybercrime is a volume-based business. When launching automated phishing campaigns or deploying ephemeral malware landing pages, threat actors expect their domains to be flagged and blocklisted within 24 to 72 hours. Paying $12 per domain for a standard .com quickly cuts into their profit margins.
Registry promotions frequently discount gTLDs like .xyz, .top, or .work to under $1. At this price point, an attacker can register 1,000 domains for the cost of less than 100 traditional ones, making domain revocation efforts financially negligible to the threat actor.
2. Frictionless Registration and Lack of Verification
While ICANN mandates registrant verification, compliance is highly fragmented. Many budget-focused registrars offer fully automated, bulk registration APIs with minimal validation controls. Threat actors use stolen credit cards, anonymous cryptocurrencies, and fake identity information to register domains en masse. Without robust “Know Your Customer” (KYC) processes at the registrar level, anonymous abuse remains trivial to execute.
3. Evading Legacy Security Filters
Security solutions evaluate traffic using domain reputation. A newly registered domain starts with a neutral or “unclassified” status. Many security appliances and corporate firewalls are configured to allow traffic from unclassified domains to avoid disrupting legitimate business operations. Cybercriminals exploit this “golden window”—the time gap between domain registration and its categorization as malicious—to bypass traditional perimeter defenses.
4. Typosquatting and Pretexting Availability
With traditional namespaces highly saturated, attackers turn to new gTLDs to build convincing pretexts. For example, instead of trying to register a spoofed .com domain, an attacker can easily register brandname-support.shop, brandname-security.xyz, or brandname-update.top. Users, unfamiliar with the sheer volume of new extensions, often focus solely on the brand name and fail to notice the suspicious TLD.
Case Study: The Release of .zip and .mov Domains (2023)
In May 2023, Google Registry released several new gTLDs, including .zip and .mov. This move sparked immediate concern among security researchers due to the potential for file-extension confusion.
- The Attack Vector: An attacker could craft a link like https://github.com∕kubernetes∕archive∕refs∕tags@v1.27.2.zip. Everything before the @ is treated as URL user-info and ignored by the browser, so the victim is actually connected to the host v1.27.2.zip — an attacker-controlled domain — even though the link appears to point at GitHub. Unicode look-alike slashes (∕, U+2215) replace the real / characters to make the fake path convincing.
- File Handler Abuse: In some operating systems, typing local file paths ending in .zip into search bars or file managers could prompt the OS to perform a DNS query and attempt to open the remote website, providing a vector for drive-by downloads.
- Defensive Response: In response to these concerns, many corporate security teams elected to block the .zip and .mov TLDs entirely at their secure web gateways.
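The user-info trick in the case study is easy to check for mechanically. The following is an added example, not code from the article: it uses Python's standard urlsplit to show which host a browser would actually contact for the spoofed link, and flags the three signals a mail or web gateway can act on (user-info present, look-alike slashes inside the user-info, and a file-extension-like TLD). The look-alike set and the TLD list are assumptions chosen for the example.

```python
from urllib.parse import urlsplit

# Unicode code points that render like "/" but are not URL delimiters
# (assumed look-alike set for this example; extend it as needed).
SLASH_LOOKALIKES = {
    "\u2215",  # DIVISION SLASH (the one used in the case study)
    "\u2044",  # FRACTION SLASH
    "\uff0f",  # FULLWIDTH SOLIDUS
    "\u29f8",  # BIG SOLIDUS
}

# TLDs that collide with common file extensions (from the case study above).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# The link from the case study, rebuilt here with explicit escapes so the
# look-alike characters are unambiguous in source form.
SPOOFED_URL = "https://github.com\u2215kubernetes\u2215archive\u2215refs\u2215tags@v1.27.2.zip"
GENUINE_URL = "https://github.com/kubernetes/archive/refs/tags/v1.27.2.zip"


def analyze_url(url: str) -> dict:
    """Return the host a browser would actually connect to, plus findings
    that a mail or web gateway could use to quarantine or rewrite the link."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Per RFC 3986, everything before the last "@" in the authority is userinfo.
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    host = (parts.hostname or "").lower()
    findings = []

    if userinfo:
        findings.append("userinfo-before-@")
        if any(ch in SLASH_LOOKALIKES for ch in userinfo):
            findings.append("slash-lookalike-in-userinfo")
    if host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS:
        findings.append("file-extension-tld")

    return {"host": host, "userinfo": userinfo, "findings": findings}


def is_suspicious(url: str) -> bool:
    """Gateway decision: any finding is enough to hold the message for review."""
    return bool(analyze_url(url)["findings"])


if __name__ == "__main__":
    for url in (SPOOFED_URL, GENUINE_URL):
        print(url, "->", analyze_url(url))
```

Running it shows the spoofed link resolving to the host v1.27.2.zip while the genuine GitHub link resolves to github.com with no findings. The user-info check alone catches most of this class regardless of TLD, since legitimate links almost never carry credentials in the URL.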
Subdomains: The Shared Reputation Threat
In addition to gTLDs, cybercriminals heavily abuse free subdomain providers like blogspot.com, weebly.com, and Cloudflare Pages (pages.dev). This tactic presents unique challenges for security teams:
- Reputation Hijacking: Root domains like pages.dev have exceptionally high reputation scores. If an email security gateway blocks the root domain, it risks blocking thousands of legitimate business sites. Cybercriminals exploit this by hosting malicious landing pages on free subdomains, forcing security systems to perform granular URL inspection rather than simple domain blocklisting.
- Subdomain Takeover: When an organization deletes a cloud resource (such as an AWS S3 bucket, Azure App Service, or GitHub Pages repository) but neglects to remove the corresponding CNAME record from its DNS zone file, it leaves a “dangling DNS” record. Attackers scan for these dangling records, register the matching resource name on the host platform, and immediately gain control of a legitimate corporate subdomain.
The Regulatory Dilemma: ICANN and the Industry
The Internet Corporation for Assigned Names and Numbers (ICANN) oversees the global domain ecosystem, but critics argue its policies are too permissive. Despite ongoing evidence of systemic abuse, ICANN continues planning rounds for introducing even more gTLDs. Critics point out that registries and registrars generate revenue from volume, creating a conflict of interest where security mitigation is often reactive rather than proactive.
John Levine, a prominent internet governance and email security expert, summarized the issue: “ICANN needs to decide whether it’s a neutral regulator or just a domain speculator trade association.” Until ICANN mandates strict KYC regulations and faster registrar response times, the security community will remain on the defensive.
Defensive Playbook: Enterprise Mitigation Strategies
Securing an enterprise network against gTLD and subdomain abuse requires a defense-in-depth approach combining DNS controls, network policies, and modern authentication:
1. Implement Newly Registered Domain (NRD) Restrictions
Configure your Secure Web Gateway (SWG) or DNS firewall to block resolution for any domain registered within the last 15 to 30 days. Because the vast majority of malicious domains are used immediately and abandoned within a week, blocking NRDs neutralizes a massive percentage of zero-hour phishing and malware campaigns.
2. Block High-Abuse gTLDs
Analyze your organization’s outbound traffic. If there is no legitimate business reason to communicate with domains ending in .top, .work, .click, or .zip, block those TLDs entirely at the DNS resolver level.
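Steps 1 and 2 combine naturally into one resolver-side policy. The example below is added here and is not code from the article or from any particular DNS product: it applies the high-abuse TLD block and the 30-day newly-registered-domain window to a constructed query log, and emits the BIND Response Policy Zone records that enforce the TLD block. The registration dates, the log lines and the fail-closed option are assumptions; a real deployment would take creation dates from RDAP/WHOIS or an NRD feed.

```python
from datetime import date

# Policy values from the playbook; the TLD list is the article's illustrative set.
NRD_WINDOW_DAYS = 30
BLOCKED_TLDS = {"top", "work", "click", "zip"}

# Constructed stand-in for a registration-date source (RDAP/WHOIS or an NRD
# feed in a real deployment). All names and dates here are invented.
REGISTRATION_DATES = {
    "brandname-support.shop": date(2024, 3, 28),
    "example.com": date(1995, 8, 14),
    "partner-portal.click": date(2015, 6, 1),
}
SAMPLE_TODAY = date(2024, 4, 2)

# Constructed resolver query log in a simple key=value format (not real traffic).
SAMPLE_QUERY_LOG = """\
2024-04-02T10:15:03Z client=10.0.0.5 qname=brandname-support.shop. qtype=A
2024-04-02T10:15:04Z client=10.0.0.5 qname=example.com. qtype=A
2024-04-02T10:15:09Z client=10.0.0.7 qname=partner-portal.click. qtype=A
2024-04-02T10:15:11Z client=10.0.0.9 qname=unknown-vendor.org. qtype=AAAA
"""


def tld_of(domain: str) -> str:
    # Last label only; multi-label public suffixes such as co.uk are out of scope here.
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def evaluate_domain(domain, today=SAMPLE_TODAY, fail_closed=False,
                    registration_dates=REGISTRATION_DATES):
    """Return (decision, reason). Decision is "block", "allow" or "allow-unknown"."""
    domain = domain.lower().rstrip(".")
    tld = tld_of(domain)
    if tld in BLOCKED_TLDS:
        return "block", f"TLD .{tld} is on the high-abuse list"
    created = registration_dates.get(domain)
    if created is None:
        # This is the "golden window" gap: no source has categorized the domain yet.
        if fail_closed:
            return "block", "no registration date available (fail-closed policy)"
        return "allow-unknown", "no registration date available"
    age_days = (today - created).days
    if age_days < NRD_WINDOW_DAYS:
        return "block", f"newly registered domain ({age_days} days old, window {NRD_WINDOW_DAYS})"
    return "allow", f"domain is {age_days} days old"


def evaluate_query_log(log_text, today=SAMPLE_TODAY, fail_closed=False):
    """Apply the policy to each query line; returns (qname, decision, reason) tuples."""
    results = []
    for line in log_text.splitlines():
        fields = dict(item.split("=", 1) for item in line.split()[1:])
        qname = fields["qname"].rstrip(".").lower()
        results.append((qname,) + evaluate_domain(qname, today, fail_closed))
    return results


def rpz_tld_records(tlds=BLOCKED_TLDS):
    """BIND Response Policy Zone records: a wildcard whose CNAME target is "."
    answers NXDOMAIN for every name under the TLD, enforcing the block at the resolver."""
    return [f"*.{tld} CNAME ." for tld in sorted(tlds)]


if __name__ == "__main__":
    for qname, decision, reason in evaluate_query_log(SAMPLE_QUERY_LOG):
        print(f"{decision:<14} {qname:<28} {reason}")
    print("\n".join(rpz_tld_records()))
```

The fourth log line illustrates the practical trade-off: a domain with no registration data is exactly the "unclassified" case the article describes, so the policy is written to allow it by default and to block it only when fail_closed is set, which is the setting to test against real outbound traffic before enabling.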
3. Transition to FIDO2/WebAuthn Authentication
Traditional MFA (SMS, push notifications, or TOTP codes) can be intercepted using reverse-proxy phishing frameworks like Evilginx. FIDO2 security keys (like YubiKeys) cryptographically bind the authentication session to the origin domain name. If a user is tricked into visiting a spoofed microsoft-login.xyz page, the browser will refuse to send the credentials because the cryptographic domain binding does not match login.microsoftonline.com.
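The origin binding described above has two enforcement points, and the example below models both. It is added here and is neither the article's code nor a WebAuthn library: the first function reproduces the browser-side rule that the relying party ID must equal, or be a registrable-domain suffix of, the page's effective domain, and the second reproduces the server-side check that the origin recorded in the authenticator-signed clientDataJSON is the relying party's own. The small public-suffix set and the constructed clientDataJSON bodies are assumptions.

```python
import json
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List; browsers and relying parties use the
# full list. Assumed for this example only.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}


def effective_domain(origin: str):
    """Host of a secure origin, or None when the origin is not https."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must equal the origin's effective domain or be a
    registrable-domain suffix of it. A bare public suffix is never an acceptable RP ID,
    so a spoofed or reverse-proxied page cannot ask the authenticator for a
    credential that is scoped to the real login domain."""
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if host is None or rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def verify_client_data(client_data_json: bytes, expected_origin: str,
                       expected_challenge: str) -> bool:
    """Server-side check of clientDataJSON: the origin the browser recorded must be the
    relying party's own origin and the challenge must be the one the server issued."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin
            and data.get("challenge") == expected_challenge)


RP_ID = "login.microsoftonline.com"
RP_ORIGIN = "https://login.microsoftonline.com"

# Constructed clientDataJSON bodies; in a real ceremony the authenticator signs
# over a hash of these exact bytes, so the origin field cannot be edited afterwards.
LEGIT_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get", "challenge": "c0ffee", "origin": RP_ORIGIN}).encode()
PHISH_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get", "challenge": "c0ffee",
     "origin": "https://microsoft-login.xyz"}).encode()


if __name__ == "__main__":
    print("real site  :", rp_id_valid_for_origin(RP_ID, RP_ORIGIN))
    print("spoofed TLD:", rp_id_valid_for_origin(RP_ID, "https://microsoft-login.xyz"))
    print("server side:", verify_client_data(PHISH_CLIENT_DATA, RP_ORIGIN, "c0ffee"))
```

The reverse-proxy case is the instructive one: a proxy served from a lookalike host such as login.microsoftonline.com.some-other.xyz (constructed name) fails the suffix test because the real domain is not a suffix of the proxy's host, so the browser never produces an assertion for the proxy to relay. The server-side origin check is the backstop for any assertion that does arrive.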
4. Continuous DNS Auditing
Utilize automated scanning tools to discover dangling CNAME records and immediately prune them from your public DNS zones. This simple step completely eliminates the threat of subdomain takeover.
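A dangling-CNAME audit is a short script once you have a zone export and a resolver. The following is an added example, not the article's code or any vendor's tool: it walks a constructed zone, treats CNAME targets that no longer resolve as findings, and rates a finding as a takeover risk when the target sits on a hosting platform where the released name can be claimed by a new tenant. The zone records, the stubbed resolver answers and the platform suffix list are assumptions; swap resolve_stub for a real lookup in production.

```python
# Constructed public zone for example.com (not a real zone).
ZONE_RECORDS = [
    ("www.example.com", "CNAME", "example-site.azurewebsites.net."),
    ("docs.example.com", "CNAME", "example-docs.github.io."),
    ("legacy.example.com", "CNAME", "legacy-app.herokuapp.com."),
    ("cdn.example.com", "CNAME", "cdn.example-partner.net."),
    ("mail.example.com", "MX", "10 mx1.example.com."),
]

# Constructed answer set standing in for live resolver queries: names missing from
# this map are treated as NXDOMAIN. 203.0.113.0/24 is documentation address space.
RESOLVABLE_TARGETS = {"example-site.azurewebsites.net": "203.0.113.10"}

# Platforms where a released resource name can be claimed by another tenant
# (assumed list for the example; the real list depends on the providers you use).
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".github.io",
                           ".herokuapp.com", ".s3.amazonaws.com")


def resolve_stub(name: str):
    """Stand-in resolver: returns an address or None for NXDOMAIN."""
    return RESOLVABLE_TARGETS.get(name)


def find_dangling_cnames(records, resolve=resolve_stub):
    """One finding per CNAME whose target no longer resolves, rated 'takeover'
    when the target is on a platform where the name can be re-claimed."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        target = target.rstrip(".").lower()
        if resolve(target) is not None:
            continue
        on_platform = any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)
        findings.append({"name": name, "target": target,
                         "risk": "takeover" if on_platform else "broken"})
    return findings


def prune_list(findings):
    """Zone names to delete first: the entries rated as takeover risks."""
    return [f["name"] for f in findings if f["risk"] == "takeover"]


if __name__ == "__main__":
    found = find_dangling_cnames(ZONE_RECORDS)
    for f in found:
        print(f"{f['risk']:<9} {f['name']} -> {f['target']}")
    print("remove first:", prune_list(found))
```

One caveat for real audits: NXDOMAIN is only one signal. Some platforms (S3 website endpoints are the usual example) keep resolving after the resource is deleted and instead return an error page for the missing bucket, so the DNS check should be paired with an HTTP probe of each target, and the job should run on a schedule rather than once.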
Final Thoughts
The expansion of top-level domains highlights the constant tension between digital accessibility and enterprise security. While gTLDs offer brand flexibility, their susceptibility to exploitation requires security teams to treat them with heightened scrutiny. By implementing NRD blocking, utilizing DNS firewalls, and enforcing origin-bound authentication, organizations can significantly reduce their risk exposure.
For more insights into threat mitigation and network security, visit rokibulroni.com.