{"id":11866,"date":"2022-12-16T10:19:22","date_gmt":"2022-12-16T15:19:22","guid":{"rendered":"https:\/\/www.cscdbs.com\/blog\/?p=11866"},"modified":"2026-05-05T06:52:22","modified_gmt":"2026-05-05T10:52:22","slug":"the-highest-threat-tlds-part-2","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/the-highest-threat-tlds-part-2\/","title":{"rendered":"The Highest Threat TLDs \u2013 Part 2"},"content":{"rendered":"\n

In the first article[1]<\/a><\/sup> of this two-part blog series, we looked at how frequently domains were used by bad actors for phishing activity<\/a> across individual top-level domains (TLDs) or domain extensions, using data from CSC\u2019s Fraud Protection services, powered by our DomainSecSM<\/sup> platform<\/a>. In this second article, we analyze multiple datasets to determine the highest-threat TLDs, based on the frequency with which the domains are used egregiously for a range of cybercrimes.<\/p>\n\n\n\n

In this deeper dive, we look at the following datasets:<\/p>\n\n\n\n

\n
    \n
  1. Spamhaus\u2019 10 most abused TLDs[2]<\/sup><\/a>, reflecting information in its domain blocking list and containing domains with poor reputations (generally those found to be associated with spam or malware).<\/li>\n\n\n\n
  2. Netcraft\u2019s 50 TLDs[3]<\/a> <\/sup>with the highest ratios of cybercrime incidents to active sites, generally reflecting phishing and malware incidences.<\/li>\n\n\n\n
  3. Palo Alto Networks\u2019 10 TLDs[4]<\/sup><\/a> with the highest rates of malicious domains, reflecting four categories of malicious content (malware, phishing, command and control (C2), and grayware), and expressed as the median of the absolute deviation from the median (MAD).<\/li>\n\n\n\n
  4. Data from CSC\u2019s Fraud Protection services, as discussed in part one<\/a> of this series.<\/li>\n<\/ol>\n<\/div><\/div>\n\n\n\n

    Each dataset measures the proportion of domains across each TLD deemed to be associated with threatening content[5]<\/sup><\/a>. For datasets 1, 2 and 3 as outlined above, proportions are expressed as the total number of domains analyzed for the TLD in question.<\/p>\n\n\n\n

    \n\n\n\n

    Methodology: For ease of comparison, the threat frequency for each TLD within each dataset is again normalized, so that in each case the value for the highest-threat TLD is 1. The overall threat frequency for a TLD is then calculated as the average of the normalized scores across the datasets in which it appears. We excluded any TLDs from the results that were only present in CSC\u2019s dataset and where fewer than 50 phishing cases were recorded.<\/em><\/strong><\/p>\n\n\n\n

    \n\n\n\n
    <\/div>\n\n\n\n

    Analysis and discussion<\/strong><\/h2>\n\n\n\n

    The above methodology yields the following list in Table 1 for the top 30 highest-threat TLDs, ranked by overall normalized threat frequency.<\/p>\n\n\n\n

    TLD<\/strong><\/td>Threat frequency<\/strong><\/td>Registry<\/strong><\/td>Operator[6]<\/sup><\/strong><\/a><\/strong><\/td>Region (country) or type<\/strong><\/td><\/tr>
    .CI<\/td>1.000<\/td>Autorit\u00e9 de R\u00e9gulation des T\u00e9l\u00e9communications; TIC de C\u00f4te d\u2019lvoire (ARTCI)<\/td>Autorit\u00e9 de R\u00e9gulation des T\u00e9l\u00e9communications; TIC de C\u00f4te d\u2019lvoire (ARTCI)<\/td>Africa (Ivory Coast)<\/td><\/tr>
    .ZW<\/td>1.000<\/td>Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)<\/td>TelOne Pvt Ltd<\/td>Africa (Zimbabwe)<\/td><\/tr>
    .SX<\/td>0.945<\/td>SX Registry SA B.V.<\/td>Canadian Internet Registration Authority (CIRA)<\/td>Caribbean (Sint Maarten)<\/td><\/tr>
    .MW<\/td>0.862<\/td>Malawi Sustainable Development Network Programme<\/td>Malawi Sustainable Development Network Programme<\/td>Africa (Malawi)<\/td><\/tr>
    .AM<\/td>0.608<\/td>\u201cInternet Society\u201d Non-Governmental Organization<\/td>\u201cInternet Society\u201d Non-Governmental Organization<\/td>Asia (Armenia)<\/td><\/tr>
    .DATE*<\/td>0.506<\/td>.DATE Limited<\/td>GoDaddy\u00ae<\/sup> Registry<\/td>New gTLD<\/td><\/tr>
    .CD<\/td>0.391<\/td>Office Congolais des Postes et T\u00e9l\u00e9communications (OCPT)<\/td>Office Congolais des Postes et T\u00e9l\u00e9communications (OCPT)<\/td>Africa (Democratic Rep. of the Congo)<\/td><\/tr>
    .KE<\/td>0.381<\/td>Kenya Network Information Center (KeNIC)<\/td>Kenya Network Information Center (KeNIC)<\/td>Africa (Kenya)<\/td><\/tr>
    .APP*<\/td>0.377<\/td>Charleston Road Registry Inc.<\/td>Google\u00ae<\/sup> Inc.<\/td>New gTLD<\/td><\/tr>
    .BID*<\/td>0.361<\/td>.BID Limited<\/td>GoDaddy Registry<\/td>New gTLD<\/td><\/tr>
    .LY<\/td>0.356<\/td>General Post and Telecommunication Company<\/td>Libya Telecom and Technology<\/td>Africa (Libya)<\/td><\/tr>
    .BD<\/td>0.351<\/td>Posts and Telecommunications Division<\/td>Bangladesh Telecommunications Company Limited (BTCL)<\/td>Asia (Bangladesh)<\/td><\/tr>
    .SURF*<\/td>0.325<\/td>Registry Services, LLC<\/td>GoDaddy Registry<\/td>New gTLD<\/td><\/tr>
    .SBS*<\/td>0.250<\/td>ShortDot<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .PW<\/td>0.240<\/td>Micronesia Investment and Development Corporation<\/td>Radix FZC<\/td>Asia (Palau)<\/td><\/tr>
    .DEV*<\/td>0.222<\/td>Charleston Road Registry Inc.<\/td>Google Inc.<\/td>New gTLD<\/td><\/tr>
    .QUEST*<\/td>0.209<\/td>XYZ.COM LLC<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .TOP*<\/td>0.196<\/td>Jiangsu Bangning Science and Technology Co., Ltd.<\/td>Jiangsu Bangning Science and Technology Co., Ltd.<\/td>New gTLD<\/td><\/tr>
    .PAGE*<\/td>0.195<\/td>Charleston Road Registry Inc.<\/td>Google Inc.<\/td>New gTLD<\/td><\/tr>
    .GQ<\/td>0.192<\/td>GETESA<\/td>Equatorial Guinea Domains B.V. (Freenom)<\/td>Africa (Equatorial Guinea)<\/td><\/tr>
    .CF<\/td>0.168<\/td>Societe Centrafricaine de Telecommunications (SOCATEL)<\/td>Centrafrique TLD B.V. (Freenom)<\/td>Africa (Central African Republic)<\/td><\/tr>
    .GA<\/td>0.164<\/td>Agence Nationale des Infrastructures Num\u00e9riques et des Fr\u00e9quences (ANINF)<\/td>Agence Nationale des Infrastructures Num\u00e9riques et des Fr\u00e9quences (ANINF) (Freenom)<\/td>Africa (Gabon)<\/td><\/tr>
    .ML<\/td>0.157<\/td>Agence des Technologies de l\u2019Information et de la Communication<\/td>Mali Dili B.V. (Freenom)<\/td>Africa (Mali)<\/td><\/tr>
    .BUZZ*<\/td>0.149<\/td>DOTSTRATEGY CO.<\/td>GoDaddy Registry<\/td>New gTLD<\/td><\/tr>
    .CYOU*<\/td>0.141<\/td>ShortDot<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .CN<\/td>0.130<\/td>CNNIC<\/td>CNNIC<\/td>Asia (China)<\/td><\/tr>
    .MONSTER*<\/td>0.106<\/td>XYZ.COM LLC<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .BAR*<\/td>0.104<\/td>Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .HOST*<\/td>0.101<\/td>Radix FZC<\/td>CentralNic<\/td>New gTLD<\/td><\/tr>
    .IO<\/td>0.085<\/td>Internet Computer Bureau Limited<\/td>Internet Computer Bureau Limited<\/td>Asia (British Indian Ocean Territory)<\/td><\/tr><\/tbody><\/table>
    Table 1: <\/strong>The top 30 TLDs with the highest overall normalized threat frequencies.
    *Extensions where there are currently no customer domains under CSC\u2019s management.<\/figcaption><\/figure>\n\n\n\n
    <\/div>\n\n\n\n

    Table 2 shows the datasets in which each of the top 30 TLDs appear.<\/p>\n\n\n\n

    TLD<\/strong><\/td>Spamhaus<\/strong><\/td>Netcraft<\/strong><\/td>Palo Alto Networks<\/strong><\/td>CSC<\/strong><\/td><\/tr>
    .CI<\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/td> <\/td><\/tr>
    .ZW<\/td><\/td> <\/td>\u2713<\/strong><\/td> <\/td><\/tr>
    .SX<\/td>\u2713<\/strong><\/td> <\/td> <\/td> <\/td><\/tr>
    .MW<\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td> <\/td> <\/td><\/tr>
    .AM<\/td> <\/td> <\/td>\u2713<\/strong><\/td> <\/td><\/tr>
    .DATE<\/td> <\/td> <\/td>\u2713<\/strong><\/td> <\/td><\/tr>
    .CD<\/td> <\/td> <\/td>\u2713<\/strong><\/td> <\/td><\/tr>
    .KE<\/td> <\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/tr>
    .APP<\/td> <\/td> <\/td><\/td>\u2713<\/strong><\/td><\/tr>
    .BID<\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/td><\/tr>
    .LY<\/td> <\/td> <\/td><\/td>\u2713<\/strong><\/td><\/tr>
    .BD<\/td> <\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/tr>
    .SURF<\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td> <\/td> <\/td><\/tr>
    .SBS<\/td> <\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/tr>
    .PW<\/td> <\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/td><\/tr>
    .DEV<\/td> <\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .QUEST<\/td><\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td><\/td><\/tr>
    .TOP<\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .PAGE<\/td><\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .GQ<\/td>\u2713<\/strong><\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .CF<\/td>\u2713<\/strong><\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .GA<\/td>\u2713<\/strong><\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .ML<\/td>\u2713<\/strong><\/td> <\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .BUZZ<\/td> <\/td>\u2713<\/strong><\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .CYOU<\/td> <\/td>\u2713<\/strong><\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .CN<\/td>\u2713<\/strong><\/td>\u2713<\/strong><\/td> <\/td>\u2713<\/strong><\/td><\/tr>
    .MONSTER<\/td> <\/td>\u2713<\/strong><\/td> <\/td> <\/td><\/tr>
    .BAR<\/td> <\/td>\u2713<\/strong><\/td> <\/td> <\/td><\/tr>
    .HOST<\/td> <\/td>\u2713<\/strong><\/td> <\/td> <\/td><\/tr>
    .IO<\/td> <\/td><\/td> <\/td>\u2713<\/strong><\/td><\/tr><\/tbody><\/table>
    Table 2:<\/strong> Datasets in which each of the top 30 TLDs by overall threat frequency appear.<\/figcaption><\/figure>\n\n\n\n
    <\/div>\n\n\n\n

    It\u2019s significant that this list is dominated by extensions from Africa, Asia, and the Caribbean, as well as several new gTLDs. The latter is consistent with the observation that new gTLDs tend to be disproportionately more abused than legacy TLDs, although they tend to have better processes for tackling infringements[7]<\/sup><\/a>. Nearly half of the TLDs in this list are operated by just three organizations, namely CentralNic (six TLDs), Freenom (four), and GoDaddy Registry (four)\u2014all consumer-grade registrars.<\/p>\n\n\n\n

    The Anti-Phishing Working Group\u2019s (APWG\u2019s) comprehensive Global Phishing Survey[8]<\/sup><\/a> of 2017, which analyzed the TLDs most frequently associated with phishing domains, also showed some similar trends (although the landscape may have changed somewhat since 2017). Its top 10 TLDs by frequency of phishing domains was dominated by African and Asian country-code TLDs (ccTLDs), with three of the top five (.ML, .BD and .KE) featuring in our top 30 list.<\/p>\n\n\n\n

    The below observations from the analysis are also notable:<\/p>\n\n\n\n