There were many who warned that the Internet Corporation for Assigned Names and Numbers’ (ICANN) decision to allow a host of new commercial generic top-level Internet domains was going to create a huge opportunity for Internet scammers and hackers. The approval of top-level domains (TLDs) beyond those assigned to countries and generic ones such as .com, .org, and .net created an opportunity, some in the security industry warned, for criminals to set up “look-alike” domains in the new namespace that aped legitimate sites already registered in .com or elsewhere. Well, the warnings were spot-on. Based on data just published (PDF) by the network security and deep packet inspection tool vendor Blue Coat, that’s exactly what happened: some of the new “neighborhoods” open for name registration have become almost exclusively the domain of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations and “phishing” attacks, or other suspicious content. One hundred percent of sites accessed with the .zip and .review TLD that had been scanned and added to Blue Coat’s domain database were classified by Blue Coat’s researchers as “shady.” Of course, these rankings may be distorted by the fact that there are so few records in Blue Coat’s database for these domains—.zip isn’t even officially available yet from domain registrars, so it’s not clear how there were any records for it at all. Not all of the worst domains were new TLDs. One, .gq—the top level domain assigned to Equatorial Guinea—scored a 96.68 percent score for “shady” sites out of all traffic screened. Overall, the worst ten TLDs for malicious domains, as of August of 2015, were: .zip (100.00%) .review (100.00%) .country (99.97%) .kim (99.74%) .cricket (99.57%) .science (99.35%) .work (98.20%) .party (98.07%) .gq (97.68%) .link (96.98%) Not all new TLDs were bad neigbhorhoods. The .church TLD, for example, had 0.84 percent “shady” sites. The .london TLD had 1.85 percent; the older .tel had 1.6 percent. And the safest of all the new TLD neigborhoods is apparently .jobs, in which a mere 0.36 percent of domain names had any hint of suspicious intent. Of course, these low percentages may be because of a small sample rate—if your employer is running deep packet inspection on your Web traffic, you might be less likely to be visiting a .church or .jobs site from work.
Source: Many new top-level domains have become Internet’s “bad neighborhoods” | Ars Technica