While the generic top-level domain (gTLD) that a company uses is not a telltale sign of maliciousness, some TLDs are more prone to abuse than others. It could be because of the sheer volume of domain registrations within a particular TLD space, the lack of security protocols in registering domains, or a combination of both, among other factors.
We looked at the list of newly registered domains under the most abused TLDs, as identified by multiple sources, and analyzed them using data from whoisxmlapi.com.
Three gTLDs were identified—.fit, .top, and .work. The .fit gTLD was cited as the most abused gTLD for spam operations by Spamhaus, with a badness index of 56.9% as of 4 November 2020. For botnet and phishing, the most abused gTLD was .com, mostly because it remains the most used. As such, we settled on the second most abused for two other malicious activities—.top and .work.
| Malicious Activity | Most Abused gTLD | Number of Malicious Domains Found |
|---|---|---|
| Spam | .fit | (Spamhaus as of 4 November 2020) |
| Botnet use | .top | 617 (Spamhaus as of 2Q 2020) |
| Phishing | .work | (SURBL as of 4 November 2020) |
Spamhaus is an organization that tracks spammers and spam-related activities, while SURBL provides a collection of phishing sites, malware domains, and Uniform Resource Identifiers (URIs) that appear in unsolicited emails.
For the analysis, we used a list of newly registered domains from 29 October to 2 November 2020. A total of 35,779 newly registered domains across the three gTLD spaces were detected. The chart below reflects the five-day registration trend.
Where Are the Registrants Located?
A majority of newly registered domains under .fit and .work were registered in Japan, while most of the domains under .top were from China.
In particular, 77.03% of .fit and 94.21% of .work domain names were based in Japan. The rest of the domains were spread across dozens of other countries. Note, though, that these TLDs are the most abused for spam and phishing campaigns.
As for the newly registered domains under .top, two registrant countries stood out. Some 54.51% of them were registered in China, while 32.37% cited the U.S. as their registrant country. This finding is consistent with Spamhaus’s top 20 locations of botnet and command-and-control (C&C) servers, citing the U.S. as the top location, with China in eighth place.
What Are the Most Common Registrars?
GMO Internet Inc. was the registrar of record for 72.54% of the newly registered domains under the three gTLDs. The rest of the domains were distributed across dozens of other registrars; the chart below shows the top 10 registrars for the five-day registration period.
What Percentage of WHOIS Records Have Been Redacted for Privacy?
One of the most glaring outcomes of our analysis of three of the most abused gTLDs is that almost all newly registered domains redacted their WHOIS records. In fact, 100% of the .fit and .work domains and 95% of the .top domains had redacted WHOIS records.
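The per-TLD breakdown described in the sections above (registrations per day, registrant country, top registrars, and WHOIS redaction rate) is easy to reproduce over any newly registered domain feed once the WHOIS fields are normalized. The script below is an added example written for this page, not code from WhoisXML API; the `WhoisRecord` field names and the sample registrations are this example's own constructed assumptions rather than the vendor's schema or real data.

```python
"""Summarize newly registered domains (NRDs) under watched gTLDs by day,
registrant country, registrar and WHOIS redaction, as the post does."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    """Minimal WHOIS view; field names are this example's own, not an API schema."""
    domain: str
    registrant_country: str   # ISO 3166 code, or "REDACTED" when withheld
    registrar: str
    created: str              # registration date, YYYY-MM-DD
    redacted: bool            # True when contact data is privacy-redacted


# The three gTLDs singled out in the post.
WATCHED_TLDS = frozenset({"fit", "top", "work"})

# Constructed sample records (not real registrations); the .com entry is
# present only to show that out-of-scope TLDs are dropped.
SAMPLE_RECORDS = [
    WhoisRecord("a-example.fit", "JP", "GMO Internet Inc.", "2020-10-29", True),
    WhoisRecord("b-example.fit", "JP", "GMO Internet Inc.", "2020-10-30", True),
    WhoisRecord("c-example.fit", "US", "ExampleRegistrar (constructed)", "2020-10-31", True),
    WhoisRecord("d-example.top", "CN", "Alibaba", "2020-10-29", True),
    WhoisRecord("e-example.top", "CN", "Alibaba", "2020-11-01", True),
    WhoisRecord("f-example.top", "US", "ExampleRegistrar (constructed)", "2020-11-02", False),
    WhoisRecord("g-example.top", "US", "Alibaba", "2020-11-02", True),
    WhoisRecord("h-example.work", "JP", "GMO Internet Inc.", "2020-10-30", True),
    WhoisRecord("i-example.work", "JP", "GMO Internet Inc.", "2020-10-31", True),
    WhoisRecord("j-example.com", "US", "ExampleRegistrar (constructed)", "2020-10-31", False),
]


def tld_of(domain: str) -> str:
    """Return the rightmost label, lower-cased, ignoring a trailing dot."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def filter_watched(records, tlds=WATCHED_TLDS):
    """Keep only records whose TLD is in the watched set."""
    return [r for r in records if tld_of(r.domain) in tlds]


def _pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 2) if whole else 0.0


def registrations_per_day(records):
    """Daily registration counts, sorted by date (the post's trend chart)."""
    return dict(sorted(Counter(r.created for r in records).items()))


def country_share(records):
    """Per TLD, percentage of records attributed to each registrant country."""
    per_tld = defaultdict(Counter)
    for r in records:
        per_tld[tld_of(r.domain)][r.registrant_country] += 1
    return {
        tld: {country: _pct(n, sum(counts.values())) for country, n in counts.items()}
        for tld, counts in per_tld.items()
    }


def top_registrars(records, n=10):
    """Top-n registrars as (name, count, percent of all watched records)."""
    counts = Counter(r.registrar for r in records)
    total = len(records)
    return [(name, c, _pct(c, total)) for name, c in counts.most_common(n)]


def redaction_rate(records):
    """Per TLD, percentage of records whose WHOIS contact data is redacted."""
    per_tld = defaultdict(lambda: [0, 0])   # tld -> [redacted, total]
    for r in records:
        bucket = per_tld[tld_of(r.domain)]
        bucket[0] += int(r.redacted)
        bucket[1] += 1
    return {tld: _pct(red, total) for tld, (red, total) in per_tld.items()}


if __name__ == "__main__":
    watched = filter_watched(SAMPLE_RECORDS)
    print("registrations per day:", registrations_per_day(watched))
    print("registrant country share:", country_share(watched))
    print("top registrars:", top_registrars(watched))
    print("WHOIS redaction rate:", redaction_rate(watched))
```

Feeding real NRD output into `SAMPLE_RECORDS` only requires mapping the feed's fields onto `WhoisRecord`; the redaction rate is worth tracking on its own, since a TLD where nearly every new registration is redacted leaves country and registrar as the only attribution signals left in WHOIS.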
Using a newly registered domain database and WHOIS data to analyze the domains under the most abused gTLDs helped us understand the origin of thousands of potentially suspicious domains. We learned that most of the domains’ registrants were from Japan, China, and the U.S. We also found that GMO and Alibaba were the most commonly used registrars.
These findings may change as the domain registration trend shifts, so continuous monitoring of the different types of newly registered domains can play a big part in maintaining a strong security posture.