Channel: Symantec Connect - Blog Entries

Shady TLD Research: .GDN and Our 2016 Wrap-up


[For those keeping score, this is the 19th in our series on Shady Top Level Domains. Links to the previous posts in the series are found at the bottom of the page.]

Before diving into a look at interesting traffic in another Shady TLD, let's wrap up 2016 with the Top 20 list of the shadiest TLDs in the fourth quarter. As usual, there were several position changes from the previous quarter...

Rank      TLD          Percentage of shady sites *
1         .country     99.96%
2         .stream      99.58%
3         .gdn         99.50%
4         .mom         99.41%
5         .xin         99.34%
6 (tie)   .kim         99.26%
6 (tie)   .men         99.26%
8         .loan        99.18%
9         .download    99.15%
10        .racing      99.08%
11        .online      98.96%
12        .science     98.73%
13        .ren         98.43%
14        .gb (new)    98.35%
15        .win         98.32%
16        .top         98.22%
17        .review      98.05%
18        .vip         97.92%
19        .party       97.91%
20        .tech        97.60%

* As of late December, 2016. Shady Percentage is a simple calculation: the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research.
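To make the definition above concrete, here is an added example (not code from the original post or from WebPulse) that computes the Shady Percentage per TLD from a list of categorized hostnames, counting an entry as shady if any of its categories is in the shady set, and optionally dropping TLDs that rest on too few entries. The category names and the sample entries are constructed for illustration.

```python
from collections import Counter

# Categories the research counts as "shady" (taken from the post's definition).
SHADY_CATEGORIES = {
    "Suspicious", "Spam", "Scam", "Phishing", "Botnet", "Malware",
    "Potentially Unwanted Software",
}

def tld_of(hostname):
    """Return the top-level domain of a host or subdomain, lower-cased, no dot."""
    return hostname.strip().rstrip(".").rsplit(".", 1)[-1].lower()

def shady_percentage_by_tld(entries):
    """entries: iterable of (hostname, set_of_categories).
    Returns {tld: (shady_count, total_count, percentage)} using the post's
    definition: entries rated shady that end in the TLD, divided by all
    entries ending in the TLD. An entry with 'Suspicious + other category'
    is counted as shady exactly once."""
    total, shady = Counter(), Counter()
    for host, cats in entries:
        tld = tld_of(host)
        total[tld] += 1
        if SHADY_CATEGORIES & set(cats):
            shady[tld] += 1
    return {t: (shady[t], total[t], round(100.0 * shady[t] / total[t], 2))
            for t in total}

def ranked(results, min_entries=1):
    """Rank TLDs by shady percentage, highest first. min_entries drops TLDs
    whose percentage is based on very few database entries (a caveat the
    post raises about comparing positions in the list)."""
    rows = [(t, *v) for t, v in results.items() if v[1] >= min_entries]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

# Constructed sample database entries, not real WebPulse data.
SAMPLE_ENTRIES = [
    ("read-this-message-8b0.gdn", {"Suspicious"}),
    ("install-app-f0000.gdn", {"Suspicious", "Piracy Concern"}),
    ("shop.example.gdn", {"Society and Daily Life"}),
    ("free-movies.stream", {"Piracy Concern"}),
    ("login-update.stream", {"Phishing"}),
    ("news.example.com", {"News/Media"}),
]

if __name__ == "__main__":
    for tld, s, n, pct in ranked(shady_percentage_by_tld(SAMPLE_ENTRIES)):
        print(f".{tld:<8} {s}/{n}  {pct:.2f}%")
```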

Caveats

As always, we caution against reading too much into the relative positions of TLDs on this list. Rankings are very fluid from quarter to quarter.

Also, we are not advocating setting up policy to block all domains on all of these TLDs. Any such recommendation would come only after more research into a TLD. In particular, .xin is rather popular in China, as is .kim in South Korea, and it would not be wise to automatically block such domains if you do any business there. Also, several TLDs have percentages based on much lower numbers of domains than some of the other TLDs in the list.

In general, it's better to leave shady domain blocking up to the professionals...

.GooD for Nothing?

.GDN entered the Top Ten in our 2016 Q3 list. We'd been noticing it in traffic before then, but we started keeping a closer eye on it, and I marked it down as a good candidate for a future Deep Dive -- and here we are!

For the Deep Dive, I pulled a recent week of WebPulse traffic, and selected the 100 domains with the most traffic. Here is the breakdown of the categorization of these sites:

Main Category                              Count
Suspicious (incl. Susp + other cat)        90
Spam                                        2
Piracy Concern (always + another cat)       2
Porn                                        2
Society and Daily Life                      4

So that's 92% shady, or 96% if we include the Piracy and Porn sites.

The vast majority of sites in the Suspicious bucket were part of a big scareware campaign, targeting smartphones. There were two main patterns of naming the domains:

  • read-this-message-[junk].gdn
  • install-app-[junk].gdn

The [junk] part is a pseudo-random string of numbers and letters. The pattern from the beginning of the week always used three characters, mostly with a zero as the third one (8b0, ue0, bb0, etc.). By the end of the week, the patterns tended to be five characters, usually ending in three or four zeroes (f0000, 91000, 30000, e0000, etc.).
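The two naming patterns above are easy to turn into a detection rule for proxy or DNS logs. The following is an added example, not code from the original post: it matches the observed prefixes with a 3- or 5-character [junk] token in .gdn, reports the trailing-zero count so the two variants can be told apart, and keeps the referer so the upstream ad-network source can be reviewed. The log format and all sample lines are constructed for illustration.

```python
import re

# Prefixes and token lengths observed in the post. A trailing run of zeroes
# was typical but not universal, so it is reported rather than required.
SCAREWARE_HOST_RE = re.compile(
    r"^(?P<prefix>read-this-message|install-app)-"
    r"(?P<junk>[a-z0-9]{3}|[a-z0-9]{5})\.gdn$",
    re.IGNORECASE,
)

def classify_host(hostname):
    """Return a dict describing the match, or None if the host does not fit."""
    m = SCAREWARE_HOST_RE.match(hostname.strip().rstrip(".").lower())
    if not m:
        return None
    junk = m.group("junk")
    return {
        "host": m.group(0),
        "prefix": m.group("prefix"),
        "junk_len": len(junk),
        "trailing_zeroes": len(junk) - len(junk.rstrip("0")),
    }

def scan_proxy_log(lines):
    """Scan constructed log lines of the form 'client_ip host referer' and
    return one hit per matching host, with the referer attached."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        info = classify_host(parts[1])
        if info:
            info["referer"] = parts[2] if len(parts) > 2 else "-"
            hits.append(info)
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 read-this-message-8b0.gdn ads.example-network.test",
    "10.0.0.6 install-app-f0000.gdn ads.example-network.test",
    "10.0.0.7 read-this-message-91000.gdn -",
    "10.0.0.8 read-this-message.gdn -",             # no junk token: no hit
    "10.0.0.9 read-this-message-8b0.example.com -",  # wrong TLD: no hit
    "10.0.0.10 www.example.com -",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```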

Victims of the campaign will see pages that look like these on their phones. (The first variant is the most common one I saw.)

[Image: read-this-message-scareware.png]

(Abusing the Google logo and robot makes sense when targeting Android users, as above, but not so much when targeting Apple users, as below. They didn't bother to change the look-and-feel much...)

[Image: read-this-message-scareware-apple.png]

There was also a less-common variant:

[Image: read-this-message-scareware2.png]

Needless to say, you shouldn't click the button... But what happens if you do? For me, clicking the button either led into a WebAd network that we had already flagged as Suspicious, or dead-ended on a page saying "Currently, the requested game is not available in your region." So I didn't bother to explore much further downstream.

In looking at the upstream traffic, it looks like a malvertising attack, as most of the traffic appears to be arriving at these sites from ad networks. It also appears to be somewhat more prevalent in Asia, although we've been seeing it world-wide.

All in all, it's an interesting campaign, combining elements of other scareware/ransomware attacks, but with a little twist: wanting you to download and run their app for 7 days.

In other words, in this attack, the "ransom" is the "ware".

Versions of this attack have been around for some time -- if you've been hit by this, try searching for "battery damaged by virus" to find articles discussing how to remove the scareware from your device -- but I haven't seen anything detailing its current usage of .gdn domains to host the scareware pages.

Given the prevalence of these attacks (not to mention various SEO-type sites, and a general lack of sites with useful content), we are recommending that people who care about security consider blocking all .gdn traffic.

--C.L.

@bc_malware_guy

P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series:

  • .country
  • .kim
  • .science
  • .gq
  • .work
  • .ninja
  • .xyz
  • .date
  • .faith
  • .zip
  • .racing
  • .cricket
  • .win
  • .space
  • .accountant
  • .top
  • .stream
  • .christmas
