95% of websites in 10 new TLDs are suspicious

Much has changed since the early days of the Internet, when the Web had only six common top-level domains (TLDs). Back then, most consumers and businesses encountered only a small number of standard TLDs. Since 2013, however, the number of new TLDs has skyrocketed.

There has been an explosion of new neighborhoods on the Web, many of which may be considered neither safe nor friendly for web security purposes. By June 2015, the count of validly issued TLDs stood at over one thousand. As the number of TLDs has increased, so have the opportunities for attackers. TLDs with high numbers of shady sites, dubbed Shady TLDs, can provide fertile ground for malicious activity including spam, phishing, and distribution of Potentially Unwanted Software (PUS).

Blue Coat analyzed hundreds of millions of Web requests from more than 15,000 businesses and 75 million users and revealed new research that shows the TLDs, or “neighborhoods,” most associated with suspicious websites. More than 95 percent of websites in 10 different TLDs are rated as suspicious, with that percentage increasing to 100 percent for the top two highest ranking TLDs, .zip and .review.

The web’s top 10 TLDs with shady sites:

  • .zip – 100.00%
  • .review – 100.00%
  • .country – 99.97%
  • .kim – 99.74%
  • .cricket – 99.57%
  • .science – 99.35%
  • .work – 98.20%
  • .party – 98.07%
  • .gq – 97.68%
  • .link – 96.98%

“Due to the explosion of TLDs in recent years, we have seen a staggering number of almost entirely shady Web neighborhoods crop up at an alarming rate,” said Dr. Hugh Thompson, CTO for Blue Coat Systems. “The increase in Shady TLDs is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike.”


As organizations and consumers look to safeguard themselves against these shady TLDs, they can draw key lessons from the report to inform and strengthen their security posture, including:

  • Businesses should consider blocking traffic that leads to the riskiest TLDs. For example, Blue Coat has previously recommended that businesses consider blocking traffic to .work, .gq, .science, .kim and .country.
  • Users should use caution when clicking on any links that contain these TLDs if they encounter them in search results, e-mail, or social network environments.
  • If unsure of the source, hover the mouse over a link to help verify that it leads to the address displayed in the text of the link.
  • “Press and hold” links on a mobile device (not just click) to verify that they lead where they say they do.
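
The TLD-blocking and link-verification advice above can be automated, for example in a mail or proxy filter. The following Python sketch is an added example, not code from Blue Coat or the original article; the function names and sample links are constructed for illustration, and the TLD set is the article's top-10 list.

```python
from urllib.parse import urlsplit

# The ten TLDs listed in the article (leading dots dropped).
SHADY_TLDS = {"zip", "review", "country", "kim", "cricket",
              "science", "work", "party", "gq", "link"}

def host_of(url):
    """Return the lower-cased host a browser would connect to, or None."""
    if "://" not in url:
        url = "//" + url                  # bare "host/path": parse as authority
    try:
        host = urlsplit(url).hostname     # drops userinfo ("user@") and port
    except ValueError:                    # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".").lower() if host else None   # "site.zip." == "site.zip"

def tld_of(host):
    """Last DNS label of the host (the whole string if it has no dot)."""
    return host.rpartition(".")[2]

def check_link(text, href):
    """Findings for one link: visible text versus actual target."""
    target = host_of(href)
    if target is None:
        return ["unparseable-target"]
    findings = []
    if tld_of(target) in SHADY_TLDS:
        findings.append("shady-tld:." + tld_of(target))
    # Compare hosts only when the visible text itself looks like an address.
    if " " not in text and "." in text:
        shown = host_of(text)
        if shown and shown != target:
            findings.append("text-target-mismatch")
    return findings

# Constructed sample links: (visible text, actual href).
SAMPLE_LINKS = [
    ("www.example.com/invoice", "http://invoice-viewer.example.zip/open"),
    ("Quarterly report", "https://docs.example.org/q3.pdf"),
    ("https://portal.example.com", "https://portal.example.com@login.example.gq/"),
    ("news.example.net", "HTTP://News.Example.NET./today"),
]

def scan(links):
    """Return (href, findings) for every link with at least one finding."""
    return [(h, f) for t, h in links if (f := check_link(t, h))]

if __name__ == "__main__":
    for href, findings in scan(SAMPLE_LINKS):
        print(href, findings)
```

The third sample shows why the host must come from a URL parser rather than a substring match: everything before the `@` is userinfo, so the real destination is the `.gq` host.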


