By Josh Bourne
Nearly 50 of the new generic Top-Level Domains (gTLDs) launched through ICANN’s New gTLD Program directly relate to the banking industry.
While certain financial services new gTLDs such as .BANK and .INSURANCE have been established by their operators as trusted safe havens, with significant vetting and barriers to entry, most financial services gTLDs, such as .LOAN and .FUND, launched with no such barriers and minimal registration qualifications. As a result, many, including ICANN’s Governmental Advisory Committee (GAC)[1], have expressed concern that unrestricted financial services new gTLDs pose a significant risk of confusion and abuse.
Now that several years have passed since the first new gTLD launches, FairWinds investigated whether these concerns are well founded by examining the ownership and use of exact-match brand domains in financial services new gTLDs. The goal was to determine whether bad actors are registering and using domains such as Citibank.Loans or CapitalOne.Cash to prey on unsuspecting customers.
Methodology
FairWinds used the publicly available S&P Global Market Intelligence list[2] of the world’s 100 largest banks to create a dataset of banks and corresponding domains to test. In most cases FairWinds used the exact root (“bnymellon” for bnymellon.com) that the bank uses for its primary website. For banks whose primary website is a 2-character domain, FairWinds used the bank’s full name (“deutschebank” instead of “db”).
In selecting which new gTLDs to test, FairWinds chose the 6 unrestricted financial services new gTLDs with the largest number of registrations; 100 bank names across 6 gTLDs give the 600-domain dataset analyzed below. As of September 22, 2017, the top 6 in order of total domains registered were:
- .LOAN (2,171,965 domains)
- .TRADE (145,598 domains)
- .FUND (11,396 domains)
- .CASH (10,470 domains)
- .FINANCE (6,203 domains)
- .FINANCIAL (3,923 domains)
Four of the registries (.TRADE, .FUND, .CASH, and .FINANCE) are operated by Donuts and therefore the domains could have been blocked via Donuts’ Domains Protected Marks List (DPML), and 2 of the registries (.LOAN and .FINANCIAL) are operated by Famous Four Media.
Our Findings
Across the dataset of 600 domains:
- 21.7% (130) are registered,
- 14.3% (86) are blocked from registration by the DPML, and
- 64% (384) are available.
Of the 130 registered domains (percentages are again shares of the full 600):
- the bank brand owners hold 66 (11%),
- other IP owners sharing the same name hold 7 (1.2%), and
- unrelated third parties hold 57 (9.5%).
FairWinds reviewed the web content associated with the 130 registered domains and found websites that fell into 9 categories:
Only one domain resolved to official content (RTOC), BoC.Fund.
While there were some suspicious results such as the password protected website found on Sberbank.Fund (image below), no malicious content was found in this dataset.
This finding was unexpected. Both the GAC and the banking community (which has registered or blocked 159 of the 600 domain names in this dataset) expected heightened domain abuse where “implied trust…carry higher levels of risk associated with consumer harm.”[3]
How Did Banks Fare Among the Most Popular TLDs?
To test the hypothesis that these same banks face an entirely different challenge in the most popular new gTLDs (popular strictly by volume of second-level registrations), FairWinds checked the exact same list of bank names in the 6 new gTLDs with the most domains registered as of September 22, 2017:
- .TOP (3,141,279 domains)
- .XYZ (2,431,795 domains)
- .CLUB (1,119,390 domains)
- .WIN (1,045,895 domains)
- .VIP (760,829 domains)
- .ONLINE (767,555 domains)
These 6 new gTLDs are owned by TOP Registry, XYZ.com, .CLUB Domains, Famous Four Media, Minds + Machines, and Radix.
In this dataset:
- 37% (221) are available, and
- 63% (379) are registered.
Of the 379 registered domains, just 8.7% (33) are registered by the expected bank or a similarly named trademark owner, and an astounding 91.3% (346) are owned by unrelated third-party registrants.
FairWinds also analyzed the web content and organized the data into 16 categories:
Just 5 domains resolved to official content (RTOC). While the majority of squatted domains did not resolve to content, FairWinds found 8 domains enrolled in the Fast Flux DNS parking platform, which is frequently used to distribute malware, phish for personal information, demand ransoms, and present affiliate shopping sites or pay-per-click schemes.
In summary, banks face 6 times more infringement in the popular generic new gTLDs (346 third-party registrations) than in the unrestricted financial services new gTLDs (57).
What Does Fast Flux DNS Look Like?
Fast Flux DNS parking presents a range of results, including pay-per-click; however, it often leads with a snare for first-time visitors. In this instance, BNYMellon.Top presents a false alarm claiming that a virus has been detected on the visitor’s computer or device. Following the on-page instructions to “resolve” the situation exposes the visitor to possible identity theft and demands for payment:
At other times, the BNYMellon.Top domain leads to a website asking the visitor to install the latest version of Flash Player:
FairWinds has observed a major swing over the past 12 months from pay-per-click parking to this Fast Flux DNS parking, with fake Adobe Flash updates as the most typical malicious lure.
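The article recognizes Fast Flux DNS parking by what the landing page shows. At the DNS layer, the signature a defender usually scores is different: short TTLs, many distinct A records, and answer sets that keep changing between lookups, spread across unrelated networks. The following is an added example, not FairWinds’ code or any tool the article used; it scores a time series of lookups with that heuristic and, as the caveat a practitioner needs, shows that a CDN-fronted site with an even lower TTL is not flagged, because churn and network diversity do the discriminating. The observations, address ranges and thresholds are all constructed assumptions for the example.

```python
"""Heuristic fast-flux scoring from repeated DNS lookups of one domain.

Added example (not FairWinds' code). All observations below are constructed
from documentation address ranges, not real lookups of any .TOP domain, and
the thresholds are assumed values to be tuned against known-good domains.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Observation:
    """One A-record answer set for the monitored domain at one point in time."""
    t: int                 # seconds since monitoring started
    ttl: int               # TTL of the A records, in seconds
    ips: Tuple[str, ...]   # IPv4 addresses returned


@dataclass(frozen=True)
class FluxScore:
    distinct_ips: int      # unique addresses seen over the whole window
    distinct_nets: int     # unique /16 prefixes (cheap proxy for "different network")
    mean_ttl: float
    churn: float           # fraction of consecutive lookups whose answer set changed
    is_flux: bool


def slash16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 prefix. A production scorer would map
    each address to an ASN instead; the prefix keeps this example offline."""
    octets = str(IPv4Address(ip)).split(".")   # IPv4Address raises on bad input
    return f"{octets[0]}.{octets[1]}.0.0/16"


def score(observations: Iterable[Observation], *, min_ips: int = 5,
          min_nets: int = 3, max_ttl: int = 300, min_churn: float = 0.5) -> FluxScore:
    """Score a time series of lookups. A low TTL alone never triggers the flag;
    it must coincide with many addresses, several networks and frequent change."""
    obs = sorted(observations, key=lambda o: o.t)
    if not obs:
        raise ValueError("need at least one observation")
    ips, nets = set(), set()
    for o in obs:
        ips.update(o.ips)
        nets.update(slash16(ip) for ip in o.ips)
    changes = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
    churn = changes / (len(obs) - 1) if len(obs) > 1 else 0.0
    mean_ttl = sum(o.ttl for o in obs) / len(obs)
    is_flux = (len(ips) >= min_ips and len(nets) >= min_nets
               and mean_ttl <= max_ttl and churn >= min_churn)
    return FluxScore(len(ips), len(nets), mean_ttl, churn, is_flux)


# Constructed sample: a parked domain rotating through addresses in three
# unrelated networks every five minutes with a 60-second TTL.
FLUX_SAMPLE = (
    Observation(0,   60, ("203.0.113.10", "198.51.100.7", "192.0.2.33")),
    Observation(300, 60, ("203.0.113.11", "198.51.100.8", "192.0.2.34")),
    Observation(600, 60, ("203.0.113.12", "198.51.100.9", "192.0.2.35")),
    Observation(900, 60, ("203.0.113.10", "198.51.100.20", "192.0.2.36")),
)

# Constructed sample: a CDN-fronted site. The TTL is even lower, but the answer
# set never changes, so the scorer must not flag it.
CDN_SAMPLE = (
    Observation(0,   20, ("192.0.2.1", "198.51.100.1")),
    Observation(300, 20, ("192.0.2.1", "198.51.100.1")),
    Observation(600, 20, ("192.0.2.1", "198.51.100.1")),
    Observation(900, 20, ("192.0.2.1", "198.51.100.1")),
)


if __name__ == "__main__":
    for name, sample in (("rotating parked domain", FLUX_SAMPLE),
                         ("CDN-fronted site", CDN_SAMPLE)):
        print(name, score(sample))
```

Run against real data, the observations would come from scheduled lookups of a suspect domain over an hour or more; a single lookup cannot show churn, which is why the scorer works on a series rather than one answer.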
Earlier in 2017, PhishLabs reported that “The most common new gTLDs used to host phishing content last year were .TOP, .XYZ, .ONLINE, .CLUB, .WEBSITE, .LINK, .SPACE, .SITE, .WIN, and .SUPPORT.”[4] Five of the 6 new gTLDs FairWinds examined in the Top 100 Bank names study (.TOP, .XYZ, .CLUB, .WIN and .ONLINE) are among the TLDs PhishLabs linked most often to phishing.
Conclusion
Many brand owners that are active in securing defensive registrations are choosing to register their brands in category new gTLDs that represent their industry (.TECH), business (.CAREER) and where they operate (.PARIS). However, the Top 100 Bank names new gTLD research suggests that some of the most important places to protect brands are where the squatters are most active and not just in gTLDs that are directly linked to the brand.
Knowing where bad actors are most active, and owning your brands in those new gTLDs, is probably more important than registering in the new gTLDs that would seem most likely to be infringed (.FINANCE for a financial services company, .TECH for a technology company). Brand owners are not currently doing this to the degree that they should.
FairWinds recommends recapturing damaging, infringing domains in the most popular new gTLDs and registering available names ahead of bad actors in the busiest corners of the new gTLD world.
[1] https://gacweb.icann.org/display/GACADV/2013-04-11-Safeguards-Categories-1
[2] http://www.snl.com/web/client?auth=inherit#news/article?id=40223698&cdid=A-40223698-11568
[3] https://gacweb.icann.org/display/GACADV/2013-04-11-Safeguards-Categories-1
[4] https://pages.phishlabs.com/rs/130-BFB-942/images/2017%20PhishLabs%20Phishing%20and%20Threat%20Intelligence%20Report.pdf