July 24th, 2024

Phish-friendly domain registry ".top" put on notice

ICANN warned Jiangsu Bangning Science & Technology to improve phishing management for the ".top" domain by mid-August 2024, following its high usage in phishing attacks and inadequate responses.


The Internet Corporation for Assigned Names and Numbers (ICANN) has issued a warning to the Chinese company Jiangsu Bangning Science & Technology Co. Ltd., which operates the ".top" domain registry. The company has until mid-August 2024 to implement effective systems for managing phishing reports and suspending abusive domains, or it risks losing its license to sell domains. This action follows findings that ".top" was the second most common domain suffix used in phishing attacks over the past year, with over 117,000 phishing sites identified among its approximately 2.76 million registered domains. ICANN's letter criticized the registry for its inadequate response to phishing reports and lack of a proper investigation process for DNS abuse. The report from Interisle Consulting Group highlighted a significant increase in phishing sites, particularly those hosted on decentralized networks like the InterPlanetary File System (IPFS). The study noted that bulk registrations of domains for phishing purposes are prevalent, with some registrants acquiring thousands of domains in a short time. ICANN's enforcement actions have decreased in recent years, and many warnings have been linked to registrars failing to pay membership fees. Experts suggest that registrars could reduce phishing registrations by monitoring bulk domain registrations more closely. ICANN's ongoing investigations aim to ensure compliance among registries and registrars, although the organization has faced criticism for its enforcement effectiveness.
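The summary ends with the suggestion that registrars could catch phishing registrations by watching for bulk sign-ups. The following is an added illustration, not code from ICANN, Interisle or the article: a sliding-window check that flags any registrant who creates at least `threshold` domains within `window`. The registrant ids, domain names and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (registrant id, domain, UTC timestamp); not real data.
# reg-A shows the burst pattern the report describes; reg-B and reg-C are ordinary.
SAMPLE_REGISTRATIONS = [
    ("reg-A", "delivery-notice-01.top", "2024-07-01T10:00:00"),
    ("reg-A", "delivery-notice-02.top", "2024-07-01T10:01:00"),
    ("reg-A", "delivery-notice-03.top", "2024-07-01T10:02:00"),
    ("reg-A", "delivery-notice-04.top", "2024-07-01T10:03:00"),
    ("reg-A", "delivery-notice-05.top", "2024-07-01T10:05:00"),
    ("reg-A", "delivery-notice-06.top", "2024-07-01T10:09:00"),
    ("reg-B", "my-homelab.top", "2024-07-01T09:00:00"),
    ("reg-B", "my-blog.top", "2024-07-03T12:00:00"),
    ("reg-B", "my-photos.top", "2024-07-08T15:30:00"),
    ("reg-C", "example-shop.top", "2024-07-02T08:00:00"),
]


def parse_records(records):
    """Group (registrant, domain, iso_timestamp) tuples by registrant, sorted by time."""
    by_registrant = defaultdict(list)
    for registrant, domain, ts in records:
        by_registrant[registrant].append((datetime.fromisoformat(ts), domain))
    for events in by_registrant.values():
        events.sort()
    return by_registrant


def find_bulk_registrants(records, threshold=5, window=timedelta(hours=1)):
    """Return {registrant: (peak_count, domains_in_peak_window)} for every
    registrant whose busiest sliding window of length `window` holds at
    least `threshold` new domains. The window slides over sorted events,
    so each registrant is processed in linear time."""
    flagged = {}
    for registrant, events in parse_records(records).items():
        start = 0
        best = (0, [])
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, [d for _, d in events[start:end + 1]])
        if best[0] >= threshold:
            flagged[registrant] = best
    return flagged
```

A registry would run this over its own registration feed; the output is a review queue, not an automatic suspension, since a legitimate brand-protection purchase can look the same.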

AI: What people are saying
The discussion surrounding ICANN's warning to Jiangsu Bangning Science & Technology about the ".top" domain reveals several key concerns and themes.
  • Many users report receiving phishing emails and spam from ".top" domains, indicating widespread abuse.
  • Commenters express skepticism about the effectiveness of ICANN's actions, suggesting that phishers will continue to exploit cheap domains regardless of warnings.
  • There is a general consensus that the low cost of ".top" domains contributes to their popularity among phishers.
  • Some users advocate for stricter regulations on TLDs to prevent abuse, while others argue against the responsibility of registries to police content.
  • Several commenters share personal experiences with phishing attempts linked to ".top" and other low-quality TLDs, highlighting the ongoing issue of online security.
25 comments
By @w-m - 7 months
I have a story on using weird/fishy/phishy TLDs: Recently my colleagues and I started collecting information on all the available compression methods for 3D Gaussian Splatting (3DGS, a popular method for 3D scene representation). There were quite a few works in the area with naming conflicts already, so I thought to give it a unique short name to refer to, and came up with “3dgs.zip”.

A few days later we started putting together a web page, and I noticed that .zip actually is available as a TLD. Impulsively I bought the domain, https://3dgs.zip/, launched it and printed it on a few shirts before heading off to a conference. Felt a bit weird that there is a .zip TLD, but I was in a rush and I didn’t ponder its existence any further.

But strange things started happening: setting up the domain for a GitHub page worked, but in the process it downloaded a 0-byte file called “3dgs.zip” when submitting content on one of the GitHub.com forms. And a few days later colleagues told me they had trouble accessing the site. After some DNS sleuthing and then some back-and-forth with our IT dept, it turned out that our organization has blocked the whole TLD, for every Windows user, out of phishing concerns of people being confused.

I’m no security person, so the reasoning felt a bit weird to me, as I guess the .zip TLD can’t hurt anybody; downloading a .zip might, which you can attach to any link name? But in any case I wasn’t able to find any .zip URL with a purpose, but lots of Reddit posts of angry sysadmins who bemoaned the influx of terrible TLDs with mostly phishing use and vowed to block them all. So they probably have a point in downright blocking the whole TLD.

Now I’m sitting here with my .zip URL. Had to revert the page to use github.io, so people in my organization (and similarly thinking ones) would be able to access it. Guess I’m cured for a while, won’t be using any novelty TLDs anytime soon…

By @nulld3v - 7 months
A big reason why .top is used so much is because it is so cheap. Phishers can rotate through many more domains using .top compared to other domains.

IMO this isn't a particularly big problem, it's cool to let people buy cheap domains. It also doesn't really save the phishers that much money. You aren't going to solve the problem by making domains more expensive, it might impact phishers' margins but they will continue phishing.

By @nevi-me - 7 months
This is encouraging. We have a big tender (procurement) scam in our country, and I receive at least 10 different emails daily about fake procurement requests (the central gov database was either leaked, or the criminals are working in tandem with its administrators).

At times I have reported the impersonating domains, and I'd say that registrars have acted on under 5% of my complaints (within reasonable time). If they use a local domain name, it's easier to complain directly with our country's registry administrator.

My problem is often with registrars that are in random countries. It's encouraging that some action is being taken, and I think in future I should also lay complaints with ICANN.

By @bluejekyll - 7 months
This really makes me wonder about the value of TLDs in general. Let’s say that “gmail” is a well known enough name that “gmail.com”, “gmail.org”, …, “gmail.top” should be reserved by default. If that’s the case, then the value of separate TLDs becomes interesting because two companies “abc.com” and “abc.top” would now have competing concerns. It seems like only small companies would then be open to phishing, and large ones would possibly be able to use trademark law across all TLDs. In fact large companies tend to try and reserve their name in all major TLDs.

I’m not really arguing for or against greater or fewer TLDs, but it does seem like an awkward situation.

By @TheCleric - 7 months
Based on the title I thought this was about the band and was very confused.
By @donatj - 7 months
Since when has it been the responsibility of the registry to police the content of its domains?

This feels like a slippery slope from phishing to piracy to censoring unpopular political beliefs.

By @glitcher - 7 months
Strange coincidence, moments ago I just received a phishing SMS about some bogus package that couldn't be delivered attempting to get me to visit a link on a ".top" address!
By @ffhhj - 7 months
Strange that .co doesn't even show up in the list. I have a 3-letter .co similar to another .com domain and constantly receive customer IDs and internal communications.
By @iancmceachern - 7 months
Bummer, I was hoping this had something to do with the band
By @Seattle3503 - 7 months
Is there more info on the phishing websites hosted on IPFS? I'm curious how content is forwarded to unaugmented browsers.
By @denysvitali - 7 months
To be fair, it might be beneficial if they don't block them - I have never seen a legitimate use of the .top domain, so if that helps us get rid of the spam (by blocking the whole TLD on our systems) it's probably a win-win situation (?)
By @bmo-at - 7 months
Literally just received some .top spam last night, nothing new there, but curiously it was addressed to the mailing list for all students in my department. Very sparse content too: just a t.co link shortener address, which resolved to a .top domain (interestingly with an invalid HTTPS cert instead of just going with HTTP). It was sent from an obviously compromised Gmail address. Fellow students in other mailing lists got other shorteners with other domains, all resolving to the same Russian IP address. That's as far as I investigated.
By @kurthr - 7 months
Mother-in-Law just got a smishing text yesterday for a USPS scam.

Luckily, she couldn't remember her username/password (she doesn't have one there) so she didn't enter anything, but I got a call.

The link was on .top

By @reaperducer - 7 months
While I don't disagree with warning .top, I notice in the report that .lol and .bond have higher "Phishing Domain Scores" than .top. Hopefully they got a nastygram, too.
By @tomjen3 - 7 months
I am using a .top domain for my homelab (because it was cheap). How will existing domains be handled, assuming ICANN shuts down the registrar?
By @diego_sandoval - 7 months
An organization like ICANN should not be concerned with the specific uses people are giving to their domain names.

Their mission should be to create a system that makes it convenient for actors to identify each other across the Internet, so that they can communicate arbitrary data. ICANN should be agnostic to the contents of the communications.

By @autoexec - 7 months
Now do the same for .io .site and .cc

I've seen tons of phishing from those domains. Even the ones who eventually take down sites that I report don't look for other sites/domains from the same scammers or that have the same content, and they don't do anything to stop the same person from getting another domain and then putting the exact same content on it.

It shouldn't be hard for a company to identify most of these scammers. They are not subtle. Very basic automated checks to see what content is being served from new domains, based on previously discovered phishing sites, could catch a lot of it. Companies just aren't required by law to care, so they don't.

Even big companies are terrible when it comes to phishing. I found out recently that for some google sites you can't even report the phishing site to Google without first signing into a google account. Why someone should have to hand over their personal info to Google in order to report a phishing site is beyond me. It's bad enough that Google refuses to respect RFC 2142 and accept reports at an abuse@ address. Internet standards exist to prevent exactly this kind of bullshit.

By @Jerry2 - 7 months
They need to do the exact same thing with the .xyz TLD. It's gotten so bad that I had to block .xyz on our router.
By @bell-cot - 7 months
Daydream: Browsers and email programs are shipped with "Default Allow" lists, which include only the older & higher-quality TLDs. While users can add whatever TLDs they want to the lists, that default behavior destroys 99% of the value of new & crap-infested TLDs.
By @kgbcia - 7 months
I registered a .top domain for ten years, total cost $28.
By @singpolyma3 - 7 months
> The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

And this is why this is bullshit. Imagine them threatening to end .com over this. No? Then why bully others.

By @jusepal - 7 months
How these shady registries handle abuse is why I never use their dirt-cheap TLDs for email. Most corporate firewalls either outright reject them or blackhole them into oblivion. Best case scenario is auto-routing to the spam folder.

Might be usable as a cheap domain for a hobby site or as a personal dynamic DNS domain, but for email, nope.

I'd cough up $10 for .com, .net, .org, or the recently popular ones like .me and .io for best email deliverability instead of saving $5 and wondering whether my outgoing mail would arrive or not.