The shadiest characters in the world of top-level domains

Research shows that a number of top-level domains are almost exclusively used for malicious purposes.


A number of top-level domains are used almost entirely to support botnets, spam campaigns and phishing, researchers have revealed.

On Wednesday, a team from enterprise security firm Blue Coat unveiled the result of months of research into today's top-level domains (TLDs). Domains are no longer limited to .com, .org and country-code suffixes; instead, website operators can choose from a wide selection including .link, .edu, .mil, .review and .work, among others.

However, the use of many TLDs is far from legitimate; instead, the researchers say over 95 percent of websites in ten different TLD "neighborhoods" are considered suspicious -- and in two of them, .zip and .review, every link analyzed was related to malicious use.

Blue Coat analyzed hundreds of millions of Web requests from over 15,000 businesses and 75 million users to test the legitimacy of ten different TLDs. Within the report, the Blue Coat security team says a domain was considered "suspicious" if it contained spam, scams, malware, a botnet link or potentially unwanted software (PUS), or was related to phishing campaigns.

If a domain was clean, the domain was awarded the accolade of being "non-shady."

According to the team, the dodgiest top-level domains harboring suspicious activity as of August 15, 2015 are below:


"Due to the explosion of TLDs in recent years, we have seen a staggering number of almost entirely shady Web neighborhoods crop up at an alarming rate," said Dr. Hugh Thompson, CTO for Blue Coat Systems.

"The increase in Shady TLDs as revealed by Blue Coat's analysis is in turn providing increased opportunity for the bad guys to partake in malicious activity. In order to build a better security posture, knowledge about which sites are the most suspicious, and how to avoid them, is essential for consumers and businesses alike."

In order to safeguard themselves against unwanted, suspicious traffic, Blue Coat recommends that enterprises consider blocking traffic which leads to the riskiest top-level domains, and that users take caution before clicking on links based on these TLDs if received over email or social networks.
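A screening function in the spirit of that recommendation, written here as an added example rather than code from Blue Coat or the report: it extracts the hostname's last DNS label and compares it with a blocklist, and keeps the naive string-suffix check alongside to show how that shortcut misclassifies URLs whose path or query merely contains a risky TLD. The blocklist is a constructed placeholder holding only the two TLDs the article names.

```python
"""TLD-based URL screening (added example, not Blue Coat's code).
The blocklist is a constructed placeholder: .zip and .review are the two TLDs
the article names; the rest would come from the report itself."""
from typing import Optional
from urllib.parse import urlsplit
import ipaddress

# Constructed placeholder blocklist; only these two TLDs appear in the article.
RISKY_TLDS = frozenset({"zip", "review"})


def hostname_of(url: str) -> Optional[str]:
    """Lowercase hostname of a URL, or None if it has none.
    urlsplit strips userinfo (user:pw@), ports and brackets for us."""
    if "://" not in url:            # schemeless input such as "evil.zip/x"
        url = "http://" + url
    host = urlsplit(url).hostname   # already lowercased
    return host.rstrip(".") if host else None   # "example.zip." -> "example.zip"


def tld_of(url: str) -> Optional[str]:
    """Last DNS label of the hostname; None for IP literals or missing hosts."""
    host = hostname_of(url)
    if not host:
        return None
    try:
        ipaddress.ip_address(host)  # 10.0.0.1 or ::1 carry no TLD to classify
        return None
    except ValueError:
        pass
    return host.rsplit(".", 1)[-1]


def is_risky(url: str, risky=RISKY_TLDS) -> bool:
    """True when the URL's actual TLD is on the blocklist."""
    tld = tld_of(url)
    return tld is not None and tld in risky


def naive_is_risky(url: str, risky=RISKY_TLDS) -> bool:
    """The string-suffix shortcut a quick filter might use. Kept only to show
    that it misses hosts like evil.zip/report.com and flags archive.zip paths."""
    return any(url.lower().endswith("." + t) for t in risky)
```

In a proxy or mail gateway the hostname-based check is the one to wire in; the naive variant both lets risky hosts through and blocks ordinary downloads.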
