In recent years, cybercriminals have increasingly exploited various top-level domains (TLDs) to conduct phishing campaigns and distribute malware. Notably, the .li domain extension has emerged as a significant vector for such malicious activities.
The Rise of .li Domains in Cyber Attacks
Recent analyses indicate that approximately 57.22% of observed .li domains have been flagged as malicious, positioning it as the highest-risk TLD currently exploited by cybercriminals. These domains often function as sophisticated redirectors, guiding victims through multi-stage attack chains toward malicious landing pages or malware downloads. This redirection technique allows attackers to evade traditional detection mechanisms that primarily focus on final payload hosting.
Budget-Friendly TLDs Facilitate Mass Phishing
Economical TLDs such as .sbs, .cfd, and .icu have become preferred choices for large-scale phishing operations due to their low registration costs. For instance, .sbs domains can be registered for as little as $1.54 for the first year, enabling threat actors to register numerous disposable domains for coordinated attacks. Historical data reveals that .sbs domains had 11,224 phishing registrations, while .cfd domains recorded 5,558 malicious registrations. The .icu TLD has also gained popularity among cybercriminals, with 3,171 phishing domains identified in recent quarters.
Abuse of Legitimate Hosting Platforms
Cybercriminals have also been exploiting legitimate hosting platforms, particularly Cloudflare’s pages.dev and workers.dev services, to create convincing phishing sites. These platforms leverage Cloudflare’s trusted reputation and global infrastructure, making the phishing sites appear legitimate to unsuspecting users. Studies indicate that phishing incidents on Pages.dev increased by 198% between 2023 and 2024, rising from 460 reported cases to 1,370 incidents.
Sophisticated Phishing Kits and Evasion Mechanisms
The Tycoon 2FA phishing kit has been particularly active on these platforms, implementing advanced evasion mechanisms such as browser fingerprinting, CAPTCHA challenges, and command-and-control (C2) domain triangulation using TLDs from the .ru, .es, .su, .com, .net, and .org pool. These attacks often begin with compromised Amazon Simple Email Service accounts and progress through complex redirect chains before presenting victims with credential theft pages.
Exploitation of Government Domains
Cybercriminals are increasingly targeting government websites, particularly those with .gov TLDs, to conduct phishing campaigns and distribute malware. These trusted domains are exploited to host credential phishing pages, serve as C2 servers, or redirect victims to malicious sites. One common method involves exploiting open redirect vulnerabilities, where web applications improperly forward users to external sites based on user-controlled inputs. For example, nearly 60% of abused .gov domains contained the “noSuchEntryRedirect” path, linked to CVE-2024-25608, a vulnerability found in the Liferay digital platform widely used by government agencies.
DNS Tunneling for Covert Communication
Hackers are also employing Domain Name System (DNS) tunneling to monitor phishing email interactions, scan networks for vulnerabilities, and bypass security measures. DNS tunneling involves encoding data within DNS queries, allowing covert communication channels that exploit fundamental network protocols. Campaigns such as TrkCdn track phishing email engagement through encoded DNS queries to attacker-controlled subdomains, while SecShow uses DNS tunneling to map network infrastructures, embedding IP addresses and timestamps in DNS queries to identify exploitable network flaws.
Combosquatting and Typosquatting Techniques
Cybercriminals employ techniques like combosquatting and typosquatting to deceive users. Combosquatting involves registering domains that combine a popular trademark with additional words (e.g., betterfacebook.com), while typosquatting exploits common typing errors in URLs to create deceptive domains. These methods are used to perform a spectrum of abuses, including phishing, social engineering, affiliate abuse, trademark abuse, and advanced persistent threats.
Recommendations for Organizations
To mitigate these threats, organizations should implement comprehensive TLD monitoring strategies and leverage interactive sandbox environments to analyze suspicious domains in real-time. Extracting indicators of compromise (IOCs) from these analyses can enhance detection capabilities and improve response times to emerging threats. Additionally, regular audits of DNS configurations, robust ownership verification processes, and the adoption of advanced security tools are essential to detect and mitigate domain hijacking threats.
Conclusion
The exploitation of various TLDs by cybercriminals underscores the evolving landscape of cyber threats. By understanding the tactics employed by threat actors and implementing proactive security measures, organizations can better protect themselves and their users from these sophisticated attacks.
