McAfee, one of the leading manufacturers of anti-virus and security software, recently released a report titled “Mapping the Mal Web” that analyzes the relative risk of top-level domains (TLDs). The TLD for Cameroon, .CM, ranked at the top of the world’s riskiest TLDs. Alarmingly, .COM took second place on McAfee’s overall list. According to the report, 32.2% of all .COM Web sites contain browser exploits like drive-by downloads of spyware, adware or malicious content; lead to phishing scams; or bombard users with excessive pop-ups. Since .COM is the most popular TLD, 32.2% amounts to a total of 918,873 risky domains.
In addition to overall risk, McAfee ranked TLDs by specific threat. Romania’s TLD, .RO, had the highest portion of malicious downloads, while .INFO was ranked worst for spam, with 17.2% of its sites generating junk email. On the other end of the scale, the governmental TLD .GOV is the safest generic TLD, while Japan’s .JP is the safest ccTLD.
The popularity of .COM makes it an ideal target for bad actors because so many Internet users intuitively type in .COM at the end of domain names. Since .CM is such a common typo of .COM, it is not surprising that it is the top choice among cybercriminals. (We’ve written about threats posed by .CM before.) According to the BBC, Hong Kong’s .HK ccTLD topped last year’s list of riskiest domains, but has since taken measures to become safer. Specifically, the Hong Kong Internet Registration Corporation Ltd, which supervises domain registration for .hk Web sites, said that asking for proof of identity was one tactic that has led to a decline in suspicious applications.
It is no surprise that brand owners have registered countless domain names that they don’t need. Over the past few years, ICANN approved and released TLDs such as .EU, .INFO, and others. Since there was a lack of real data, brand owners did the only thing they could, which was to register names defensively because of the threat of what might happen. When .ASIA was released, we saw the number of registrations from brand owners begin to drop – likely a result of being fed up with profit-driven registrar and registry domain policies.
The problem is that these prior new TLDs have rightly caused brand owners to be suspicious of new launches. After so many sunrise periods that hyped the need for defensive domain name registrations, it is now like the boy who cried wolf: many launches are largely ignored. However, every now and again an important TLD change occurs that does necessitate action by brand owners. One example of that is .CM.
The current landscape of the .CM TLD took shape only recently. When FairWinds published a “Perspectives” on .CM cybersquatting back in 2006, the Cameroonian government was running the .CM registry. At that time, there were only 200 domain names registered to .CM and all other names ending in .CM resolved to a PPC site. NETCOM.cm Sari took over control of the registry in 2009 and opened registration of domains in .CM. Trademark owners were allowed to apply for their corresponding domains during a one-month sunrise period between June 14 and July 15 of 2009. Sunrise periods allow those with valid trademarks to register their domain name for a hefty sum before all domains become available to the general public. As of August 1, 2009, .CM domains can be registered on a first-come, first-served basis regardless of trademark rights.
Because .CM, the ccTLD for Cameroon, is a very common typo of .COM, its recent launch of unrestricted domain names opened up a new front in the war against cybersquatters. As with typosquatting of domain name roots (as in “comcasft.com” for “comcast.com”), this form of typosquatting also involves third parties registering domains containing brand names with the intent of profiting off of users’ typing errors.
In light of this change, we conducted a study to examine the actual response to .CM’s change. We drew on the data used for a forthcoming study on general typosquatting to examine this phenomenon. We began with Quantcast’s list of the most highly trafficked domain names, and from that list, we selected the top 250 that ended in .COM and whose root contained more than six characters. That initial number expanded to 255 in order to include possible hyphenated versions (e.g., wal-mart.com and walmart.com). Along with these 255, we included typo variations that receive high volumes of traffic and then checked to see whether each of these domains had been registered in the .CM extension. A total of 183 had been registered in .CM; 121 domains contained the target root and the remaining 62 were typo variations of those targets.
Out of the 183 domains, an astounding 97 percent are owned by a third party—only 6 domain names are owned by the target company.
Of those owned by the target company, only 4 resolve to the target site, while one displays search results and the last does not resolve. In total, 97 of the domains owned by a third party lead to pay-per-click sites, meaning cybersquatters are directly profiting off 55% of those domains.
Another interesting tidbit was found in four domains that led to sites for competing brands. Staples.cm resolves to OfficeDepot.com, Travelocity.cm resolves to Expedia.com, Walgreens.cm resolves to DrugStore.com and Walmart.cm resolves to eBay.com. None of these four domains are owned by the competitor, but rather by third parties. While cybersquatters are not profiting directly from these sites, they are still causing damage to the brands in question and potentially depriving them of sales.
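The audit described above (build the .CM watch list, then sort each registered name by who owns it and where it leads), applied to a brand owner's own portfolio as an added example; it is not the code used for the study. All domain names, registrant strings and lookup records are constructed, and a real audit would fill the records from WHOIS and HTTP checks. It covers exact and hyphen-free roots only, not the high-traffic typo variants the study also included.

```python
from collections import Counter

def cm_watchlist(com_domains):
    """.cm twins of .com names whose root exceeds six characters, plus hyphen-free forms."""
    names = set()
    for domain in com_domains:
        root, _, tld = domain.lower().rpartition(".")
        if tld != "com" or len(root) <= 6:
            continue
        names.add(root + ".cm")
        if "-" in root:
            names.add(root.replace("-", "") + ".cm")
    return sorted(names)

def classify(record, brand_owner, own_sites, competitors):
    """Sort one lookup record into the categories used in the findings above."""
    if record is None:
        return "unregistered"
    dest = record.get("redirect")
    if record["registrant"] == brand_owner:
        return "brand_ok" if dest in own_sites else "brand_not_resolving_to_site"
    if record.get("ppc"):
        return "third_party_ppc"
    if dest in competitors:
        return "third_party_competitor"
    return "third_party_other"

def audit(com_domains, observed, brand_owner, competitors):
    """Return (tally per category, percent of registered .cm names held by third parties)."""
    own = {d.lower() for d in com_domains}
    tally = Counter(classify(observed.get(name), brand_owner, own, competitors)
                    for name in cm_watchlist(com_domains))
    registered = sum(tally.values()) - tally["unregistered"]
    third = sum(n for cat, n in tally.items() if cat.startswith("third_party"))
    return tally, (round(100 * third / registered) if registered else 0)

# Constructed sample data (hypothetical brand, registrants and lookup results).
BRAND_OWNER = "Example Brand Inc"
COMPETITORS = {"rival-example.com"}
PORTFOLIO = ["examplebrand.com", "example-shop.com", "example-widgets.com", "short.com"]
OBSERVED = {
    "examplebrand.cm": {"registrant": BRAND_OWNER, "redirect": "examplebrand.com", "ppc": False},
    "example-shop.cm": {"registrant": "Unknown Registrant", "redirect": None, "ppc": True},
    "exampleshop.cm": {"registrant": "Unknown Registrant", "redirect": "rival-example.com", "ppc": False},
}

if __name__ == "__main__":
    tally, share = audit(PORTFOLIO, OBSERVED, BRAND_OWNER, COMPETITORS)
    print(dict(tally), f"third-party share of registered names: {share}%")
```

Names reported as unregistered are the ones a brand owner can still register defensively; the third-party categories are candidates for a dispute or takedown review.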
When ICANN approved new TLDs in the past and registries held sunrise periods for brand owners, many brands rushed out to buy domain names in TLDs like .PRO and .INFO only to realize later that they held very little value for their business. Although .CM has opened to the public, the registration rates among brand owners remain low. This may be a result of brand owners being skeptical of the value of a .CM domain name. Some may be failing to realize how different this new TLD is—after all, it is common for Internet users to accidentally type .CM in place of .COM. Others may be distrustful of a new registry sunrise period given that ICANN’s policy of allowing registries to operate however they want has essentially resulted in brand domain names being held for ransom by the registry in the form of sunrise periods. In the case of .CM though, brand owners must learn that even if they have no intention of doing business in Cameroon, owning key names in that extension is critical because users are typing them into the browser bar accidentally.
What I take from this situation is that while we are all growing incredibly frustrated with the name space and ICANN policies, we need to be diligent in our review of each change. It is usually best to be conservative with launches, but there are cases – like .CM – where a more aggressive and targeted strategy is warranted.