March 13, 2017 By Ralf Iffert

Among the key findings from the 2017 IBM X-Force Threat Intelligence Index is the ongoing use of spam as an entry vector for attackers. While targeted attacks make headlines, the prevalence of spam traffic means that a variety of attackers are still finding success with this scattershot method of gaining access to protected data.

IBM X-Force observed spam volume growing dramatically throughout 2016. The composition of spam fluctuates over time. In 2014, we saw a resurgence in image-based spam. In 2016, our global team tracked an increase in spam with malicious attachments harboring banking Trojans and ransomware.

Attackers are not limited to a single set of tools, however. The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks.

Top-Level Domain Usage in Spam

Figure 1: Top 20 TLDs in Spam emails containing a URL (Source: IBM X-Force)

More than 35 percent of the URLs found in spam sent in 2016 (Figure 1) used traditional, generic top-level domains (gTLD) .com and .info. Surprisingly, over 20 percent of the URLs used the .ru country code top-level domain (ccTLD), helped mainly by the large number of spam emails containing the .ru ccTLD.

Even the lesser known domains are already well-established in spammers’ business model. Of the top 20 TLDs used in spam emails, X-Force observed seven new gTLDs in the top 10 ranks of the overall list: .click, .top, .xyz, .link, .club, .space and .site.

These new, generic top-level domains provide two advantages to spammers:

  1. They allow spammers to vary their domain URLs and thus bypass spam filters.
  2. Some new gTLDs can cost as little as $1 to register, making them more lucrative to spammers who can automate the registration of hundreds of domains a day.

When we zoom into the numbers for only the new gTLDs, we get the following picture. Note that the older, most common gTLDs (.com, .info, .net, .org and .biz) have been intentionally excluded from this chart.

Figure 2: Top 20 gTLDs in spam emails containing URLs — 2016 (Source: IBM X-Force)

Monthly gTLD Usage in Spam

Looking only at the new gTLDs used in spam campaigns in 2016, .click emerged as the most used new gTLD, occurring in 5.4 percent of the spam emails observed. It was followed by .top (4.6 percent) and .xyz (3.9 percent). The domains .link, .club and .space accounted for 3.4 percent, 1.8 percent and 1.1 percent, respectively, of the URLs used in email spam in 2016.

The top 20 new gTLDs combined for more than 22 percent of TLD usage in spam emails in 2016. The following chart shows the monthly usage of the top 20 new gTLDs, compared to the TLDs .com and .ru, which were the two most commonly used TLDs in spam emails in 2016.

Figure 3: Top 20 gTLDs usage in spam email compared to .com and .ru — 2016 (Source: IBM X-Force)

While only every 10th URL used in spam was a .com URL in the first quarter of 2016, the domain became a lot more popular during the rest of the year, accounting for more than 20 percent of spam domains and sometimes rising to over 40 percent of all URLs used within spam emails.

As for .ru, this TLD saw an opposite trend. While we detected .ru URLs in up to 60 percent of all spam in March 2016, it accounted for a mere 20 percent of spam for the rest of the year. All the top 20 gTLDs put together reached similar values and were used in 10 to 38 percent of all spam URLs.

Overall, we did see quite a bit of variation in the monthly usage of these top 20 new gTLDs in spam emails, where each month in the year featured a different popular gTLD preferred by spammers.
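The per-TLD and per-month shares discussed above can be reproduced on a local spam corpus with a short script. The following is an added example, not IBM X-Force's code or methodology: the function names, the URL regex and the sample messages are assumptions made for illustration, and the hostnames are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Legacy gTLDs the article excludes from its new-gTLD chart.
LEGACY_GTLDS = {"com", "info", "net", "org", "biz"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def url_tlds(body):
    """Return the TLD of each http(s) URL found in a message body."""
    tlds = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed bracketed host
            continue
        # IP literals and single-label hosts carry no TLD.
        if "." not in host or ":" in host or host.replace(".", "").isdigit():
            continue
        tlds.append(host.rsplit(".", 1)[1])
    return tlds

def tld_share(bodies, exclude=()):
    """Percent of counted URLs per TLD, most common first."""
    counts = Counter(t for b in bodies for t in url_tlds(b) if t not in exclude)
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in counts.most_common()}

def monthly_share(samples, exclude=()):
    """Group (month, body) pairs by month and compute the share per month."""
    by_month = defaultdict(list)
    for month, body in samples:
        by_month[month].append(body)
    return {m: tld_share(b, exclude) for m, b in sorted(by_month.items())}

# Constructed sample corpus; hostnames are made up for illustration.
SAMPLES = [
    ("2016-03", "Win now http://promo.sample-a.ru/x and http://shop.sample-b.ru"),
    ("2016-03", "Click: https://deal.sample-c.click/?id=1"),
    ("2016-04", "Offer http://a.sample-d.top/ http://b.sample-e.top/ http://192.0.2.7/p"),
    ("2016-04", "See https://www.sample-f.com/login"),
    ("2016-07", "New http://x.sample-g.space. and http://y.sample-h.xyz/a"),
]

if __name__ == "__main__":
    for month, share in monthly_share(SAMPLES).items():
        print(month, share)
```

Passing `exclude=LEGACY_GTLDS` gives the view with the older gTLDs left out, as in the article's new-gTLD chart.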

New gTLD Distribution Over the Year

The figure below shows the distribution of the top new gTLDs over the year in 2016. The first half of 2016 was dominated by the .click and .link gTLDs. In April, .top took a dramatic jump, accounting for 67 percent of the new gTLD usage that month, and made strong subsequent appearances through the remainder of the year.

The .xyz gTLD started slowly but increased steadily throughout the year. Its popularity is presumably based on the low purchase price — .xyz is one of the cheapest gTLD domains available, with an average purchase price of just $0.59. The .space gTLD made a dramatic appearance in July, accounting for 73 percent of the new gTLD usage in that month.

Figure 4: Top 20 new gTLDs seen in spam emails — 2016 (Source: IBM X-Force)

Thirty-six new gTLDs were introduced in 2016. This is down from the 117 new gTLDs created in 2016 and the 302 introduced in 2014. Judging by the utilization percentages observed, spammers appeared to be relatively reluctant to make use of new gTLDs in 2016.

Of the 36 new gTLDs added in 2016, we only observed one, .stream, that was frequently used in spam campaigns, occurring in nearly 0.01 percent of the spam emails. The other new gTLDs were almost entirely absent.

The slow pickup of new gTLDs by spammers can be attributed to the cost of buying a new domain with a specific gTLD. For example, spammy-sounding gTLDs such as .shopping or .insurance are more expensive to register. According to NameStat, a .shopping domain costs $18.28 to register on average. An .insurance domain costs $1,200.

On the other hand, a .stream domain registers for an average of $1.48 and can be bought for as little as $0.69, making this gTLD more attractive to spammers who care little about the actual domain name they buy.

The Future of TLDs in Spam

We have some predictions about the use of specific gTLDs in 2017 and expect the previous gTLD usage trend to continue this year. For 2017, the use of the .xyz gTLD in spam emails appears set to continue on the same track. Over 6 million domains have already been registered using this gTLD, almost half of which provide only private/proxy WhoIs information on their registrants, an indicator of potentially dubious use of the domain.

In June of 2016, we saw a dramatic increase in .xyz domain registration due to a price blitz on that particular gTLD that made domains available for 1 or 2 cents. In fact, some domains were simply given away for free. In June and July, we did not see a corresponding rise in .xyz usage in spam emails, which could be an indicator of those domains being registered by spammers in advance to be used in the following months.

In December 2016, the .xyz gTLD achieved Chinese Ministry of Industry and Information Technology (MIIT) accreditation, meaning that the .xyz domain can now be legally used in China. So far, we have not seen any Chinese-language spam using the .xyz domain, but this will definitely be something to look out for in 2017.
