Among the key findings from the 2017 IBM X-Force Threat Intelligence Index is the ongoing use of spam as an entry vector for attackers. While targeted attacks make headlines, the prevalence of spam traffic means that a variety of attackers are still finding success with this scattershot method of gaining access to protected data.

IBM X-Force observed spam volume growing dramatically throughout 2016. The composition of spam fluctuates over time. In 2014, we saw a resurgence in image-based spam. In 2016, our global team tracked an increase in spam with malicious attachments harboring banking Trojans and ransomware.

Attackers are not limited to a single set of tools, however. The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks.

Top-Level Domain Usage in Spam

Figure 1: Top 20 TLDs in Spam emails containing a URL (Source: IBM X-Force)

More than 35 percent of the URLs found in spam sent in 2016 (Figure 1) used traditional, generic top-level domains (gTLD) .com and .info. Surprisingly, over 20 percent of the URLs used the .ru country code top-level domain (ccTLD), helped mainly by the large number of spam emails containing the .ru ccTLD.

Even the lesser-known domains are already well established in spammers’ business models. Of the top 20 TLDs used in spam emails, X-Force observed seven new gTLDs in the top 10 ranks of the overall list: .click, .top, .xyz, .link, .club, .space and .site.

These new, generic top-level domains provide two advantages to spammers:

  1. They allow spammers to vary their domain URLs and thus bypass spam filters.
  2. Some new gTLDs can cost as little as $1 to register, making them more lucrative to spammers who can automate the registration of hundreds of domains a day.

When we zoom in on the numbers for only the new gTLDs, we get the following picture. Note that the older, most common gTLDs .com, .info, .net, .org and .biz have been intentionally excluded from this chart.

Figure 2: Top 20 gTLDs in spam emails containing URLs — 2016 (Source: IBM X-Force)

Monthly gTLD Usage in Spam

Looking only at the new gTLDs used in spam campaigns in 2016, .click emerged as the most used new gTLD, occurring in 5.4 percent of the spam emails observed. It was followed by .top (4.6 percent) and .xyz (3.9 percent). The domains .link, .club and .space accounted for 3.4 percent, 1.8 percent and 1.1 percent, respectively, of the URLs used in email spam in 2016.

The top 20 new gTLDs combined accounted for more than 22 percent of TLD usage in spam emails in 2016. The following chart shows the monthly usage of the top 20 new gTLDs compared to the TLDs .com and .ru, the two most commonly used TLDs in spam emails in 2016.

Figure 3: Top 20 gTLDs usage in spam email compared to .com and .ru — 2016 (Source: IBM X-Force)

While only every 10th URL used in spam was a .com URL in the first quarter of 2016, the domain became a lot more popular during the rest of the year, accounting for more than 20 percent of spam domains and sometimes rising to over 40 percent of all URLs used within spam emails.

As for .ru, this TLD saw an opposite trend. While we detected .ru URLs in up to 60 percent of all spam in March 2016, it accounted for a mere 20 percent of spam for the rest of the year. All the top 20 gTLDs put together reached similar values and were used in 10 to 38 percent of all spam URLs.

Overall, we did see quite a bit of variation in the monthly usage of these top 20 new gTLDs in spam emails, where each month in the year featured a different popular gTLD preferred by spammers.
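As an added example that is not part of the IBM X-Force post, the following Python script reproduces the kind of TLD breakdown shown in Figures 1 to 4 over a constructed set of spam messages: it pulls URLs out of each message, takes the last label of the hostname as the TLD, and reports the URL share per TLD overall, for new gTLDs only (dropping the legacy gTLDs the article excludes, plus two-letter ccTLDs as a heuristic), and per month. The domains and messages are invented placeholders, and shares are counted per URL rather than per email.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Legacy gTLDs the article excludes from its "new gTLD" view (Figure 2).
LEGACY_GTLDS = {"com", "info", "net", "org", "biz"}

# Constructed sample of (month, message body). Domains are invented placeholders.
SPAM_SAMPLE = [
    ("2016-03", "Your parcel is waiting: http://track-parcel-example.click/x"),
    ("2016-03", "Invoice attached, see https://billing-example.ru/inv?id=1"),
    ("2016-03", "Best deals at http://deals-example.com/today"),
    ("2016-04", "Confirm account http://secure-login-example.top/verify"),
    ("2016-04", "Winner! visit http://prize-example.top/claim now"),
    ("2016-04", "Update: http://news-example.ru/"),
    ("2016-07", "New offer http://promo-example.space/ and http://promo-example.space/2"),
    ("2016-07", "Hello http://mail-example.xyz/login"),
]

URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def extract_tlds(body):
    """Return the TLD (lower-cased, without the dot) of every URL in a message body."""
    tlds = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if "." in host:
            tlds.append(host.rsplit(".", 1)[1].lower())
    return tlds


def tld_share(messages, exclude=frozenset()):
    """Percentage of URLs per TLD across all messages, most common first."""
    counts = Counter(t for _, body in messages
                     for t in extract_tlds(body) if t not in exclude)
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in counts.most_common()} if total else {}


def new_gtld_share(messages):
    """Figure 2 view: drop legacy gTLDs and (heuristically) two-letter ccTLDs."""
    cctlds = {t for _, body in messages for t in extract_tlds(body) if len(t) == 2}
    return tld_share(messages, exclude=LEGACY_GTLDS | cctlds)


def monthly_share(messages):
    """Figure 3/4 view: per-month percentage of URLs per TLD."""
    by_month = defaultdict(list)
    for month, body in messages:
        by_month[month].append((month, body))
    return {m: tld_share(msgs) for m, msgs in sorted(by_month.items())}
```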

New gTLD Distribution Over the Year

The figure below shows the distribution of the top new gTLDs over the year in 2016. The first half of 2016 was dominated by the .click and .link gTLDs. In April, .top took a dramatic jump, accounting for 67 percent of the new gTLD usage that month, and made strong subsequent appearances through the remainder of the year.

The .xyz gTLD started slowly but increased steadily throughout the year. Its popularity is presumably based on the low purchase price — .xyz is one of the cheapest gTLD domains available, with an average purchase price of just $0.59. The .space gTLD made a dramatic appearance in July, accounting for 73 percent of the new gTLD usage in that month.

Figure 4: Top 20 new gTLDs seen in spam emails — 2016 (Source: IBM X-Force)

Thirty-six new gTLDs were introduced in 2016. This is down from the 117 new gTLDs created in 2016 and the 302 introduced in 2014. Judging by the utilization percentages observed, spammers appeared to be relatively reluctant to make use of new gTLDs in 2016.

Of the 36 new gTLDs added in 2016, we only observed one, .stream, that was frequently used in spam campaigns, occurring in nearly 0.01 percent of the spam emails. The other new gTLDs were almost entirely absent.

The slow pickup of new gTLDs by spammers can be attributed to the cost of buying a new domain with a specific gTLD. For example, spammy-sounding gTLDs such as .shopping or .insurance are more expensive to register. According to NameStat, a .shopping domain costs $18.28 to register on average. An .insurance domain costs $1,200.

On the other hand, a .stream domain registers for an average of $1.48 and can be bought for as little as $0.69, making this gTLD more attractive to spammers who care little about the actual domain name they buy.

The Future of TLDs in Spam

We have some predictions about the use of specific gTLDs in 2017 and expect the previous gTLD usage trend to continue this year. For 2017, the use of the .xyz gTLD in spam emails appears set to continue on the same track. Over 6 million domains have already been registered using this gTLD, almost half of which provide only private/proxy WHOIS information on their registrants, an indicator of potentially dubious use of the domain.

In June of 2016, we saw a dramatic increase in .xyz domain registration due to a price blitz on that particular gTLD that made domains available for 1 or 2 cents. In fact, some domains were simply given away for free. In June and July, we did not see a corresponding rise in .xyz usage in spam emails, which could be an indicator of those domains being registered by spammers in advance to be used in the following months.

In December 2016, the .xyz gTLD achieved Chinese Ministry of Industry and Information Technology (MIIT) accreditation, meaning that the .xyz domain can now be legally used in China. So far, we have not seen any Chinese-language spam using the .xyz domain, but this will definitely be something to look out for in 2017.
