Light Dark
March 13, 2017 By Ralf Iffert 5 min read
Threat Intelligence
X-Force

Among the key findings from the 2017 IBM X-Force Threat Intelligence Index, is the ongoing use of spam as an entry vector for attackers. While targeted attacks make headlines, the prevalence of spam traffic means that a variety of attackers are still finding success in this scattershot method to gain access to protected data.

IBM X-Force observed spam volume growing dramatically throughout 2016. The composition of spam fluctuates over time. In 2014, we saw a resurgence in image-based spam. In 2016, our global team tracked an increase in spam with malicious attachments harboring banking Trojans and ransomware.

Attackers are not limited to a single set of tools, however. The ongoing expansion of domain name choices has added another instrument to the spammer’s toolbox: enticing recipients to click through to malicious sites, ultimately allowing attackers to infiltrate their networks.

Top-Level Domain Usage in Spam

Figure 1: Top 20 TLDs in Spam emails containing a URL (Source: IBM X-Force)

More than 35 percent of the URLs found in spam sent in 2016 (Figure 1) used traditional, generic top-level domains (gTLD) .com and .info. Surprisingly, over 20 percent of the URLs used the .ru country code top-level domain (ccTLD), helped mainly by the large number of spam emails containing the .ru ccTLD.

Even the lesser known domains are already well-established in spammers’ business model. Of the top 20 TLDs used in spam emails, X-Force observed seven new gTLDs in the top 10 ranks of the overall list: .click, .top, .xyz, .link, .club, .space and .site.

These new, generic top-level domains provide two advantages to spammers:

  1. They allow spammers to vary their domain URLs and thus bypass spam filters.
  2. Some new gTLDs can cost as little as $1 to register, making them more lucrative to spammers who can automate the registration of hundreds of domains a day.

When we zoom into the numbers for only the new gTLDs, we get the following picture. Note that older most common gTLDs .com, .info, .net, .org and .biz have been intentionally excluded from this chart.

Figure 2: Top 20 gTLDs in spam emails containing URLs — 2016 (Source: IBM X-Force)

Monthly gTLD Usage in Spam

By regarding only the new gTLDs used in spam campaigns in 2016, .click rose as the most used new gTLD, occurring in 5.4 percent of the spam emails observed. It was followed by .top (4.6 percent) and .xyz (3.9 percent). The domains .link, .club and .space accounted for 3.4 percent, 1.8 percent and 1.1 percent, respectively, of the URLs used in email spam in 2016.

The top 20 new gTLDs combined for more than 22 percent of TLD usage in spam emails in 2016. The following chart shows the monthly usage of the top 20 new gTLDs, compared to the TLDs .com and .ru, which were the two most commonly used TLD spam emails in 2016.

Figure 3: Top 20 gTLDs usage in spam email compared to .com and .ru — 2016 (Source: IBM X-Force)

While only every 10th URL used in spam was a .com URL in the first quarter of 2016, the domain became a lot more popular during the rest of the year, accounting for more than 20 percent of spam domains and sometimes rising to over 40 percent of all URLs used within spam emails.

As for .ru, this TLD saw an opposite trend. While we detected .ru URLs in up to 60 percent of all spam in March 2016, it accounted for a mere 20 percent of spam for the rest of the year. All the top 20 gTLDs put together reached similar values and were used in 10 to 38 percent of all spam URLs.

Overall, we did see quite a bit of variation in the monthly usage of these top 20 new gTLDs in spam emails, where each month in the year featured a different popular gTLD preferred by spammers.

New gTLD Distribution Over the Year

The figure below shows the distribution of the top new gTLDs over the year in 2016. The first half of 2016 was dominated by the .click and .link gTLDs. In April, .top took a dramatic jump, accounting for 67 percent of the new gTLD usage that month, and made strong subsequent appearances through the remainder of the year.

The .xyz gTLD started slowly but increased steadily throughout the year. Its popularity is presumably based on the low purchase price — .xyz is one of the cheapest gTLD domains available, with an average purchase price of just $0.59. The .space gTLD made a dramatic appearance in July, accounting for 73 percent of the new gTLD usage in that month.

Figure 4: Top 20 new gTLDs seen in spam emails — 2016 (Source: IBM X-Force)

Thirty-six new gTLDs were introduced in 2016. This is down from the 117 new gTLDs created in 2016 and the 302 introduced in 2014. Judging by the utilization percentages observed, spammers appeared to be relatively reluctant to make use of new gTLDs in 2016.

Of the 36 new gTLDs added in 2016, we only observed one, .stream, that was frequently used in spam campaigns, occurring in nearly 0.01 percent of the spam emails. The other new gTLDs were almost entirely absent.

The slow pickup of new gTLDs by spammers can be attributed to the cost of buying a new domain with a specific gTLD. For example, spammy-sounding gTLDs such as .shopping or .insurance are more expensive to register. According to NameStat, a .shopping domain costs $18.28 to register on average. An .insurance domain costs $1,200.

On the other hand, a .stream domain registers for an average of $1.48 and can be bought for as little as $0.69, making this gTLD more attractive to spammers who care little about the actual domain name they buy.

The Future of TLDs in Spam

We have some predictions about the use of specific gTLDs in 2017 and expect the previous gTLD usage trend to continue this year. For 2017, the use of the .xyz gTLD in spam emails appears set to continue on the same track. Over 6 million domains have already been registered using this gTLD, almost half of which provide only private/proxy WhoIs information on their registrants, an indicator of potentially dubious use of the domain.

In June of 2016, we saw a dramatic increase in .xyz domain registration due to a price blitz on that particular gTLD that made domains available for 1 or 2 cents. In fact, some domains were simply given away for free. In June and July, we did not see a corresponding rise in .xyz usage in spam emails, which could be an indicator of those domains being registered by spammers in advance to be used in the following months.

In December 2016, the .xyz gTLD achieved Chinese Ministry of Industry and Information Technology (MIIT) accreditation, meaning that the .xyz domain can now be legally used in China. So far, we have not seen any Chinese-language spam using the .xyz domain, but this will definitely be something to look out for in 2017.

Download the complete 2017 IBM X-Force Threat Intelligence Index

 |  |  |  |  | 
Ralf Iffert
Manager, X-Force Content Security

More from Threat Intelligence
July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

May 24, 2024

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature