A top-level domain is the last element in the domain name system of the Internet. Some of the most widely used TLDs are ‘.com’ and ‘.net’. With the worldwide adaption of these domain names, cyber attackers have started misusing the generic TLD. Attackers are increasingly forging domain names by using non-Latin characters to enable phishing attacks.

The reason behind this ease to forge domain name is the use of generic Top Level Domains (TLDs) such as .online and .app. Since 2013, the number of TLDs has
Due to the unavailability of the most popular TLDs including “.com” and “.net”, TLD attacks use more broadly distributed set of TLDs than any other type of fraudulent domains. Within the period of a year, a 24% increase has been observed in the deployment of cyber-attacks. The most widely used TLDs include app (6%), .ooo (3%), .xyz (3%), .online (2%), .site (2%), .club (2%), .top (2%), .info (2%), .icu (2%) and .website (1%).
For each of these domains, attackers create customized sub-domains by using a domain generation algorithm (DGA) which is a technique that is used to prevent the domain from getting blacklisted. Most of the phishing pages are hosted on hacked websites with URLs that are often telltale signs. When registering your own site with a particular TLD that appears authentic, your odds of deceiving potential victims is rapidly higher.
Internationalized domain names (IDNs) are as problematic as generic TLDs. IDNs allow the registration of domain names with non-Latin characters using homoglyphs. These help in creating fake domain names that resemble genuine domain names with visually indistinguishable differences. An example of such forgery is substituting Cyrillic characters T, e, c, and p with the Latin T, e, c, and p. In simple words, attackers leverage the language barrier between those who can understand English and those who can.

Generic TLDs and IDN are being increasingly misused by attackers to deploy phishing attacks. One such example is Clinton campaign chairman John Podesta. In 2016, John Podesta received an email informing him that a Google user had tried accessing his account. The email consisted of a link for changing his password. Podesta clicked on the link and changed the password, thus, allowing hackers to access his entire Google account.
This increasing misuse is hugely concerning since it is challenging to differentiate a fake domain from an actual one. Notably, for organizations since attackers can target a broader base of victims and the probability of cyber-attacks increase significantly. It is, therefore, essential to employ security measures that can help in differentiating between a fake and a real domain. With DMARC record generator and analyser tools like MxToolbox and KDMARC, DMARC policies can be set as per your email domain’s requirement. This can be further strengthened by providing periodic cybersecurity and awareness training to employees to prevent attack vectors such as social engineering.