Yowza – 70% of newly registered domains are considered “not safe for work”

Well here’s an interesting one – Unit 42, the security division of Palo Alto Networks recently analyzed a boatload of newly registered domains and look what they found… (note: they use the acronym NRD to stand for newly registered domain)

Our analysis shows that more than 70% of NRDs are “malicious” or “suspicious” or “not safe for work.” This ratio is almost 10 times higher than the ratio observed in Alexa’s top 10,000 domains. Also, most NRDs used for malicious purposes are very short-lived. They can be alive only for a few hours or a couple of days, sometimes even before any security vendor can detect it. This is why blocking NRDs is a necessary, preventive security measure for enterprises.

(Source – Palo Alto Networks)

When you think about it, this isn’t wildly surprising. Buying a brand new domain and getting a site on it usually takes some time. If you’re doing it quickly, there’s a good chance you’re used to quickly launching thin sites, and who likes to do that – spammers and scammers.

Of course, like most things in the domain world, all things are not equal when it comes to domain name extensions. The same is true for newly registered domains, here’s a breakdown of the top ten domain extensions when it comes to newly registered domains:

Most registered domain extensions
(Source – Palo Alto Networks)

I’m not surprised to see .TK in second place, this domain extension has been a favorite of spammers and scammers for longer than I can remember. Honestly, have you ever been to a legitimate .TK site?

What was surprising to me was .ICU, a relatively new domain extension making the top ten actually beating out .TOP. Of course, just having a lot of new registrations doesn’t mean the domain is used by scammers. Here’s a more interesting chart (IMO) that shows malicious use by domain extension:

Malicious Domain Extensions
(Source – Palo Alto Networks)

As you can see in the chart above, some of the extensions shown in the previous chart don’t even make the cut like .COM, .TK or .ICU. In fact, .TO, .KI, and .NF are the top offenders and to be perfectly honest, until reading this article I didn’t even know .KI or .NF existed!

The whole article is a really interesting read and I have to say Unit 42 did a great job doing a deep dive here. Have you ever been to a scam site on a .TO, .KI or .NF? What do you think about the data Unit 42 put together here? I want to hear from you, comment and let your voice be heard!

{ 3 comments… add one }

  • John McCormac August 21, 2019, 6:40 pm

    This is the sentence that sticks out in that article: ” For suspicious URLs, we use categories Parked, Questionable, Insufficient Content, and High Risk.”.

    The problem with grouping such sites as parked/insufficient content sites in that category is that for bluechip TLDs like .COM, only 30% of domain names are actively developed. A holding page is technically thin content as is a custom “for sale” page. There is also a development curve from when a domain name is registered to there being a fully developed website on that domain name. Many registrars also park undeveloped domain names on PPC via the registrar PPC parking programmes from Sedo and Parkingcrew. Some of the new gTLDs do have a higher level of Chinese gambling and adult affiliate landers than the legacy gTLDs. The .ICU has been using discounting to drive registrations and it is common to see gambling and adult affiliate landers rather than developed content in heavily discounted new gTLDs. It is an interesting article though.

  • Lukas Rathswohl August 22, 2019, 5:33 am

    Thanks Morgan for providing great information as always for the domaining community. I wasn’t even aware that there were so many TLDs 2 months ago when I started on my domaining journey. And now I know more about which TLDs to stay away from.

  • Boluji Olatunji August 23, 2019, 11:50 pm

    If it is so for NRDs don’t you think it is one of the reasons one can encounter when buying a newly dropped or about to drop domains?
    I think what could affect NRDs could affect drop domains.
    Then, where is safe haven?


Leave a Comment