This story is over 5 years old.

Study: 100% of Websites in These Two Top-Level Domains Are 'Shady'

All those .zip and .review links are probably spam or malware, according to security firm Blue Coat.
September 1, 2015, 7:00pm

The recent expansion of top-level domains (TLDs) has created fertile ground for cyber scammers, according to a study published on Tuesday by security company Blue Coat.

Blue Coat analyzed tens of millions of websites and found that 95 percent of websites in 10 major TLDs [that it surveyed], including .party, .link, and .kim are rife with spam and malware and are considered "shady" by its standards. That percentage rises to 100 for the two least safe TLDs on its list, .zip and .review.


In the past, TLDs were limited to a handful of approved addresses, including the standard .com, .gov, .net, and .org, as well as country codes like .fr and .au. The number has increased exponentially following a move in 2011 from ICANN, the organization that manages the world's web addresses, to expand the options and add more than a thousand new endings, including .music, .blog, and .city.

Blue Coat said ICANN's lax laws surrounding TLD purchases is allowing "bad guys" to shop in markets with less regulation, allowing more spam.

"Ideally, TLDs would all be run by security-conscious operators who diligently review new domain name applications, and reject those that don't meet a stringent set of criteria," Blue Coat wrote in its study. "The reality for many of these new neighborhoods is that this is not happening."

The most common malicious activity associated with these TLDs? Spam and prompts to download malware. Blue Coat said most often users are prompted to like a page or participate in a survey that then prompts them to download malware. The security company has recommended companies block traffic to some of the most shady TLDs.

Clarification: This article has been updated to clarify the TLDs in the study are not the top domains overall, but just those surveyed by Blue Coat.

Update: On Tuesday, Kevin Murphy at domain industry news site Domain Incite raised some issues with Blue Coat's methodology, calling its report "laughable" and its numbers "bollocks." As Murphy noted, the statistics offered by Blue Coat are misleading because they only take into account a seemingly random handful of TLDs surveyed by the company, many of which only have a few websites actually registered to them.


For example, the .zip domain, which Blue Coat called 100 percent shady, has only one registration:, which reroutes to Google Registry. "As far as I can tell, Google Registry is not involved in distributing malware, spam, phishing, etc.," Murphy wrote.

Blue Coat declined Motherboard's requests for comment on its methodology but responded in part to the criticisms of the report in a blog post on Thursday. In the post, called .ZIP URLs (or, Why You Should Block Domains on a TLD That Doesn't Have Any, the company said many .zip domains are showing up in its traffic logs.

It said security teams of some of its large customers have found a variety of malware families on .zip URLs, which may be mostly files rather than domains, including Cryptowall, MiniDionis, and CozyBear.

"In conclusion, none of the .zip "domains" we see in our traffic logs are requests to registered sites," the company wrote. "Nevertheless, we recommend that people block these requests, until valid .zip domains start showing up."

Blue Coat declined several requests to clarify its methodology further to Motherboard.