New top-level domains help fraudsters scam World Cup fans

Blog > Domain Names > Domain Extensions

The 2018 FIFA World Cup kicked off with fraudsters tricking fans into divulging personal details online. Their weapon of choice? New top-level domains that imitate the domain names used by official event partners and sponsors. But, as two recent reports indicate, this sort of malicious use of new TLDs is far from rare.

World Cup a breeding ground for cybercriminal activity

Scammers looking to profit from World Cup fever have been targeting fans using World Cup-themed spam emails, promising everything from cash winnings to memorabilia, even travel packages. Innocuous-looking files in these emails contain malware or viruses. Familiar-looking links redirect users to phishing sites or websites hosting malware.

Well-designed website interfaces featuring stolen logos are created to dupe users into sharing personal and financial information. To seem more credible, cybercriminals are registering domain names with keywords like “world”, “worldcup”, “Russia”, and “FIFA”.



Group-IB reports that thousands of malicious domains associated with the FIFA World Cup have been registered in the last year. Though plenty of phoney .COM and country code domains have been used, a sizeable number of newer generic top-level domains (gTLDs) have been registered to create these fake websites and email addresses. Examples include .STREAM, .BIZ (use to create phoney Visa payment sites), the above shown .SITE and .INFO, and .LIVE, shown below.


New top-level domains often used to spam and scam

Security experts have long known that new top-level domains are a regular go-to for spammers and scammers. In fact, two recent reports indicate which TLDs are most commonly used for malicious purposes. While these reports don’t specifically link findings with World Cup-related scams, they do provide insight into how big a problem the malicious use of new TLDs is and which ones to look out for.

Symantec’s Top 20 Shady TLDs List

Symantec’s annual Top 20 Shady TLDs includes TLDs that have been flagged in its own database and placed into a “shady” category: Spam, Malware, Scam, Botnet, Suspicious, Phishing, or Potentially Unwanted Software (PUS). Percentages are based on “the ratio of domains and subdomains ending in this TLD which are rated in [their] database with a 'shady' category, divided by the total number of database entries ending in this TLD".


Spamhaus’ Top 10 Most Abused TLDs List

Spamhaus uses different methodology to create its report, The Top 10 Most Abused Top Level Domains. Spamhaus considers a TLD to be “bad” in one of two ways:

  • “The ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. Or, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.”
  • "The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains."


Protect yourself from malicious use of new TLDs

Massive sporting events like the World Cup are often magnets for cybercriminals looking to target unsuspecting fans. So, unfortunately, it may not come as a big surprise that football fans around the world got scammed. But there are a few basic protections that consumers should be aware of to stay protected:

  • Only buy events tickets from official sources and always double check the site address and the links you want to follow.
  • Don't click on links in emails sent by people or organisation you're unfamiliar with, or if you see they're using a suspicious-looking, unusual address.
  • Using a separate bank account with limited funds just for online purchases will help you avoid serious financial losses if your bank details are stolen.
  • Install a reliable security solution with up-to-date databases of malicious and phishing sites. DNS filtering and security tools will enable you to block domains on a specific TLD.

And there are a couple of important steps domain registrants can take to protect their brands.

  • Register your trademark. If you think a domain name has been registered with the obvious intent of confusing users, luring them away from your site to theirs', as a trademark owner you have the right, via the Uniform Domain-Name Dispute Resolution-Policy (UDRP), to launch a Uniform Rapid Suspension (URS) complaint with the World Intellectual Property Organisation and have the site taken down. But remember: in order to do that, you'll need to first register your brand with the Trademark Clearinghouse (TMCH), ICANN’s database of protected trademarks.
  • If you have the financial means to create a gTLD portfolio, consider defensive registration. Registering multiple variations of your domain name, even if you have no intention of actually using them, will keep them out of the hands of third parties who may register them for fraudulent purposes. But since you have them why not use these domains to direct traffic to live content or redirect back to your main site? No point in wasting the traffic going to these gTLDs. Increasing website traffic to your main site could mean higher conversion rates.

Of course, new TLDs are not inherently bad. They were created to provide registrants with more choice and opportunity. And many experience no more abuse than legacy TLDs like .COM and .ORG. Nevertheless, their malicious use is on the rise, and consumers and registrants alike need to take steps to protect themselves from scammers.

photo image

Next article:
Domain industry's latest policies will ensure GDPR compliance

Previous article:
WHOIS database under GDPR: temporary measures in place

Related articles: