Security Report Large Number of TLD ".ci" URLs Found in Digital Arts Analysis of Phishing Domains in the First Half of 2022
— — Phishing URL numbers more than tripled between January and June — —

Information security solutions provider Digital Arts Inc. (headquarters: Chiyoda-ku, Tokyo, Japan; CEO: Toshio Dogu; hereinafter referred to as “Digital Arts”; Code 2326) is pleased to announce the release of a report on domestic and international phishing domains collected in the first half of 2022.

In a Ranking of TLD Phishing Websites, ".cn" URLs Shot to Number One and ".ci" Suddenly Appeared in Third Place

Digital Arts researches and collects information on various sites on a daily basis. For this report, Digital Arts compiled a list of domestic and international phishing domains discovered in the first half of 2022 (January to June) (excluding IP address format URLs). The domains covered in this report are defined as in [Figure 1]. Through an in-house survey, we found that the total number of phishing URLs in the first half of 2022 increased by approximately 1.5 times over the same period in 2021. Looking at top level domains (TLDs) of phishing website URLs in the first half of 2022 (calculated by setting the total number of phishing URLs in 2022 to 100%), ".cn" was the most common, accounting for nearly 23%. In 2021, ".cn" was in fourth place, with approximately 4%. Numbers increased suddenly and it has remained in constant use through the entire first half of the year. ".com," which was first in 2021, dropped from nearly 48% to 21%. Despite not even ranking in 2021, ".ci" unexpectedly appeared in third place.

The number of phishing URLs increased approximately 3.2 times when comparing January and June

Taking the total number of phishing URLs in the first half of 2022 as 100%, we examined how many TLDs were observed each month. The bottom line represents the monthly total of Phishing URLs.

Comparing the number of phishing URLs in January (approx. 8%) to June (approx. 27%), we can see that they multiplied by 3.2 times, much of which occurred during the last months of the period. Specifically, despite the TLD ".ci" having a total share of about 14%, there were only three proprietary domains; presse[.]ci, asso[.]ci, and md[.]ci. The numbers shown in Figure 3 are because there were attackers who created and distributed a large number of subdomains.

Use of the uncommon TLD ".ci" and its relation to the Public Suffix List

".ci" is a ccTLD (country code top-level domain) assigned to the Republic of Côte d'Ivoire in Africa. The "Public Suffix List" is a list of domain names that cannot be easily registered or obtained by ordinary internet users. The Public Suffix List is divided into two main categories: ICANN DOMAINS and PRIVATE DOMAINS, with the former requiring more rigorous checking. For example, "ICANN DOMAINS" includes domains such as ".jp" and ".co.jp." "PRIVATE DOMAINS" includes unique domains leased to users by cloud service providers, etc.

"ICANN DOMAINS" in the "Public Suffix List" is used by many services, and the domains listed are special. However, there are three unique "ICANN DOMAINS" listed on the "Public Suffix List"; presse[.]ci, asso[.]ci, and md[.]ci. To put it simply, they are treated the same as ".co.jp.

The Network Information Center (NIC) in Côte d'Ivoire managed these three domains in 2008 and their addition to the list of "ICANN DOMAINS" at the time was seen as appropriate. The three domains were subsequently acquired by an Asian organization in 2020, and their current listing in the "Public Suffix List" of "ICANN DOMAINS" is seen to be inappropriate. It is not certain whether the three domains were targeted and acquired for phishing purposes, but the attacker may have had the intention of evading the likes of security software.

Attackers use a variety of methods to direct users to phishing websites. Phishing websites with domains and URLs that are easily disposed, are difficult to blacklist, and even if they are blacklisted, provide little to no useful data.

▶ Digital Arts' i-FILTER blocks phishing URLs .

Digital Arts collects data on a daily basis from a variety of sources. In i-FILTER Ver. 10, phishing URLs are quickly sent to the filter database and swiftly blocked under the categories of "Phishing fraud," "Spam email links," and "Illegal software and anti-social activities." For URLs that are not in the filter database, Whitelisting can be used to block unknown phishing sites and malicious URLs by allowing access only to URLs that have been confirmed as safe by Digital Arts. In addition, the "Credential Protection" feature can block phishing sites that are set up on sites tampered sites that are difficult to distinguish from legitimate sites when users go to submit their login and password information.

■The new standard for security measures: Whitelisting
i-FILTER Credential Protection
　
▶ Click here for the report on the aggregation of phishing domains for the first half of 2022.
The following is available on our site.
■Security report