Security researchers in Palo Alto recently released some of the top-level domains (TLD) used by threat actors.
These top-level domains have been divided into several categories including Malware, Phishing, Command and control (c2), and Greyware. For malware distribution, most attackers use TLDs such as.ga, xyz, .cf, .tk, .org, and .ml. For phishing attacks, the threat scenarios mainly use .net, .pw, .top, .ga, and .icu.
Commonly used domains for Greyware include .org, .info, .co, .ru, .work, .net, and .club. For the C2 infrastructure, attackers mainly use .top, .gq, .ga, .ml, .cf, .info, .cn, and .tk. Unlike others, phishing offers an evenly distributed category with 99% of domains distributed over 92 different TLDs.
It seems surprising to many that the TLD domains of Tokelau, a small island in the Pacific are among the top ten of all malicious categories.
In its report, Palo Alto claims that such countries offer cheap or free domains to make money from ads, which exposes these domains to abuse by attackers.
For more information, read the original story in Bleeping Computer.