ICANN Domain Expansion Could Increase Phishing

Orome1 writes "The ICANN board gave final approval to what some are calling 'the most dramatic change to the Internet in four decades,' allowing the expansion of new TLDs. Some argue this ICANN initiative could force a land grab of domains by businesses to protect their company reputation. However, they aren't the only ones who are likely to try to snag these new top level domains. There's a very legitimate concern that cybercriminals could also seek these new domains to create legitimate looking websites using well-known brand names. These can then be used for phishing attacks or delivery of Trojan malware to unsuspecting visitors."

First TLD to go?

[Flyerman]

.bank .banking .finance .lending .mortgage .ach

Re:

[archer, the]

Nope. Trojans on .trojan!

Re:

[sarysa]

Close, but my predictions for frontrunners (on the same line of thought): .viagra .cialis ...

Re:

[archer, the]

Unfortunately, I actually meant computer trojans, not the prophylactic.

Re:

[robot256]

I'm sure somebody would appreciate a TLD for condoms...

Re:

[kpoole55]

it would be more like .rbc, .td, .scotia, .cibc, that sort of thing in Canada and maybe .citibank, .usbank, or some such in the US.

Re:First TLD to go?

[Anonymous Coward]

Obviously phishing sites should be using the .con TLD: citibank.con, barclays.con etc. Truth in advertising and cunning typo-squatting at the same time!

Re:

[houstonbofh]

Better would be .c0m as with caps (which are disregarded ) it is almost unnoticeable. .C0M

Re:

[makubesu]

Personally I think the real citibank should get the .con tld.

.corn

[Anonymous Coward]

Just toss an "R" into there:

citibank.corn

Re:

[jperl]

I would guess .shop

.here TLD

[TheLink]

More than 10 years ago I proposed that a TLD be officially reserved for _standard_ local private use. Basically something similar to RFC1918 but for TLDs.

I proposed it to the ICANN (emailed to icann@icann.org, Esther Dyson and Vint Cerf) and later the IETF: http://tools.ietf.org/html/draft-yeoh-tldhere-01 [ietf.org]

No luck, and I'm not rich enough to buy it (and give it to the world). Maybe Google can?

Re:

[TheLink]

Already exists: use .local

Read my post again, .local is not officially reserved.

There's a difference between using some random IPv4 address range for your private use and using an RFC1918 IP address range.

Re:

[flimflammer]

It was said earlier that each gTLD to be sold will be manually handled and the registrant needs to prove that they have legitimate claim to the name, not to mention there is like a $200k price tag. So I have my doubts that many phishing sites will be getting them.

Re:

[mjwalshe]

actually it is nearly $200k to apply not counting the cost of the application and the cost to run a robust infrastructure - from experience with .coop they will mandate multiple redundant servers in 4 continents probably.

Re:

[joebok]

I've already got a lock on .TrustMe

Re:

[digitig]

And the first turf wars will probably be over .cola

Re:

[maxwell demon]

To piss off AVM, get "box" :-)

Explanation: Every FritzBox can be accessed locally using the domain name "fritz.box" - which of course implies that this would clash with a public TLD named "box". And since AVM almost certainly doesn't have a trade mark on "box", they couldn't even sue you for it (them might be willing to buy it, though).

Re:

[Flyerman]

that's a bit like someone buying local, which i hope is protected, good god.

As stated in the original story:

[Luniz]

"It will cost $185,000 to apply, and individuals or organizations will have to show a legitimate claim to the name they are buying." I do not think that Peggy will be able to set up .discovercard :p

Re:

[Anonymous Coward]

I agree: this article is the epitome of FUD. Fear and uncertainty in title: "could increase phishing [emphasis mine]." Doubt from a lack of information from the proponents of the change. TFA was written with a very one-sided point of view, giving no indication that anyone had any thoughts about the potential problems. Does the article writer really think that the 13-1 vote was made by people who hadn't thought about all the potential problems and solutions to said problems?

Re:

[localman57]

Why?

Re:

[N0Man74]

Indeed, I came here to say the same thing. First of all, it has an absurdly high cost of $185,000. That is a price that is going to discourage even many large legitimate corporations, let alone cybercriminals that could be just throwing the money away once their TLD becomes blacklisted.

Secondly, this application *does* have a vetting process to ensure that you have the right to the domain name you are requesting.

Complete FUD.

Re:As stated in the original story:

[Rary]

The article may be FUD, but the whole idea is pointless. What value would a new TLD add to the Internet anyway? For that matter, what value do the existing TLDs add to the Internet? If they were actually used properly, and therefore had any meaning, then they would add value. But they aren't used properly, and hence have absolutely no meaning. They should be abolished completely. Why do I need to type "slashdot.org" (or "slashdot.com", or "slashdot.net", which all take me to the same place). Why not just type "slashdot"? What value does having ".org" (and ".com" and ".net") introduce, other than generating more revenue for the domain registrar?

This was introduced for one reason: to put $185,000 per TLD into ICANN's pocket, and generate additional revenue for domain registrars.

Re:

[jfengel]

The original TLDs are a quaint historical artifact, from a gentler time on teh intarwebz. It established a few spheres of control, but it wasn't particularly well thought out, but they weren't expecting the kind of land rush in domain names. This was back when they thought that 4 billion IP addresses was an absurdly large number, orders of magnitude more than would ever be needed.

It got famous all at once, and it quickly became apparent that it was mostly absurd. "dot-com" became synonymous with the web,

Re:

[Konsalik]

Agree, also it will cost $25,000 per annum on top of that. I think people jumping on the "this is bad" idea before reading all the facts. Go read this [mashable.com]. Spending $200,000 and waiting 9-20 months just to get it taken down a week later isn't worth it, even for high rolling criminals.

Re:

[HuckleCom]

Does everyone seriously think the cost will remain the same?
What happens when a company/brand goes belly up and the TLD is auctioned off?
Most of us don't trust ICANN as far as we can throw, this move is just point in case, the restrictions will loosen .

Re:

[Qzukk]

The money isn't in using the TLD yourself, the money is in buying the TLD then reselling it to spammers and phishers.

That's what I'd do if I registered .c0m, anyway. Why dirty my own hands if someone else is willing to pay me to let them dirty theirs?

Re:

[tlhIngan]

Exactly. Think of all the misspellings you could buy - .comm, .coom, .cm, etc.

Not to mention if your bank buys .bankofamerica it's just as likely some phisher may buy a regular domain as well - .bankofamerica looks the same to most people as .bankofamerica.pl or other thing soon enough.

Or hell... buy .html and .htm. Then you can have www.bankofamerica.com.index.html and people won't notice the '/' was replaced with '.'.

There's a lot of potential in this, really.

Re:As stated in the original story:

[Xest]

Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found millions?

Re:As stated in the original story:

[Inda]

Coke and hookers, my friend. Coke and hookers.

Re:

[kvezach]

And blackjack.

Rock and roller cola wars, I can't take it anymore

[tepples]

Coke and hookers.

Not if PepsiCo gets to .cola first.

Re:

[UnknowingFool]

Hookers and blow?

Re:

[Lumpy]

Putting the final parts in place at the base on skull island for the earth core bomb?

What? Its easy to assume that ICANN is evil, just look at their past.

Re:

[bigredradio]

Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found millions?

Out of interest, does anyone know at $185k a pop what exactly ICANN will be doing with it's new found billions?
Fixed that for you.

Re:

[TrueSatan]

$185,000 is the initial charge they quoted but also with an ongoing predicted charge of a further $100,000 p.a. which, if anything, will increase over time.

Re:

[Relayman]

For a scammer, $185k is pocket change. I can justify spending that on any number of TLDs. At $35 per year per name, you only need to sell 5,300 domain names to recoup your investment. At an ongoing cost of $25,000, you would have money in the bank.

Re:

[kmoser]

By that logic, the owner of couchsurfing.org has a legit claim to the ".localhost" TLD.

Re:

[shpoffo]

The real question is whether the Slashdot crew will finally have the dot.dot domain?

Why so silent? ;>

Trademarked Domains

[Marc Madness]

Seems to me that the threat of phishing can be mitigated my requiring the entity registering the domain name to show proof that the name in the *.brand is in fact a registered trademark. Of course, I could just be taking an over simplified look at the problem.

Re:

[Marc Madness]

I should also add, that they have to also prove that they own said trademark (just in case that wasn't clear). My bad for omitting that detail.

Re:

[gstoddart]

Seems to me that the threat of phishing can be mitigated my requiring the entity registering the domain name to show proof that the name in the *.brand is in fact a registered trademark.

I plan on mitigating this by treating every single one of these new TLDs as if they're likely be to scams, and not visiting them. No more than I will click on a link ending in .ly -- I have no idea of what it is, and I have no trust in the domain.

I have no interest in vetting a crapload of new domain extensions, and I will

Re:

[_0xd0ad]

Exactly - the people who know will treat the new TLD with suspicion, and the people who don't know will frankly just be oblivious anyway unless/until their browser displays a big scary warning instead of the web site they tried to click on.

Re:

[bigredradio]

I plan on mitigating this by treating every single one of these new TLDs as if they're likely be to scams

Really?

Right now it costs very little to register a domain name. Names can be altered to attempt to fool people such as mybank.com.cn?id=123451235123451234&asdfasd=sadfasd. But if it takes over 100K to register a name and show proof you have legitimate rights to the name, it would almost seem safer. Especially when it comes to banking applications. For banking, shopping, etc, it would seem the future is not about going to a web page anyway, but using your 'app' to conduct business. This could be hardcod

Re:

[VJ42]

No more than I will click on a link ending in .ly -- I have no idea of what it is, and I have no trust in the domain.

.ly is just the ccTLD for Libya, nothing particularly sinister about it any more than .us, .uk, .au, .ie, .nl, .de, .it, .in, .cn, and so on.

Oooh, phear the phishing

[s.d.]

Yes, any change to how the internet works could increase phishing. But at $185,000 per application for a new TLD, as well as having each application reviewed by a human or committee, this isn't going to be like automating the registration of .com addresses so that in an afternoon, you can register every misspelling of bankofamerica. By no means do I have blind faith in them, but I feel like ICANN will be pretty sure to not allow some random dude in eastern Europe to register .bank.

Yes, yes, everything can increase the risk of cancer in lab rats, and everything increases the risk of phishing, but the barrier for entry is set relatively high here.

Re:

[140Mandak262Jamuna]

By no means do I have blind faith in them, but I feel like ICANN will be pretty sure to not allow some random dude in eastern Europe to register .bank.

No not a random dude from eastern Europe. But a random analyst from Goldman Sachs consolidating a bunch of random dudes from anywhere in the world to create a portfolio of high risk/high reward venture exploiting the emerging opportunities due to the relaxed regulatory environment in the highspeed data networks, (note to secratary: Bradley, sprinkle some synergy, paradigm and out-of-the-box in there, will you)? Definitely.

Re:

[wren337]

But once someone DOES register .bank, will I be able to buy chase.bank from godaddy?
It's not the people registering the new TLD you have to worry about, so much as the people that they sell domain names to in the new TLD. Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

Re:

[archen]

My impression was that they were reserving a lot of generic words so this wouldn't happen, and that only brands could be registered this way.

Re:

[Lunix Nutcase]

Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

What scammer is going to pay $185,000 and wait several months for a manual screening process to own a fraudulent vanity TLD?

Re:

[wren337]

Scammers don't need to own a whole TLD, they just need a close-enough domain in some new TLD.

What scammer is going to pay $185,000 and wait several months for a manual screening process to own a fraudulent vanity TLD?

Wow, did you even read the comment you included in your reply? I am saying they will NOT buy an entire TLD. Scammers don't own the whole .com TLD - they buy _individual domains_ under existing TLDs.

Once someone registers a new .llc TLD what do you think they are going to do with it? They are going to sell domain names for $10 a year - to anyone with $10. And sooner or later someone with $10 will buy chase.llc and use it in a scam.

Again, buying an individual domain in a new TLD will not cost $185k; it wi

Re:

[Lunix Nutcase]

Wow do you even understand how these new TLDs work? Clearly not when you post this nonsense.

Re:

[wren337]

FTFA - "GTLDs such as .nyc, .london or .food could provide opportunities for many smaller businesses to grab names no longer available at the .com level -- like bicycles.london or indian.food.

What part of this is confusing you?

Re:

[Adam_ST170]

What part of this is confusing you?

The next paragraph FTFA:

The new domains will also change how ICANN works, as it will have a role in policing how gTLDs are operated, bought and sold. Until now, it has overseen names and performed some other tasks but has been little involved in the Internet's thornier issues.

So to take your example, '.llc', the owner of .llc will probably reserve and offer chase.llc to Chase. (and probably for more than $10)

Re:

[wren337]

Probably? They will PROBABLY offer chase.llc to Chase? That's your whole argument, that the new owners of each and every new TLD will probably do the right thing, so we have nothing to worry about?

You realize we're going to have full character sets available, so you'll have a dozen different characters that look like the letter "a"? There will be hundreds of domain names that look like "chase" in each TLD.

And you've seen how the registrars behave right now with the existing domains? And you're still op

Re:

[Serious Lemur]

the barrier for entry is set relatively high here.

I for one will rest easy knowing that only the most enterprising and wealthy cybercriminals will be making a fortune in illicit bullshit from this. That's what a free market's all about, after all.

Re:

[digitalsushi]

If the phishers figure out some way of gaining 185000 dollars, they might be able to afford a vanity tld. Maybe they could steal 185000 using deceptive luring techniques.

I bet icann will use part of that 185000 dollars to improve the title of "random dude in eastern europe" to "sir".

Re:

[gstoddart]

If the phishers figure out some way of gaining 185000 dollars

Ummm ... from what I've read about how lucrative that can be, the $185K might actually be chump change.

Re:

[Kokkie]

And who will do the dns resolving for the new TLDs? Will this be done securely, otherwise it will cost the scammer $0, with little risk for as long as it lasts.

Extortion

[Anonymous Coward]

"Thats a mighty fine brand ya got there, company. Be a shame if someone came and - bought it as a TLD. For about 200 grand, we can help protect you."

Money, Money, Money

[JoeTalbott]

It's gonna cost a lot of money to get a vanity top-level domain. In order to prevent domain squatting. But won't this just allow those with deep-pocketbooks to call the shots? How well did .biz do? I don't think that in my vast Internet surfing I've ever intentionally visited a .biz address. I'm sure big businesses will snatch up their brand names out of fear and a misguided sense of getting on the bandwagon as soon as possible.

Re:

[localman57]

It'll happen over time. .biz and others will be accepted. People used to think of 1-888 as less good than 1-800 phone numbers. But that feeling has just about gone away over the last 20 years.

So who gets .apple?

[billrp]

Inc. or Corps Ltd. (computer or music)

Re:

[webbiedave]

The highest bidder. Literally.

Re:

[andydread]

Apple Growers Association. [usapple.org]

Cash grab

[Tridus]

This scheme is nothing more then a cash grab. It does nothing useful for domain names. The cost of one of these is sky high ($185,000). There's no need being filled. It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it.

This stuff should not be run on a "how do we extort more money out of DNS" methadology.

Re:

[Lunix Nutcase]

It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it./quote?

Except that someone else won't be able to register one of these TLDs with someone else's trademark. That's the whole point of the manual screening process they are doing before handing out these vanity domains.

Re:

[PPH]

ICANN get your money.

Re:

[demonbug]

This scheme is nothing more then a cash grab. It does nothing useful for domain names. The cost of one of these is sky high ($185,000). There's no need being filled. It's just ICANN trying to get people who already have big websites to pay for another domain for the same site to keep someone else from registering it.

This stuff should not be run on a "how do we extort more money out of DNS" methadology.

This. I also want to know what they plan on doing with the additional millions of pure profit they will be making from their government imposed monopoly. Aren't they supposed to be non-profit? They're going to have to massively increase salaries to remain so.

Also, whatever happened to the egalitarian, level playing field of the internet? This move pisses me off coming and going. If you want to open up all these new TLDs, fine; do it. Let anyone and everyone register their own TLD for the price of a traditi

Big deal over nothing

[_0xd0ad]

Realistically, someone who gets tricked by a fraudulent "mybank.bank" [example given in TFA] is equally likely to be tricked by "mybank.us", or "mybank.com". And we already have made browsers as nearly-idiot-proof as possible so it should display a big scary warning when they try to visit that URL anyway. I don't see this as being that much of a problem.

Stop the fearmongering.

[LavouraArcaica]

It's not the possibilities of phishing that create phishing, but the will and greed of people. Even if phishers can't use a domain name, they'll use just a IP address. And people who believe that 'mybank.ru' is really they bank will equally believe that 'xxx.xxx.xxx.xxx' is their bank.

Come on Slashdot editors!

[wcrowe]

Whoever wrote this either cannot read, or is too lazy to read. It is not going to be easy to get these TLDs. For starters, each TLD will cost $185,000. The applications will also be investigated before the TLDs will be created.

Slashdot used to be a top-notch website, but lately the editors seem to be content to post any old bullshit as a legitimate story. This story should never have been accepted for submission.

Re:

[fruey]

Old bullshit as a legitimate story has precedents as old as slashdot. It only seems like it got better because you filter the crap from your retrospective memory.

Re:

[PPH]

each TLD will cost $185,000. The applications will also be investigated before the TLDs will be created.

You got $185,000? You just passed our investigation.

Hopefully there will be some sanity enforced

[Bloodwine77]

If ICANN allows people to obtain TLDs such as .comm, .ccom, .nett, .orrg, and so forth then we're in for a lot more scams and phishing attempts.

I wonder how well the vanity domains will work in the wild, though. They only work as well as software supports them. In theory it shouldn't be too much of a problem, but in reality I would not be surprised if a lot of software chokes on them.

Re:

[unrtst]

I foresee a lot of software breaking, but not the obvious website url stuff. http://citibank/ [citibank] will probably work just fine in all browsers... though if it doesn't exist, the browser will automatically try citibank.com, citibank.net, or default to a search for it these days.

I'm betting the bigger problem will be in all the ad-hoc validation code out there. For example, email validation... it often requires two parts to the domain portion (user@domain.something), so "user@citibank.com" works, "user@mail.citib

bleh... the good ones are...

[elPetak]

.pr0n .porn .sex

intranet or localhost?

[PanIc RidE]

How long will it take for someone to grease the right hands and get a hold of .intranet or .localhost?

This whole scenario seems to only benefit the pockets of ICANN execs. So why wouldn't they start allowing domains that could seriously break stuff if the price was right?

Re:

[icebraining]

According to the Application Guidebook, LOCALHOST is a reserved name.

Don't Overlook The Spam Potential

[damn_registrars]

The mechanism they just approved for selling gTLDs also has a built-in mechanism that basically excludes spammers from any responsibility, ever, if they are associated with a new gTLD in any way, shape, or form.

For example, say your favorite spammer registers ".pillz". Of course, you'll blacklist that in your email program but that doesn't matter because they'll spoof the email headers so it looks like it came from your own domain, or google, or anywhere else they want. You can try to filter your emai

Troll? I'd love to know why.

[damn_registrars]

I have no idea how that comment is trolling. I pointed out how selling gTLDs creates a new bonanza of opportunity for spammers, and puts a little money into the pockets of the profiteering bastards who run ICANN. Did someone with a strong pro-ICANN slant (I didn't know any such people - outside of ICANN employees - existed) see the comment and moderate it down in retaliation?

It seems like crappy moderation to me. Bad moderator, bad bad bad.

Dear uninformed AC troll

[damn_registrars]

Your google-fu is no good. When you want to search a domain for a string on google, you need "site:" to be followed immediately by that domain. You errantly inserted a space after the colon, which then caused google to do a massive or search between the strings "your-least-favorite-slashdot-name", "site:", and "trolltalk.com".

If you drop that extra space, and rerun the search, you will find that neither my slashdot name, nor that of countertrolling, occur on trolltalk.com.

But thanks for playing!

Are you the same AC troll as before?

[damn_registrars]

I earlier had an encounter with an AC troll, who would ignore reality and likely to try to respond with links to irrelevant AC posts.

Nonetheless, I showed that your google link was wrong. You can go ahead and do the right search, and you'll find I have nothing to do with tomhudson's trolltalk.com. I have nothing else to say in response.

Necessary?

[black soap]

What was wrong with each of these superbrands being a .com? Besides the "we already hit diminishing returns on major corporations trying to lock in all the domains they might want" problem ICANN had? Maybe this is so companies can be their own registrar, once they have a .tld, so newflavor.coke can be held until newflavor's announcement date, without people seeing that it has been registered (or speculators buying them up before coke even decides on the newflavor's name?) - this is a marginal problem at m

anyone gotten .sucks yet?

[Sprouticus]

becausr THAT will be a money maker.

Re:

[oodaloop]

becausr THAT will be a money maker.

Why don't you apply for it? I'm sure you can make a legitimate claim for it.

Re:

[PPH]

It may cost you $185,000. But how much will people pay you to keep apple.sucks, microsoft.sucks, cowboyneal.sucks, etc. off your domain?

This is only one new top level domain

[cforciea]

From the end user perspective, this has the same net effect as opening up exactly one more top level domain: the blank TLD. It just happens to be a way more expensive TLD than any of the other ones, and has a higher chance of coercing companies into registering it. It does not add any new functionality that I can think of (NPR interviewed some asshat this morning talking about how Canon would hypothetically be able to open .canon domains and have cameras automatically upload pictures as they are taken, as i

$185K? Psh...

[pongo000]

...OpenNIC [opennicproject.org] charges $0 for TLD applications, and since it's a transparent democratic approval process, you get to actively participate in the approval process. We need to show ICANN there are alternatives to their extortion attempts.

For the naysayers...

[Lumpy]

Organized crime group forms a corperation called.... Continental Options Network.... and buys the .con TLD.

Now the price is nothing to organized crime, if the payout potential is big.

Hire some killer IT and networking black-hats. Give them $350,000US a year to live in china, south america, Russia, etc.. so they can life like rockstars and do epic coding for their data centers.

First sit low and record the number of typos for sites to .con instead of .com you can data mine where it comes from and target

Cybercriminials

[Pf0tzenpfritz]

cybercriminals could also seek these new domains [...] These can then be used for phishing attacks

Terrorists could also seek these new domains These can then be used for terrorist attacks. Chinese hackers could also seek these new domains These can then be used for chinese hacking attacks. Software pirates could also seek these new domains These can then be used for software pirating attacks. Malicious attackers could also seek these new domains These can then be used for malicious attacking attacks,..

Just post the general case already

[Sloppy]

The more power people have, the more they'll use it and sometimes they'll use it for bad things.

The more expression people have, the more they'll express and sometimes they'll say fraudulent things.

There. Can we now stop treating it as big news every damn time it happens with every damn trivial variation, have the debates one last time, and then agree that we need to kill humanity in order to save it?

'create your own' TLDs?

[lostmongoose]

I propose '.hascheezburger' reserved for ICANN.

This is going to cause serious tech issues

[funky_vibes]

On our network we have things like:
printserver
ntpserver
fontserver
authserver
intranet
mail
etc.

A very practical way of moving your laptop between home and work, and always automatically seeing all relevant printers. (just set your cups server to printserver:631)

We have always assumed that internet things end in a limited amount of TLDs. With this change that assumption goes out the window.
I'm pretty sure this will lead to an immense amount of DNS filtering at all parties who didn't already implement it.

In prote