CyberSecurity SEE

Why is .US Being Used to Phish So Many of Us? – Krebs on Security

Domain names ending in “.US” have become a hotbed for phishing scams, according to new research. The .US domain is the top-level domain for the United States and is overseen by the U.S. government. However, despite efforts to restrict access to .US domains to U.S. citizens and those with a physical presence in the United States, phishing domains ending in .US continue to proliferate.

The Interisle Consulting Group, a research firm that analyzes phishing data, conducted a study that examined six million phishing reports between May 2022 and April 2023. The study found an alarming 30,000 .US phishing domains, making .US one of the most prevalent domains for phishing scams.

The .US domain is managed by GoDaddy, the world’s largest domain registrar, under a contract with the National Telecommunications and Information Administration (NTIA), an agency of the U.S. Department of Commerce. The NTIA requires the administrator of the .US registry to verify that their customers have a connection to the United States. However, Interisle’s research suggests that GoDaddy’s management of this vetting process is inadequate.

Dean Marks, the emeritus executive director for a group called the Coalition for Online Accountability, has been critical of the NTIA’s stewardship of .US. Marks points out that other country code top-level domains (ccTLDs) that enforce similar restrictions have significantly lower levels of abuse, including phishing and malware. For example, ccTLDs like .DE for Germany and .HU for Hungary have implemented measures to validate domain registrants, resulting in lower levels of abuse.

The issue with .US domains is not new. In 2018, Interisle identified .US domains as being the worst in the world for spam, botnet activity, and illicit or harmful content. At that time, the .US domain was operated by a different contractor.

When questioned about the issue, GoDaddy stated that all .US registrants must certify that they meet the NTIA’s requirements. However, this certification process appears to be a mere formality, as the registration page on GoDaddy auto-populates the required fields with pre-selected answers indicating U.S. citizenship or residency. It currently costs just $4.99 to obtain a .US domain through GoDaddy.

GoDaddy claims to conduct scans and spot checks on registration information to ensure compliance with the registration requirements. The company also states its commitment to addressing DNS abuse and working with registrars, cybersecurity firms, and other stakeholders.

Interisle’s research uncovered that a significant number of .US domains were used in attacks against prominent U.S. companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Additionally, .US domains were used to target government entities, such as the United States Postal Service and foreign government services.

The NTIA recently proposed allowing GoDaddy to redact registrant data from WHOIS registration records. However, Interisle argues that without stricter verification processes for .US domain registrants, this proposal could hinder efforts to identify phishers and verify the identities of registrants.

The NTIA has not yet responded to requests for comment on the issue.

Interisle sources its phishing data from various industry sources, including the Anti-Phishing Working Group, OpenPhish, PhishTank, and Spamhaus. For more information on phishing trends and statistics, refer to Interisle’s 2023 Phishing Landscape report.
