Why Phishers Love New TLDs Like .shop, .top and .xyz

Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.

https://krebsonsecurity.com/2024/12/why-phishers-love-new-tlds-like-shop-top-and-xyz/

@briankrebs I wanted to share this on BlueSky and was going to reskeet your account, but it seems a poseur is using your good name, poorly. Just a heads up. (If you do join, you can domain verify: https://bsky.social/about/blog/4-28-2023-domain-handle-tutorial )
@tom @briankrebs Some actors have around a dozen fake accounts. Mark Hamill posted about his. I assume this happened on Twitter as well.
@tom @briankrebs What a dick move. The poser that is, not you wanting to share something :)

@tom @briankrebs Domain-based verification is a bit more awkward on bsky than Mastodon -- you're supposed to add a TXT record to your DNS settings. But not hard.

Either way, though, it only goes so far. Impostors can verify domains too, and someone who doesn't already know Brian's work fairly well might not be able to tell which of two purported "personal website"s is the real McCoy -- especially since Brian's keeping his actual contact info private by registering through "Contact Privacy Inc."

@rst @briankrebs well, _I_ would trust it more if the account is @krebsonsecurity.com than @briankrebssec.bsky.social
@briankrebs @catsalad IMO, TLDs in general have outlived their usefulness. They meant something once, but once deregulated just became a scammy gold rush. I’d personally sunset the idea of TLDs entirely, and just use the domain name as-is, with the limitation that the name must be four characters or longer. Existing names+TLDs would be migrated or sunsetted. (This, of course, is totally infeasible and will never happen.)