Phishing epicenters: The top 5 TLD used in today’s phishing attacks

At Jamf, we evaluate and investigate every aspect of mobile threats to better understand their makeup and how to best protect against them. That’s why we decided to complete an in-depth analysis of the top-level domains cybercriminals are using the execute their intricate phishing attacks.

March 7 2018 by

Michelle Base-Bursey

A typical phishing attack is made up of only three key components:

  1. A malicious web page built upon a purchased domain
  2. A Command & Control host and server
  3. An infection method

A registered domain is an essential requirement for any hacker looking to build and execute a phishing attack. A malicious web page simply cannot be built or accessed by an end-user without the initial purchase of a domain.

Phishing in the wild

Phishing is without a doubt the number one threat affecting mobile devices today. Our data confirms that a new phishing site is created once every 15-20 seconds. That means over 4,000 new attacks go live every day.
Most phishing sites are posted and used within only a few hours before hackers introduce entirely new ones. This leads us to believe that hackers are creating and disposing of the various domains they acquire quickly and easily.

For those of you practiced and skilled in creating websites, you’ll know that each time you create a new site, it involves the acquisition of a domain. These domains usually don’t come cheap. Services like GoDaddy, Squarespace, Weebly and 1 & 1 rake in the big bucks selling official, reputable domain names to end-users. Prices can vary greatly depending on the perceived value of the ‘name’ itself, but on average a domain name costs at least $10-$15 USD per year.

A sophisticated hacker, however, can use thousands if not hundreds of thousands of domains to spread their large-scale attacks. For example, in the case of RedDrop, the zero-day malware discovered just last week, the attackers were found to be using a distribution network of 4,000+ domains. Registering 4,000 domain names at that price would amount to bills of around $50k.
You’re probably thinking there’s no way hackers are investing this much in their attacks. If so, in most cases you’re correct. In the case of phishing attacks where we see malicious domains being put up and taken down in a matter of hours, it’s unrealistic to think hackers are investing the large required funds that would normally be required.

The results of our investigation into the top 10 phishing TLDs provide some key insights into this domain dilemma. It appears, as per usual, hackers have found a way around the system.

The Top 5 TLDs

This in-depth analysis was conducted by our Data Science team. They carried out this research by reviewing the sites our mobile intelligence engine MI:RIAM had identified as ‘phishing’, accessed by Jamf's global network of corporate mobile devices. They then performed a further investigation into the nature of the sites to discover the TLDs they possessed.


As you might have guessed, ‘.com’ is the number one, most prevalent TLD the Data Science team saw when evaluating our phishing dataset. Of course, .com is one of the world’s most recognized TLDs, and ergo is one of the most trusted. It was one of the first TLDs introduced for use on the internet in 1985. Now there are over 120 million registered .com domain names, including at each and every Fortune 500 company.

These TLDs are absolutely the most expensive out there, however, they are also the most effective for social engineering purposes. When seeing a .com domain, a user immediately lowers their guard. After all, this TLD has become the global standard for doing business online. Familiarity on the part of the user means an increased chance that they’ll fall victim to the phishing attack.


You may not have guessed that, based on our data, the second most prevalent TLD, when it comes to phishing attacks, is .ga. In fact, you may not even be familiar with this domain name. Interestingly enough, .ga is the country code TLD for Gabon, a sovereign state on the west coast of Central Africa.

Gabon Telecom used to regulate the sale of these domain names until 2013 when they formed a partnership with international domain registration company Freenom. As its name suggests, Freenom offers registrations of these domains for free. Unsurprisingly, this has quickly become the second most popular TLD name offered by the company. It’s no surprise that phishing hackers swarm to places like Freenom to register their domains for free, and use them to create dense distribution networks for their attacks.


The third most prevalent TLD for phishing attacks is .tk, the country code for Tokelau, territory north of New Zealand in the South Pacific. The company that distributes the domains, BV Dot TK, allows any individual or company to register domain names. There are domains available for free, as well as paid alternatives.

In recent years, Dot TK has attempted to clean up its reputation. It has put in place content restrictions for free domains, disallowing things like sexual content, drug use and hate speech. It also requires free domains to have a regular traffic of visitors. If the domain does not oblige, it can be taken down without notice. Unfortunately, even with these regulations in place, hackers are still using these domains to fuel their malicious activities relatively inexpensively.


Another obscure TLD, .ml has made it into the top four. This is the country code TLD for Mali, a landlocked country in West Africa. It’s actually the eighth-largest country in Africa (in square kilometers) with a population of 18 million. In 2013, after their central telecommunications company was privatized, the .ml TLD was redelegated to a Malian government agency that decided it would give .ml domains away for free, again, through a partnership with Freenom.

The government of Mali claims that a "local presence" is required in order to register a domain and that the majority of these domains are used in Mali. This becomes difficult to believe with the volume of phishing attacks originating from these domains, worldwide.


Last but not least, .cf comes in at the fifth most prevalent TLD used in phishing attacks. It is the top-level domain for the Central African Republic and is administered by the Central African Society of Telecommunications. Again, this society has formed a partnership with Freenom, to make its domains available for free on the website.

Of course, the TLD’s intended use is for entities connected with the Central African Republic, but that doesn’t seem to be the case. There doesn’t appear to be any regulation around the registration of domains, nor what content is made available on these web pages. This, of course, makes these domains easy targets for hackers looking to use them for malicious attacks.

The moral of the story

Domains are clearly a pivotal factor when it comes to plotting a phishing attack.

If the hacker is willing to foot the bill, a .com, .org or .co TLD will likely drive more successful attacks thanks to their prime reputation and familiarity. If the cybercriminal is looking to drive volume however and create a robust distribution network, in all likelihood, he or she will stick to free domains. As we’ve seen, these are very popular avenues for phishing attacks.

It’s of vital importance to recognize that phishing can come from anywhere, regardless of the perceived safety of the website. A domain name can be purchased at any time and taken down just as easily. As a business, it’s essential to protect your corporate mobile devices from zero-day phishing attacks that can cause major financial and reputational damage. The only failsafe way to ensure your employees aren’t fooled by clever tactics is to monitor, detect and block malicious mobile traffic, ensuring sensitive data doesn’t fall into the hands of the attacker.

Only Jamf can prevent your data from being exploited by a bad actor in real-time, thanks to our unique cloud gateway that sits directly in the pathway of mobile data.

No other mobile security solution has the same capability to cut off phishing attacks at the source (regardless of their TLD).

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.