Blue Coat Labs
Shady TLD Smackdown: .Accountant vs .Realtor
After a short hiatus, it's time to dive back into the world of shady Top-level Domains (TLDs). This time, I thought it would be interesting to contrast the approach taken by two "vanity TLD" registries: .Accountant and .Realtor, and see which one looks shadier, and why.
But first, since the first quarter of 2016 has just passed, it's time to update our "Top Ten" list of the shadiest TLDs, even though that's going to give away the answer:
[Table: Top Ten shadiest TLDs, with columns Rank, TLD and Percentage of Shadies*]
* Percentage of the rated sites in our database ending in the given TLD that have a "shady" category rating. (The shady categories are Malware, Botnet, Spam, Scam, Phishing, PUS, and Suspicious.)
Yes, .accountant is shadier than .realtor. A lot shadier.
The percentage of .realtor sites in our DB that are rated with one of the shady categories is only 8.19%, which looks a lot less shady than the 98.93% for .accountant...
But those are the all-time historical ratings. What about recent traffic?
Well, it's not a pretty picture for .accountant...
Accounting for Recent Traffic
Normally, I look at the Top 100 sites (ranked by request traffic) in our world-wide data logs for a recent 7-day period. This time, since I noticed some interesting naming patterns among the .accountant sites, I actually ended up surveying the Top 500. [Note to Bosses: Don't expect this same level of effort every time...]
For the Top 500 .accountant sites, the category breakdown looks like this:
[Table: category breakdown of the Top 500 .accountant sites (category, number of sites); the only row preserved here is "Entertainment + Adult: 2"]
In other words, 97.4% (487 / 500) of the top .accountant sites were shady, by our classic definition, and if we add in the "borderline shady" categories of Porn and Placeholder, that climbs to 99.6% (498/500).
Furthermore, if you were to ask yourself, as I did, "Why would anyone in China want to have an erotic fiction site with a .accountant TLD?" then the two Adult+Entertainment sites would also join the shady ranks, and .accountant would score a perfect 100% on the shadiness scale. But maybe accountancy in China is a sexier profession than it is elsewhere in the world, and this is a perfectly normal name for such a site...
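The "percentage of shadies" metric and the Top 500 cut above are easy to reproduce against your own proxy logs. The following is an added example, not Blue Coat's code or data: it ranks the hosts in a TLD by request count, takes the top N, and computes the share rated in the post's shady categories, first by the classic definition and then with the two borderline categories added. The log format, hostnames, request counts and ratings are all constructed for the example, and "TLD" means the hostname's last label, as in the post, not a public-suffix lookup.

```python
"""Added example (not Blue Coat's code): compute the 'percentage of shadies'
metric from a request log, the way the post describes it.

Input is a constructed log: one line per host, '<requests> <hostname> <category>'.
"""
from collections import Counter

# Categories the post calls "shady" (its classic definition) and the two
# "borderline shady" categories it adds in the second cut.
SHADY = {"Malware", "Botnet", "Spam", "Scam", "Phishing", "PUS", "Suspicious"}
BORDERLINE = {"Porn", "Placeholder"}

# Constructed sample data: hostnames, counts and ratings are made up.
SAMPLE_LOG = """\
9120 a7f3k.zx9q.accountant Suspicious
8800 essay-helper-pro.accountant Scam
7400 forex-signals.accountant Scam
6100 dl-soft-ru.accountant Malware
5050 hitredbut.accountant Suspicious
4000 park-me.accountant Placeholder
3500 tube-xx.accountant Porn
2200 erotic-stories.accountant Entertainment
9900 smith-homes.realtor Real Estate
9100 jones-realty.realtor Real Estate
8700 bayarea-listings.realtor Real Estate
150 cdn.hacked-agent.realtor Malware
"""


def tld_of(host: str) -> str:
    """Last label of a hostname, lower-cased, ignoring a trailing dot."""
    return host.rstrip(".").rsplit(".", 1)[-1].lower()


def parse_log(text: str):
    """Yield (requests, host, category) from the constructed log format.

    maxsplit=2 keeps multi-word categories such as 'Real Estate' intact.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        n, host, category = line.split(maxsplit=2)
        yield int(n), host, category


def top_sites(records, tld: str, n: int):
    """Top-n hosts in the given TLD ranked by request count, as (host, category)."""
    in_tld = [(req, host, cat) for req, host, cat in records if tld_of(host) == tld]
    in_tld.sort(key=lambda r: r[0], reverse=True)
    return [(host, cat) for _, host, cat in in_tld[:n]]


def category_breakdown(sites) -> Counter:
    """Number of sites per category, the table the post shows for the Top 500."""
    return Counter(cat for _, cat in sites)


def shady_share(sites, include_borderline: bool = False) -> float:
    """Percentage of sites rated in a shady (optionally also borderline) category."""
    if not sites:
        return 0.0
    bad = SHADY | (BORDERLINE if include_borderline else set())
    hits = sum(1 for _, cat in sites if cat in bad)
    return round(100.0 * hits / len(sites), 2)


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for tld in ("accountant", "realtor"):
        sites = top_sites(records, tld, 500)
        print(tld, dict(category_breakdown(sites)),
              "classic:", shady_share(sites),
              "with borderline:", shady_share(sites, include_borderline=True))
```

On the constructed sample, .accountant comes out at 62.5% shady by the classic definition and 87.5% with Porn and Placeholder included, against 25% for .realtor; the point is the mechanics, not the numbers, which on real data should be computed over a large enough sample and a fixed time window, as the post does.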
And a Quick "Realty" Check
For .realtor, the picture is a lot prettier. I only found a single request, in the same seven days of web traffic, to a site that had a shady rating: a request to a subdomain on a hijacked .realtor site that had been hosting the Angler exploit kit. Every site with significant traffic that I checked (all of the Top 50, and several others at random) is simply categorized as Real Estate, as one might expect.
The reason for the much nicer neighborhood here isn't hard to find. Here's an important excerpt from the page discussing registration for .realtor domains:
In other words, the good folks behind .realtor actually do an effective background check before they allow someone to register a .realtor domain: they've actually got to be a member of the club to get into the clubhouse.
In contrast, .accountant appears to be doing no effective registrant checking whatsoever.
Drilling for Details
Most of the Suspicious sites, by far, were junk/random subdomains on junk-name domains. These sites were going to great lengths to hide their true nature, but a little sleuthing in the traffic turned up evidence that they're part of a large spam network. Since we advise customers to block both Spam and Suspicious categories, I didn't think it was worth changing all of the ratings, but it's probable that most of the Suspicious sites were involved in spam campaigns.
Next up in the shady traffic nets was a large network of academic plagiarism sites (which we include in our Scam/Questionable category). The domains had names like these:
And they generally look something like this:
It's been a while since I was in school, and we didn't have the Internet back then, but I knew a kid who would write papers for other kids, and I think he charged $5 a page. That was in high school, so getting a 7-page dissertation chapter written for just $62.85 sounds like a pretty good deal after allowing for inflation. And it's also nice to note that a site dedicated to academic cheating has an anti-fraud policy...
Another batch of scammy sites fell into the wonderful world of "forex" (foreign exchange, or making vast fortunes -- so they say -- in trading various foreign currencies) and related trading in various types of "options". These domains tended to have names like this:
And look something like this, although there were many different types represented in the traffic I checked:
And yes, a less trusting soul might ask why a "forex-vietnam.accountant" site would have a sign-up page in a mix of Russian and English, but maybe there are a lot of currency and option traders in Vietnam who use those two languages...
Let's see, what else did we have...
- At least two different porn networks.
- Two different Russian "shady download" networks (and one English one).
- And a bunch of Russian (and other languages) "search bait" shady-content networks.
The search bait networks are worth a closer look, as we run into them in a lot of different contexts. In general terms, these are built (in relatively large numbers) by gray- and black-hat SEO (search engine optimization) groups. They tend to use junk content, ripped more or less randomly from other sites, and try to entice search engines into thinking they are wonderful sites to index. (We've written a lot of blog posts about SEO and SEP -- search engine poisoning -- over the years.)
Here's a fun example, from hitredbut.accountant:
Notice that although the page content (about "Sevastopol train schedules") is in Russian, the site template they're using leaves a lot of artifacts in English, which is a bit sloppy, although no more sloppy than choosing a nonsense name like hitredbut.accountant, I suppose...
The bottom of the page is also interesting:
At the conclusion of the text (supposedly about train schedules, remember?) there are three links to other pages (this is part of building up the search reputation and ranking for the site). However, the links refer to such unrelated topics as a "driver for an HP Laserjet 3055 scanner", and guitar chords for a couple of different songs.
This is followed by two "comments", from users appropriately named "Guest" and "Anonymous", who actually have nothing to say about train schedules, or even Sevastopol. Instead, they are commenting about music videos and audiobooks, respectively. In fact, you can find the same two comments, from the same two people, all over this network. Apparently, this is the sort of thing that makes a search engine really think it's found an important page to index...
As with many of the other TLDs we've profiled in this series -- see links below -- we recommend that people who care about security, and who want to keep their networks as junk-free as possible, consider blocking traffic to .accountant domains. We see little, if any, valuable content lurking in that neighborhood. In contrast, .realtor sites tend to be a much more upscale neighborhood -- generally safer than the weird wild web as a whole.
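A concrete form of that blocking recommendation, as an added example rather than anything from the original post or from a Blue Coat product: a URL check that blocks on the parsed hostname's last label. The URLs and hostnames in it are made up. The caveat it demonstrates is that matching the string ".accountant" anywhere in a URL both over-blocks (a path such as /report.accountant on a legitimate site) and under-blocks (mixed case, a trailing dot, or credentials and a port in front of the host), so the decision has to be made on the normalised hostname.

```python
"""Added example (not Blue Coat's code): block requests whose hostname ends in
a TLD on a blocklist, deciding on the parsed hostname rather than a substring
of the raw URL.

'https://example.com/report.accountant' must pass, while
'HTTP://Login.Evil.ACCOUNTANT.:8080/' must be blocked.
"""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# TLDs to block outright; .accountant is the post's recommendation, the set is
# an assumption for the example and should follow your own traffic data.
BLOCKED_TLDS = {"accountant"}


def hostname_of(url: str) -> Optional[str]:
    """Hostname from a URL, tolerating a missing scheme.

    urlsplit().hostname lower-cases the host and strips userinfo and port;
    a trailing dot (absolute DNS name) is removed here so it cannot be used
    to slip past a suffix comparison.
    """
    if "://" not in url:
        url = "//" + url          # make urlsplit treat the text as a netloc
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, which have no TLD at all."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def tld_of(host: str) -> Optional[str]:
    """Last label of a hostname, or None for an IP literal."""
    return None if is_ip_literal(host) else host.rsplit(".", 1)[-1]


def should_block(url: str, blocked=BLOCKED_TLDS) -> bool:
    """Decision for one request: block iff the hostname's TLD is blocklisted."""
    host = hostname_of(url)
    if host is None:
        return False
    return tld_of(host) in blocked


if __name__ == "__main__":
    # Constructed URLs exercising the cases a substring match gets wrong.
    for u in ("HTTP://Login.Evil.ACCOUNTANT.:8080/",
              "http://user:pw@x.accountant/path",
              "cheap-essay.accountant",
              "https://example.com/report.accountant",
              "accountant.example.com",
              "http://[2001:db8::1]/",
              "https://smith-homes.realtor/"):
        print("BLOCK " if should_block(u) else "allow ", u)
```

In a real deployment this rule belongs in the proxy's policy, not in application code, and the TLD set should be derived from measurements like the ones in this post; the rule itself stays the same, normalise the hostname first and decide on that, never on the raw URL text.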
P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series: