Protection for TLDs against Phishing and Malware

Netcraft offers a suite of services for registries allowing them to confidently protect their TLDs against phishing and malware. Taking a pro-active stance against these attacks is vital, demonstrating to fraudsters that they are unwelcome, and thus ensuring that the reputation of the TLD is not tarnished.

Our detection and countermeasures service provides continual real-time alerts of newly identified phishing & malware threats, immediate countermeasures, ongoing monitoring, and statistical reporting of the health of the TLD. In addition, our Deceptive Domain Score service can be integrated into the domain issuance process to identify and flag domains that are likely to be used for fraud.

Phishing & Malware Detection and Countermeasures

Netcraft’s professionally validated phishing feed is used throughout the internet infrastructure industry. In addition to internet registries, all of the main web browsers, along with major anti-virus companies, firewall vendors, SSL certificate authorities, large hosting companies and domain registrars use Netcraft’s feed to protect their user communities. To date, Netcraft has detected and blocked over 68 million unique phishing sites [October 2019].

As soon as a new phishing or malware attack is detected, Netcraft automatically contacts relevant parties in order to have the malicious site shut down as quickly as possible. This will include the registrar in order to have a purely fraudulent domain name suspended; however we also identify and contact other parties who might have control or influence over the website, such as the webmaster, the hosting provider, and upstream providers.

Availability monitoring of a phishing site throughout the takedown process. Availability monitoring of a phishing site throughout the takedown process.

Key elements of the Netcraft approach include:

  • Extensive automation throughout the takedown process.
  • Large database of contact details for Internet Service Providers, registrars, hosting companies and law enforcement.
  • Geo-distributed site content monitoring system, tracking a fraudulent site’s availability.
  • Local language translations for every country that has hosted more than 6 fraudulent sites in the last 6 months.
  • Automatic restart of takedowns if the attack reappears within 7 days of going offline.

Reporting and Intelligence

The customer portal allows comprehensive tracking of ongoing incidents, including notifications of significant events during the takedown process. In addition, the interface enables analysis of the volume of attacks and malicious site availability by attack type, registrar, hosting company, country, language and phishing target to help identify threat trends within the TLD.


Deceptive Domain Score

Deceptive Domain Score is a tool for domain registries to analyse the likelihood that new domains will be used for fraudulent activities. The service identifies domains which are deceptively similar to legitimate websites run by banks and other institutions commonly targeted by phishing attacks. This gives TLDs the opportunity to prevent the registration, flag for human inspection, or immediately suspend fraudulent domains, before malicious content can be uploaded.

The following table lists some examples of deceptive domains that have been used to conduct phishing attacks, along with their Deceptive Domain Service score:

Hostname Phishing Target Risk Score Halifax 10.0 Amazon 9.6 Santander 8.97 Paypal 9.6 Apple 8.20

Next Steps

To arrange a trial, or to discuss your requirements, please contact us, +44 (0) 1225 447500.