Phishing Activity in Top-level Domains (TLDs)
May 1, 2020 - July 31, 2020
We analyzed the phishing domains to see how they were distributed across the top-level domains. For our analysis, we extract the Top-level Domain (e.g., com, xyz, uk) from the hostnames we found in phishing reports. We then rank TLD operators based on the number of reported phishing domains and a metric, phishing score.
Most phishing continues to be concentrated in just a few TLDs: for the August-October 2020 period, we identified 112 TLDs with a minimum of 30,000 delegated domains and at least 25 reported phishing domains.
In the table below, we show the twenty TLDs that had the highest number of reported phishing domains. Four TLDs in the August to October 2020 ranking (by reported phishing domains)are legacy TLDs (com, net, info, org). Nine are country ccTLDs (tk, ga, ml, cf, gq, ru, cn, br, in). Seven are new TLDs (xyz, top, buzz, icu, wang, online, live).
Ranking of TLDs by Phishing Domains (May to July 2020)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains ▼ | Phishing Domain Score |
| 1 | com | 151,931,301 | 44,011 | 2.9 |
| 2 | xyz | 3,136,553 | 4,065 | 13.0 |
| 3 | tk | 25,644,936 | 3,808 | 1.5 |
| 4 | top | 3,748,802 | 3,004 | 8.0 |
| 5 | buzz | 604,706 | 2,705 | 44.7 |
| 6 | ga | 5,057,226 | 2,578 | 5.1 |
| 7 | ml | 4,162,031 | 2,559 | 6.2 |
| 8 | net | 13,705,756 | 2,324 | 1.7 |
| 9 | info | 4,787,440 | 2,320 | 4.9 |
| 10 | cf | 4,453,018 | 1,919 | 4.3 |
| 11 | gq | 3,692,011 | 1,743 | 4.7 |
| 12 | org | 10,648,071 | 1,649 | 1.6 |
| 13 | icu | 6,611,658 | 1,595 | 2.4 |
| 14 | wang | 1,392,249 | 1,385 | 10.0 |
| 15 | ru | 4,867,074 | 1,286 | 2.6 |
| 16 | cn | 15,961,895 | 1,216 | 0.8 |
| 17 | online | 1,586,898 | 1,175 | 7.4 |
| 18 | live | 719,372 | 1,116 | 15.5 |
| 19 | br | 4,442,239 | 1,114 | 2.5 |
| 20 | in | 2,284,123 | 929 | 4.1 |
To allow comparison of large and small Top-level Domains, we also rank TLDs based on a metric, phishing domain score, which is calculated by dividing the number of domain names reported for phishing in a TLD by the number of domains delegated from that TLD.
TLD Phishing Score = (number of phishing domains/domains delegated from TLD) * 10,000
This score can highlight where high-volume phishers place multiple phish on one domain.
In the table below, we show the twenty TLDs that had the highest phishing domain score.
Ranking of TLDs by Phishing Domain Score (May to July 2020)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains | Phishing Domain Score ▼ |
| 1 | host | 97,718 | 667 | 68.3 |
| 2 | buzz | 604,706 | 2,705 | 44.7 |
| 3 | best | 113,614 | 433 | 38.1 |
| 4 | casa | 30,000 | 84 | 28.0 |
| 5 | services | 53,454 | 149 | 27.9 |
| 6 | ph | 107,421 | 185 | 17.2 |
| 7 | monster | 104,126 | 177 | 17.0 |
| 8 | live | 719,372 | 1,116 | 15.5 |
| 9 | xyz | 3,136,553 | 4,065 | 13.0 |
| 10 | ve | 31,788 | 37 | 11.6 |
| 11 | pk | 89,707 | 103 | 11.5 |
| 12 | id | 344,198 | 396 | 11.5 |
| 13 | business | 41,500 | 44 | 10.6 |
| 14 | wang | 1,392,249 | 1,385 | 10.0 |
| 15 | ke | 80,960 | 80 | 9.9 |
| 16 | pe | 109,174 | 93 | 8.5 |
| 17 | top | 3,748,802 | 3,004 | 8.0 |
| 18 | center | 41,437 | 31 | 7.5 |
| 19 | digital | 58,002 | 43 | 7.4 |
| 20 | online | 1,586,898 | 1,175 | 7.4 |