Why is there’s so much spam coming from .xyz and other new top-level domains?

Spam never went away. And it continues to be on the rise for an obvious reason: spam still works. And the abundance of spam coming from .xyz and other new TLDs (top-level domains) helps explain why this dirty trick remains so effective.

Why hackers love .xyz and other new top-level domains

“The reason hackers like this [method] is you can register a domain under any top-level domain over and over again,” said Janne Kauhanen, host of our Cyber Sauna podcast. “So, for example, if Microsoft.com is already taken, Microsoft.xyz might not be.”

Laura Kankaala, Security Consultant at F-Secure and host of the We need to talk about InfoSec podcast, said, “So when you’re buying, for example, .xyz or when you’re buying .pharmacy, .family or .club, they’re typically a lot cheaper than .com, .fi or any of those kinds of top-level domains.”

Hackers can purchase these some of these new domain names for less than $1 each. For that low-low price, criminals are purchasing something invaluable: believability.

Online criminals are experts in using your brain against you

Based on the latest academic research, the experts at F-Secure’s Phishd created a model to describe the art of fooling people who should know better. This is more commonly known as “social engineering.”

The use of .xyz and other new top-level domains falls right in this model’s Believability section right next to “Similarity.”

If you believe it, you’ll click on it

If you see an email that’s coming from Microsoft, you may never check the actual domain it’s coming from.

“Believability is an area in which today’s threat actors excel,” Phishd noted. “An email which closely resembles one you would expect to receive will be an easy win for a hacker.”

Add a real-looking domain to that real-looking piece of spam and the effectiveness only rises, especially on mobile devices where portions of a URL often are obscured to fit the screen.

Scare, Gain and Believability make phishing profitable

You’ll see that there are other elements that go into effective social engineering, described as Scare, Gain and Believability.

“In the ‘Scare’ zone, you’ll find authority and urgency. From our research and live project work, we have seen countless phishing campaigns which appear to come from a senior colleague,” Phisd noted. “They are hugely effective.”

When targeting personal accounts, “Scare” includes emails that resemble collection notices related to your bills or taxes.

Gain, meanwhile, activates our eagerness to get a free lunch.

“Offer a reward – whether it be a freebie, discount or piece of information – and many of us have our finger on the mouse, ready to click, before we’ve drawn breath,” Phishd noted.

Beware emails bearing gifts

“Failed delivery” phishing emails seem to combine both Scare and Gain. There’s the fear you won’t get something you’ve ordered, because many if not most of us are probably expecting something we’ve purchased online to be delivered right now. And there’s also Gain because someone may be sending us something. Yay!

But without Believability—from the combination of “Similarity” and “Distraction”—we’re far less likely to be fooled. We’ll do the right thing and go directly to the correct url of the retailer or institution we’re dealing with instead of clicking on a link in an email. Or, if we’re feeling even smarter, we’ll call them directly.

Online crooks have to be master psychologists. .xyz and other new top-level domains offer them another trick that increases believability. And that’s another trick that will make them money.

And as long as it works, they’ll keep doing it.