Why is there’s so much spam coming from .xyz and other new top-level domains?


Reading time: 5 min
  • Blog post
  • 2019
  • Sandra Proske
  • Detect and respond to attacks
Sandra Proske



Spam never went away. And it continues to be on the rise for an obvious reason: spam still works. And the abundance of spam coming from .xyz and other new TLDs (top-level domains) helps explain why this dirty trick remains so effective.

Why hackers love .xyz and other new top-level domains

“The reason hackers like this [method] is you can register a domain under any top-level domain over and over again,” said Janne Kauhanen, host of our Cyber Sauna podcast. “So, for example, if Microsoft.com is already taken, Microsoft.xyz might not be.”

Laura Kankaala, Security Consultant at WithSecure and host of the We need to talk about InfoSec podcast, said, “So when you’re buying, for example, .xyz or when you’re buying .pharmacy, .family or .club, they’re typically a lot cheaper than .com, .fi or any of those kinds of top-level domains.”

Hackers can purchase these some of these new domain names for less than $1 each. For that low-low price, criminals are purchasing something invaluable: believability.

Online criminals are experts in using your brain against you

Based on the latest academic research, the experts at WithSecure’s Phishd created a model to describe the art of fooling people who should know better. This is more commonly known as “social engineering.”

The use of .xyz and other new top-level domains falls right in this model’s Believability section right next to “Similarity.”

If you believe it, you’ll click on it

If you see an email that’s coming from Microsoft, you may never check the actual domain it’s coming from.

“Believability is an area in which today’s threat actors excel,” Phishd noted. “An email which closely resembles one you would expect to receive will be an easy win for a hacker.”

Add a real-looking domain to that real-looking piece of spam and the effectiveness only rises, especially on mobile devices where portions of a URL often are obscured to fit the screen.

Scare, Gain and Believability make phishing profitable

You’ll see that there are other elements that go into effective social engineering, described as Scare, Gain and Believability.

“In the ‘Scare’ zone, you’ll find authority and urgency. From our research and live project work, we have seen countless phishing campaigns which appear to come from a senior colleague,” Phisd noted. “They are hugely effective.”

When targeting personal accounts, “Scare” includes emails that resemble collection notices related to your bills or taxes.

Gain, meanwhile, activates our eagerness to get a free lunch.

“Offer a reward – whether it be a freebie, discount or piece of information – and many of us have our finger on the mouse, ready to click, before we’ve drawn breath,” Phishd noted.

Beware emails bearing gifts

“Failed delivery” phishing emails seem to combine both Scare and Gain. There’s the fear you won’t get something you’ve ordered, because many if not most of us are probably expecting something we’ve purchased online to be delivered right now. And there’s also Gain because someone may be sending us something. Yay!

But without Believability—from the combination of “Similarity” and “Distraction”—we’re far less likely to be fooled. We’ll do the right thing and go directly to the correct url of the retailer or institution we’re dealing with instead of clicking on a link in an email. Or, if we’re feeling even smarter, we’ll call them directly.

Online crooks have to be master psychologists. .xyz and other new top-level domains offer them another trick that increases believability. And that’s another trick that will make them money.

And as long as it works, they’ll keep doing it.

Related posts

April 16, 2024

5 phases of a cyber attack: The attacker’s view

Cyber security is not something you do once and then you’re done. It is a continuous process that should be part of everything you do. However, no one has the resources to do everything perfectly. Thus, your goal should be constant improvement.

Read more
April 16, 2024

Of Cameras & Compromise: How IoT Could Dull Your Competitive Edge

The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.

Read more
April 16, 2024

How to decompile any Python binary

At WithSecure we often encounter binary payloads that are generated from compiled Python. These are usually generated with tools such as py2exe or PyInstaller to create a Windows executable.

Read more
April 16, 2024

The Chilling Reality of Cold Boot Attacks

What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?

Read more