Threat actors are increasingly leveraging a variety of top-level domains (TLDs) to carry out phishing campaigns, with the .li extension emerging as the most malicious. A recent analysis reveals that 57.22% of all observed .li domains are flagged as harmful, making it the highest-risk TLD currently in circulation.
According to cybersecurity firm ANY.RUN, domains like .es, .sbs, .dev, .cfd, and .ru frequently appear in phishing attacks, often mimicking login portals or delivering fake documents to steal user credentials. These domains are central to evolving phishing methods that bypass traditional detection systems, prompting a renewed call for tighter domain monitoring within Security Operations Centers (SOCs).
.li Domains Act as Redirectors, Not Just Payload Hosts
While .li domains rank highest in terms of malicious activity, researchers emphasize that many don’t host malware directly. Instead, they serve as redirectors, guiding victims through multi-step attack chains to final phishing or malware destinations. Techniques such as PHP header() calls, JavaScript’s location.replace(), and HTML meta-refresh tags are commonly used to execute seamless redirections while masking the threat.
Cheap Domains Fuel Mass-Scale Phishing
Low-cost TLDs like .sbs, .cfd, and .icu are driving large-scale phishing operations. With domain registration costs as low as $1.54, attackers can easily purchase vast numbers of throwaway domains. Historical data from the Cybercrime Information Center shows 11,224 phishing domains registered under .sbs and 5,558 under .cfd. The .icu extension, promoted as “I see you,” also remains a preferred vector, linked to 3,171 malicious sites.
Cloudflare Services Targeted by Sophisticated Phishing Kits
Legitimate hosting services, including Cloudflare’s Pages.dev and Workers.dev, are being misused to host phishing pages that exploit the provider’s trusted reputation. Phishing incidents on Pages.dev surged by 198% between 2023 and 2024, jumping from 460 to 1,370 reported cases.
Among the most notable threats is the Tycoon 2FA phishing kit. This tool uses advanced evasion methods such as browser fingerprinting, CAPTCHA hurdles, and control server domain triangulation across TLDs like .ru, .es, .su, .com, .net, and .org. Many attacks begin with hijacked Amazon SES accounts and evolve through intricate redirect chains before capturing user credentials.
Call for Enhanced Monitoring and Sandbox Analysis
Experts stress the importance of real-time domain analysis using interactive sandbox environments to uncover indicators of compromise (IOCs). Implementing robust TLD monitoring protocols will help organizations strengthen their defenses and stay ahead of these increasingly sophisticated phishing operations.
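The redirect mechanisms named above (HTTP Location headers as emitted by PHP header(), JavaScript location.replace(), and HTML meta-refresh) and the TLD monitoring called for here can be exercised together on captured traffic. The following is an added example, not code from the article, ANY.RUN, or CybersecurityNews.com: it walks a redirect chain offline from a dictionary of captured responses, identifies which mechanism produced each hop, and flags every host whose TLD is on a watch list built from the TLDs the article reports, or that sits on an abused hosting suffix such as pages.dev. All hostnames, URLs, responses and the watch list are constructed for the demonstration.

```python
"""Redirect-chain and risky-TLD triage over captured HTTP responses.

Added example (not from the article or ANY.RUN). Every URL, response and
watch-list entry below is constructed for illustration.
"""
import re
from urllib.parse import urljoin, urlparse

# Watch list built from the TLDs the article reports as heavily abused.
RISKY_TLDS = {"li", "es", "sbs", "dev", "cfd", "ru", "icu", "su"}
# Legitimate hosting suffixes the article reports as misused for phishing pages.
ABUSED_HOSTING_SUFFIXES = ("pages.dev", "workers.dev")

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
HTTP_EQUIV_REFRESH_RE = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE)
REFRESH_URL_RE = re.compile(r"content\s*=\s*[\"']\s*\d+\s*;\s*url\s*=\s*([^\"'\s>]+)", re.IGNORECASE)
JS_REDIRECT_RE = re.compile(
    r"(?:location\.replace\(\s*|location\.assign\(\s*|location(?:\.href)?\s*=\s*)[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def tld_of(host):
    return host.rsplit(".", 1)[-1] if "." in host else host


def classify_host(host):
    """Return a reason string if the host deserves analyst attention, else None."""
    for suffix in ABUSED_HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return f"abused hosting suffix {suffix}"
    tld = tld_of(host)
    if tld in RISKY_TLDS:
        return f"risky TLD .{tld}"
    return None


def meta_refresh_target(body):
    """Find the URL of a <meta http-equiv="refresh" content="N; url=..."> tag."""
    for tag in META_TAG_RE.findall(body):
        if HTTP_EQUIV_REFRESH_RE.search(tag):
            m = REFRESH_URL_RE.search(tag)
            if m:
                return m.group(1)
    return None


def next_hop(url, response):
    """Derive the next URL and the redirect mechanism from one captured response."""
    status, headers, body = response
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:          # what PHP header("Location: ...") emits
        return urljoin(url, location), "http-location"
    target = meta_refresh_target(body)
    if target:
        return urljoin(url, target), "meta-refresh"
    m = JS_REDIRECT_RE.search(body)
    if m:
        return urljoin(url, m.group(1)), "js-location"
    return None, None


def follow_chain(start_url, responses, max_hops=10):
    """Walk the chain offline over captured responses; stop on loops or unknown URLs."""
    chain = [(start_url, "start")]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        response = responses.get(url)
        if response is None:
            break
        nxt, how = next_hop(url, response)
        if nxt is None or nxt in seen:
            break
        chain.append((nxt, how))
        seen.add(nxt)
        url = nxt
    return chain


def triage(start_url, responses):
    """Return the resolved chain plus every host that matched the watch list."""
    chain = follow_chain(start_url, responses)
    flagged = []
    for url, _ in chain:
        host = host_of(url)
        reason = classify_host(host)
        if reason and (host, reason) not in flagged:
            flagged.append((host, reason))
    return {"chain": chain, "flagged": flagged}


# Constructed capture of a four-hop chain; none of these hosts is real.
SAMPLE_RESPONSES = {
    "http://docs-share.li/open": (302, {"Location": "https://view-file.sbs/step1"}, ""),
    "https://view-file.sbs/step1": (200, {}, '<html><head><meta http-equiv="refresh" '
                                             'content="0; url=https://mail-verify.pages.dev/login"></head></html>'),
    "https://mail-verify.pages.dev/login": (200, {}, '<script>location.replace("https://secure-portal.cfd/auth");</script>'),
    "https://secure-portal.cfd/auth": (200, {}, "<html><body>Sign in</body></html>"),
}

if __name__ == "__main__":
    result = triage("http://docs-share.li/open", SAMPLE_RESPONSES)
    for url, how in result["chain"]:
        print(f"{how:>14}  {url}")
    for host, reason in result["flagged"]:
        print(f"FLAG {host}: {reason}")
```

In a SOC pipeline the `SAMPLE_RESPONSES` dictionary would be replaced by the responses a sandbox or proxy actually captured; the chain output gives each intermediate host as an IOC candidate, and the `flagged` list is what the TLD-monitoring rule would raise for review. Hosts under an abused hosting suffix are reported under that suffix rather than their TLD, because the hosting provider, not the .dev TLD itself, is the reason for attention.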
News Source: CybersecurityNews.com