It was recently reported that Google removed over 11 million websites with addresses ending in .CO.CC from its search results, as it considered their content to be primarily spam or phishing related. As a reminder, phishing is the term coined to describe how fraudsters may attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity.  

The .CC domain name extension is an official ICANN (the Internet Corporation for Assigned Names and Numbers) accredited country code Top Level Domain (ccTLD), representing the Cocos (Keeling) Islands. However, .CO.CC is an unofficial sub domain, not recognised by ICANN or any authorised authority independent of ICANN (see our article on .GB.COM above for an explanation of unofficial extensions).  

The sub domain .CO.CC is run by a commercial company based in Korea, CO.CC Inc (whose website may be seen here: The company provides third level domain name registrations hosted on its own domain name servers, such as <>.  

Domain names under .CO.CC may be registered very cheaply in bulk, and as a result are popular with bad actors who wish to use them to point to phishing websites. James Kim, the General Manager of .CO.CC, argued that Google’s decision was incorrect, and his open letter to Google was posted in the Google Webmaster Help forum. There were also posts from innocent users of the .CO.CC extension voicing their disapproval. However, many internet users disagreed with Mr Kim’s assessment and supported Google’s decision.

Google’s actions are backed up by a recent report published by the Anti-Phishing Working Group (APWG), which found that "over 40 per cent of attacks using sub domain services occurred on .CO.CC”, although the report also noted that .CO.CC was very responsive to abuse reports, no doubt hence Mr Kim’s sense of injustice. The report also notes that the use of .CO.CC domain names for the purposes of phishing has increased further since the tightening of registration policies for .CN domain names by CNNIC, the Chinese domain name Registry, which means that phishers are searching for alternative cheap and convenient sources of domain names. In relation to unofficial sub domains, the report comments:  

“We have identified nearly 700 sub domain registration providers, which offer services on more than 3,200 domain names. This is a space as rich as the current “regulated” domain space as each sub domain service is effectively its own “domain registry.” The sub domain services have many business models, and are unregulated. It is not surprising to see criminals gravitating towards this space as registries and registrars in the gTLD and ccTLD spaces implement better anti-abuse policies and procedures. We are seeing some interesting changes in this market space as well. For example, many sub domain resellers now offer WHOIS services and anti-abuse support, and we’ve even seen “failures” of such services.”

Interestingly for brand owners, the report found that only about 9% of domain names used for phishing contained a brand name or variation thereof. This may be linked to the fact that phishers are aware that brand owners are likely to take action, but is also due to the fact that the actual domain name itself used to send the malicious emails can often be masked by clever use of technology. In the case of domain names used to point to phishing websites, it is often enough to place the brand name somewhere is the string appearing in the address bar, as many internet users are not sophisticated enough to distinguish the base domain name used. The report provides a fascinating insight into the murky world of internet fraud and may be accessed at: rvey_2H2010.pdf