"The only real benefit of choosing one TLD over another is trust," he said. "Do users trust some TLDs more than others? If so, then there could be advantages to attackers choosing that TLD."
Botezatu believes that .eu domains meet both the reputation and economic expectations of cybercriminals.
"Since EU domains have become popular relatively recently, they are not associated in people's minds with abuse," he said. "Victims wouldn't expect to get harmed by visiting an European domain, plus the fact that they would expect its contents to be in English, unlike Russian TLDs for instance, which are known to be a safe harbor for cybercrime and also deliver localized, illegible content for outsiders."
"The fact that .eu domains are priced the same as .com and .info domains and can be purchased yearly is also an advantage for cyber-crooks, who want the cheapest domains for the shortest period of time," he said.
According to Howard, EURid, the nonprofit organization that manages the .eu TLD under contract with the European Commission, has historically taken decisive action to protect the reputation of the TLD.
EURid told Sophos researchers that it had resolved the issue after being notified about this recent Blackhole attack, Howard said. However, it's not clear if that simply means the domains were suspended or if the organization made any changes to prevent the attackers from registering new ones, he said.
The number of complaints received by EURid remains very low, EURid General Manager Marc Van Wesemael said Friday via email. "We have always received some complaints and will most likely continue to do so. However, I would like to stress that we have internal procedures in place to fight abuses against .eu."
EURid puts a lot of effort into countering abusive .eu domain registrations and has automated tools to identify abuse as early as possible, Van Wesemael said. "We also work closely with several security organisations who give us early warnings about abuses concerning .eu websites/domain names."
However, over 95 percent of abuse cases seen by EURid involve legitimate .eu websites that have been hacked and had malware inserted into them, Van Wesemael said. In those cases, taking down the infected websites is not an option because they might be used by their owners for their business, he said. "EURid informs the responsible registrar and/or the registrant about any known incident and then we follow up closely until the problem has been resolved."