It is well established that many newly registered domains (NRDs) figure in cyberattacks. Perhaps for that reason, some cybercriminals and threat actors appear to be changing tactics, as the recent SolarWinds hack showed: the perpetrators mostly used aged domains rather than NRDs to spread compromised versions of the Orion business software.
Have all the bad guys truly abandoned the use of NRDs? This post set out to find out.
We looked at all the .com NRDs that made their way into the Domain Name System (DNS) between 1 and 3 December 2020 using daily NRD data feeds from https://newly-registered-domains.whoisxmlapi.com/. We chose the .com top-level domain (TLD) because it remains the most used as of October 2020 and, unfortunately, also the most abused.
The following table shows how many .com NRDs were registered on each day of the chosen period.

| Date | Number of .com NRDs Registered |
| --- | --- |
| 1 December 2020 | 132,254 |
| 2 December 2020 | 167,122 |
| 3 December 2020 | 188,454 |
Methodology and Findings
After downloading the comma-separated values (CSV) file for each day, we subjected the NRDs to checks on VirusTotal, a popular open-source threat intelligence web service. We randomized the order of each day's feed (1, 2, and 3 December), then checked domains one by one until we identified a malicious one.
Here are the findings per date:
- 1 December 2020: We found a malicious NRD (i.e., barclaystreet-office365[.]com) after subjecting 52 NRDs to VirusTotal checks.
- 2 December 2020: This time around, we found a malicious NRD (i.e., andeanpineapple[.]com) after only 46 tries.
- 3 December 2020: We scoured even fewer domains this time (i.e., 41) before we found one (i.e., 1148yxbet[.]com) dubbed “malicious.”
Across the three days studied, we found a domain flagged “malicious” on average once every 46.33 queries, or 2.15% of the time. Though a much bigger sample would be necessary for these results to be statistically significant, they still mean that thousands of suspicious or even malicious domains likely enter the DNS every day.
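The sampling procedure described above, written out as an added Python example (this is not the post's or WhoisXML API's own code). It loads a constructed stand-in for one daily NRD CSV, walks the feed in a reproducibly shuffled order until the first malicious verdict, and computes the "queries per hit" and hit-percentage figures from the post's three counts (52, 46, 41). The offline stub verdicts and the sample domains are constructed; the `virustotal_is_malicious` helper shows the equivalent live lookup against VirusTotal's v3 `domains` endpoint and is the only part that needs network access and an API key.

```python
"""Added example (not the post's own code): replay the post's NRD sampling
method on a constructed feed and compute the queries-per-hit statistics."""
import csv
import io
import json
import random
import urllib.request

# Constructed stand-in for one day's NRD CSV; only the domainName column is used.
# Every domain below is made up for this example.
SAMPLE_FEED_CSV = """domainName,registrarName
test-nrd-alpha.com,Example Registrar
test-nrd-bravo.com,Example Registrar
test-nrd-charlie.com,Example Registrar
test-nrd-delta.com,Example Registrar
test-nrd-echo.com,Example Registrar
"""

# Constructed verdicts standing in for VirusTotal results (offline stub).
STUB_VERDICTS = {"test-nrd-bravo.com": True, "test-nrd-delta.com": True}


def load_feed(csv_text):
    """Return the domainName column of an NRD CSV feed, in file order."""
    return [row["domainName"] for row in csv.DictReader(io.StringIO(csv_text))]


def stub_is_malicious(domain):
    """Offline stand-in for a threat-intelligence verdict."""
    return STUB_VERDICTS.get(domain, False)


def virustotal_is_malicious(domain, api_key, min_engines=1):
    """Live check against VirusTotal's v3 domain endpoint (network required).
    The domain counts as malicious when at least `min_engines` engines flag it
    in last_analysis_stats. The free API is rate-limited, so pace real runs."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/domains/{domain}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    stats = body["data"]["attributes"]["last_analysis_stats"]
    return stats.get("malicious", 0) >= min_engines


def sample_until_malicious(domains, is_malicious, seed=None):
    """Check domains one at a time until the first malicious verdict.
    Returns (domain, queries_used), or (None, queries_used) if none is flagged.
    A seed shuffles the feed reproducibly, mirroring the post's randomization."""
    order = list(domains)
    if seed is not None:
        random.Random(seed).shuffle(order)
    for n, domain in enumerate(order, start=1):
        if is_malicious(domain):
            return domain, n
    return None, len(order)


def hit_rate(queries_per_hit):
    """Average queries per malicious hit and hit percentage, as in the post."""
    total = sum(queries_per_hit)
    hits = len(queries_per_hit)
    return total / hits, 100.0 * hits / total


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED_CSV)
    print(sample_until_malicious(feed, stub_is_malicious, seed=2020))
    avg, pct = hit_rate([52, 46, 41])  # the post's three per-day counts
    print(f"{avg:.2f} queries per hit, {pct:.2f}% hit rate")
```

To reproduce the post's run, swap `stub_is_malicious` for `lambda d: virustotal_is_malicious(d, API_KEY)` and feed in the real daily CSV; keep the seed so a colleague can rerun the same ordering.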
The reasons for getting tagged as “malicious” were:
- barclaystreet-office365[.]com: Phishing. Note the use of the brand “Office 365.” This domain could be used to phish the information of any user of the business office software.
- andeanpineapple[.]com: Malware. A check via a screenshot API showed that this domain hosts a website that lets users create their own sites. The tagline at the top of the homepage is confusing, though, since it presents the site as one for learning Spanish.
- 1148yxbet[.]com: Malicious. Interestingly, this domain is for sale, as the screenshot below shows. It could, however, be redirecting visitors to a malware host or performing some other malicious activity, such as downloading malicious software in the background.
Note that these results are only estimates based on randomized NRD data feeds, but they show that malicious NRDs can still harm your organization. Such harm includes:
- Getting redirected to phishing websites and having your login credentials and other personally identifiable information (PII) stolen
- Letting the attackers learn your position in your company, which they can abuse in business email compromise (BEC) attacks. If you are an executive, they can hijack your identity to trick one of your subordinates into transferring money to their accounts; if you are an employee with access to your organization’s finances, they can fool you into paying a forged bill or invoice.
These two scenarios are just two of the many consequences of falling for ruses that use NRDs. It is thus still best to be wary of them by constantly monitoring daily NRD feeds, so you can stay protected against threats that could cost your company public trust and damage its reputation.
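One concrete way to act on that advice, as an added example that is not part of the original post: screen each day's NRD feed for domains that contain, or sit one typo away from, brand and product names you care about. The watchlist, the `examplebank` brand and the feed lines other than the post's own barclaystreet-office365[.]com (written undefanged here so it can be parsed) are constructed; the matching folds the common `0`/`o` and `1`/`l` substitutions and uses plain Levenshtein distance on hyphen-separated labels.

```python
"""Added example (not the post's own code): flag NRDs that reference monitored
brands, either verbatim or as a near-miss, so they can be blocked or reviewed."""
import csv
import io
import re

# Names to watch. "office365" is the token abused by the post's first example;
# "examplebank" is a constructed brand standing in for your own.
WATCHLIST = ["office365", "examplebank"]

# Constructed feed. The first line is the phishing domain named in the post;
# the rest are made up for this example.
SAMPLE_FEED_CSV = """domainName
barclaystreet-office365.com
offlce365-login.com
examp1ebank-secure.com
green-meadow-garden.com
"""

# Digit-for-letter substitutions to fold before matching (0->o, 1->l).
FOLD = str.maketrans("01", "ol")


def load_feed(csv_text):
    """Return the domainName column of an NRD CSV feed, in file order."""
    return [row["domainName"] for row in csv.DictReader(io.StringIO(csv_text))]


def normalize(label):
    """Lowercase a label and fold the substitutions above."""
    return label.lower().translate(FOLD)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domains, watchlist, max_distance=1):
    """Return (domain, keyword, reason) for every domain that contains a
    watched keyword or has a label within max_distance edits of one."""
    keywords = [normalize(k) for k in watchlist]
    hits = []
    for domain in domains:
        registrable = domain.lower().rsplit(".", 1)[0]  # strip the TLD (.com feed)
        labels = [normalize(t) for t in re.split(r"[-.]", registrable) if t]
        joined = "".join(labels)
        for kw in keywords:
            if kw in joined:
                hits.append((domain, kw, "contains"))
                break
            if any(levenshtein(label, kw) <= max_distance for label in labels):
                hits.append((domain, kw, "near-match"))
                break
    return hits


if __name__ == "__main__":
    for hit in screen(load_feed(SAMPLE_FEED_CSV), WATCHLIST):
        print(hit)
```

Run this against the real daily CSV from the NRD feed and route the hits to whatever your team already uses for review (ticketing, a blocklist, a SIEM lookup); a near-match on your own brand a day after registration is usually worth a look before the domain ever shows up in a phishing email.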