Newly Registered Domains, Confirmed Malicious, Still Make Their Way into the DNS Daily

It has become a known fact that many newly registered domains (NRDs) figure in cyber attacks. And so some cybercriminals and threat actors have been seemingly changing tactics, as the recent SolarWinds hack showed. The perpetrators used mostly aged domains instead of NRDs to spread compromised versions of the Orion business software.

Have all the bad guys truly abandoned the use of NRDs? This post sought to find out.

Data Set

We looked at all the .com NRDs that made their way into the Domain Name System (DNS) between 1 and 3 December 2020 using daily NRD data feeds from https://newly-registered-domains.whoisxmlapi.com/. We chose the .com top-level domain (TLD) because it remains the most used as of October 2020 and, unfortunately, also the most abused.

Source: Statista

The following table shows how many NRDs were registered per day during the chosen period.

Date               Number of .com NRDs Registered
1 December 2020    132,254
2 December 2020    167,122
3 December 2020    188,454

Methodology and Findings

After downloading the comma-separated values (CSV) files for each day, we subjected the NRDs to checks on VirusTotal, a popular open-source threat intelligence web service. We randomized the order of the 1–3 December data feeds and then checked as many domains as necessary until we identified a malicious one.

Here are the findings per date:

  • 1 December 2020: We found a malicious NRD (i.e., barclaystreet-office365[.]com) after subjecting 52 NRDs to VirusTotal checks.
  • 2 December 2020: This time around, we found a malicious NRD (i.e., andeanpineapple[.]com) after only 46 tries.
  • 3 December 2020: We scoured even fewer domains this time (i.e., 41) before we found one (i.e., 1148yxbet[.]com) dubbed “malicious.”

For the three days studied, we found a domain flagged “malicious” every 46.33 queries on average, or 2.15% of the time. Though a much bigger sample is necessary for these results to be statistically significant, they still suggest that thousands of suspicious or even malicious domains likely enter the DNS every day.
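The sampling procedure above (shuffle a daily feed, look each domain up until the first malicious verdict, derive a hit rate from the per-day counts) as an added Python example, not code from the original post or from the feed provider. It goes slightly beyond the text with a defender-side brand-lookalike check of the kind the barclaystreet-office365 hit suggests; the feed CSV, the watched brand list and the `is_malicious` verdict callback (standing in for a VirusTotal lookup) are constructed assumptions.

```python
import csv
import io
import random
import re

# Constructed sample of a daily NRD feed CSV (one domain per row); not real feed data.
SAMPLE_FEED_CSV = """domainName
barclaystreet-office365.com
andeanpineapple.com
weekend-garden-tools.com
1148yxbet.com
paypa1-secure-login.com
"""
# Brand terms the defender watches for in NRDs (assumed list; extend for your organization).
WATCHED_BRANDS = ["barclays", "office365", "paypal"]
# Digit/symbol-for-letter substitutions commonly seen in lookalike names.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def parse_feed(csv_text: str) -> list[str]:
    """Read the domains from an NRD feed CSV that has a 'domainName' column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r["domainName"].strip().lower() for r in reader if r.get("domainName")]


def _normalize(text: str) -> str:
    """Lowercase, drop separators and undo substitutions; applied to brand and domain alike."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(SUBSTITUTIONS)


def brand_hits(domain: str, brands=WATCHED_BRANDS) -> list[str]:
    """Return the watched brands whose name appears in the domain's registrable label."""
    label = domain.rsplit(".", 1)[0]  # drop the TLD
    return [b for b in brands if _normalize(b) in _normalize(label)]


def queries_until_hit(domains, is_malicious, rng=None):
    """Check domains (shuffled when an rng is given) and count lookups until the first
    malicious verdict; returns (lookups, domain) or (lookups, None) if the feed runs out."""
    order = list(domains)
    if rng is not None:
        rng.shuffle(order)
    for n, d in enumerate(order, start=1):
        if is_malicious(d):  # stand-in for the VirusTotal lookup
            return n, d
    return len(order), None


def hit_rate(lookups_per_day) -> float:
    """Share of checked NRDs flagged malicious: one hit per day over total lookups."""
    counts = list(lookups_per_day)
    return len(counts) / sum(counts) if counts else 0.0
```

Feeding the post's own per-day counts (52, 46, 41) to `hit_rate` reproduces its 2.15% figure.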

The reasons for getting tagged as “malicious” were:

  • barclaystreet-office365[.]com: Phishing. Note the use of the brand “Office 365.” This malicious domain could be used to phish the information of any of the business office software’s users.
  • andeanpineapple[.]com: Malware. A check via a screenshot API showed that this domain hosts a website that lets users create their own sites. The tagline at the top of the homepage seems confusing, though, as it touts the site as a place for learning Spanish.
  • 1148yxbet[.]com: Malicious. Interestingly, this domain is for sale, as the screenshot below shows. It could, however, be redirecting visitors to a malware host or performing some other malicious activity, such as downloading malicious software in the background.

Note that the results are just estimates based on randomized NRD data feeds, but they show that malicious NRDs can still cause your organization harm. Some of the ways include:

  • Getting redirected to phishing websites and having your login credentials and other personally identifiable information (PII) stolen
  • Letting the attackers learn your position in your company, which they can abuse in business email compromise (BEC) attacks. If you’re an executive, they can hijack your identity to trick one of your subordinates into transferring money to their accounts. If you’re an employee with access to your organization’s finances, the attackers can fool you into sending them money for a forged bill or invoice.

These two scenarios are just some of the many consequences of falling for ruses that use NRDs. It is thus still best to be wary of them by constantly monitoring daily NRD feeds, so you can stay protected against threats that can cost your company public trust and damage its reputation.


James Williams
James is our Lead Content Publisher here at Feeds Portal. He has worked with many top websites over the years, including BuzzFeed.
