The registration of domain names for abusive purposes is a small but significant problem. Those who find variations of their domain names are used for such purposes can easily suffer loss of income and reputation.
Whilst the vast majority of domain name registration and use is benign, there are cybercriminals who misuse them. Examples include to launch large-scale phishing attacks, drive-by-downloads, and spam campaigns. Security organisations such as the Anti-Phishing Working Group (APWG) and Stop Badware collect information about these misused domain names and make it available to their customers (such as hosting providers and domain name registries) in the form of URL blacklists.
To counter such abuse a Franco-Dutch project commenced in the second half of 2018 that seeks to address the problem by automatically distinguishing between domain names registered by cybercriminals for the purpose of malicious activities, and domain names exploited through vulnerable web applications. The project, run jointly by SIDN Labs, Afnic Labs, the labs established by the Dutch and French ccTLD registries, and Grenoble Alps University, is designed to help intermediaries such as registrars and ccTLD registries further optimise their anti-abuse processes.
The research project, the “Classification of compromised versus maliciously registered domains” (COMAR) has an ultimate goal of developing a machine learning-based classifier that labels blacklisted domains as compromised or maliciously registered, then extensively evaluates their accuracy, and then implementing it for a production-level environment.
The study also plans to examine attackers’ profit-maximising behaviour and their business models. COMAR will apply their classifier to unlabelled domain names of URL blacklists, for example, to answer the following question: do attackers prefer to register malicious domains, compromise vulnerable websites, or misuse domains of legitimate services such as cloud-based file-sharing services in their criminal activities?