More than 70% of newly registered domains (NRDs) are “malicious”, “suspicious” or “not safe for work”, according to a recently published analysis by Palo Alto Networks’ Unit 42, their global threat intelligence team. According to the research, this ratio is almost 10 times higher than the ratio observed in Alexa’s top 10,000 domains. PAN states that best security practice calls for blocking and/or closely monitoring NRDs in enterprise traffic.
The research also found that most NRDs used for malicious purposes are very short-lived. They may be alive for only a few hours or a couple of days, sometimes disappearing before any security vendor can detect them. This is why, according to PAN, blocking NRDs is a necessary, preventive security measure for enterprises.
NRDs are defined as any domain name that was registered, or had a change in ownership, within the last 32 days. PAN’s analysis indicates that the first 32 days is the optimal time frame in which NRDs are detected as malicious.
In the research, PAN notes that NRDs are known to be favoured by threat actors to launch malicious campaigns. Their own analysis of academic and industry research reports found statistical proof that NRDs are risky, revealing malicious usage of NRDs including phishing, malware, and scams.
However, despite the evidence, there had not yet been a comprehensive case study of the malicious uses and threats associated with NRDs using real-world examples. PAN sought to correct this with the case study they have reported on, analysing 1,530 top-level domains.
The research found .com is still the most popular TLD, accounting for 33% of all recent NRDs. The second position changes over time, but mainly among a few ccTLDs including .tk (Tokelau), .cn (China), and .uk (United Kingdom). For example, .cn remained in second place from November to December 2018, whereas from March to May 2019 .tk was consistently in second place. There are large numbers of NRDs in a number of TLDs that offer free domain registrations, including .tk, .ml (Mali), .ga (Gabon), .cf (Central African Republic) and .gq (Equatorial Guinea).
But the TLDs with the highest rates of malicious NRDs are quite a different list: .to (Tonga) is the highest, with around 95% of all domains registered considered malicious, and .am (Armenia), with around 45%, is the only other TLD above 25%. Others with around 10% or more were, in descending order, .pw (Palau), .la (Laos), .in (India), .ws (Samoa), .best and .me (Montenegro). The report notes that reasons for a TLD to have a high malicious rate include inexpensive or free registration, a less strict registration policy, and obscuring WHOIS registrant data from public view.
The activities that maliciously registered domains are used for include serving as a “C2 domain”, since malware typically needs to “phone home” to receive commands, download further payloads, or exfiltrate data; malware distribution; phishing; typosquatting; and domain generation algorithms (DGAs), a common approach used by malware to periodically generate a large number of domains that can serve malicious purposes such as C2 and data exfiltration. Other uses include PUPs (“potentially unwanted programs”, which in most cases means adware), scams and email spam.
Not all NRDs are abused by bad actors for nefarious purposes such as C2, malware distribution, phishing, typosquatting, PUP/adware and spam. There are also benign uses, such as launching a new product, creating a new brand or campaign, hosting a new conference or building a new personal site.
In their conclusion, Palo Alto Networks recommends blocking access to NRDs with URL Filtering. They note this may be deemed a bit aggressive by some due to potential false positives, but in their experience the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, they recommend that alerts be set up for additional visibility.
PAN goes as far as to recommend blocking entire TLDs that are mainly used by bad actors. Of course, they note, each organisation must understand its tolerance for potential false positives when blocking whole TLDs.
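To make the 32-day definition and the block/alert/TLD options concrete, here is an added example (not code from Palo Alto Networks or the Unit 42 report) that evaluates a domain against that policy. It assumes the caller already has the registrable domain and its WHOIS creation and last-ownership-change dates; the high-risk TLD set and all domain records are constructed for illustration.

```python
"""Constructed NRD policy check following the 32-day window described above."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# NRD = registered or changed ownership within the last 32 days (per the report)
NRD_WINDOW = timedelta(days=32)
# Example set of TLDs the report lists above 25% malicious; blocking a whole
# TLD is an organisational choice, so it is switched on separately below
HIGH_RISK_TLDS = {"to", "am"}


@dataclass
class DomainRecord:
    name: str                     # registrable domain, e.g. "example.to" (constructed)
    registered: datetime          # WHOIS creation date, timezone-aware
    ownership_changed: Optional[datetime] = None  # last registrant change, if any


def is_nrd(rec: DomainRecord, now: datetime) -> bool:
    """True if the domain was registered or changed hands within the window.

    A registration date in the future (clock skew, fresh WHOIS data) still
    counts as new: the conservative reading for a defender."""
    latest = max(d for d in (rec.registered, rec.ownership_changed) if d)
    return now - latest < NRD_WINDOW


def decide(rec: DomainRecord, now: datetime,
           block_nrds: bool = True, block_tlds: bool = False) -> str:
    """Return 'block', 'alert' or 'allow' according to the chosen policy.

    block_nrds=True  -> NRDs are blocked (the report's primary recommendation)
    block_nrds=False -> NRDs are allowed but alerted on (the bare minimum)
    block_tlds=True  -> whole high-risk TLDs are blocked regardless of age
    """
    tld = rec.name.rstrip(".").rsplit(".", 1)[-1].lower()
    if block_tlds and tld in HIGH_RISK_TLDS:
        return "block"
    if is_nrd(rec, now):
        return "block" if block_nrds else "alert"
    return "allow"


if __name__ == "__main__":
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time
    fresh = DomainRecord("new-shop.com", datetime(2019, 5, 20, tzinfo=timezone.utc))
    print(fresh.name, decide(fresh, now))  # block
```

Feed it the domain and WHOIS dates from your proxy or DNS logs; an ownership change on an old domain is enough to make it an NRD, which is the case a plain age check on the creation date misses.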