What Are Malicious Newly Registered Domains?
The COVID-19 pandemic gave few industries an opportunity to thrive, and few more so than cybercrime. Credential theft and data extraction are all too common these days, and one of the easiest ways to carry them out is through malicious newly registered domains.
Domain names are the signposts of the internet, and users depend on them to access goods and services online. For companies and enterprises, domain names are valuable brand assets.
Thousands of newly registered domains (NRDs) appear each day, and many serve valid purposes, such as launching a new product, hosting a new site or creating a new brand. The vast majority, however, are suspicious – and many are malicious.
A domain is considered newly registered if it has been registered or had a change in ownership within the last 32 days. The actors behind malicious NRDs often create slight variations of legitimate brand domains, hoping to fool users into visiting them. Many of these domains stay active only for short periods, which makes them hard to detect. The domain soroog[.]xyz, first registered on May 29, 2019, is one such example. Although it ceased to exist less than a month later, on June 27, 2019, this malicious domain was used in countless attacks.
How Common Are Malicious NRDs?
Malicious NRDs are not new in the arsenal of cybercrime tools. During the beginning months of the COVID-19 pandemic, however, with more people staying home, we observed an increase in the number of COVID-related malicious NRDs. It’s easy to understand why: Registering a new domain name is fast and easy, and no special skill is necessary. Beyond that, inserting malicious code is not too complicated if you have the time.
Most enterprise security systems will not flag new domains, and thus cybercriminals are free to carry out their attacks while these domains remain active. This is why fast detection and preventive security measures are critical.
Uses of Malicious NRDs
Malicious NRDs can be used to exfiltrate sensitive data, including wallet and credit card information. They are primarily used in:
- Phishing attacks: Usually delivered by email, links to domains that resemble familiar and popular ones entice unsuspecting users to click. The domain canada-neflxt[.]com, for example, was an active phishing site that tried to steal Netflix credentials and billing information.
- Command and control (C2): Malware used the domain soroog[.]xyz for C2 on the day it was created. Such malware typically “phones home” to receive commands or to exfiltrate data.
- Malware distribution: This includes viruses, worms and Trojans. The initial distribution is usually through a phishing attack or a compromised website.
The Importance of Quick Detection
Malicious NRDs are hard to spot. To stay secure, an enterprise network needs fast, reliable detection. Ideally, you want a security system that will flag NRDs and is intelligent enough to make predictions about their malicious intent. From there, the security system may block the malicious NRDs and create alerts for your security personnel, who can investigate further and determine how to proceed based on your company’s policies.
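The two ideas the article builds on, the 32-day age rule for an NRD and the brand-lookalike names that attackers register, can be turned into a simple triage pass over DNS resolver logs. The following is an added example written for this page; it is not Palo Alto Networks DNS Security logic. The registration table (a stand-in for a WHOIS/RDAP lookup), the brand watch list, the log lines, the similarity threshold and the block/alert policy are all constructed for illustration; only the soroog[.]xyz registration date and the canada-neflxt[.]com name come from the article.

```python
"""Triage DNS query logs for newly registered (NRD) and brand-lookalike domains.

Added example for this article; registration data, brand list, log lines and the
block/alert policy are constructed for illustration, not product logic.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The article's definition: registered or ownership changed within the last 32 days.
NRD_WINDOW_DAYS = 32
# Similarity (1 - edit_distance / longer_length) at which a label counts as a brand lookalike.
# Tunable assumption, chosen so the article's canada-neflxt[.]com example (0.57) qualifies.
MIN_SIMILARITY = 0.55
# Date the log is evaluated against (constructed; falls inside soroog[.]xyz's lifetime).
AS_OF = date(2019, 6, 10)

# Constructed stand-in for WHOIS/RDAP data: domain -> (registration date, last ownership change).
REGISTRATION = {
    "soroog.xyz": (date(2019, 5, 29), date(2019, 5, 29)),         # registration date from the article
    "canada-neflxt.com": (date(2019, 6, 3), date(2019, 6, 3)),    # constructed date
    "corp-intranet.com": (date(2010, 1, 15), date(2010, 1, 15)),  # constructed, long-lived
    "old-but-resold.com": (date(2012, 4, 1), date(2019, 5, 20)),  # constructed: old, resold recently
}

# Constructed watch list of brand domains whose names should not appear in other registrations.
BRAND_DOMAINS = ["netflix.com", "examplebank.com"]

# Constructed DNS resolver log lines.
DNS_LOG = """\
2019-06-10T08:01:12Z client=10.0.0.14 qtype=A qname=update.canada-neflxt.com
2019-06-10T08:01:15Z client=10.0.0.14 qtype=A qname=soroog.xyz
2019-06-10T08:02:40Z client=10.0.0.21 qtype=A qname=mail.corp-intranet.com
2019-06-10T08:03:02Z client=10.0.0.33 qtype=A qname=www.old-but-resold.com
2019-06-10T08:03:09Z client=10.0.0.33 qtype=A qname=api.unknown-domain.net
2019-06-10T08:04:51Z client=10.0.0.40 qtype=A qname=secure-netflix-billing.com
"""

QNAME_RE = re.compile(r"\bqname=(\S+)")


@dataclass
class Finding:
    domain: str
    age_days: Optional[int]      # days since registration or last ownership change; None if unknown
    is_nrd: bool
    lookalike_of: Optional[str]  # brand domain the name resembles, if any
    verdict: str                 # "block", "alert" or "allow"


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels.

    Assumption: single-label public suffixes only. Real deployments use the Public
    Suffix List so that names under multi-label suffixes such as co.uk are handled.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def lookalike_brand(domain: str) -> Optional[str]:
    """Return the brand domain this registrable domain resembles, or None.

    The second-level label is split on hyphens so that "canada-neflxt" yields the
    token "neflxt", which is then compared against each brand's second-level label.
    """
    if domain in BRAND_DOMAINS:
        return None
    sld = domain.split(".")[0]
    tokens = {t for t in sld.split("-") if t} | {sld.replace("-", "")}
    for brand in BRAND_DOMAINS:
        brand_token = brand.split(".")[0]
        if any(similarity(tok, brand_token) >= MIN_SIMILARITY for tok in tokens):
            return brand
    return None


def nrd_age_days(domain: str, as_of: date) -> Optional[int]:
    """Days since the later of registration or ownership change, or None if unknown."""
    record = REGISTRATION.get(domain)
    if record is None:
        return None
    registered, owner_changed = record
    return (as_of - max(registered, owner_changed)).days


def assess(qname: str, as_of: date) -> Finding:
    domain = registrable_domain(qname)
    age = nrd_age_days(domain, as_of)
    is_nrd = age is not None and age <= NRD_WINDOW_DAYS
    brand = lookalike_brand(domain)
    # Policy (an assumption of this example): two signals block, one signal alerts, and a
    # domain whose age cannot be established is alerted rather than silently allowed.
    if is_nrd and brand:
        verdict = "block"
    elif is_nrd or brand or age is None:
        verdict = "alert"
    else:
        verdict = "allow"
    return Finding(domain, age, is_nrd, brand, verdict)


def triage(log_text: str, as_of: date) -> list:
    """Run assess() over every log line that carries a qname field."""
    return [assess(m.group(1), as_of)
            for line in log_text.splitlines()
            for m in [QNAME_RE.search(line)] if m]


if __name__ == "__main__":
    for f in triage(DNS_LOG, AS_OF):
        print(f"{f.verdict:5} {f.domain:28} age={f.age_days} nrd={f.is_nrd} lookalike_of={f.lookalike_of}")
```

Two design points matter in practice. The age is taken from the later of registration and last ownership change, which is what catches an old domain that was recently resold (old-but-resold.com above) and is the reason the article's definition mentions ownership changes at all. And a domain with no registration data is alerted rather than allowed: the enterprise systems the article describes fail because a brand-new name carries no history, so the absence of history is itself the signal to act on.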
Learn how Palo Alto Networks DNS Security protects against malicious NRDs.
For a deep dive on malicious NRDs, read Newly Registered Domains: Malicious Abuse by Bad Actors by Unit 42®.