The Domains Start Coming and They Don’t Stop Coming
What To Do With An Influx of Newly Created Domains
This would not be a proper summary of a cybersecurity report if we did not include the phrase, “in the ever-evolving cybersecurity landscape…”
We know, we know, but please, bear with us, we’re doing something.

We could not be more aware that the cyber landscape is evolving, but it turns out that a few constants rarely change: Domains and DNS are at the top of that list. The purpose of this report is to illuminate Domain patterns and DNS infrastructure created by cybercriminals in order to collectively improve the community’s defenses.
In 2024, DomainTools observed over 106 million new domains, averaging approximately 289,000 daily. That’s a massive influx that could leave even the most seasoned cybersecurity teams feeling daunted.
But, in the spirit of teamwork and togetherness, DomainTools Investigations wants to equip you. We want you to feel proactive instead of reactive. We want you to feel like Kevin in Home Alone making that plan of attack against the robbers plotting to break into his home. After all, your org is your house; you have to defend it!
The full report, which you should absolutely download, provides actionable insights by examining a large sampling of worldwide publicly reported malicious domains and the global scale of all newly observed domains in 2024. What analytics techniques are included?

| Technique | What it provides |
| --- | --- |
| Domain Attribute Analysis | Registration and resolution details to identify patterns and correlations between these attributes and malicious activity and reveal common hosting and registration practices used by threat actors. |
| Website Title Analysis | Identify content themes and keywords indicative of malicious intent, such as those related to phishing, scams, or malware distribution. |
| Risk Scoring Assessments | Quantify the likelihood of a newly registered domain being malicious, enabling prioritization of domains for further investigation and threat mitigation. |
| DGA Detection (Entropy, Length, Standard Deviations) | Uncover domains generated by automated systems used by malware to evade detection, revealing communication channels used by botnets and other threats. |
| Keyword Likeness Assessment | Identify domains related to specific malicious activities (malware delivery, credential harvesting, scams) and emerging threat trends. |
| New Top-Level Domain (TLD) Analysis | Identify emerging threat vectors and understand how threat actors utilize new TLDs in their campaigns. |
| IDN Homoglyphs / Topic Likeness Distance Analysis | Identify domains used for typosquatting, phishing, and other deceptive tactics that exploit public interest in current events. |

Why does it matter? We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.
A NOD to the Findings
Without giving too much away, here is a brief summary of some of the findings from the report.
The Sheer Volume of Newly Observed Domains
It can’t be said enough: the massive number of newly created domains in 2024 posed challenges for security teams. Take a look at it in chart form:

DomainTools Risk Scoring Enhancements
What does this mean? The “equal” category consists of domains that scored “equally badly” on four subscores (including “Malware vs. Phishing” and “Spam vs. Proximity”) shown in the diagram below:

What About Commonalities in Malicious Domain Attributes?
Our analysis revealed recurring patterns in preferred registrars, Internet Service Providers (ISPs), nameservers, and SSL issuers used by malicious domains, which aided in proximity risk associations and identifying high-risk providers.
Can We See Keyword Analysis for Threat Detection?
Yes! We saw patterns of domain names used for scams, fraud and financial theft in 2024 which included keywords such as:
- Phishing
- Fraud
- Scam
- Bitcoin
- Fake
- And more
As a matter of fact, DomainTools Investigations reported on a notable surge of domains containing the keyword ‘AirDrop,’ demonstrating the direct link between domain registration patterns and potential fraudulent activities.
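The DGA Detection row (entropy, length, standard deviations) and the keyword list above can be combined into a first-pass triage of newly observed domains. The sketch below is an added example, not code or scoring logic from the DomainTools report; the baseline list, the 2-standard-deviation cutoff, the sample domains and all function names are assumptions made for illustration.

```python
import math
import statistics
from collections import Counter

# Keywords named in the section above; matched as case-insensitive substrings.
KEYWORDS = ("phishing", "fraud", "scam", "bitcoin", "fake", "airdrop")

# Constructed stand-in for a benign baseline; a real one would be far larger.
BENIGN = ["example.com", "weather-report.org", "citylibrary.net", "museum.org",
          "bakery.com", "communitygarden.net", "school.org", "travelblog.com"]

def label_of(domain):
    """Second-level label. Assumes a one-label TLD (no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def fit_baseline(domains):
    """Mean and sample standard deviation of label entropy and label length."""
    labels = [label_of(d) for d in domains]
    ent = [shannon_entropy(l) for l in labels]
    length = [len(l) for l in labels]
    return {"entropy": (statistics.mean(ent), statistics.stdev(ent)),
            "length": (statistics.mean(length), statistics.stdev(length))}

def score(domain, base, z_cut=2.0):
    """DGA-like means entropy AND length both sit z_cut deviations above baseline."""
    label = label_of(domain)
    z_ent = (shannon_entropy(label) - base["entropy"][0]) / base["entropy"][1]
    z_len = (len(label) - base["length"][0]) / base["length"][1]
    return {"domain": domain, "z_entropy": round(z_ent, 2), "z_length": round(z_len, 2),
            "dga_like": z_ent > z_cut and z_len > z_cut,
            "keywords": [k for k in KEYWORDS if k in label]}

def triage(domains, base):
    """Keep only domains with at least one signal, DGA-like candidates first."""
    flagged = [s for s in (score(d, base) for d in domains)
               if s["dga_like"] or s["keywords"]]
    return sorted(flagged, key=lambda s: (not s["dga_like"], -s["z_entropy"]))

if __name__ == "__main__":
    # Constructed sample of "newly observed" domains.
    new = ["xk7qz9vbt2mwp4rjh6cd.com", "free-airdrop-claim.xyz",
           "bakery.com", "fake-bitcoin.shop"]
    for row in triage(new, fit_baseline(BENIGN)):
        print(row)
```

Requiring both z-scores keeps a long but readable label such as `free-airdrop-claim` out of the DGA bucket, where it would land on length alone; it is still surfaced through its keyword hit.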
High Publicity Event Exploitation
If you follow the DomainTools @SecuritySnacks account on X and Mastodon, you’re likely familiar with the team’s posts about domain registrations surrounding big events. Threat actors are opportunists and like to act quickly when a popular event resonates with the public. What did we look for in 2024? While it’s not an exhaustive list, we saw lookalike domains created around event categories including:
- Political and Elections
- Technological Advancements (hello, AI)
- Natural Disasters
- Social Movements
- Popular Culture
- Global Conflicts

How Domain Intelligence Fights Cybercrime
To effectively fight cybercrime, we have to take a leaf from Sun Tzu’s book and “know thy enemy.” We need to understand the enemy and their infrastructure. We have to look at known malicious domains to see the patterns emerging.
This report is not just about identifying bad actors in 2024. We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.
For full details on the analysis, download the report here: