What Are Malicious Newly Registered Domains?
The COVID-19 pandemic gave few industries an opportunity to thrive, and cybercrime profited from it more than most. Credential theft and data exfiltration are all too common these days, and one of the easiest ways to carry them out is through malicious newly registered domains.
Domain names are the signposts of the internet, and users depend on them to access goods and services online. For companies and enterprises, domain names are valuable brand assets.
Thousands of newly registered domains (NRDs) appear each day, and many serve valid purposes, such as launching a new product, hosting a new site or creating a new brand. The vast majority, however, are suspicious – and many are malicious.
A domain is considered newly registered if it has been registered or had a change in ownership within the last 32 days. The actors behind malicious NRDs often create slight variations of legitimate brand domains, hoping to fool users into visiting them. Many of these domains stay active only for short periods, which makes them hard to detect. The domain soroog[.]xyz, first registered on May 29, 2019, is one such example. Although it ceased to exist less than a month later, on June 27, 2019, this malicious domain was used in countless attacks.
How Common Are Malicious NRDs?
Malicious NRDs are not a new addition to the cybercrime toolkit. During the first months of the COVID-19 pandemic, however, with more people staying home, we observed an increase in the number of COVID-related malicious NRDs. It’s easy to understand why: Registering a new domain name is fast and easy, and no special skill is necessary. Beyond that, inserting malicious code is not too complicated if you have the time.
Most enterprise security systems will not flag new domains, and thus cybercriminals are free to carry out their attacks while these domains remain active. This is why fast detection and preventive security measures are critical.
Uses of Malicious NRDs
Malicious NRDs can be used to exfiltrate sensitive data, including wallet and credit card information. They are primarily used in:
- Phishing attacks: Domains that resemble familiar, popular domains are usually delivered over email and entice unsuspecting users to click on their links. The domain canada-neflxt[.]com, for example, was an active phishing site that tried to steal Netflix credentials and billing information.
- Command and control (C2): The domain soroog[.]xyz was used by malware for C2 on the day it was created. Such malware typically “phones home” to the C2 domain to receive commands or exfiltrate data.
- Malware distribution: This includes viruses, worms and Trojans. The initial distribution is usually through a phishing attack or a compromised website.
The Importance of Quick Detection
Malicious NRDs are hard to spot. To stay secure, an enterprise network needs fast, reliable detection. Ideally, you want a security system that will flag NRDs and is intelligent enough to make predictions about their malicious intent. From there, the security system may block the malicious NRDs and create alerts for your security personnel, who can investigate further and determine how to proceed based on your company’s policies.
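The two signals this article describes, the 32-day registration window and brand lookalike labels such as canada-neflxt[.]com, can be applied to resolver logs as a first-pass triage. The following is an added example, not code from the article or from Palo Alto Networks: the WHOIS dates (other than soroog.xyz's May 29, 2019 registration), the log lines, the brand watchlist and the similarity threshold are all constructed assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher

NRD_WINDOW_DAYS = 32              # the article's definition of "newly registered"
LOOKALIKE_RATIO = 0.75            # similarity threshold; tune per brand list (assumption)
BRANDS = ("netflix", "paypal")    # constructed brand watchlist
ANALYSIS_DATE = date(2019, 6, 20) # constructed "today" for the age check

# Constructed WHOIS-style table: domain -> registration or last ownership-change date.
# Only soroog.xyz's date comes from the article; the other two are made up.
WHOIS_CREATED = {
    "soroog.xyz": date(2019, 5, 29),
    "canada-neflxt.com": date(2019, 6, 12),
    "example.org": date(1995, 8, 14),
}

# Constructed resolver log lines in a simple key=value format.
SAMPLE_LOG = """\
2019-06-20T10:01:02Z client=10.0.0.5 query=soroog.xyz type=A
2019-06-20T10:01:09Z client=10.0.0.7 query=canada-neflxt.com type=A
2019-06-20T10:02:41Z client=10.0.0.5 query=example.org type=AAAA
"""

def is_nrd(domain, today, whois=WHOIS_CREATED):
    """True if the domain was registered or changed hands within the NRD window."""
    created = whois.get(domain)
    if created is None:
        return False  # unknown age; in production route these to a separate queue
    return (today - created).days <= NRD_WINDOW_DAYS

def brand_lookalike(domain, brands=BRANDS, threshold=LOOKALIKE_RATIO):
    """Return the brand a domain label imitates (e.g. 'neflxt' -> 'netflix'), or None."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None
    for token in re.split(r"[-_]", parts[-2]):   # registrable label, split on separators
        for brand in brands:
            if token != brand and SequenceMatcher(None, token, brand).ratio() >= threshold:
                return brand
    return None

def triage_log(log_text, today):
    """Return (domain, is_nrd, lookalike_brand) for each queried domain worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        domain = m.group(1).lower().rstrip(".")
        nrd, brand = is_nrd(domain, today), brand_lookalike(domain)
        if nrd or brand:
            findings.append((domain, nrd, brand))
    return findings

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG, ANALYSIS_DATE):
        print(finding)
```

The hyphen-split matters: comparing the whole label "canada-neflxt" against "netflix" would dilute the similarity score, while the lone token "neflxt" scores just above the threshold.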
Learn how Palo Alto Networks DNS Security protects against malicious NRDs.
For a deep dive on malicious NRDs, read Newly Registered Domains: Malicious Abuse by Bad Actors by Unit 42®.