- Namecheap is the most commonly used registrar for malicious domains, followed by Namesilo, Realtime, GoDaddy.com, Dynadot, and Gname.com.
- Cloudflare and Amazon are popular choices for domain parking, DNS resolution, and content delivery, highlighting how legitimate cloud services are leveraged for illicit activities.
The digital realm has become an integral part of modern life, facilitating communication, commerce, and information access.
However, this interconnectedness also presents significant challenges in the form of cybersecurity threats. A report by DomainTools highlights the persistent and growing issue of malicious domains, underscoring the need for constant vigilance and sophisticated detection strategies.
The report reveals that hackers are generating over a thousand new malicious websites daily, designed for a variety of nefarious purposes, including spam distribution, phishing attacks, malware hosting, and other cybercrimes.
A daunting task
The sheer scale of domain registration is staggering. In 2024 alone, over 106 million new domains were observed, averaging approximately 289,000 websites created daily. While only a small percentage is malicious, the volume alone makes rapid identification a daunting task for security teams.
The report identifies approximately 380,000 new domains flagged as “threat indicator domains,” suggesting likely malicious activity. Furthermore, the firm tracks approximately five million top-level domains deemed high risk for harboring malware, phishing lures, or facilitating spam campaigns.
The analysis reveals a concerning upward trend in both the total number of new domains and the proportion considered malicious. This infrastructure is employed by diverse actors, ranging from nation-state-sponsored Advanced Persistent Threat (APT) groups to cybercrime operations.
These domains serve many purposes: hosting websites built for credential harvesting and malware delivery, acting as command-and-control servers for compromised systems, functioning as relay networks that obscure malicious activity, operating as botnets for large-scale attacks, and orchestrating phishing campaigns that deceive unsuspecting users.
Challenges faced by registrars
Interestingly, the report identifies patterns in the infrastructure choices of malicious actors. They exhibit preferences for specific registrars, internet service providers, name servers, and SSL issuers. Namecheap is the most commonly used registrar for malicious domains, followed by Namesilo, Realtime, GoDaddy.com, Dynadot, and Gname.com.
This disproportionate use may reflect ease of account setup, attacker preference, or weaknesses in the platforms’ fraudulent-account and abuse-mitigation systems, allowing malicious actors to operate with relative impunity.
Similarly, Cloudflare and Amazon are popular choices for domain parking, DNS resolution, and content delivery, highlighting how legitimate cloud services are leveraged for illicit activities.
The report underscores the challenges registrars face in mitigating malicious domain registrations. While registrars are legally responsible for the services they provide, the sheer volume of registrations makes proactive enforcement exceedingly difficult.
This complexity is further compounded by the intricate nature of internet infrastructure, which often obscures clear lines of responsibility.
Furthermore, malicious websites often employ specific keywords in their domain names to appear legitimate. Domains designed for credential harvesting frequently incorporate terms like “login,” “signin,” “account,” and “verify.” Similarly, malware delivery domains often use terms like “update,” “download,” “install,” and “file.”
Domains intended for scams, fraud, and financial theft typically include keywords such as “phishing,” “fraud,” “scam,” “crypto,” and “investment.”
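The keyword patterns above translate directly into a simple triage heuristic for newly observed domains. The script below is an added example written for this article; it is not code from DomainTools or from the report. The three keyword families are the ones quoted above; the scoring weights, the threshold, and the sample domain list are constructed assumptions. Whole-token matches (a keyword standing alone between hyphens, dots, or digits) weigh more than bare substring matches, which keeps benign names such as "myprofile" (containing "file") below the flagging threshold.

```python
import re

# Keyword families quoted in the article, grouped by the intent they signal.
KEYWORD_FAMILIES = {
    "credential_harvesting": ("login", "signin", "account", "verify"),
    "malware_delivery": ("update", "download", "install", "file"),
    "scam_fraud": ("phishing", "fraud", "scam", "crypto", "investment"),
}

# Constructed sample of "newly observed" domains; none of these come from the report.
SAMPLE_DOMAINS = [
    "secure-login-verify.example",
    "update-install-file.example",
    "cryptoinvestment-returns.example",
    "myprofile.example",
    "example.com",
]


def domain_labels(domain):
    """Lower-case the name and drop the final label (the TLD).

    Simplification (assumption): multi-label public suffixes such as co.uk
    would need a public-suffix list. The keyword lists are single words that
    appear in hostname labels, so the TLD itself is not scored.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[:-1] if len(labels) > 1 else labels


def keyword_hits(domain):
    """Return {family: {"exact": [...], "substring": [...]}} for every matched family.

    "exact" means the keyword is a whole token (split on non-letters);
    "substring" means it only appears inside a longer token.
    """
    joined = "-".join(domain_labels(domain))
    tokens = {t for t in re.split(r"[^a-z]+", joined) if t}
    hits = {}
    for family, words in KEYWORD_FAMILIES.items():
        exact = [w for w in words if w in tokens]
        substring = [w for w in words if w not in tokens and w in joined]
        if exact or substring:
            hits[family] = {"exact": exact, "substring": substring}
    return hits


def score_domain(domain):
    """Whole-token matches weigh 2, substring-only matches weigh 1 (assumed weights)."""
    hits = keyword_hits(domain)
    score = sum(2 * len(h["exact"]) + len(h["substring"]) for h in hits.values())
    return {"domain": domain, "score": score, "families": sorted(hits)}


def triage(domains, threshold=2):
    """Return the domains scoring at or above the threshold, highest score first."""
    scored = [score_domain(d) for d in domains]
    flagged = [s for s in scored if s["score"] >= threshold]
    return sorted(flagged, key=lambda s: (-s["score"], s["domain"]))


if __name__ == "__main__":
    # Feed this a daily newly-registered-domain list to produce a review queue.
    for entry in triage(SAMPLE_DOMAINS):
        print(f"{entry['score']:>2}  {entry['domain']:<36} {', '.join(entry['families'])}")
```

A score like this is a prioritisation aid, not a verdict: it should feed a review queue alongside the registrar, name-server, and certificate-issuer signals the report describes, and the threshold should be tuned against a sample of known-benign registrations before it gates any blocking decision.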