Thousands of new domains are registered every day so that businesses and individuals can build websites, but new research from Palo Alto Networks has revealed that cybercriminals often register malicious domains years before they intend to actually use them.
The cybersecurity firm's threat intelligence team, Unit 42, first began researching dormant malicious domains after it emerged that the threat actors behind the SolarWinds supply-chain attack (disclosed in December 2020) had used them in their intrusion. To identify strategically aged domains and monitor their activity, Palo Alto Networks launched a cloud-based detector in September 2021.
According to the firm's researchers, 22.3 percent of strategically aged domains pose some form of danger: a small portion are outright malicious (3.8%), most of the flagged set are merely suspicious (19%), and some are unsafe for work environments (2%).
The reason cybercriminals and other threat actors let a domain age is to build up a “clean record” so that the domain is less likely to be blocked once it goes live. Newly registered domains (NRDs), by contrast, are more likely to be malicious, and for that reason security products often flag them as suspicious outright. However, according to Palo Alto Networks, strategically aged domains are three times more likely to be malicious than NRDs.
Detecting malicious domains lying dormant
A sudden spike in traffic is often the sign that a strategically aged domain is actually malicious. Normal websites typically see their traffic grow gradually from the time they are created, as more people learn about the site through word of mouth or advertising; a domain that sits idle for months and then lights up overnight does not fit that pattern.
At the same time, domains that are not intended for legitimate purposes often have incomplete, cloned or questionable content, and usually lack WHOIS registrant details as well. Another sign that a domain was registered with the intention of using it later in malicious campaigns is DGA subdomain generation.
For those unfamiliar, a DGA, or domain generation algorithm, is a technique malware uses to generate large numbers of domain names (which then resolve to the attacker's command and control (C2) IP addresses) so that the C2 communication points change constantly and evade detection and static block lists. Just by examining sites using DGA, Palo Alto Networks' cloud-based detector was able to identify two suspicious domains each day.
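The signals described above (registration age, a traffic spike after a dormant period, missing WHOIS registrant details, and DGA-looking subdomains) can be combined into a simple scoring heuristic. The following is an added example and is not Unit 42's detector or code from the original article; the thresholds, the `DomainRecord` shape, the hypothetical `.test` domains and their query counts are all constructed assumptions for illustration.

```python
"""Heuristic scoring of strategically aged domains.

Added example, not Unit 42's detector. Thresholds and sample records
are constructed assumptions chosen to illustrate the signals.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import median

# Assumed thresholds (not taken from the article).
AGED_DAYS = 365          # registered at least a year ago => "aged"
SPIKE_RATIO = 10.0       # today's queries / median of preceding days
DGA_ENTROPY_BITS = 3.0   # per-character Shannon entropy of a label
DGA_MIN_LABELS = 5       # this many distinct DGA-looking labels => DGA signal


@dataclass
class DomainRecord:
    name: str
    registered: date
    whois_registrant: str | None       # None when registrant details are absent
    daily_queries: list[int]           # DNS query counts, oldest first, last = today
    subdomains: list[str] = field(default_factory=list)


def shannon_entropy(label: str) -> float:
    """Bits per character; random DGA labels score near log2(alphabet size)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())


def longest_nonvowel_run(label: str) -> int:
    """Longest run of characters without a vowel; natural words keep this short."""
    best = run = 0
    for ch in label.lower():
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def looks_dga(label: str) -> bool:
    """Heuristic: long, high-entropy, and no vowel structure."""
    return (len(label) >= 8
            and shannon_entropy(label) >= DGA_ENTROPY_BITS
            and longest_nonvowel_run(label) >= 4)


def spike_ratio(daily_queries: list[int]) -> float:
    """Today's count relative to the median of earlier days.

    A dormant domain has a zero baseline, so it is floored at 1 to keep the
    ratio finite; a domain waking up after months of silence scores very high.
    """
    if len(daily_queries) < 2:
        return 0.0
    *prior, today = daily_queries
    return today / max(median(prior), 1.0)


def assess(rec: DomainRecord, today: date) -> dict:
    """Combine the signals into a verdict; NRDs are left to existing NRD blocking."""
    age_days = (today - rec.registered).days
    aged = age_days >= AGED_DAYS
    ratio = spike_ratio(rec.daily_queries)
    dga_labels = sorted({s for s in rec.subdomains if looks_dga(s)})
    signals = {
        "traffic_spike": ratio >= SPIKE_RATIO,
        "missing_whois": rec.whois_registrant is None,
        "dga_subdomains": len(dga_labels) >= DGA_MIN_LABELS,
    }
    hits = sum(signals.values())
    if not aged:
        verdict = "nrd"
    elif hits >= 2:
        verdict = "suspicious"
    elif hits == 1:
        verdict = "review"
    else:
        verdict = "benign"
    return {"name": rec.name, "age_days": age_days, "aged": aged,
            "spike_ratio": ratio, "dga_labels": dga_labels, **signals,
            "verdict": verdict}


# Constructed sample data (hypothetical .test domains, not real observations).
TODAY = date(2021, 8, 15)
SAMPLE_RECORDS = [
    DomainRecord("dormant-c2.test", date(2019, 3, 1), None,
                 [0] * 29 + [1500],
                 ["q7xz3kpwv2", "m9trkzq4xd", "zp3wqkr7vn",
                  "hx8kq2zrtw", "k4zqrp9xwd", "r2xwtzq8kp"]),
    DomainRecord("steady-shop.test", date(2016, 5, 10), "Example Hosting Ltd",
                 list(range(100, 400, 10)),
                 ["www", "mail", "blog", "customer-portal"]),
    DomainRecord("fresh-phish.test", date(2021, 7, 20), None,
                 [0] * 9 + [800]),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = assess(rec, TODAY)
        print(f"{r['name']:18} age={r['age_days']:5}d spike={r['spike_ratio']:7.1f} "
              f"whois_missing={r['missing_whois']} dga={len(r['dga_labels'])} -> {r['verdict']}")
```

Run as a script it prints one line per sample: the two-year-old domain that wakes up with 1,500 queries, no registrant data and six random-looking subdomains scores "suspicious", the steadily growing shop scores "benign", and the 26-day-old domain is tagged "nrd" so that it is handled by the newly-registered-domain controls the article mentions rather than by this heuristic. The per-signal thresholds are deliberately crude; in practice they would be tuned against the organisation's own passive DNS baseline.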
During its investigation, the cybersecurity firm discovered a Pegasus spying campaign that used two C2 domains registered in 2019 that finally became active two years later, in July 2021. Palo Alto Networks' researchers also found phishing campaigns that used DGA subdomains as well as wildcard DNS abuse.
Via Bleeping Computer