How Newly Registered Domains Database Integration Can Improve Cybersecurity
12:12 22 May 2020
Cybercrime has proven to be a lucrative business for hackers. This has prompted them to launch an attack every 39 seconds. This leaves cybersecurity teams with no choice but to employ new means of identifying threat actors and sources, such as scrutinizing newly registered domains (NRDs). Why? Because as much as 70% of NRDs, meaning domains created or updated within the past few weeks or months, are malicious.
How Newly Registered & Just Expired Domains Database Can Help Network Defenders
A concrete cybersecurity plan involves protecting a network from all possible angles, including yet-unknown threat vectors. Cybercriminals purchase new domains and use 20% of them for attacks soon after registration. This bit of information highlights the need for security experts to consider integrating a newly registered domain database into their existing solutions and systems for additional protection. For instructions on how to access the database and use it, consult this post.
You may be asking what purpose the database would serve. NRD database integration is especially useful for:
Tracking Suspicious Domains
It is common practice for cybercriminals to act based on trending topics and events. The coronavirus outbreak is no exception. Over the past few months, we have seen the volume of COVID-19-themed NRDs rise and, later on, figure in several attacks.
Case in point: When the World Health Organization (WHO) declared COVID-19 a global pandemic on 11 March, we expected cybercriminals to begin crafting attacks. True enough, by 14 March, we discovered 835 domain name additions containing the term “covid” to the database. Over time, we saw even more new COVID-19-themed domains in our .com data feeds alone:
- 17 March: 2,405 new domain additions
- 19 March: 2,822 new domain additions
- 20 March: 3,151 new domain additions
While not all of these domains are outright malicious, some will be used to host legitimate new sites, while others, unfortunately, may prove suspicious. Examples users need to avoid include factsaboutcovid19[.]com and knowyourcovid-19[.]com, which, according to Threat Intelligence Platform (TIP) queries, had malicious ties.
Prevent Brand Abuse
Protecting a company's brand is not the responsibility of the cybersecurity team alone, but a reputation tarnished by domain misuse or abuse still counts against it. Whatever negative impression a brand gets affects every employee. That said, network defenders also need to keep track of threat actors that may be mimicking their domains for attacks.
Let’s take the company Allstate Corporation (an insurance provider) as an example. We looked at new domain registrations on 18 April that contained the brand “allstate.” Apart from being a big company, we chose the brand because Allstate recently announced that it would return more than US$600 million in auto insurance premiums to customers due to the pandemic. Hackers could take this announcement as an opportunity to carry out scams.
According to our .com NRD data feed for 18 April, 14 new registrations containing the brand “allstate” were added to the database. These include domains with misspellings such as allstataidentityprotection[.]com, allstateidendityprotection[.]com, allstateidenetityprotection[.]com, allstateidenitityprotection[.]com, allstateidentitiyprotection[.]com, allstateidentityprotections[.]com, allstateidentityprotectoin[.]com, allstateldentityprotection[.]com, allstateprivacysolutions[.]com, wwwallstateprivacyandidentity[.]com, wwwallstateprivacymanager[.]com, and wwwallstateprivacysolutions[.]com.
While none of the NRDs above are in use right now or tagged malicious, we can't help but wonder what purpose misspelled domains would serve an organization such as Allstate. We also know that phishers and spammers often use domain names containing brand names and misspellings in their cybersquatting and other malicious schemes. That said, the security teams of Allstate and its corporate customers would do well to monitor the domains for signs of malicious activity.
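One way to put the brand-monitoring step above into practice, as an added Python example that is not code from the post or from WhoisXML API: it takes a constructed, defanged NRD feed and a brand string, and flags domains that contain the brand (including the www-prefixed pattern seen above) or that sit within one edit of it. The sample domains and the one-edit threshold are assumptions for illustration.

```python
# Constructed sample NRD feed, one defanged domain per line, as in the post.
# The Allstate-themed names echo the post; the others are made up for this example.
SAMPLE_FEED = """\
allstateidentityprotections[.]com
allstateldentityprotection[.]com
wwwallstateprivacymanager[.]com
alstate-claims[.]com
bakerystreetcakes[.]com
"""

def refang(domain):
    """Turn 'example[.]com' back into 'example.com' for processing."""
    return domain.strip().lower().replace("[.]", ".")

def damerau_levenshtein(a, b):
    """Edit distance that also counts an adjacent character swap as one edit."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)
    return d[len(a), len(b)]

def flag_lookalikes(feed, brand, max_distance=1):
    """Return {domain: [reasons]} for NRDs that contain or closely resemble the brand."""
    brand = brand.lower()
    flagged = {}
    for line in feed.strip().splitlines():
        domain = refang(line)
        label = domain.split(".")[0]  # second-level label only
        reasons = []
        if brand in label:
            reasons.append("contains brand")
            if label.startswith("www"):
                reasons.append("www-prefixed")
        else:
            # Slide a brand-sized window across the label to catch near-misses.
            best = min(damerau_levenshtein(label[s:s + n], brand)
                       for n in (len(brand) - 1, len(brand), len(brand) + 1)
                       for s in range(max(1, len(label) - n + 1)))
            if best <= max_distance:
                reasons.append(f"misspelling (distance {best})")
        if reasons:
            flagged[domain] = reasons
    return flagged
```

Raising max_distance widens the net but also raises false positives on short brand names, so tune it per brand.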
With the growing number of new domain registrations per day, it is too easy for users to get confused and thus entangled with fraudulent domains and digital traps. Integrating an NRD database, as well as a list of all registered domains, into cybersecurity and business strategies can serve as an additional layer of protection, especially amid an already-looming crisis.
About the Author
Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds. WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).