Thousands of new domains are registered everyday so that businesses and individuals can build websites but new research from Palo Alto Networks has revealed that cybercriminals often register malicious domains years before they intend to actually use them.
The cybersecurity firm’s Unit 42 first began its research into dormant malicious domains after it was revealed that the threat actors behind 2019’s SolarWinds hack used them in their attack. To identify strategically aged domains and monitor their activity, Palo Alto Networks launched a cloud-based detector in September of 2021.
According to the findings of the firm’s researchers, 22.3 percent of strategically aged domains pose some form of danger with a small portion being straight-out malicious (3.8%), a majority being suspicious (19%) and some being unsafe for work environments (2%).
The reason cybercriminals and other threat actors let a domain is age is to create a “clean record” so that their domain will be less likely to be blocked. Newly registered domains (NRDs) on the other hand are more likely to be malicious and for this reason, security systems often flag them as suspicious. However, according to Palo Alto Networks, strategically aged domains are three times more likely to be malicious than NRDs.
Detecting malicious domains lying dormant
When a sudden spike in traffic is detected, it’s often the case that a strategically aged domain is actually malicious. This is because normal websites typically see their traffic grow gradually from when they’re created as more people visit a site after learning about it through word of mouth or advertising.
At the same time, domains that aren’t intended for legitimate purposes often have incomplete, cloned or questionable content and usually lack WHOIS registrant details as well. Another sign that a domain was registered and intended to be used at a later time in malicious campaigns is DGA subdomain generation.
For those unfamiliar, DGA or domain generation algorithm is a method used to generate domain names and IP addresses that will serve as command and control (C2) communication points used to evade detection and block lists. Just by examining sites using DGA, Palo Alto Networks’ cloud-based detector was able to identify two suspicious domains each day.
During its investigation, the cybersecurity firm discovered a Pegasus spying campaign that used two C2 domains registered in 2019 that finally became active two years later in July of 2021. Palo Alto Networks’ researchers also found phishing campaigns that used DGA subdomains as well as wildcard DNS abuse.
We’ve also highlighted the best web hosting, best endpoint protection software and best malware removal software
Via Bleeping Computer