Newly Registered Domains - cybersecurity

Why Are Newly Registered Domains Important for Cybersecurity?

Newly Registered Domains (a.k.a. NRDs) refer to domain names that have been registered recently, often within the last few days or weeks. These domains are of particular interest in the field of cybersecurity for several reasons:

  1. Phishing and Scams
    Cybercriminals frequently register new domains to use in phishing attacks and scams. These domains may mimic or closely resemble the names of legitimate businesses, organizations, or government agencies to deceive individuals into providing sensitive information or downloading malware. Monitoring newly registered domains enables cybersecurity professionals to identify and respond to potential phishing threats more rapidly.
  2. Malware Distribution
    New domains are commonly used to host and distribute malware. By registering new domains, attackers can evade detection by security systems that may not yet have blacklisted these domains. Identifying such domains as soon as they are registered can help in preempting attacks by adding them to blacklists before they can be widely used.
  3. Command and Control (C2) Servers
    Attackers use command and control servers to manage compromised systems remotely. New domains can serve as agile C2 infrastructure, allowing attackers to switch domains quickly if one is taken down or blocked. Early detection of such domains can disrupt the communication channels used by malware or botnets.
  4. Data Exfiltration
    Cybercriminals might use newly registered domains to set up websites where stolen data can be uploaded or managed. Identifying these domains can help in investigating data breaches and possibly recovering stolen data.
  5. Reputation and Brand Protection
    For businesses, the registration of domains that are similar to their brand names could indicate attempts at trademark infringement, brand impersonation, or efforts to divert traffic through typosquatting. Early detection allows businesses to take legal or technical steps to protect their brand integrity.
  6. Zero-Day Exploits
    NRDs may be used in conjunction with zero-day exploits (previously unknown vulnerabilities) to launch attacks before vendors have patches available. Identifying and monitoring these domains helps in understanding emerging threats and developing countermeasures.

Cybersecurity Implications Around Newly Registered Domains

Given these threats, monitoring newly registered domains is a crucial strategy for cybersecurity teams. It allows them to:

  • Proactively identify potential threats.
  • Implement defensive measures, such as blocking or closely monitoring traffic to and from these domains.
  • Conduct threat intelligence research to anticipate future attacks.

Tools and services that track newly registered domains provide valuable data that can be used to feed into security information and event management (SIEM) systems, threat intelligence platforms, and other security tools to enhance an organization’s defensive posture against emerging threats.

How Do You Get a List of Newly Registered Domains?

Getting a list of all domain names registered on a specific day can be quite challenging due to the sheer number of domains registered across more than 1500 top-level domains (TLDs) and many registrars. However, there are a few approaches you might consider:

  1. Centralized WHOIS Services: Some centralized WHOIS services or databases offer information on newly registered domains. They often provide APIs for querying domain registration data, including registration dates, and usually require a subscription.
  2. TLD Zone Files Access: Some top-level domain registries offer access to their zone files, which contain lists of all domains registered under that TLD. Access to these files often requires applying for permission and agreeing to the registry’s terms of use. Not all TLDs provide this access, and those that do usually require the data to be used for specific purposes, like research or security.
  3. Domain Registration Data Access Services: Companies like ICANN (for gTLDs) and various ccTLD registries may offer bulk access to registration data under certain conditions. This access might be limited and governed by specific agreements.
  4. Third-party Aggregators and Data Providers: There are companies and services that specialize in tracking domain registrations, expirations, and other changes across the internet. They aggregate this data from various sources and might offer it through their platforms, often for a fee.
  5. Publicly Available Lists and Feeds: Some cybersecurity companies and researchers publish feeds or lists of newly registered domains (NRDs) for the purposes of tracking potential phishing or malware distribution campaigns. These lists might not be exhaustive and are often focused on specific types of domains.
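As an added illustration of approach 2 (example code written for this topic, not a WhoAPI tool or code from the article): diffing two daily snapshots of a TLD zone file yields the domains that were newly delegated, which is the closest a zone file gets to a list of newly registered domains. The two snapshots are constructed sample data, and the simplified record format is an assumption.

```python
# Added example, not from the article: derive NRD candidates for one TLD by
# diffing two consecutive daily zone-file snapshots. The snapshots below are
# constructed in a simplified "<label> [ttl] [in] ns <nameserver>" format
# resembling gTLD zone dumps; only NS (delegation) records are considered.
ZONE_DAY1 = """\
$ORIGIN COM.
$TTL 900
EXAMPLE NS A.IANA-SERVERS.NET.
SHOP-MYBANK 900 in ns NS1.HOSTING-EXAMPLE.COM.
HOSTING-EXAMPLE NS NS1.HOSTING-EXAMPLE.COM.
NS1.HOSTING-EXAMPLE A 192.0.2.10
"""

ZONE_DAY2 = """\
$ORIGIN COM.
$TTL 900
EXAMPLE NS A.IANA-SERVERS.NET.
SHOP-MYBANK 900 in ns NS1.HOSTING-EXAMPLE.COM.
HOSTING-EXAMPLE NS NS1.HOSTING-EXAMPLE.COM.
MYBANK-LOGIN NS NS1.HOSTING-EXAMPLE.COM.
MYBANK-LOGIN NS NS2.HOSTING-EXAMPLE.COM.
PAYPA1-SECURE NS DNS1.REGISTRAR-EXAMPLE.ORG.
NS1.HOSTING-EXAMPLE A 192.0.2.10
"""

def delegated_names(zone_text: str, tld: str) -> set:
    """Registrable domains that have NS records (i.e. are delegated) in a zone dump."""
    names = set()
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("$", ";")):      # directives and comments
            continue
        tokens = line.lower().split()
        # Owner is the first token, target the last; the record type sits in between.
        if len(tokens) < 3 or "ns" not in tokens[1:-1]:
            continue                                      # glue A/AAAA records etc.
        owner = tokens[0].rstrip(".")
        names.add(f"{owner}.{tld}")
    return names

def newly_registered(old_zone: str, new_zone: str, tld: str = "com") -> list:
    """Domains delegated in the new snapshot but not the old one: the NRD candidates.
    Caveat: a domain only enters the zone once it has nameservers, so registrations
    without delegation are invisible here, and re-delegated old domains also show up."""
    return sorted(delegated_names(new_zone, tld) - delegated_names(old_zone, tld))

if __name__ == "__main__":
    for domain in newly_registered(ZONE_DAY1, ZONE_DAY2):
        print("new delegation:", domain)
```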

It’s important to note that obtaining a comprehensive list of all domains registered on a given day across all TLDs and registrars is a significant challenge due to the decentralized nature of domain registration and the vast number of domains involved. Additionally, privacy concerns and regulations, such as GDPR, have made access to some of this data more restricted.

If you’re interested in a specific TLD or set of domains for a particular purpose, it might be more feasible to focus your efforts on those areas and check with the relevant registries or service providers for access to the data you need.


Malicious Use of Newly Registered Domains

Newly registered domains (NRDs) can be exploited for malicious purposes in various ways, posing significant cybersecurity threats. Here’s an overview of how NRDs are commonly used in malicious activities:

1. Phishing Attacks

Phishing remains one of the most prevalent uses of NRDs. Attackers create websites that mimic legitimate ones to deceive individuals into entering sensitive information, such as login credentials, credit card numbers, or personal identification details. Since new domains are not immediately recognized as malicious by security filters and users, they can be particularly effective for such deception.

Often these domain names are extremely similar to the victim's domain name. Usually it's a misspelling or typo on the same TLD, or exactly the same name on a different TLD than the one you would expect.

2. Malware Distribution

Cybercriminals often use newly registered domains to host and distribute malware. Unsuspecting users might be directed to these domains through various means, including phishing emails, malicious advertisements, or compromised websites. Once visited, these sites can automatically download malware onto the user’s device, leading to data theft, ransomware attacks, or unauthorized access to networks.

3. Command and Control (C2) Servers

Newly registered domains are frequently employed to establish command and control (C2) servers for managing networks of compromised computers (botnets). Through these servers, attackers issue commands to infected machines, coordinating attacks, spreading malware, or stealing data. Changing domain names regularly helps attackers evade detection and maintain control over their botnets.

4. Spam Campaigns

Spam campaigns utilize newly registered domains to send out bulk unsolicited emails containing malicious links or attachments. The novelty of these domains helps bypass email filters designed to block known malicious sites, increasing the chances that recipients will click on the links or download the attachments.

Unfortunately, I saw this recently when I was investigating the .men TLD. There have been instances where .men domains were associated with spammy or low-quality content (Viagra, Cialis, Porno), casting a shadow over its reputation.

5. Credential Stuffing and Brute Force Attacks

Newly registered domains can serve as platforms for launching automated attacks against online services, such as credential stuffing (using stolen username-password pairs to gain unauthorized access) or brute force attacks (attempting to guess credentials through systematic trial and error). And let's use this moment to remind ourselves yet again of the importance of a strong password.

These domains can host tools and scripts that automate the attack process.

6. Domain Squatting and Typosquatting

Cybercriminals engage in domain squatting (registering domains similar to trademarks or brand names) and typosquatting (registering misspelled versions of popular domain names) to trick users into visiting malicious sites. These tactics can be used for phishing, spreading malware, or fraudulent schemes.

Sometimes they try to sell these domains, and it backfires on them. Just recently someone tried to sell a domain name to Binance, which Binance then won in court. It's just not something you want to do when flipping domain names.

7. Exfiltration and Data Harvesting

NRDs can be set up as destinations for exfiltrating stolen data. Malware on a compromised system could be programmed to send data to an NRD, where attackers can collect and exploit the information.


Cybersecurity Measures Against Newly Registered Domains

To counter the threats posed by malicious use of NRDs, organizations and individuals can adopt several cybersecurity measures:

  • Implementing advanced email filtering solutions that can analyze and block emails containing links to newly registered domains.
  • Deploying web filtering tools that restrict access to NRDs or websites not categorized or recognized by security databases.
  • Regularly updating anti-malware and antivirus software to detect and prevent infections from malicious downloads.
  • Educating users about the risks associated with NRDs, encouraging caution when clicking on links or downloading attachments from unknown sources.

Given the agility of cybercriminals in exploiting NRDs, continuous monitoring and adaptive security measures are essential to protect against these evolving threats.

While on the subject of newly registered domains from a cybersecurity perspective, and beyond the common threats and defensive measures already discussed, the role of automated monitoring and analysis systems deserves a closer look. These systems are invaluable for detecting and mitigating the risks associated with NRDs in real time. Here are some key points cybersecurity experts may find valuable:

Automated Detection and Analysis

  • Machine Learning Algorithms: Machine learning algorithms are used to automatically analyze the characteristics of NRDs and assess their risk levels. These algorithms can learn from patterns associated with malicious domain registrations, such as the registration details, the similarity to known legitimate domains, and the domain’s behavior immediately after registration. In other words, creating a Domain Scoring.
  • Real-time Threat Intelligence: It is important to integrate real-time threat intelligence feeds with security systems. This integration allows organizations to dynamically update their security postures based on the latest information about malicious domains and emerging threats.

Predictive Analytics

  • Predicting Malicious Intent: Predictive analytics can be used to forecast the potential threat of a newly registered domain before it’s actively used in attacks. This could involve analyzing registration patterns, the reputation of the registrant, or the use of certain keywords or TLDs that have historically been associated with malicious activities.
  • Behavioral Analysis: Suspicious activity associated with a newly registered domain can include rapid changes to its DNS settings, the nature of the hosted content, or unusual traffic patterns shortly after registration.

Domain Reputation Systems

  • Scoring Mechanisms: Development and use of domain reputation systems that assign risk scores to NRDs based on a range of factors, including but not limited to the domain’s age, registration details, hosting infrastructure, and associated web content.
  • Integration with Security Tools: These reputation scores can be integrated into broader cybersecurity frameworks, including email gateways, web filters, and endpoint protection platforms, to automatically block or flag interactions with high-risk domains.
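An added example (not WhoAPI's or the article's own code) tying together the look-alike patterns described under Phishing and Typosquatting with the scoring mechanism above: a small domain risk scorer that combines domain age, similarity to a protected brand list, and keyword/TLD heuristics. The brand list, keyword list, risky-TLD set, weights, thresholds and the fixed `TODAY` date are all assumptions for illustration, not a validated model.

```python
from __future__ import annotations
from datetime import date
from difflib import SequenceMatcher

# Assumed inputs for this example: a brand watch-list plus the keywords and TLDs
# an organisation treats as higher risk. Weights and thresholds are illustrative.
PROTECTED_BRANDS = ("mybank.com", "paypal.com")
RISKY_KEYWORDS = ("login", "secure", "verify", "update", "account")
RISKY_TLDS = {"men", "top", "xyz"}
TODAY = date(2024, 3, 1)  # fixed "now" so results are reproducible

def split_domain(domain: str) -> tuple[str, str]:
    """'mybank-login.com' -> ('mybank-login', 'com'). Two-label suffixes (co.uk) are not handled."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def lookalike(domain: str) -> str | None:
    """Return the protected brand this domain imitates (same name on another TLD,
    brand embedded as a hyphenated part, or a typo-distance variant), else None."""
    label, tld = split_domain(domain)
    parts = [label] + label.split("-")
    for brand in PROTECTED_BRANDS:
        blabel, btld = split_domain(brand)
        if label == blabel:
            return None if tld == btld else brand   # the brand itself is not a look-alike
        for part in parts:
            if part == blabel or SequenceMatcher(None, part, blabel).ratio() >= 0.8:
                return brand
    return None

def risk_score(domain: str, registered: date, today: date = TODAY) -> tuple[int, list[str]]:
    """Score 0-100 with the reasons that contributed; higher means more suspicious."""
    score, reasons = 0, []
    age = (today - registered).days
    if age < 30:                                  # the core NRD signal: the domain is new
        score += 40 if age < 7 else 20
        reasons.append(f"registered {age} days ago")
    brand = lookalike(domain)
    if brand:
        score += 40
        reasons.append(f"looks like {brand}")
    label, tld = split_domain(domain)
    if any(k in label for k in RISKY_KEYWORDS):
        score += 10
        reasons.append("credential-themed keyword")
    if tld in RISKY_TLDS:
        score += 10
        reasons.append(f"high-risk TLD .{tld}")
    return min(score, 100), reasons
```

Scores above a chosen threshold (for instance 60) would be the ones fed to the email gateway or web filter as block or flag decisions.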

Collaboration and Information Sharing

  • Cross-organizational Collaboration: It’s important to emphasize collaboration among businesses, cybersecurity firms, and governmental agencies in sharing intelligence about NRDs and associated threats. This collaborative approach can lead to the development of more comprehensive and up-to-date threat databases.
  • Public and Private Sector Partnerships: Successful partnerships between the public and private sectors have led to significant takedowns or mitigations of threats associated with NRDs.

Legal and Regulatory Considerations

  • Domain Registration Policies: Policies and regulations governing domain registration processes also have an impact, including efforts to enhance the transparency and accountability of domain registrants. This might include advocating for stricter verification processes or developing standards for flagging and reviewing potentially malicious domain names.
  • Privacy vs. Security: There is an ongoing debate between ensuring privacy for legitimate registrants and the transparency security professionals need to combat cyber threats effectively; the lack of access to .NZ WHOIS data (the ccTLD for New Zealand), mentioned briefly as an example, illustrates it.

Taken together, these advanced topics give a comprehensive view of the challenges and cutting-edge strategies in managing the cybersecurity risks associated with newly registered domains. This information not only informs but also empowers cybersecurity professionals to better protect their organizations.

Goran Duskic

Goran Duskic has been the Founder and CEO of WhoAPI Inc. since 2011, a company that specializes in developing APIs, including the well-known Whois API. He started his career in internet entrepreneurship in 2006 and has co-founded several online businesses, including a web hosting company that he later sold. Goran's work primarily involves creating practical API solutions to meet technological needs.