Seven out of ten newly registered domains (NRDs) are either malicious, suspicious, or not safe for work, according to Palo Alto Networks researchers, who advise organizations to block access to them with URL filtering.
Some will consider this aggressive because of the potential for false positives, but the risk posed by threats hosted on NRDs is much greater. At a bare minimum, if access to NRDs is allowed, alerts should be configured on such access for additional visibility.
What Is an NRD?
The researchers consider a domain 'newly registered' if it has been registered, or has changed ownership, within the last 32 days.
Recently registered domains can of course be benign, but the fact that over 70% of them are malicious or otherwise potentially harmful to organizations and their users should prompt admins to consider blocking access to them at the network level.
There is another reason for this: most NRDs used for malicious purposes are 'alive' only briefly, a few hours or days, so security vendors may not identify them and react in time to block them.
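As an added example (not code from the Palo Alto Networks report), the following Python script applies the report's 32-day definition to proxy log lines: each requested host is reduced to its registrable domain, its age at the time of the request is computed from a registration-date table, and the request is classified as allow, alert (the report's minimum) or block (its stronger recommendation). The log lines, hostnames and registration dates are constructed for the example; in production the dates would come from RDAP/WHOIS or a threat-intelligence feed, and the two-label domain reduction should be replaced by a Public Suffix List lookup.

```python
# Added example (not from the Palo Alto Networks report): flag requests to
# newly registered domains in proxy logs, using the report's 32-day window.
from datetime import datetime, timezone

NRD_WINDOW_DAYS = 32  # the report's definition of 'newly registered'

# Constructed registration snapshot: registrable domain -> creation date (or date
# of the last ownership change). These values are made up for the example.
REGISTRATION_DATES = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "fresh-invoice-login.tk": datetime(2019, 8, 20, tzinfo=timezone.utc),
    "mocrosoft.cf": datetime(2019, 9, 1, tzinfo=timezone.utc),
}

# Constructed proxy log lines: "<timestamp> <client ip> <requested host>".
SAMPLE_LOG = """\
2019-09-02T10:15:01Z 10.0.0.12 www.example.com
2019-09-02T10:15:07Z 10.0.0.12 cdn.fresh-invoice-login.tk
2019-09-02T10:16:44Z 10.0.0.31 mocrosoft.cf
2019-09-02T10:17:02Z 10.0.0.31 unknown-host.test
"""


def registrable_domain(host):
    """Reduce a hostname to its last two labels.

    Simplification: real code should consult the Public Suffix List so that
    names like login.example.co.uk map to example.co.uk rather than co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(domain, at, registrations=REGISTRATION_DATES):
    """Days between registration and the time of the request, or None if unknown."""
    created = registrations.get(domain)
    if created is None:
        return None
    return (at - created).days


def classify(host, at, policy="alert", registrations=REGISTRATION_DATES,
             window=NRD_WINDOW_DAYS):
    """Return 'allow', 'alert', 'block' or 'unknown' for one request.

    policy='alert' logs NRD access for visibility; policy='block' denies it.
    A negative age (registration date after the request, e.g. clock skew or a
    stale snapshot) is still treated as newly registered rather than ignored.
    """
    age = domain_age_days(registrable_domain(host), at, registrations)
    if age is None:
        return "unknown"  # no registration data: worth its own alert in practice
    if age <= window:
        return "block" if policy == "block" else "alert"
    return "allow"


def scan_log(log_text, policy="alert"):
    """Evaluate each log line at the time the request was made."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _client, host = line.split()
        at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verdicts.append((host, classify(host, at, policy)))
    return verdicts


if __name__ == "__main__":
    for host, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8s} {host}")
```

Two points worth keeping when adapting this: the age is computed at the time of each request rather than at scan time, so a retrospective hunt over old logs gives the same verdicts the system would have given live, and a domain with no registration data is reported as unknown rather than silently allowed, since missing WHOIS/RDAP data is itself a signal.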
Other Interesting Facts
Potentially harmful or malicious NRDs are set up to act as command-and-control channels; to distribute malware, potentially unwanted programs and adware; to host phishing and scam pages; and to send email spam. 'Not safe for work' domains host content that may be objectionable in a business setting (adult content, gambling, and so on).
Threat actors use various techniques to keep their malicious domains under the radar of automated detection tools. A phishing domain may, for example, serve a CAPTCHA so that crawlers never reach the actual phishing page.
The creation of malicious NRDs can be automated. Domains serving as command-and-control channels or for data exfiltration are often generated and registered on demand using domain generation algorithms (DGAs). Phishing pages, on the other hand, are often set up on typosquatted domains (e.g. mocrosoft.cf), with phishers relying on users' tendency to mistype the popular URLs they intend to visit.
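The typosquatting case above lends itself to a simple check that a defender can run over a stream of candidate domains (for instance the ones just flagged as newly registered). The script below is an added example, not code from the report: it folds visually confusable character sequences (rn for m, 0 for o, and so on), then compares every label of the domain, not just the second-level one, against a watchlist of brand names using optimal string alignment distance, which counts the typo edits a user actually makes (insertion, deletion, substitution and swapping two adjacent characters). The brand watchlist, the allow-list of the brands' real domains and all candidate domains are constructed for the example.

```python
# Added example (not from the report): detect typosquats and brand look-alikes
# among candidate domains, e.g. those just flagged as newly registered.
BRANDS = {"microsoft", "google", "paypal"}                      # constructed watchlist
LEGIT_DOMAINS = {"microsoft.com", "google.com", "paypal.com"}  # constructed allow-list

# Visually confusable sequences folded to their look-alike before comparing,
# so that rnicrosoft and g00gle are caught as well as plain typos.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_confusables(label):
    """Replace confusable sequences; applied to brands and candidates alike."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits are insert, delete, substitute
    and transposition of two adjacent characters (the typical typo set)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # delete
                          d[i][j - 1] + 1,         # insert
                          d[i - 1][j - 1] + cost)  # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def typosquat_match(domain, brands=BRANDS, legit=LEGIT_DOMAINS, max_distance=1):
    """Return (brand, distance, offending_label) or None.

    Every label except the TLD is compared, so a brand name hidden in a
    subdomain or combined with other words ("paypal.secure-login.tk") is
    reported as a distance-0 hit; the brand's own domains are exempted.
    """
    domain = domain.lower().rstrip(".")
    if domain in legit:
        return None
    labels = domain.split(".")[:-1] or [domain]  # drop the TLD label
    best = None
    for label in labels:
        folded = fold_confusables(label)
        for brand in sorted(brands):
            dist = osa_distance(folded, fold_confusables(brand))
            if dist <= max_distance and (best is None or dist < best[1]):
                best = (brand, dist, label)
    return best


if __name__ == "__main__":
    for candidate in ["mocrosoft.cf", "rnicrosoft.com", "g00gle.com",
                      "paypal.secure-login.tk", "microsoft.com", "example.com"]:
        print(f"{candidate:24s} {typosquat_match(candidate)}")
```

A distance threshold of 1 keeps false positives manageable for brand names of six or more characters; for very short brand labels, or when comparing against a large watchlist, require a minimum label length or raise the threshold only for longer labels, otherwise ordinary words will start matching. The allow-list should contain every legitimate domain the brand itself operates, including regional ones, or the brand's own traffic will be reported.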
Palo Alto Networks says its system identifies, on average, about 200,000 NRDs every day.
While malicious NRDs ending in .com, .tk, .cn and .uk are the most numerous, the country-code top-level domains of Tonga (.to), Armenia (.am) and Palau (.pw) have the highest rate of malicious NRDs.
We would even go so far as to recommend blocking entire TLDs that are mainly used by bad actors. Of course, each organization must understand its own tolerance for false positives before blocking whole TLDs.