
Newly Registered Domains List Shows Recent Registrations Continue to Pose Cybersecurity Risks

Analysts and researchers have been advising caution around newly registered domains (NRDs) for several years. Back in 2019, it was even suggested that 70% of new domain registrations were suspicious or unsafe to work with.

Of course, the simple fact that a domain is newly registered does not make it bad. After all, virtually any new business or entrepreneurial activity starts with launching a new website. On the other hand, abusive new registrations made with the intent of, say, cybersquatting known brands remain a recurring problem.

For example, we continue to identify hundreds of suspicious newly registered domains in our Newly Registered & Just Expired Domains database, several of which relate to current world events such as the spread of COVID-19. Granted, a few hundred domains may not seem like a lot when hundreds of thousands of new domains are registered daily. But it is still a lot given the potential risk and damage that a single successful phishing attack can cause.

Since NRDs continue to be a threat in 2021, let’s recap what they are, the kinds of attacks they are part of, and how monitoring them can be beneficial to various cybersecurity stakeholders.

What Are Newly Registered Domains?

Newly registered domains are those that were registered, or changed ownership, within the past few weeks. Domain age can be determined via WHOIS lookups or by integrating a newly registered domain (NRD) database into Internet-connected platforms and applications. The latter option lets users skip manual WHOIS searches when checking whether a domain of interest is newly registered.

Attacks That Use Newly Registered Domains

To succeed, cyber attackers need to avoid detection and blocking. And if their malware or exploits are discovered, they, of course, do not want to be identified as the perpetrators. These are the reasons they use newly registered domains in attacks such as:

1. Spam and Phishing Campaigns

These days, users get tons of COVID-19-related emails supposedly from reputable organizations giving updates, soliciting donations, spreading awareness about government subsidies or aid, or even supposedly following up on business proposals.

What most recipients may not know is that the links embedded in these messages do not belong to the institutions the senders claim to represent. And more often than not, the domains hosting the linked pages are newly registered and malicious.

2. Malware Attacks

Malware operators, including ransomware creators, often distribute their malicious wares via newly registered domains, too. This approach lets them infiltrate even protected target networks because the domains they use have yet to appear on blacklists.

In light of these and other attacks involving recent domain registrations, integrating NRD lists into existing solutions and systems can help lessen the chances of yet unknown threat vectors bypassing security perimeters.

Who Can Benefit from Newly Registered Domains List Integration?

Three types of enterprise security users can benefit from NRD database integration, namely:

1. Security Solution Providers

Security software manufacturers can integrate an NRD database into their offerings so these can at least alert users to newly registered domains that are attempting to communicate with their protected systems. Domains that seem to imitate big brands can also be tracked.

Depending on the plan selected, information about NRDs can also include complete WHOIS records, which can help attribute domain ownership. Even if those records are redacted, that is probably a sign that the domains do not belong to big established brands, since large Fortune-ranked companies tend to leave their WHOIS records public.

2. Internal Security Teams

Dedicated security or security operations center (SOC) personnel can work with security solution providers that incorporate newly registered domain filtering into their security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms, so they can watch for signs of malicious activity coming from these potential attack vectors.

3. External Security Providers

Managed security service providers (MSSPs) and other third-party security providers can also add a newly registered domains list to their threat sources to screen on behalf of clients. The database can serve as an additional source of threat intelligence so they can more effectively ward off attempts and attacks directed at their customers’ networks.

Getting Started with Newly Registered & Just Expired Domains Database

1. Go to the Newly Registered & Just Expired Domains Database page by accessing https://newly-registered-domains.whoisxmlapi.com/ on your browser.

2. Reach out to us for more information about the product by clicking “Order database” and filling out the contact form or access data samples by clicking “Download DB samples.”

We offer a variety of data packages with the following features:

  • Lite: Daily updates and newly registered domains.
  • Basic: Daily updates plus newly registered and just expired domain names.
  • Professional: Everything in Basic, along with the domains’ WHOIS data.
  • Enterprise: Newly registered, just expired, and recently updated domains, with WHOIS data included; country-code TLDs (ccTLDs) are covered under this package.
  • Ultimate: Everything in Enterprise, plus newly discovered domains (i.e., domains registered, dropped, or updated more than 28 days ago that did not appear in our previous data feeds).

3. Newly Registered Domains 2.0 data feed files are available through a directory sorted by date.

4. For a given date, select the file format you want to download (JSON or CSV) and the file you are interested in. For the actual NRD data, select the file with “data” in the name (e.g., nrd.2021-11-15.enterprise.daily.data.csv.gz). The “stats” file gives you an overview of the number of records available for each TLD on the selected day.

The Newly Registered & Newly Expired Domains Database in Action

To illustrate the functionalities of the Newly Registered Domains Database, we downloaded the NRD data feed on 15 November 2021, containing 277,702 newly added and recently expired domains. Below are some of the capabilities of the data feed, along with sample data.

Detect Malicious NRDs

Among the newly registered domains on the data feed is 365phoneverificationonline[.]com, which is already flagged as malicious only two days after it appeared in the Domain Name System (DNS) space.

Integrating the database into security platforms can help warn users against suspicious domains that could be used in cyber attacks.

Find Attributes to Expand IoCs

The NRD database can also come with complete WHOIS records, giving security teams more data with which to expand lists of indicators of compromise (IoCs). While the registrant details of 365phoneverificationonline[.]com are redacted, the database provided this WHOIS information:

  • Registrar: Namecheap
  • Nameservers: dns1[.]namecheaphosting[.]com and dns2[.]namecheaphosting[.]com
  • Country: Iceland

Filtering the database on these details, we uncovered six more domains that the same person could have registered on the same day. These domains are:

  • 365mobileserviceupdate[.]online
  • 365loginsec[.]xyz
  • 365digital-serviceprotection[.]com
  • 365live-onlinehelp[.]com
  • 365boilogin[.]xyz
  • 365transaction-review[.]com

Two days after their creation dates, two of them, 365boilogin[.]xyz and 365digital-serviceprotection[.]com, had already been flagged as malicious, just like 365phoneverificationonline[.]com.
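The pivot described above (same registrar, nameservers, country, and creation date as the seed domain) as an added example in Python; it is not code from the article or from WhoisXML API, and the record schema, field names, and creation dates are this example's own assumptions. It also applies the caveat a practitioner would add: registrar-default nameservers are shared by many unrelated customers, so a lexical link to the seed is required as well.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class NrdRecord:
    """One feed row; field names are this example's own, not the vendor's schema."""
    domain: str
    registrar: str
    nameservers: tuple
    country: str
    created: str  # YYYY-MM-DD

def label(domain: str) -> str:
    """Registrable label with report-style [.] defanging undone."""
    return domain.lower().replace("[.]", ".").split(".")[0]

def norm_nameservers(nameservers) -> tuple:
    """Case-, order- and trailing-dot-insensitive nameserver set."""
    return tuple(sorted(ns.lower().replace("[.]", ".").rstrip(".") for ns in nameservers))

def find_related(records, seed_domain: str, min_prefix: int = 3) -> list:
    """Domains created on the seed's date with the same registrar, nameservers and
    country. Registrar-default nameservers are shared by many unrelated customers,
    so min_prefix also demands a lexical link to the seed; pass 0 to see the noise."""
    seed = next(r for r in records if r.domain == seed_domain)
    seed_ns = norm_nameservers(seed.nameservers)
    related = []
    for r in records:
        if r.domain == seed.domain or r.created != seed.created:
            continue
        if r.registrar.lower() != seed.registrar.lower() or r.country != seed.country:
            continue
        if norm_nameservers(r.nameservers) != seed_ns:
            continue
        if len(os.path.commonprefix([label(r.domain), label(seed.domain)])) < min_prefix:
            continue
        related.append(r.domain)
    return sorted(related)

NS = ("dns1.namecheaphosting.com", "dns2.namecheaphosting.com")
# Constructed sample feed: names and WHOIS values follow the article; dates are assumed.
SAMPLE_FEED = [
    NrdRecord("365phoneverificationonline.com", "Namecheap", NS, "Iceland", "2021-11-13"),
    NrdRecord("365loginsec.xyz", "Namecheap", NS, "Iceland", "2021-11-13"),
    NrdRecord("365boilogin.xyz", "Namecheap", ("DNS2.namecheaphosting.com.", NS[0]), "Iceland", "2021-11-13"),
    NrdRecord("365transaction-review.com", "Placeholder Registrar", NS, "Iceland", "2021-11-13"),
    NrdRecord("example-bakery.com", "Namecheap", NS, "Iceland", "2021-11-13"),  # same footprint, unrelated name
    NrdRecord("365live-onlinehelp.com", "Namecheap", NS, "Iceland", "2021-11-12"),  # registered a day earlier
]
```

Calling find_related(SAMPLE_FEED, "365phoneverificationonline.com") returns only the two "365" siblings; with min_prefix=0 the unrelated example-bakery.com record joins them, which is the false-positive risk of pivoting on registrar defaults alone.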

Detect Possible DGAs

With the help of the NRD database, domain names produced by domain generation algorithms (DGAs) can be detected, screened, and flagged accordingly. The possible DGA-generated names found in the 15 November NRD database are random-looking strings, some with digits mixed in, under TLDs such as .xxx, .org, .info, .us, .biz, and .sale.


In the same way, you can filter the data feed for possible DGA-generated names that were recently updated or have expired. Thousands of .work domains that begin with the string “2020” followed by random alphanumeric characters were detected in the 15 November data feed. Some of these domains are flagged as malicious.

These dropped domains may have been registered in bulk by the same threat actors and left to expire after only a few of them were used. This is consistent with the bulk registration trend we found when investigating brand squatters.
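A lexical screen for DGA-like names of the kind discussed in this section (random consonant-heavy strings, and the “2020” plus random characters pattern), as an added example in Python; it is not code from the article or from WhoisXML API, and the thresholds and the two-signal rule are this example's own assumptions chosen so that long but pronounceable names pass.

```python
import re

VOWELS = set("aeiou")
DIGIT_MIX = re.compile(r"[a-z][0-9]+[a-z]")  # digits sandwiched between letters

def registrable_label(domain: str) -> str:
    """Lower-cased second-level label; undoes the [.] defanging used in reports."""
    return domain.lower().strip().replace("[.]", ".").split(".")[0]

def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def dga_signals(domain: str) -> list:
    """Independent lexical signals that a label was machine-generated rather than chosen."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    signals = []
    if len(label) >= 12:
        signals.append("long label")
    if longest_consonant_run(label) >= 5:
        signals.append("consonant run >= 5")
    if letters and sum(ch in VOWELS for ch in letters) / len(letters) < 0.25:
        signals.append("vowel ratio < 0.25")
    if DIGIT_MIX.search(label):
        signals.append("digits mixed into letters")
    return signals

def looks_dga(domain: str) -> bool:
    return len(dga_signals(domain)) >= 2  # two signals, so long-but-pronounceable names pass

def triage(domains) -> list:
    return [d for d in domains if looks_dga(d)]  # feed entries worth a closer look

# Constructed sample: names quoted in the article plus an ordinary long business name.
SAMPLE_FEED = [
    "gqlocfsjvi[.]xxx",
    "hojiggtmxlvxwol[.]org",
    "h8uag1iekruxueafpbuxoo[.]us",
    "2020fvhnj[.]work",
    "gorillasafariuganda[.]com",
    "builderinbelfast[.]com",
]
```

Because it is purely lexical, a screen like this is a triage filter to prioritise which feed entries to check against reputation data, not a verdict on its own.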

Discover Dropped Malicious Domains

Domains that are left to expire may have interesting stories to tell. Some may have been dropped after a business failure, while other registrants may simply have lost interest. On the other hand, some expired domains may already have served their purpose.

For instance, the domain pay-p-al[.]com was among those dropped on 15 November 2021. It appears to squat on paypal[.]com and was reported as malicious on 8 May 2021. Since the domain was already flagged and most likely blocked, the registrant may have let it expire. Dozens more recently expired domains on the 15 November data feed, under TLDs such as .work, .xyz, .club, .com, and .top, were likewise flagged as malicious.


Discover Recently Updated Domains

The Enterprise and Ultimate packages also give you access to recently updated domains. This data lets you answer insightful questions, including:

  • Are there domains whose WHOIS records have changed to known suspicious or malicious ones, such as nameservers or registrant contact details?
  • Are there domains recently transferred to less reputable registrars?
  • Have the domains you’re managing undergone unauthorized WHOIS record changes?

While it would be unfair to treat all newly registered domains as malicious, suspicious instances are still found in our feeds daily. The examples above illustrate why monitoring newly registered domains is worthwhile if you want to stay on the safe side.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
