|
Threat actors continue to abuse the DNS by weaponizing domain names. On 13 April 2023, through our recently launched Threat Intelligence Data Feeds (TIDF), we identified more than 1 million suspicious and malicious domains that figured in phishing, malware distribution, spam, and other cyber attacks, such as brute-force and distributed denial-of-service (DDoS) attacks.
WhoisXML API researchers reviewed those suspicious and malicious domains and probed them using our WHOIS, IP, and DNS intelligence to provide additional value to threat and adversary contextualization, investigation, prediction, and disruption efforts. Our study revealed the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The chart below shows the distribution of malicious domains by threat type.
Nearly half of the malicious domains studied were flagged as C&C servers and about 18% figured in phishing campaigns. Interestingly, a screenshot analysis of a sample of these domains still showed live login and signup pages.
About 13% were involved in malware distribution. While such a campaign can be launched in several ways, app downloads like the one shown below could be another tactic.
A few domains (0.6%) meanwhile were linked to suspicious activities, such as hosts possibly involved in sending large volumes of queries. An example is paypaypay[.]org whose screenshot is shown below.
On the other hand, a little over a dozen domains were classified as spammers, while around 21% were indicators of compromise (IoCs) involved in generic malicious campaigns.
The malicious domains were distributed among more than 700 TLDs, with .com accounting for the majority (45.5%). There’s a nonnegligible gap between .com and the rest of the top TLDs—.net with 13.6%, .org with 12.1%, .biz with 6.5%, .info with 4.4%, .xyz with 2.8%, .top with 2.4%, .site with 0.8%, .tickets with 0.7%, and .blackfriday with 0.7%.
The chart below shows the top 20 TLDs used by the malicious domains.
The malicious domains were also analyzed based on Cloudflare’s list of the most-impersonated brands. We sought to determine the percentage of malicious domains on the specific data feed that seemingly attempted to imitate the companies. That is detailed in the table below.
Company Name | Percentage of Domains Found | Company Name | Percentage of Domains Found |
---|---|---|---|
InPost | 13.4% | Rakuten | 1.3% |
8.1% | eBay, Inc. | 1.2% | |
Amazon | 7.6% | ING Group | 0.9% |
Apple | 5.7% | Internal Revenue Service | 0.8% |
WhatsApp (Meta) | 5.6% | Coinbase Global, Inc. | 0.7% |
Meta | 5.0% | AEON | 0.7% |
Office365 (Microsoft) | 4.8% | HSBC Holdings plc | 0.5% |
ATT | 4.4% | Naver | 0.5% |
The Bank of America Corporation | 4.4% | Caixa Econômica Federal | 0.4% |
Deutscher Paketdienst | 3.8% | American Express Company | 0.3% |
PayPal | 3.7% | National Police Agency Japan | 0.3% |
Microsoft | 3.2% | LinkedIn (Microsoft) | 0.2% |
United States Postal Service | 2.7% | FedEx | 0.2% |
Allegro | 2.4% | Banco Bradesco S.A. | 0.2% |
DHL | 2.3% | Correos | 0.2% |
Adobe | 2.3% | Chase Bank | 0.1% |
Steam | 2.3% | Bank Millennium SA | 0.1% |
Instagram (Meta) | 1.9% | Swisscom AG | 0.1% |
Netflix Inc | 1.6% | East Japan Railway Company | 0.1% |
Sumitomo Mitsui Banking Corporation | 1.5% | Swiss Post | 0.1% |
Orange S.A. | 1.4% | KDDI | 0.1% |
Wells Fargo & Company | 1.4% | Alphabet | 0.1% |
JCB Co., Ltd. | 1.3% | Verizon | 0.1% |
Overall, about 3% of the data feed were possible cybersquatting domains targeting these most-impersonated brands.
Next, we sought to determine the organizations with administrative control over the malicious domains. To do that, we used Bulk WHOIS Lookup to retrieve the WHOIS information of a sample of the malicious indicators, comprising 16,382 domains. Bulk IP Lookup was also used to obtain their IP geolocation details.
Among the top registrars were GoDaddy (16.4%), Namecheap (8.1%), Hostinger (6.6%), Mark Monitor (6.3%), REGRU-RU (4.9%), PDR Ltd., (3.9%), NOM-IQ (3.1%), Amazon (1.7%), RU-CENTER-RU (1.5%), and REG.RU, LLC (1.4%). The rest of the malicious domains were divided among 376 other registrars.
Some of the registrars in the top 10 were also the top ISPs. For instance, Amazon led the list with 22.7% of the resolving domains. Hostinger was also in the top 10 ISPs, accounting for 2.3% of the resolutions. The other ISPs on the list were Cloudflare (15.8%), Google (6.2%), Akamai (2.5%), Servers.com (1.8%), Fastly (1.8%), 24 Shells (1.6%%), Trellian Pty. Limited (1.3%), and Microsoft (1.3%).
WHOIS and IP geolocation details obtained from the previous analysis helped us determine the top locations of the sample malicious domains.
The U.S. consistently ranked first in both areas, accounting for 72.4% of the IP resolutions and 56.4% of the domain registrations. Iceland was the second top registrant country, with 8.8%, mostly for domains with redacted WHOIS records. It was followed by Cyprus with 8.1%, China with 2.7%, and the U.K. with 2.4%. The rest of the top 10 are found in the list below.
For IP geolocation, Canada came in second with 4.3%, followed by Germany with 3.5%, the Netherlands with 3.3%, and China with 2.7%. The chart below shows the rest of the top IP geolocation countries.
The insights gleaned from this study were based on suspicious and malicious domains detected on 13 April 2023. Given the dynamic threat landscape, these may change daily. This reality further highlights the need for constant DNS monitoring and analysis for proactive threat detection, prevention, mitigation, and disruption.
Interested in accessing our Threat Intelligence Data Feeds? Request a demo now or download file samples.
Sponsored byVerisign
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byCSC