Newly registered domains (NRDs) are created at the astounding rate of about 200,000 every day and a recent report indicates that 70 percent of these are malicious or suspicious and used for a wide range of nefarious activities.
The NRDs are an interesting breed with some staying active
for a very brief period, just hours, while others are quickly spotted behaving
as command and control servers or distributing malware, phishing attacks or
used for typosquatting. For the most part NRDs are registered under the .com
TLD, but those registered under a country code extension tend to be malicious
in nature.
Palo Alto Networks found NRDs registered as .to (Tongo) and
.di Kiribati) had the highest rate of nasty domains with more than 90 percent
in each case being considered malicious or suspicious.
Because there are such a high number of NRDs from specific
locations Palo Alto Networks recommends combatting the problem using URL
filtering.
“While this may be deemed a bit aggressive by some due to
potential false-positives, the risk from threats via NRDs is much greater. At
the bare minimum, if access to NRDs are allowed, then alerts should be set up
for additional visibility,” the report stated.
Blocking is also effective due to the fact that many NRDs
are up and running for such a short period of time, a tactic used by the cybercriminals
so security teams simply do not have the time to discover the threat.
Palo Alto Networks said these figures were derived after
having studies NRDs for more than nine years and from working with the Internet
Corporation for Assigned Names and Numbers (ICANN) and various domain
registries and registrars.
Gloss