Akamai researchers on Wednesday reported that based on a newly observed domain (NOD) dataset, they have flagged almost 79 million domains as malicious in the first half of 2022.
The researchers say this equals approximately 13 million malicious domains per month, representing 20.1% of all the NODs that successfully resolved.
In a blog post, the Akamai researchers explained that whenever a domain name is queried for the first time in the last 60 days, the researchers consider it an NOD. The NOD dataset lets the researchers zoom in on the “long tail” of DNS queries. This dataset is where to find freshly registered domain names, typos, and domains that are only very rarely queried on a global scale.
NOD data lets Akamai classify a new domain very early in the threat lifecycle. All of its NOD-based detection systems and rules are fully automated. The researchers say that once a new NOD gets identified, the time needed for Akamai to classify it as malicious is measured in minutes — not hours or days. All of this gets done with no human intervention, which lets Akamai mitigate the new DNS threats quickly, according to the researchers.
“To put these numbers into context, every month we intercept 13 million domains that are created with malicious purposes that resolve or go somewhere,” said Stijn Tilborghs, a senior data scientist at Akamai. “Based on the data that we see, and with our current heuristic detection system, this equates to 1 in 5 new domains being created for malicious purposes. From a defense perspective, Akamai was able to flag these domains as malicious because of this NOD-based detection system. This allows carriers and ISP's to block these domains."
Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, said the data shows a trend that has been increasing exponentially over the past few years: domains are created with the intent of spreading or being used in malicious activities. Fulmer said these activities are often leveraged as a part of code telling a machine where to pull a malicious payload from, developed into a phishing site with the intent of stealing credentials, or even used as a contact point for a command-and-control beacon to report back around connectivity.
“These numbers are extremely significant, as looking at the domains in question are random number-letter combinations which amounts to almost a ‘burner’ domain,” Fulmer said. “They are created with the intent of malicious activity, and once they are compromised or classified as malicious, threat actors can just dump them and move to a new domain. For this reason alone, you need to ensure that you have adequate layering in place for your defenses, especially as the rate of false positives was 0.00042% (329 sites out of 79 million).”
Muralidharan Palanisamy, chief solutions officer at AppViewX, said Akamai’s detection is based on NODs, which are essentially new DNS domains that appear on the internet. Palanisamy said with existing domains having some history and reputation, identifying whether or not they are secure requires minimal effort. That being said, Palanisamy said there’s a challenge in figuring out whether the new domains are malicious or not.
“Akamai’s NOD-based automated detection is a novel approach, where they address and mitigate threats in the DNS layer, way before the connection gets established to impact applications,” Palanisamy said. “Because security is multi-faceted, we have to rely on all weapons in our arsenal to identify the bad actors. Another related approach is Google’s Certificate transparency initiative, which was able to identify and address compromised certificates, domains and certificate authorities. However, with regulatory authorities being compromised and state actors setting up their own regulations, bad actors are able to bypass checks. This is where NODs will help in identifying the new domains that pop up by monitoring and tracking them.”
Mike Parkin, senior technical engineer at Vulcan Cyber, he’s not surprised that Akamai found so many throwaway malicious domains. Parkin said threat actors are constantly having to create new ones as the old ones are identified and either eliminated from the DNS system or blocked by security gateways.
“Ultimately, some form of secure and validated DNS system should become the standard, though there are already a number of tools that will at least provide warnings when a user tries to connect to a suspect domain,” Parkin said.