Newly registered domains (NRDs) are created at the astounding rate of about 200,000 every day, and a recent report indicates that 70 percent of them are malicious or suspicious and used for a wide range of nefarious activities.
NRDs are an interesting breed: some stay active for a very brief period, just hours, while others are quickly spotted acting as command and control servers, distributing malware, hosting phishing attacks or being used for typosquatting. For the most part NRDs are registered under the .com TLD, but those registered under a country-code extension tend to be malicious in nature.
Palo Alto Networks found that NRDs registered under .to (Tonga) and .ki (Kiribati) had the highest rate of nasty domains, with more than 90 percent in each case considered malicious or suspicious.
Because such a high number of NRDs come from specific locations, Palo Alto Networks recommends combating the problem with URL filtering.
“While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, then alerts should be set up for additional visibility,” the report stated.
Blocking is also effective because many NRDs are up and running for only a short period of time, a tactic cybercriminals use so that security teams simply do not have time to discover the threat.
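The block-or-alert policy described above, as an added example that is not code from the report or from Palo Alto Networks: it applies a registration-age check to constructed DNS query log lines, enforcing the recommended block by default or the bare-minimum alert instead, and flags country-code TLDs for triage. The 32-day window, the log format, the hostnames and their registration dates are all assumptions made for the example.

```python
from datetime import date

# Constructed registration dates for the sample hostnames below (not data from
# the report); in practice these come from RDAP/WHOIS lookups or an NRD feed.
REGISTRATION_DATES = {
    "example-shop.com": date(2015, 3, 2),
    "login-update.to": date(2024, 5, 30),
    "news-portal.ki": date(2024, 5, 20),
}
NRD_WINDOW_DAYS = 32  # assumption: days a domain counts as "newly registered"
TODAY = date(2024, 6, 1)  # constructed reference date matching the sample log

# Constructed DNS query log lines in a simple key=value format.
LOG_LINES = [
    "2024-06-01T10:00:01Z client=10.0.0.5 query=www.example-shop.com",
    "2024-06-01T10:00:07Z client=10.0.0.5 query=login-update.to",
    "2024-06-01T10:02:30Z client=10.0.0.9 query=news-portal.ki",
    "2024-06-01T10:03:45Z client=10.0.0.7 query=unknown-host.net",
]

def registrable_domain(hostname):
    """Last two labels of a hostname (ignores multi-label suffixes such as
    co.uk; a real deployment would consult the Public Suffix List)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def is_cctld(hostname):
    """A two-letter final label is a country-code TLD."""
    return len(hostname.rsplit(".", 1)[-1]) == 2

def classify(hostname, today, mode="block"):
    """Return 'allow', 'alert' or 'block'. mode='block' enforces the filtering
    the report recommends; mode='alert' is its bare-minimum alternative.
    A hostname whose registration age is unknown is alerted on, not allowed."""
    registered = REGISTRATION_DATES.get(registrable_domain(hostname))
    if registered is None:
        return "alert"
    if (today - registered).days > NRD_WINDOW_DAYS:
        return "allow"
    return "block" if mode == "block" else "alert"

def triage(lines, today, mode="block"):
    """Apply the policy to each log line -> (client, host, verdict, is_cctld)."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        host = fields["query"]
        results.append((fields["client"], host, classify(host, today, mode), is_cctld(host)))
    return results
```

Run `triage(LOG_LINES, TODAY)` for the blocking policy or `triage(LOG_LINES, TODAY, mode="alert")` for alert-only; the ccTLD flag in each tuple lets an analyst prioritise the alerts the report singles out as most likely malicious.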
Palo Alto Networks said these figures were derived from studying NRDs for more than nine years and from working with the Internet Corporation for Assigned Names and Numbers (ICANN) and various domain registries and registrars.