A new report, which profles malicious domains by describing patterns in their
registration details: top level domain (TLD), free email provider, Whois privacy provider, and
hosting location has some startling insights.
In this latest edition, it compares the distributions of malicious domains vs neutral
domains across a measure of age (both of the domain and of the name server domain) and
a measure of the entropy of the domain name. It also examines malicious domains across
registrars to find additional clues as to how and when these domains were registered.
Key Finding:
DOMAIN AGE Even among young domains, there are far more neutral than malicious domains. However, when we examine bad domains as a class, many more of them are relatively young. Neutral domains, as a class, show less of a skew toward youth.
NAME SERVER DOMAIN AGE Most domains have a name server associated with them. The domains of the name servers themselves can act as a statistical signal; the signal shows that more malicious domains have comparatively young name server domains.
DOMAIN NAME ENTROPY Domain names with high entropy—that is, those that are gibberish combinations of letters and numbers— are more likely to be malicious than linguistically coherent domains. While this may not be surprising, it is informative to see the specific data.
DOMAIN REGISTRAR Some domain registrars stand out for having high percentages of malicious domains registered through them. And, in one particular case, the registrar also has fairly high absolute numbers of malicious domains in addition to a high percentage.
In the DomainTools Report, it mines DomainTools data in order to discover patterns in domain registrations that may help researchers or security analysts learn more about concentrations of malicious activity.
In the frst two reports, they examined attributes such as top level domain (TLD), Whois privacy providers, and registration behaviors of domain registrants strongly connected to high volume malicious activity.
They believe that malicious actors behave in a predictable manner, and the more we profle that behavior, the better we can defend against them. Those prior reports found high concentrations of malicious domains in various Japanese and Chinese privacy providers, email providers, and bulk domain registration agents.
The data in those reports have helped paint a broad picture, and the data in this latest report adds to our understanding of cybercriminals. For this edition of the report, it examines several new attributes, some of which readers may have considered before.
They include:
- Age of the domain (as of Feb 2016)
- Age of name server domain (as of Feb 2016)
- Entropy of the domain name composition
- Registrar of the domain
As in earlier editions of The DomainTools Report, having nearly all of the existing domains’ registration information at the researchers fingertips has allowed them to pull out some interesting patterns.
Ultimately, they believe it will be possible to predict the likelihood that a new or previously-unseen domain will be malicious, based on its unique composition of attributes.
Like snowfakes or fngerprints, no two domains are exactly alike. At a minimum, each name is unique, but in most cases there are multiple attributes that differ. Some of these differences—individually or in concert with others—may help predict the risk level of the domain
The post The domain tools report – the distribution of malicious domains appeared first on Payments Cards & Mobile.
