Tens of thousands of newly registered domains (NRDs) enter the Domain Name System (DNS) daily. More worrying is that a majority of these can pose threats to individuals and companies alike. Typosquatting and phishing campaigns are just two of the common cyber attacks that employ NRDs; such attacks can disrupt operations, lead to sensitive data loss, and cause financial and reputational damage to businesses. But what exactly are NRDs?
What Are Newly Registered Domains?
NRDs refer to domains that were either recently registered or updated (within the past few weeks). They serve as hosts for new websites of just established companies or homes for already-existing organizations’ new products or services.
Over time, however, we’ve also seen NRDs play a part in malware attacks, typosquatting campaigns, and COVID-19-themed threats. For example, a May 2021 study of a sample of coronavirus-themed NRDs showed that 65% of them were malicious.
Newly Registered Domains That You Should Avoid
Various types of NRDs exist, and some of them need to be avoided by businesses at all costs, as accessing them could lead to malware infection or a compromise. Four kinds of NRDs, in particular, are included in this list.
Machine-Generated Newly Registered Domains
Threat actors need a slew of domains on which to host malicious pages, so that their campaigns continue even if some of their websites get taken down. One way they obtain them is with domain generation algorithms (DGAs), which can churn out many domains on a regular basis to serve as rendezvous points for command-and-control (C&C) servers in malware attacks. DGA-manufactured domains typically consist of random alphanumeric characters and so don’t form meaningful words. Such NRDs have been used by malware families like Kraken, the first malware to do so, as far back as 2008.
Typosquatting Newly Registered Domains
Riding on the popularity of established brands is also a popular threat actor tactic. And so, they register domains that look like those of legitimate companies (known as “typosquatting domains”) to get as many users as possible into clicking them. These look-alike or typosquatting domains, however, usually host fake pages that drop malware onto visitors’ systems.
Punycode Newly Registered Domains
Punycode is what lets non-English speakers use internationalized domain names (IDNs). An IDN lets them use their local language and alphabet in their domain names. The DNS, however, uses a limited character set (A–Z and 0–9), the English alphabet in this case. So Punycode encodes every non-English character into that character set for the DNS to recognize. Punycode domains (or the encoded labels within them) begin with “xn--.”
These NRDs are often used in phishing attacks because they help threat actors evade detection, especially when the targets don’t speak the language used to craft the domain.
Current Event-Inspired Newly Registered Domains
Cybercriminals also often ride on current events for their malicious schemes. We saw that in the COVID-19-themed attacks cited above. Many such domains are malicious and only use popular events to entice users to click them. As a result, their computers could be infected with malware, or their personally identifiable information (PII) might be stolen.
2 Ways Businesses Can Benefit from Newly Registered Domains Monitoring
Accessing malicious NRDs can be avoided through constant monitoring and, where relevant, blocking, aided by a list of NRDs. This practice can help businesses beef up their cybersecurity and improve their marketing efficiency. Here’s how.
Enhancing Cyber Resilience
Monitoring NRDs should become a normal practice for businesses, since the volume of threats that use NRDs as attack vectors continues to increase. Organizations are likely to benefit from feeding NRD data into their threat-blocking systems and solutions, as that reduces the time and effort they would otherwise spend scouring the Web for disparate lists of indicators of compromise (IoCs) and other artifacts to include in their blocklists.
Consider this. On any given day, malicious NRDs could make their way into the DNS. A list of NRDs for 27 July 2021, for instance, revealed several NRDs were malicious, including:
- 10qtmqx73[.]com (a machine-generated domain)
- paypalcc[.]com (a typosquatting domain)
- xn--07apple-y48l[.]com (a Punycode domain)
- beforecovid19[.]com (a current-event-inspired domain)
Without an NRD data feed, identifying these domains and blocking access to and from them would be difficult.
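As an added example (not code from the original post or from any NRD feed vendor), the script below shows how a defender might triage a day's NRD feed into the four categories described above and, from the same feed, pull the keyword matches the marketing section relies on. The feed is constructed inline from the four domains cited for 27 July 2021 plus a few hypothetical entries; the brand watchlist, event keyword list, and the DGA heuristic thresholds are all assumptions, not a published rule.

```python
"""Triage a newly registered domain (NRD) feed into the risky categories the
post describes, and count marketing keyword matches from the same feed.
Added example: heuristics, thresholds and watchlists are assumptions."""
import math

# Constructed sample feed: the four domains the post cites for 27 July 2021,
# plus hypothetical benign and look-alike entries added here for contrast.
SAMPLE_FEED = [
    "10qtmqx73[.]com",       # defanged notation, as written in the post
    "paypalcc.com",
    "xn--07apple-y48l.com",
    "beforecovid19.com",
    "paypa1.com",            # constructed: one-character look-alike
    "acme-consulting.com",   # constructed: benign
    "smithlawgroup.com",     # constructed: benign
    "microsoft.com",         # constructed: the brand itself, must not be flagged
]

# Assumed watchlists; a real deployment would use the organisation's own lists.
BRANDS = ("paypal", "apple", "microsoft")
EVENT_KEYWORDS = ("covid19", "covid", "coronavirus")


def normalise(domain):
    """Lower-case a domain and undo the '[.]' defanging used in reports."""
    return domain.strip().lower().replace("[.]", ".")


def registrable_part(domain):
    """Everything left of the TLD, e.g. 'paypalcc' for 'paypalcc.com'."""
    return normalise(domain).rsplit(".", 1)[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking strings score high."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_machine_generated(label):
    """DGA-style heuristic: long label, few vowels, digits or high entropy.
    Thresholds are assumptions tuned to the sample feed."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 8 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    has_digit = any(c.isdigit() for c in label)
    return vowel_ratio < 0.2 and (has_digit or shannon_entropy(label) >= 3.0)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character brand look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(label, brands=BRANDS):
    """Flag a label that embeds a brand or sits within one edit of it,
    while leaving the brand's own exact label alone."""
    if label in brands:
        return False
    return any(b in label or edit_distance(label, b) <= 1 for b in brands)


def is_punycode(domain):
    """Any label starting with 'xn--' is a Punycode-encoded IDN label."""
    return any(p.startswith("xn--") for p in normalise(domain).split("."))


def is_event_themed(label, keywords=EVENT_KEYWORDS):
    return any(k in label for k in keywords)


def classify(domain):
    """Return the sorted list of risk tags that apply to one domain."""
    label = registrable_part(domain)
    tags = []
    if is_punycode(domain):
        tags.append("punycode")
    elif looks_machine_generated(label):  # Punycode is random-looking by design
        tags.append("machine-generated")
    if is_typosquat(label):
        tags.append("typosquatting")
    if is_event_themed(label):
        tags.append("current-event")
    return sorted(tags)


def blocklist_candidates(feed):
    """Domains that earned at least one tag: the entries to push to a blocklist."""
    return sorted(normalise(d) for d in feed if classify(d))


def count_containing(feed, keyword):
    """Marketing view: how many feed entries contain a keyword like 'consulting'."""
    return sum(keyword in registrable_part(d) for d in feed)


if __name__ == "__main__":
    for d in SAMPLE_FEED:
        print(f"{normalise(d):24} {classify(d)}")
    print("blocklist:", blocklist_candidates(SAMPLE_FEED))
    print("consulting:", count_containing(SAMPLE_FEED, "consulting"))
```

The DGA heuristic is deliberately simple (vowel ratio plus digits or entropy) and will miss wordlist-based DGAs; in practice it would be paired with the feed provider's own scoring. Note that the Punycode example is also tagged as typosquatting because the ASCII portion of the encoded label still carries the brand string.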
Coming Up with Better Market Tactics
Monitoring NRDs using an updated data feed can also help marketing teams make market analyses and research more relevant, allowing them to keep an eye on their competitors or new entrants to their industries. From a list of NRDs for 27 July 2021, for instance, we found 248 domain names that contain the string “consulting.” This information could be useful for companies offering consulting services.
The data feed also contains 639 domains containing “law,” which could be indicative of new legal services market entrants that an organization should add to its list of competitors.
NRDs may be created with different purposes, and not all of these domains are necessarily malicious. However, monitoring them might be a useful practice that can help amp up your cybersecurity and marketing efficiency, and as a result, protect your business’s reputation and finances.