Skip to main content
DomainTools Announces Predictive Threat Feeds - Powering Preemptive Exposure Management
DomainTools Investigations

The Domains Start Coming and They Don’t Stop Coming

Written by: 
DomainTools Investigations
Published on: 
Apr 24, 2025
On This Page
TOC Element
Share:

What To Do With An Influx of Newly Created Domains

This would not be a proper summary of a cybersecurity report if we did not include the phrase, “in the ever-evolving cybersecurity landscape…”

We know, we know, but please, bear with us, we’re doing something.

A man sitting in a car at a drive-thru looks surprised and mouths something, gesturing with his hand. A "Drive Thru" sign with a burger and arrow is visible outside the car window.
via Giphy

We could not be any more aware that the cyber landscape is evolving, but it turns out, however, that there are a few constants that rarely change: Domains and DNS are on top of that list. The purpose of this report is to illuminate Domain patterns and DNS infrastructure created by cybercriminals in order to collectively improve the community’s defenses.

In 2024, DomainTools observed over 106 million new domains, averaging approximately 289,000 daily. That’s a massive influx that could leave even the most seasoned cybersecurity teams feeling daunted.

But, in the spirit of teamwork and togetherness, DomainTools Investigations wants to equip you. We want you to feel proactive instead of reactive. We want you to feel like Kevin in Home Alone making that plan of attack against the robbers plotting to break into his home. After all, your org is your house; you have to defend it!

The full report you should absolutely download provides actionable insights by examining a large sampling of worldwide publicly reported malicious domains and the global scale of all newly observed domains in 2024. What analytics techniques are included?

Domain Attribute AnalysisRegistration and resolution details to identify patterns and correlations between these
attributes and malicious activity and reveal common hosting and registration practices used by threat actors
Website Title AnalysisIdentify content themes and keywords indicative of malicious intent, such as those related to phishing, scams, or malware distribution.
Risk Scoring AssessmentsQuantify the likelihood of a newly registered domain being malicious; enabling prioritization of domains for further investigation and threat mitigation.
DGA Detection (Entropy, Length, Standard
Deviations)		Uncover domains generated by automated systems used by malware to evade detection, revealing communication channels used by botnets and other threats.
Keyword Likeness AssessmentIdentify domains related to specific malicious
activities (malware delivery, credential harvesting, scams) and emerging threat trends.
New Top-Level Domain (TLD) AnalysisIdentify emerging threat vectors and understand how threat actors utilize new TLDs in their campaigns.
IDN Homoglyphs / Topic Likeness Distance AnalysisIdentify domains used for typosquatting, phishing, and other deceptive tactics that exploit public interest in current events.

Why does it matter? We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.

A NOD to the Findings

Without giving too much away, here is a brief summary of some of the findings from the report.

The Sheer Volume of Newly Observed Domains

It can’t be said enough, just the massive number of newly created domains in 2024 posed challenges for security teams – take a look at it in chart form:

Line graph titled "Domain Creation Timeline (2024)" from the DomainTools Investigations year-in-review report shows daily fluctuations in domain creation, ranging from 100,000 to over 600,000, with several sharp peaks and dips throughout the year.

DomainTools Risk Scoring Enhancements

What does this mean? The “equal category consists of domains that scored “equally badly” on four subscores (including Malware vs. Phishing and “Spam vs. Proximity”) shown in the diagram below:

Stacked bar chart showing daily counts of dominant risk types for domains from July 2022 to July 2023, drawn from DomainTools Investigations domain intelligence year-in-review report. "Spam" is the most common risk type across most dates.

What About Commonalities in Malicious Domain Attributes?

Our analysis revealed recurring patterns in preferred registrars, Internet Service Providers (ISPs), nameservers, and SSL issuers used by malicious domains, which aided in proximity risk associations and identifying high-risk providers.

Can We See Keyword Analysis for Threat Detection?

Yes! We saw patterns of domain names used for scams, fraud and financial theft in 2024 which included keywords such as:

  • Phishing
  • Fraud
  • Scam
  • Bitcoin
  • Fake
  • And more

As a matter of fact, DomainTools Investigations reported on a notable surge of domains containing the keyword ‘AirDrop,’demonstrating the direct link between domain registration patterns and potential fraudulent activities.

High Publicity Event Exploitation

If you follow the DomainTools @SecuritySnacks account on X and Mastodon, you’re likely familiar when the team posts about domain registration surrounding big events. Threat actors are opportunists and like to act quickly when a popular event resonates with the public. What did we look for in 2024? While it’s not an exhaustive list, we saw lookalike domains created around event categories including:

  • Political and Elections
  • Technological Advancements (hello, AI)
  • Natural Disasters
  • Social Movements
  • Popular Culture
  • Global Conflicts

How Domain Intelligence Fights Cybercrime

To effectively fight cybercrime, we have to take a leaf from Sun Tzu’s book and “know thy enemy.” We need to understand the enemy and their infrastructure. We have to look at known malicious domains to see the patterns emerging.

This report is not just about identifying bad actors in 2024. We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.

For full details on the analysis, download the report here:

Download the 2025 DTI Year-In-Review Report

No items found.
DomainTools Investigations
DomainTools Investigations

Heading

Login
Contact
Support
Request a Demo