Profiling malicious domains in The DomainTools Report
At the 2015 RSA Conference in San Francisco, we released the first edition of The DomainTools Report: A Profile of Malicious Domains.
In this report, we investigate the attributes of malicious domains connected to malware, spam, phishing, and botnets. Using an aggregation of industry blocklists and DomainTools’ data, we compared the bad actors’ preferences for TLDs, email domains, privacy providers, and hosting locations. We identified some key trends that should help to profile cybercriminal behavior.
Why did we create this report?
Much of the malicious activity on the Internet is classified and tracked in domain blocklists and reputation scores. But these do little to profile and predict cybercrime to proactively protect against domains that have yet to exhibit illicit behavior. Malicious actors often behave in a predictable manner, and the more thoroughly we profile that behavior, the better we can defend against them. With that purpose in mind, we analyzed domains from several popular blocklists. This report uses DomainTools’ leading Whois and DNS data to define attributes of those malicious domains and begin to create a profile of locations and privacy preferences of cybercriminals.
What did we learn?
Our comprehensive coverage of Whois records enables us to take a broad look at registration attributes of all domains. Overlaying the domain data with data on malicious activity gave us quantitative insights into where the malicious and innocuous domains “live,” logically as well as geographically.
For example, one of the attributes we analyzed was the email domain used to register domains. In particular, we compared free email domains such as gmail.com, yahoo.com, hotmail.com and their variants and international counterparts. The results were both expected and unexpected. Gmail.com was used for the most domain registrations, malicious or not, so it also accounted for the largest absolute number of malicious domains. But measured as a percentage of each provider's registrations, some Japanese free email providers were the most malicious, primarily due to a large quantity of spam originating from domains registered with those providers.
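The count-versus-rate distinction above is the core of this kind of profiling, so here is an added example (not DomainTools' code or data) that overlays a constructed blocklist on a constructed set of Whois registrant email domains and ranks providers both ways; the provider name "freemail-jp.example" is a hypothetical stand-in, and the minimum-registrations threshold is an assumption to keep tiny samples from producing meaningless 100% rates:

```python
from collections import Counter

# Constructed sample data (not DomainTools' data): each registered domain
# mapped to the email domain of its Whois registrant contact.
WHOIS_EMAIL_DOMAIN = {
    "shop-one.example": "gmail.com",
    "shop-two.example": "gmail.com",
    "news-a.example": "gmail.com",
    "news-b.example": "gmail.com",
    "blog-c.example": "gmail.com",
    "blog-d.example": "gmail.com",
    "site-e.example": "yahoo.com",
    "site-f.example": "yahoo.com",
    "site-g.example": "yahoo.com",
    "site-h.example": "yahoo.com",
    "loan-x.example": "freemail-jp.example",  # hypothetical provider
    "loan-y.example": "freemail-jp.example",
    "loan-z.example": "freemail-jp.example",
    "misc-1.example": "hotmail.com",
    "misc-2.example": "hotmail.com",
}

# Constructed aggregated blocklist (spam/phishing/malware listings).
BLOCKLIST = {"shop-two.example", "news-b.example", "site-g.example",
             "loan-x.example", "loan-z.example"}


def profile_email_domains(whois, blocklist, min_registrations=2):
    """Return {email_domain: (total, malicious, rate)} for providers that
    registered at least min_registrations domains (small samples skipped)."""
    total = Counter(whois.values())
    malicious = Counter(p for d, p in whois.items() if d in blocklist)
    return {p: (n, malicious[p], malicious[p] / n)
            for p, n in total.items() if n >= min_registrations}


def top_by_count(profile):
    """Provider with the most blocklisted domains in absolute terms."""
    return max(profile, key=lambda p: profile[p][1])


def top_by_rate(profile):
    """Provider with the highest share of its registrations blocklisted."""
    return max(profile, key=lambda p: profile[p][2])


if __name__ == "__main__":
    prof = profile_email_domains(WHOIS_EMAIL_DOMAIN, BLOCKLIST)
    for p, (n, m, rate) in sorted(prof.items(), key=lambda kv: -kv[1][2]):
        print(f"{p:22} total={n:2} malicious={m:2} rate={rate:.0%}")
    print("most malicious by count:", top_by_count(prof))
    print("most malicious by rate: ", top_by_rate(prof))
```

On real data the two rankings diverge for the same reason as in the report: the largest provider dominates by count while a smaller provider with a high spam share dominates by rate.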
For more information and analysis, download a copy of the full report.
We will also be planning a live webinar later this quarter to discuss the report, and to answer your questions about the data and results. In the meantime, if you have any questions, please email us at [email protected].