The DomainTools Report Spring 2017
In the DomainTools Reports, we explore various “hotspots” of malicious or abusive activity across the Internet. Starting with our first report in the spring of 2015, we have analyzed such varied markers as top level domain (TLD), Whois privacy provider, domain age, patterns of registrant behavior, and more. In each case, we found patterns across our database of over 300 million (315M+ as of this writing) active domains worldwide that helped us pinpoint nefarious activity, at a large scale, in ways that are similar to methodologies used by security analysts and threat hunters at smaller scales to expose threat actor infrastructure.
It’s clear that threat actors (e.g. malware, phishing) and “nuisance actors” (e.g. spam) often follow observable patterns in their habits. Network defenders use this to their advantage to map infrastructure being used against them; a simple example is the nefarious domain registrant who uses the same registration information for multiple domains that are used to mount attacks. Similar patterns play out at Internet scale, and some of these patterns have already proven useful in predicting whether a given set of domains, sharing a particular pattern, are likely to be risky.
While each of the reports up to now has focused on a different set of criteria, it was always our intention to look for trends. So, with a couple of years of data under our belts, for this report we re-ran some of our original analyses to see how the world has changed—or stayed the same—since publication of our first report in the spring of 2015. By identifying trends, we may be able in turn to extrapolate from them to develop high-level predictions about how threat actors may use Internet infrastructure in the future.
How we did it
As in our original report, we examined four domain characteristics, to see what patterns emerged in the amounts and rates of nefarious activity tied to those characteristics: TLD, Whois privacy provider (for those domains registered with privacy), free email provider (for registration contact email addresses), and IP geolocation of the IP addresses associated with the domains. Using well-known industry blocklist providers, we analyzed the counts of blocklisted domains versus neutral domains, for each of the four characteristics. This gave us both absolute numbers of bad domains and ratios of good to bad.
We looked at four particular types of nefarious activity: spam, phishing, botnet, and malware. To be sure, some domains may not fall neatly into one of the categories—for example, a phishing domain might host malware, and may even receive botnet callbacks for command and control. Regardless, this approach allowed us to identify concentrations as well as high absolute populations of nefarious domains along each of the dimensions we studied.
What did we find?
- The top level domains (TLDs) with the highest concentrations of malicious activity are a brand-new slate this year, some with truly alarming concentrations of bad domains (for example, over 60% of the domains in .science have been added to an industry blocklist). Many of this year’s top-ten were not yet open for registration in 2015. Because new TLDs have been coming online at a great rate, we expect to continue to see a lot of churn in the rankings of the TLDs in future reports.
- Among Whois privacy services, there was also considerable change; only three out of the 2017 top-ten were in the tops in 2015. One provider, onamae.com, leads in concentration of malicious activity and also has a relatively high volume, with over 111,000 malicious domains as of this writing. It is worth bearing in mind that the use of Whois privacy, by itself, is not a strong predictor of maliciousness in domains.
- Among free email providers (which are represented in the registrant email fields in domain Whois records), many of this year’s top-ten for concentration of malicious domains were also in the 2015 top rankings. One, however, stands out: mynet.com was unranked in 2015 and rose to 1st place in 2017, with over 60% of the associated domains on industry blocklists.
- The geographical concentrations of badness also changed, with four of this year’s top-ten not having been ranked at all in 2015. The top country for concentration of domains added to industry blocklists was, in 2015 and 2017, Cambodia, where approximately 80% of domains hosted in the country had been blocklisted.
So what does it mean?
The TLD space is in a very clear state of rapid change, but even if our next TLD analysis shows a large change in the top ten, the extremely high blocklist rates in this year’s group (none had a concentration of less than around 15%) makes those TLDs worth watching. Likewise, geography and free email provider showed some very high concentrations of malicious activity, making them valuable forensic or defensive criteria in the examination of domains seen in traffic logs. Only the Whois privacy providers showed relatively low concentrations, with all but the #1 provider showing sub-10% concentrations.
We will continue to monitor both the absolute numbers and the trends of these four domain attributes, as well as others that we have examined in other editions of the DomainTools report (such as domain age, name server domain age, registrant behavior, and more), to help paint an ever more-detailed picture of the logical and physical hotspots of dangerous or nuisance activity on the Internet. In the meantime, we hope that our reports prove helpful to researchers, network defenders, and anyone else with an interest in the ever-changing Internet security landscape.
Finally, a huge shout-out to our VP of R&D, Michael Klatt! Michael did most of the heavy lifting for this and all of the previous reports. Enjoy a short podcast below where Michael describes the methodology behind the report, or join us for our webinar on May 18th at 10 AM PT/1 PM ET:
Thanks for reading, and happy exploring!