Domain Blooms: New Method of Detecting Trending Bad Domains

Identify New and Trending Themes in Domain Names

Every domain on the Internet has a job to do, and analysis of domain naming schemes can often tell a researcher a lot about a domain’s intended purpose. Domains registered for malicious purposes often spoof legitimate brands, persons, organizations, or topics of general interest and discussion, aiming to deceive Internet users into visiting them and so further the objectives of their owners. Looking at the name alone, it is often difficult or impossible to evaluate the domain’s legitimacy or intended purpose.

Because 2020 was such an eventful year, and because of the ways in which domain registration and use patterns have evolved, 2020 provides a lot of data on how topics of widespread interest are reflected in Internet domains. This report uses a new type of analysis called Domain Blooms to inspect two major societal events of that year (COVID-19 and Black Lives Matter) through that lens: we examine patterns of domain creation, including a search for “hotspots” of known or suspected malicious domains. A good understanding of such patterns can help network defenders and security researchers anticipate and create detections appropriate to new domain registrations in the hours and days following significant social or political events.

This paper includes:

  • The methodology for the domain bloom research
  • A description of the domain bloom algorithm
  • Findings from the year’s domain spikes and blooms