The DomainTools Report Supplement: Malicious Domain Affix Patterns

In early 2016, DomainTools conducted research to unearth important patterns of malicious domains. This research focused on areas such as comparing neutral and malicious domains by domain age, assessing relative badness based on the entropy of domains, and analyzing domain registrars and “hot spots” of malicious domains. In the most recent DomainTools supplement, published in the summer of 2016, we looked at patterns in domain names themselves to calculate their “signal strength” as an indication of nefarious activity.

We analyzed a corpus of active domains across the Internet—that is, out of the approximately 300 million domain names that are currently registered, we examined approximately 255 million that are actively resolving in DNS—to explore whether certain patterns in prefixes or suffixes were correlated with higher rates of malicious or suspicious activity.

This white paper highlights:

  • How affixes are used by threat actors
  • Affixes in phishing domains
  • Affixes in malware domains
  • Affixes in spam domains