connected dots and blue background
Report Winter Supplement 2017-18
DomainTools Reports

The DomainTools Report Supplement: New Patterns in Phishy Domains

In a DomainTools Report from the summer of 2016, we compared the distributions of malicious domains against neutral domains across a set of affixes (prefixes, suffixes, and infixes) appearing
in domain names, in order to see whether certain affixes were overrepresented in nefarious domain names, and thus presented a meaningful signal of risk. Our findings confirmed that certain affixes do portend higher risk, and we published data demonstrating which affixes were most represented in domains on industry blocklists for malware, spam, or phishing.

Because threat actors continually evolve their tactics, the DomainTools reports periodically update earlier findings; for this edition, we went back to the data for a new study of affix patterns. We wanted to identify what had changed, what stayed the same, and what inferences could be drawn from the data. In the interest of continuously evolving and improving our methodology, we also introduced a new method of finding affixes, and this contributed some interesting new data.

This white paper highlights top:

  • Phishing affixes by “phish score”
  • Malware affixes by “malware score”
  • Spam affixes by “spam score”
  • Trends in affixes