Happy Spring! We’re pleased to share the latest edition of the DomainTools Report. We have compiled information regarding domain registration, hosting, and content-related data since 2015 in an effort to surface patterns and trends that may be beneficial to researchers, security practitioners, and others who are interested in the suspicious or malicious use of online infrastructure.
In the past several editions, we focused on concentration of malicious activity by six categories, which we resume in this current edition, including:
- Top Level Domain (TLD); for example, .com or .net
- IP Autonomous System Number (ASN); these represent an aspect of the domain’s hosting
- Nameserver ASN; these represent the hosting of the nameserver associated with a domain
- IP Geolocation: the country code associated with the location of the domain’s IP address
- Registrar: the entity through which the domain was registered
- SSL Certificate Authority (CA): the CA for certificate(s) associated with domains
We focus on these features as they’re often used by defenders and security researchers as part of a process of building out a better understanding of a domain. Seasoned practitioners often develop intuitions about the implications of a given feature, based on their experience, expertise, and judgment in the analysis of adversary assets.
In many cases, the data seen at scale tend to support those intuitions. Certain TLDs, for example, have reputations among security analysts as being dangerous “neighborhoods” of the Internet, and as this and previous DomainTools Reports show, there are indeed some TLDs that have high concentrations of malicious domains. Other criteria are more ambiguous, such as the aforementioned SSL CAs.
DomainTools Spring 2024 Report Methodology
Candidate Domains
There were two components used to determine which of the candidate domains represented threats.
- We identified domains that were known-bad by checking the domain names against several well-known industry blocklists which give indications of malware, phishing, or spam activity
- We focused on those domains that were active (as of the report data snapshot), and therefore capable of packing a punch. Thus, we excluded domains that appear to be dormant, which was accomplished by cross-checking the domains against our passive DNS sources
Signal Strength
A high signal strength value means that the concentration of malicious domains associated with that characteristic is high. When we know that a large proportion of the domains in a given population (an IP address, a name server, a registrar, etc) is malicious, this raises our confidence that any unknown domain from that population is relatively likely to be involved in the threat in question. Basically, if a feature has more than “its fair share” of malicious domains, compared to the overall average, its signal strength is elevated.
For this report, we took a snapshot of the domains in existence and active as of mid March 2024.
Notable Changes
We’re going to give you a small teaser of some of the interesting data from this edition of the report, but of course we invite you to take a deep dive and read the full report itself.
By evaluating domain characteristics including Top Level Domains, SSL Certificate Authority, and IP Geolocation, DomainTools uncovered multiple patterns of malicious infrastructure across the Internet. For example, our analysis of IP geolocation has unearthed key findings, including:
- Belize emerging as a new phishing and spam powerhouse in 2024, with in excess of 38,000 phishing-associated domains, and 6000 spam-associated domains
- Brazil moving up the ranks in relation to malware, with associated domains rising from 3,780 to over 17,000 in the span of a year
- Ongoing concern over Russian-based online threats, for the first time in the report’s history, an ASN with zero neutral domains, implying all traffic from Russian IP ASN (ASN 198953, Proton 66 OOO of Russia) should be immediately blocked
Conclusion
This is the third iteration of the DomainTools Report to include this specific collection of features in the data snapshot. We intend to glean trending information about the evolving nature of concentrations of malicious activity across the Internet. We may continue to make small adjustments to our thresholding methodology in order to give what we judge to be the most useful insights.
We hope this and future editions benefit others like ourselves who are passionate about making the Internet a safer place and work to give bad actors more bad days. Drop us a line and let us know what you think.
