According to Palo Alto Networks research, thousands of new domain names are created every day by businesses and individuals in order to launch websites. According to a new study from Palo Alto Networks, cybercriminals have been known to register dangerous domains years before they intend to utilize them.
Palo Alto Networks’ Unit 42 began its study of dormant malicious domains after it was discovered that the SolarWinds attackers behind 2019’s attack used them in their assault. In September 2021, Palo Alto Networks debuted a cloud-based detector to identify strategically aged domains and track their activity. 22.3 percent of strategically aged domains are dangerous in some form, with a small portion being outright malicious (3.8%), a majority being suspicious (19%) and some being unsafe for work environments (2%).
According to the findings of the firm’s researchers, 3.8 percent of strategically aged domains are outright malicious, 19% are suspicious, and 2% are hazardous for work settings. The majority of domains on the internet are quite old, in some cases hundreds or even thousands of years old. This is because cybercriminals and other threat actors will let a domain age in order to establish a “clean record.” Newly registered domains, on the other hand, are more likely to be malicious, so security systems are more likely to flag them as suspicious. According to Palo Alto Networks, strategically aged domains are three times more likely than newly created ones to be harmful.
Finding dormant malicious domains
When a sudden increase in traffic is observed, it’s frequently the case that a fraudulently aged domain has been purchased. This is because typical websites’ traffic levels rise gradually over time as more people visit the site via word of mouth or marketing, thus
In the majority of cases, websites with this pattern are not registered for legitimate purposes. They may contain incomplete, cloned, or even fraudulent information and frequently lack WHOIS registrant contact information. DGA subdomain generation is another indicator that a domain was created and intended to be utilized in a later fraud.
DGA, or domain generation algorithm, is a method for generating domain names and IP addresses that serve as command and control (C2) communication points, used to evade detection and block lists. Every day, Palo Alto Networks’ cloud-based detector was able to identify two suspicious domains through their DGA activity.
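The three indicators described above (a sudden traffic spike on a domain that has aged for years, missing WHOIS registrant contact data, and DGA-style subdomain labels) can be combined into a simple triage score. The example below is added here and is not Palo Alto Networks’ detector; the domain records, thresholds and the entropy/vowel heuristic for DGA-like labels are constructed assumptions for illustration.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample telemetry (not real domains): registration date, daily
# request counts over a 12-day window, WHOIS contact presence, subdomain labels.
SAMPLE_DOMAINS = {
    "example-aged.test": {
        "registered": date(2019, 3, 4),
        "daily_requests": [0, 0, 0, 1, 0, 0, 2, 0, 0, 3500, 4200, 5100],
        "whois_contact": False,
        "subdomains": ["x7k2q9v1mz", "p3wq8r0tlb", "k9zz21mdqr", "www"],
    },
    "example-normal.test": {
        "registered": date(2016, 7, 1),
        "daily_requests": [100, 110, 120, 130, 150, 160, 170, 180, 200, 210, 230, 250],
        "whois_contact": True,
        "subdomains": ["www", "mail", "blog"],
    },
}

def shannon_entropy(label):
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.35):
    # Heuristic (assumed thresholds): DGA labels tend to be long, high-entropy
    # and vowel-poor compared with human-chosen names like "mail" or "blog".
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def sudden_spike(series, window=3, factor=10.0):
    # Mean of the last `window` days versus the mean of the preceding baseline.
    head, tail = series[:-window], series[-window:]
    baseline = max(sum(head) / len(head), 1.0)  # dormant domains have a ~0 baseline
    return sum(tail) / len(tail) >= factor * baseline

def score_domain(rec, today=date(2021, 9, 1), min_age_years=2):
    # Returns the list of indicators that fire for one domain record.
    age_years = (today - rec["registered"]).days / 365.25
    indicators = []
    if age_years >= min_age_years and sudden_spike(rec["daily_requests"]):
        indicators.append("aged-domain-traffic-spike")
    if not rec["whois_contact"]:
        indicators.append("missing-whois-contact")
    if sum(looks_dga(s) for s in rec["subdomains"]) >= 2:
        indicators.append("dga-subdomains")
    return indicators

def triage(domains):
    # Map each domain to its fired indicators; empty lists mean nothing fired.
    return {name: score_domain(rec) for name, rec in domains.items()}
```

A domain with all three indicators is a strong candidate for the "strategically aged" pattern and warrants a closer look at its content and DNS behaviour.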
Palo Alto Networks discovered a Pegasus espionage campaign that began in July 2021 and utilized two C2 domains registered in 2019. Researchers identified phishing attacks using DGA subdomains and wildcard DNS abuse as well.