- The vast majority of newly registered domains are used for malicious purposes like phishing and spamming.
- These domains show their intent from the first moments and don’t last for more than a week.
- Registrar deletion and domain blacklisting are the most common causes of NRD death.
Two independent reports, from Georgia Tech and Farsight Security, indicate that newly registered domains (NRDs) are perilous, with a much higher chance of being used by phishing actors and malware distribution campaigns. Unit42 reports that its own data, which derives from years of tracking newly registered domains, paints the same picture, with roughly 70% of NRDs being suspicious. This makes their close monitoring imperative, as they cannot be considered reliable in any setting. In contrast, domains in the Alexa top 10,000 are ten times less likely to be used for malicious purposes.
As reported by Unit42, an average of about 200,000 new domains are registered around the globe every day. This activity spikes on weekdays and subsides on weekends. Between March and May 2019, about 5.6 million new domains were registered under the “.com” TLD, followed by “.tk” with 1.9 million, “.cn” with 0.9 million, and “.ga”, “.cf”, “.tw”, and “.ml” with just over half a million. The TLDs that follow “.com” are popular because they are offered free of charge; since malicious actors only need a domain for a short while, paying nothing for it is the preferred option.
While the risk that comes with NRDs is too great to ignore, that does not mean aggressive URL filtering and excessive scrutiny are a good idea either. About 8.4% of the domains registered from January to May 2019 are genuinely benign, serving purposes such as launching new products, promoting events or marketing campaigns, personal websites, and so on. Unit42 specifies a time frame after which an NRD can be judged malicious or not: 32 days. So, NRDs should be treated as suspicious and monitored for about a month; if they do not demonstrate threatening behavior in that time, they can be considered safe.
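As an added example (not from the original article or from Unit42), the monitoring policy above can be turned into a triage rule: the Python below classifies hostnames from a DNS query log by registration age using the 32-day window, treating the free TLDs the article names as higher risk. The allowlist, the WHOIS/RDAP cache, the evaluation time and the log lines are all constructed stand-ins.

```python
from datetime import datetime, timedelta, timezone
NRD_WINDOW = timedelta(days=32)          # Unit42 window quoted above: suspicious for 32 days
FREE_TLDS = {"tk", "ga", "cf", "ml"}     # free-to-register TLDs the article names
ALLOWLIST = {"example.com"}              # constructed stand-in for a top-sites allowlist
# Constructed stand-in for a WHOIS/RDAP cache: registrable domain -> creation time.
REGISTRATION_DATES = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "fresh-offer.tk": datetime(2019, 5, 1, tzinfo=timezone.utc),
    "new-product-launch.com": datetime(2019, 4, 20, tzinfo=timezone.utc),
    "thirty-two.org": datetime(2019, 4, 1, tzinfo=timezone.utc),
    "old-shop.net": datetime(2018, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2019, 5, 3, tzinfo=timezone.utc)   # constructed evaluation time

def registrable_domain(fqdn: str) -> str:
    # Last two labels only; adequate for the simple TLDs used in this example.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def classify(fqdn: str, now: datetime = NOW) -> str:
    """Risk tier for a queried hostname, driven by domain registration age."""
    domain = registrable_domain(fqdn)
    if domain in ALLOWLIST:
        return "allowlisted"
    created = REGISTRATION_DATES.get(domain)
    if created is None or created > now:
        return "unknown-registration"    # no data, or a creation time in the future: do not trust the age
    if now - created < NRD_WINDOW:
        tld = domain.rsplit(".", 1)[-1]
        return "nrd-free-tld" if tld in FREE_TLDS else "nrd"
    return "aged"                        # 32 days or older: outside the monitoring window

def triage_dns_log(lines, now: datetime = NOW) -> dict:
    """Count queried names per tier from lines shaped '<timestamp> <client-ip> <qname>'."""
    counts: dict = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                     # skip malformed lines rather than crash the pipeline
        tier = classify(parts[2], now)
        counts[tier] = counts.get(tier, 0) + 1
    return counts

# Constructed sample DNS query log (not real traffic).
SAMPLE_LOG = [
    "2019-05-03T10:00:00Z 10.0.0.5 www.example.com",
    "2019-05-03T10:00:01Z 10.0.0.5 login.fresh-offer.tk",
    "2019-05-03T10:00:02Z 10.0.0.7 new-product-launch.com",
    "2019-05-03T10:00:03Z 10.0.0.7 cdn.old-shop.net",
    "2019-05-03T10:00:04Z 10.0.0.9 never-seen.biz",
    "garbage line",
]
```

Names in the "nrd" tiers are the ones to keep under watch for the rest of the window; "unknown-registration" is a data gap, not a verdict, and should be resolved by a real WHOIS/RDAP lookup.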
If a domain is really malicious, it will not last much longer than that. In fact, most malicious domains “get to work” almost immediately after registration, so they rarely last for over a week. The main causes of their death are blacklisting and deletion by the registrars, both of which happen mostly in the first two days. Malicious actors try to keep their domains up by running their own dedicated nameservers, trying to reduce the risk to their delegation. Still, as reported by Farsight, a malicious NRD dies at a median time of only four hours and 16 minutes.