Malicious domains are domain names that are used for nefarious purposes, such as serving phishing websites, distributing malware, or other types of cybercrime. In fact, our recent research shows that many of our users access about 5,000 queries per day on average, and one in 1,000 is likely to be malicious. That adds up to about 1,825 malicious queries per user per year, on average.
Malicious domains continue to be a growing risk for organizations of all types, and the Domain Name System (DNS) layer remains a major vector for cybercriminals. The good news is that even amid these trends, there are steps security professionals can take to better protect themselves.
How Attackers Use Malicious Domains
DNS is a key attack vector for malicious actors because DNS is both ubiquitous and close to endpoints. However, organizations too often neglect to closely monitor it. The absence of protective DNS is a real problem, as bad actors can leverage malicious domains in several ways. While not an exhaustive list, some of the most common methods include:
- Malware: Malicious domains are often used to distribute malware, including ransomware. The malware distributed through these domains can compromise the security of an organization's entire network, culminating in theft of sensitive data or complete loss of access to critical resources.
- Command-and-Control with a malicious actor: In this case, DNS infrastructure is abused to create a remote covert channel between a compromised host and the attacker's server. That server is the command hub for coordinating and controlling the actions of compromised systems.
- Phishing: In this social engineering attack, a bad actor attempts to trick the user into revealing confidential information, often through websites that imitate legitimate products and services. The attackers often seek login credentials, personally identifying information, or financial information such as credit card numbers through phishing. Often, these malicious domains are distributed through email.
- Malvertising: This tactic injects malicious code into ads that are then distributed via legitimate advertising channels.
- Typosquatting: Bad actors often register domains with intentionally misspelled names of well-known, legitimate sites — for instance, Nikke.com instead of Nike.com. More sophisticated imitations rely on lookalike glyphs from foreign-language alphabets. Once there, unsuspecting individuals are tricked into sharing personal information such as login credentials or credit card information.
Malicious Domains, as Seen in the Wild
Malicious domains pose a serious threat to organizations and individuals. While some people are merely lackadaisical about computer security, others are "power users" who come across many more threats than the average user because they have more exposure across a large swathe of the internet.
Our researchers observed a 1,250% year-over-year increase in malicious domains among domains registered within the previous 24 hours. And, as predicted by almost every industry expert, ChatGPT-created malicious domains are on the rise. ChatGPT's popularity has led scammers to use OpenAI's chatbot name in malicious domains, according to our research. We've seen a sixfold increase in blocked domains related to ChatGPT and OpenAI among our customer base.
What Malicious Domain Protection Means for You
There is no "single pane of glass" solution for protecting against malicious domains. You want a layered approach that can incorporate the multifaceted aspects of malicious actors' behavior. Multiple perspectives are required to obtain the highest degree of protection.
While there are threat feed vendors who will sell you a list of the latest malicious domains and malicious IP addresses, the freshness and quality of those lists vary. If a vendor doesn't have access to a malware sample that generates its own unique domains, then those domains aren't going to show up on their list.
Machine learning solutions can bridge that gap because they generalize beyond just what's in the feeds. Machine learning products look at patterns of behavior that are present in the domain string, or are emergent over time, or appear in the pattern of relationships among domain names and IP addresses. For instance, the patterns of relationship among domains can be highly informative about security risks. So, perhaps you see a set of three domains that tend to all be queried together. If the response for that third domain turns out to be malicious, you could infer then that the first and second domains could be malicious as well. While this might seem like a simple example, in a large network of dozens or thousands of domains and thousands of IP addresses, machine learning technology can block malicious domains at scale.
You'll benefit by choosing a protective DNS solution that leverages new machine learning capabilities to help identify malicious domains. ML makes the difference; it can identify more threats — such as cryptojacking, phishing, ransomware, botnet, and other spam domains — and catch them sooner than humans could.
Defeating Malicious Domains
The 1,250% year-over-year increase in "very new" malicious domains is not a statistic to ignore. Attackers are using AI and other techniques to lure unsuspecting individuals into their information-stealing schemes. Organizations, in turn, must use the capabilities of artificial intelligence and machine learning to detect malicious domains faster than humans alone can. Machine learning finds more patterns of malicious behavior across every threat category, and it does it faster. Protective DNS solutions using machine learning set organizations on the path to greater security.
Will Strafach is head of Security Intelligence & Solutions at DNSFilter.
