Many registrars offer bulk domain registration packages at affordable prices, making it easy for basically anyone to launch websites. Unfortunately, legitimate business owners are not the only ones benefiting.
Affordable bulk domain registration packages are also allowing cybercriminals to put up malicious websites at meager costs.
That fact brings to light just how important monitoring recently registered domains is, especially as research suggests that most of these end up used in cyberattacks.
Organizations may thus benefit from integrating a newly registered & just expired domains database into their security solutions to serve as additional sources of domain threat intelligence.
2 Cybersecurity Benefits of Monitoring Recently Registered Domains
Recently registered domains refer to those that were registered or changed ownership within the past few weeks to months.
While web filtering or restricting access to certain sites can be a tedious practice, it does help organizations stay safe from many domains tied to malicious activity.
Identifying new domains that access your website or network can help mitigate potential attacks early on. Sound sources of domain threat intelligence serve as essential resources for enabling better cybersecurity, notably to:
Avoid Domain Names Hosting or Used to Spread Malware
The average cost a company can lose to a malware attack in 2019 was US$2.6 million, though attacks can vary in scale, depending on the type of malware used.
One of the most common disguises attackers rely on to distribute their malicious wares is that of a bank employee. Let’s take the recently registered domain secure2c-chase[.]com as an example.
It was registered on 8 May, and its owner could potentially mimic Chase Bank in attacks.
To test our theory, we ran the domain on the Threat Intelligence Platform (TIP). The report showed that secure2c-chase[.]com has malicious ties. It is part of the VirusTotal and Google Safe Browsing databases.
The TIP report also listed 13 IP addresses and domains associated with secure2c-chase[.]com. Among them, the following also proved suspicious:
- 194[.]180[.]224[.]133
- 162[.]255[.]118[.]62
- 162[.]255[.]118[.]61
- mailservices[.]ru[.]com
- secure0b-chase[.]com
Cybersecurity teams can dive deeper and uncover domain connections to identified malicious entities, as they may need monitoring or even blocking.
The analysis highlights the need to scrutinize recently registered domains that pass through an organization’s network so users can avoid accessing harmful websites that put their data and finances and their company at significant risk.
Watch Out for Scams
It’s pretty standard for cybercriminals to use rewards and discounts as a social engineering trick.
Let’s consider the domain ssl-manageonlinenetflix[.]com from the recently registered domains feed for 27 April. Its owner might be trying to lure in people cooped up at home into a Netflix-centric scam.
A TIP analysis of the domain showed that ssl-manageonlinenetflix[.]com does have malicious ties and was listed on Google Safe Browsing.
The report also listed 19 associated IP addresses and domains. Among them, 217[.]160[.]0[.]250 also proved malicious as it was listed on VirusTotal Analyzer.
Even more domain connections can also be uncovered. We ran 217[.]160[.]0[.]250 on Reverse IP/DNS API and found at least 300 more domains that may be connected.
Running them through malware checks can reveal even more threats, even though there is a good chance that the IP address is part of a shared hosting plan and was abused. For that reason, all the domain names connected to it might now suffer the consequences.
Final Thoughts
Accessing recently registered domains can cause organizations to succumb to the threats described above and more. Other threats can include phishing, spamming, business email compromise (BEC) attacks, and ransomware.
That makes monitoring comprehensive domain threat intelligence sources such as Newly Registered & Just Expired Domains Database a plus to ensure cyber resilience.
Automatically blocking recently registered domains is not the answer, though, as this could lead to potential loss of business opportunities. This calls for greater security context, which solutions like Threat Intelligence Platform (TIP) can provide.
About the Author
Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds. WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).
No comments:
Post a Comment