Source: tapscape.com

Newly Registered Domains under Scrutiny: What Risks Do They Present?

Threat actors often use newly registered domains (NRDs) for malicious campaigns. And there are several reasons why.

The owners of these domains can be harder to track, since registrants can now register domain names without publicly revealing personally identifiable information (PII) in their WHOIS records. Also, many new typosquatting variants can be registered quickly to exploit a particular news event or a specific social engineering angle involving brands or even individuals.

And so, this post covers the various uses of NRDs, how threat actors abuse them in malicious campaigns, and where you can get pertinent data to learn more about them. Before drilling down into the details, though, let’s start with the basics by defining what NRDs are.

What Are Newly Registered Domains?

NRDs refer to domains that were registered, or changed owners, within the past few weeks. Their age can typically be determined from the creation date in their WHOIS record.

Apart from having only recently been added to the Domain Name System (DNS), the NRDs that figure in cyber attacks are typically not meant to be renewed and so are registered for a single year. That sets them apart from legitimate company domain names, whose expiration dates are usually set at least a couple of years out.

3 Reasons Why Companies Should Consider Keeping Certain Newly Registered Domains Out of Their Networks

Time and again, we’ve seen threat actors use NRDs as vehicles for specially crafted malware and malicious pages that bypass the security measures organizations put up. Here are three kinds of threat that NRDs commonly host.

Newly Registered Domains in Cryptocurrency Giveaway Scams

Cryptocurrency giveaway scams are probably among the latest additions to the malicious uses of NRDs. An analysis of 31,555 domains and subdomains containing the strings “bitcoin,” “doge,” and “cardano” revealed that the vast majority of them (94%) aren’t attributable to legitimate organizations and should thus be treated as suspicious at the very least. Several of these lead to sites that tout giveaways that turn out to be a sham. Instead of being rewarded with the promised coins, users stand to lose money, and in some cases are extorted for large sums. And a large share of the sites’ hosts are NRDs (in part because some crypto-related terms are themselves new).

Newly Registered Domains Serve as Hosts to Typosquatting Sites

Many have been asking whether monitoring NRDs is still relevant, and the short answer is a resounding yes. A brief investigative study of newly registered Netflix, Facebook, and blockchain domains showed that several of the indicators of compromise (IoCs) cited in security reports are NRDs. In fact, WHOIS record lookups for the identified IoCs showed that the malicious domains were registered only days before the cyber attacks using them surfaced.

Target       Number of IoCs   Number of NRDs (including those identified as IoCs)
Netflix      4                16
Facebook     12               651
Blockchain   4                924

That again shows companies how dangerous accessing suspicious NRDs can be.

Newly Registered Domains and Age-Old Spam and Phishing Campaigns

For cybercriminals, the adage “If it ain’t broke, don’t fix it” remains true to this day. Spam and phishing campaigns have been threat staples for years, but since they still work, they live on. The .com newly registered domain data feed for 15 July 2024, for instance, contains these domains flagged as malicious (that is, reported as “malicious” or “suspicious,” or tagged as spam hosts, on VirusTotal):

  • amazoncarrees[.]com
  • apple-alert-findmy[.]com
  • block-authentication-verify[.]com
  • paypalcc[.]com
  • microsoftswindowsupdate[.]com

These are only five of the 143,825 NRDs in the feed for that date. There could be hundreds more malicious domains in the feed. Those that contain trusted organizations’ names could easily host phishing pages aimed at those organizations’ users. Or, more sinister still, business email compromise (BEC) attackers can use them to trick the target companies’ employees into funneling corporate funds to bank accounts under the attackers’ control.

The three threats above are just a few of many that cause not only financial damage but also reputational harm to their victims.

How Can You Avoid the Perils That Newly Registered Domains Pose?

Monitoring NRDs and keeping most, if not all, of them out of your network (except for legitimate ones, of course) can effectively help you avoid the dangers they pose. Solutions for that come in three variants, discussed in more detail below.

Newly Registered Domains Lookup

A newly registered domain lookup tool is a web service that anyone in an organization can access and use to check whether the domain they’re about to visit was recently registered. Making that a company best practice, or a safety precaution at home, can reduce your chances of landing on suspicious or malicious websites that could be out to steal your PII or money.

Such a solution can also be useful for the IT administrators of small businesses. They can use the tool to check if the domains that network-connected users wish to access warrant blocking before these can lead to a potential breach.

Newly Registered Domains API

Manually checking every domain employees wish to access isn’t feasible, especially for larger organizations. In their case, integrating a newly registered domain API into existing systems (a secure web gateway or DNS resolver, for instance) may be more manageable. The tool can instantly gauge whether a domain is newly registered and prevent anyone in the company from visiting the site hosted on it.
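The check that both the lookup tool and an API integration perform reduces to the same thing: read the creation date (and, as a secondary signal, the registration term) from the domain’s WHOIS record and compare it against a threshold. The following is an added example, not code from the article or from any lookup or API vendor. It parses constructed WHOIS excerpts for reserved example names (not real records), pins “today” so the result is deterministic, and returns a verdict a gateway could act on. The 30-day age threshold and the 400-day “one-year term” cutoff are assumptions chosen to match the text’s “past few weeks” and “expire after a year”.

```python
"""Decide whether a domain is an NRD from its WHOIS record.

Added example, not code from the article or from any lookup/API vendor. It
pulls the creation and expiry dates out of WHOIS text and applies the two
signals the article describes: how many days ago the domain was created, and
whether it was registered for only about a year. The WHOIS excerpts are
constructed samples, not real lookups, and "today" is pinned so the example
is deterministic.
"""
import re
from datetime import datetime, timezone

NOW = datetime(2024, 7, 20, 12, 0, tzinfo=timezone.utc)  # pinned reference date (assumption)
NRD_MAX_AGE_DAYS = 30        # "within the past few weeks" (assumed threshold)
ONE_YEAR_TERM_DAYS = 400     # a one-year registration, with some slack (assumed threshold)

# Registries spell the fields differently; match the common variants, one per line.
CREATED_RE = re.compile(r"^\s*(?:Creation Date|Created On|Registered On):\s*(\S+)", re.I | re.M)
EXPIRES_RE = re.compile(r"^\s*(?:Registry Expiry Date|Expir(?:ation|y) Date):\s*(\S+)", re.I | re.M)


def parse_whois_date(raw: str) -> datetime:
    """Parse the timestamp formats WHOIS servers commonly emit, e.g. 2024-07-15T09:12:44Z."""
    raw = raw.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {raw!r}")


def classify(whois_text: str, now: datetime = NOW) -> dict:
    """Return the domain's age, registration term and an NRD verdict.

    nrd is True/False when a creation date was found and None when the record
    has no usable creation date (redacted or unparsed), so a gateway can fail
    closed instead of treating a missing date as "old".
    """
    created_m = CREATED_RE.search(whois_text)
    if not created_m:
        return {"nrd": None, "age_days": None, "term_days": None,
                "reason": "no creation date in record"}
    created = parse_whois_date(created_m.group(1))
    age_days = (now - created).days
    expires_m = EXPIRES_RE.search(whois_text)
    term_days = (parse_whois_date(expires_m.group(1)) - created).days if expires_m else None

    reasons = []
    is_nrd = age_days <= NRD_MAX_AGE_DAYS
    if is_nrd:
        reasons.append(f"registered {age_days} days ago")
    if term_days is not None and term_days <= ONE_YEAR_TERM_DAYS:
        reasons.append("one-year registration term")
    return {"nrd": is_nrd, "age_days": age_days, "term_days": term_days,
            "reason": "; ".join(reasons) or "established domain"}


# Constructed WHOIS excerpts for reserved example names (not real records).
WHOIS_NEW = """\
Domain Name: NEWLY-REGISTERED.EXAMPLE
Registrar: Example Registrar, LLC
Updated Date: 2024-07-15T09:12:44Z
Creation Date: 2024-07-15T09:12:44Z
Registry Expiry Date: 2025-07-15T09:12:44Z
Registrant Organization: REDACTED FOR PRIVACY
"""
WHOIS_OLD = """\
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
"""
WHOIS_REDACTED = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, LLC
Registrant Organization: REDACTED FOR PRIVACY
"""

if __name__ == "__main__":
    for label, record in (("new", WHOIS_NEW), ("old", WHOIS_OLD), ("redacted", WHOIS_REDACTED)):
        print(f"{label:9} {classify(record)}")
```

Two practical notes. WHOIS privacy services redact registrant contact details, not the creation date, so the age check still works on redacted records; when the date is genuinely absent, the code returns an unknown verdict rather than a pass, which is the safer default for a gateway. And a recent Updated Date alone is not proof of an ownership change, which is why the example keys off the creation date only.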

Newly Registered Domains Data Feed

Another quick and relatively painless way to keep NRDs, and the threats they may bring, out of networks is to subscribe to daily data feeds. The domains on these feeds can be added to corporate blocklists to keep dangerous NRDs from causing potential breaches. And should users need access to reputable NRDs, these can be allowlisted so they are excluded from the block.
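Putting a feed to use means more than copying it into a blocklist: entries arrive defanged (“[.]”), duplicates and malformed lines need dropping, allowlisted domains must be carved out, and the domains that carry a trusted organization’s name (the paypal, microsoft and apple examples quoted earlier) deserve a higher review priority than the rest. The following is an added example, not the article’s own tooling or any vendor’s feed format. The feed excerpt is constructed (it reuses the defanged domains quoted above plus reserved example names), the brand and lure-word lists are assumptions, and the output is a BIND Response Policy Zone (RPZ) fragment that resolves each listed domain and its subdomains to NXDOMAIN.

```python
"""Turn a daily NRD feed into a DNS blocklist with an allowlist carve-out.

Added example, not the article's own tooling or any vendor's feed format.
It normalises feed lines (undoing "[.]" defanging), drops allowlisted and
malformed entries, tags each remaining domain by brand names and lure words
in its labels, and renders BIND RPZ records. The feed text is constructed.
"""
import re

# Brand names the article mentions plus lure words seen in the listed domains (assumed lists).
BRANDS = ("amazon", "apple", "paypal", "microsoft", "netflix", "facebook",
          "bitcoin", "doge", "cardano", "blockchain")
LURE_WORDS = ("alert", "authentication", "verify", "update", "login", "secure", "findmy")

# Exact or parent-domain matches are allowed through; reviewed by hand before deployment (assumption).
ALLOWLIST = {"example.com"}

# Registrable-domain shape check: labels of letters/digits/hyphens and an alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(line: str) -> str:
    """Strip comments and whitespace, undo "[.]"/"(.)" defanging, lower-case, drop a trailing dot."""
    line = line.split("#", 1)[0].strip().lower()
    return line.replace("[.]", ".").replace("(.)", ".").rstrip(".")


def is_allowlisted(domain: str, allowlist=ALLOWLIST) -> bool:
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def tag(domain: str) -> dict:
    """Tag a domain by brand and lure-word hits in its labels (the TLD is ignored)."""
    labels = domain.rsplit(".", 1)[0]
    brands = [b for b in BRANDS if b in labels]
    lures = [w for w in LURE_WORDS if w in labels]
    if brands and lures:
        priority = "high"      # brand name plus a lure word: the classic phishing pattern
    elif brands or lures:
        priority = "medium"
    else:
        priority = "low"       # still an NRD, blocked by policy; review if a user complains
    return {"brands": brands, "lures": lures, "priority": priority}


def build_blocklist(feed_text: str, allowlist=ALLOWLIST) -> list:
    """Return [(domain, tags)] for every valid, non-allowlisted, de-duplicated feed entry."""
    seen, out = set(), []
    for raw in feed_text.splitlines():
        d = refang(raw)
        if not d or not DOMAIN_RE.match(d) or d in seen:
            continue
        seen.add(d)
        if is_allowlisted(d, allowlist):
            continue
        out.append((d, tag(d)))
    return out


def to_rpz(entries) -> list:
    """Render RPZ records: CNAME to "." returns NXDOMAIN for the domain and everything under it."""
    lines = []
    for d, t in entries:
        lines.append(f"; priority={t['priority']} brands={','.join(t['brands']) or '-'}")
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


# Constructed feed excerpt: the defanged domains quoted in the article plus reserved names.
FEED = """\
# constructed excerpt of a daily NRD feed (not a real feed file)
amazoncarrees[.]com
apple-alert-findmy[.]com
block-authentication-verify[.]com
paypalcc[.]com
microsoftswindowsupdate[.]com
example.com
EXAMPLE.COM
example.net
notadomain
"""

if __name__ == "__main__":
    print("\n".join(to_rpz(build_blocklist(FEED))))
```

The RPZ lines are meant to be dropped into an existing policy zone (which also needs its SOA and NS records), and the allowlist is what keeps a blanket NRD block from cutting users off from a legitimately new site. The priority tag only orders analyst review; every non-allowlisted NRD is still blocked, which matches the policy the article recommends.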

While domain age is not the only factor in threat prevention, the examples in this post still highlight the importance of monitoring NRDs and blocking access to them where necessary. The sad truth is that while cyber attackers do sometimes use older domains, many suspicious NRDs continue to enter the DNS daily and end up hosting malicious websites.

About Nina Smith