Newly registered domains (NRD) can be created for perfectly legitimate reasons such as hosting a conference, or for business purposes, but they can be equally misused by threat actors to launch their malicious campaigns.
What is the matter?
A comprehensive case study conducted by Palo Alto Network’s Unit 42 researchers has revealed that more than 70% of NRDs are malicious or suspicious or not safe for work. This is 70 times higher than that observed in Alexa's top 10,000 domains.
The interesting aspect of these benign NRDs is that some of them are alive only for a few hours or a couple of days. These short-lived newly registered domains are deactivated or removed even before any security vendor can detect them.
Which are the widely used TLDs?
During the analysis from March to May 2019, researchers observed that .com is still the most popular TLD even though it was introduced 34 years ago. It accounted for 33% of all recent NRDs. The second most commonly used TLDs include .tk, .cn, and .uk.
However, when it comes to malicious NRDs, researchers noted that many country-code top-level domains were responsible (ccTLDs) for the increase in the percentage. The highest ratio of malicious NRDs among different TLDs was scored by .to domain, with somewhere between 80-100% of .to domains proving to be malicious. This indicates that the .to TLD includes inexpensive or free registration, a less strict registration policy, and obscuring WHOIS registrant data from public view.
Malicious use of NRDs
Cybercriminals can use NRDs for a variety of malicious purposes including:
The bottom line
Overall, newly registered domains are a double-edged sword. While nefarious actors can leverage them for malicious activities, businesses, on the other hand, can use them for launching a new product, creating a new brand or campaign, or building a new personal site.
It is recommended for users to protect themselves against malicious indicators via URL Filtering, DNS Security, and Threat Prevention techniques wherever they are applicable.