The number of inactive malicious domains is growing, and 22.3% of outdated domains may be dangerous or contain malware. These conclusions were drawn by experts from Palo Alto Networks, who in September monitored tens of thousands of domains every day.
Analysts say they got the idea for this research after the attack on SolarWinds, when it was revealed that attackers relied on domains registered several years before the actual start of malicious activity.The rationale behind this proactive domain registration is to create a “clean record” that will prevent security systems from undermining the success of a future malicious campaign.
For example, during an attack on SolarWinds, the hackers’ domains were idle for two years, and then, after the attack began, their DNS traffic suddenly increased 165 times.
After carefully observing multiple domains, Palo Alto Networks researchers concluded that approximately 3.8% of them are clearly malicious, 19% are suspicious and 2% are unsafe for the production environment.
Experts say that a sudden surge in traffic is an obvious sign of a malicious domain. Ordinary companies that registered their domains in advance and launched services only months or years later can also be found, but they show a gradual increase in traffic.
In addition, domains not intended for normal use have incomplete, cloned, or questionable content. Also, there is no owner data in WHOIS.
Suspicious domain
Another clear sign of a maliciously crafted old domain is the creation of subdomains using a domain generation algorithm (DGA). Based only on this “sign”, analysts identified two suspicious domains every day, which gave rise to hundreds of thousands of subdomains after activation.
One of the notable cases described in the report was the Pegasus spy campaign, which used two C&C domains that were registered back in 2019 and “woke up” in July 2021. Domains with DGAs played an important role in that campaign, accounting for 23.22% of traffic on activation day, which was 56 times more than normal DNS traffic. A few days later, the traffic reached 42.04%.
The researchers also describe other examples, including phishing campaigns, where DGA subdomains were used as masking layers to direct visitors and crawlers to either legitimate sites or phishing pages.
Experts conclude that legacy domains are commonly used by serious hacker groups with long-term plans. Such attackers often use DGAs to steal data through DNS traffic, as well as proxies, or to imitate brand-name domains (cybersquatting).
Let me remind you that we reported that Meta sues operators of 39,000 phishing sites, as well as that Ukrainian cyberpolice neutralized one of the world’s largest phishing services.