22% of outdated domains are dangerous or contain malware

Written by Emma Davis

The number of inactive malicious domains is growing, and 22.3% of outdated domains may be dangerous or contain malware. These conclusions were drawn by experts from Palo Alto Networks, who in September monitored tens of thousands of domains every day.

Analysts say they got the idea for this research after the attack on SolarWinds, when it was revealed that attackers relied on domains registered several years before the actual start of malicious activity.

The rationale behind this proactive domain registration is to create a “clean record” that will prevent security systems from undermining the success of a future malicious campaign.

“The point is, newly registered domains are usually more likely to be malicious, so security solutions treat them as suspicious,” experts from Palo Alto Networks report.

For example, during an attack on SolarWinds, the hackers’ domains were idle for two years, and then, after the attack began, their DNS traffic suddenly increased 165 times.

After carefully observing multiple domains, Palo Alto Networks researchers concluded that approximately 3.8% of them are clearly malicious, 19% are suspicious and 2% are unsafe for the production environment.

(Image: Palo Alto Networks report)

Experts say that a sudden surge in traffic is an obvious sign of a malicious domain. Ordinary companies that registered their domains in advance and launched services only months or years later can also be found, but they show a gradual increase in traffic.

In addition, domains not intended for normal use tend to have incomplete, cloned, or questionable content, and their WHOIS records contain no owner data.

(Image: Suspicious domain)

Another clear sign of a maliciously crafted old domain is the creation of subdomains using a domain generation algorithm (DGA). Based only on this “sign”, analysts identified two suspicious domains every day, which gave rise to hundreds of thousands of subdomains after activation.
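The three signs listed above (a sudden traffic surge after a long dormant period, versus gradual growth for a legitimately pre-registered domain, plus a burst of machine-generated subdomains) can be turned into a simple passive-DNS screening rule. The following script is an added illustration written for this article; it is not Palo Alto Networks' code, and the log lines, domain names (`steady-shop.test`, `dormant-cc.test`) and thresholds are constructed for the example. It also assumes the registered domain is the last two labels of a name, which real tooling should replace with a Public Suffix List lookup.

```python
"""Screen passive-DNS style logs for dormant domains that suddenly wake up and
for DGA-like subdomain bursts. Constructed example; not the report's own tooling."""
import math
import random
from collections import Counter, defaultdict
from statistics import mean

# Thresholds are assumptions for this example. The report cites real surges of
# 56x and 165x over normal traffic, so 50x separates them from gradual growth.
SPIKE_RATIO = 50.0        # last-day queries vs. mean of the earlier days
MIN_UNIQUE_LABELS = 100   # distinct subdomain labels seen on the last day
MIN_MEAN_ENTROPY = 2.5    # bits per character, averaged over those labels


def registrable_domain(fqdn):
    """Assumption: the registered domain is the last two labels.
    Production code should consult the Public Suffix List (e.g. for co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def shannon_entropy(text):
    """Bits per character; random-looking DGA labels score high, 'www' scores 0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(lines):
    """Lines look like '<YYYY-MM-DD> <fqdn>', one per query.
    Returns {domain: {date: Counter(first subdomain label)}}."""
    per_domain = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, fqdn = line.split()
        domain, sub_labels = registrable_domain(fqdn)
        per_domain[domain][date][sub_labels[0] if sub_labels else ""] += 1
    return per_domain


def spike_ratio(daily):
    """Queries on the most recent day divided by the mean of all earlier days."""
    dates = sorted(daily)
    if len(dates) < 2:
        return 0.0
    prior = [sum(daily[d].values()) for d in dates[:-1]]
    last = sum(daily[dates[-1]].values())
    return last / max(mean(prior), 1.0)   # floor avoids division by zero


def dga_score(daily):
    """(number of distinct labels, mean label entropy) on the most recent day."""
    labels = [lbl for lbl in daily[sorted(daily)[-1]] if lbl]
    if not labels:
        return 0, 0.0
    return len(labels), mean(shannon_entropy(lbl) for lbl in labels)


def analyze(lines):
    """Return {domain: {spike_ratio, unique_labels, mean_entropy, flags}}."""
    findings = {}
    for domain, daily in parse_log(lines).items():
        ratio = spike_ratio(daily)
        unique, entropy = dga_score(daily)
        flags = []
        if ratio >= SPIKE_RATIO:
            flags.append("sudden-traffic-surge")
        if unique >= MIN_UNIQUE_LABELS and entropy >= MIN_MEAN_ENTROPY:
            flags.append("dga-like-subdomains")
        findings[domain] = {"spike_ratio": round(ratio, 1), "unique_labels": unique,
                            "mean_entropy": round(entropy, 2), "flags": flags}
    return findings


def build_sample_log():
    """Constructed sample data: one legitimately pre-registered domain whose
    traffic ramps up gradually, and one dormant domain that wakes up on day 10
    with hundreds of random-looking subdomains."""
    lines = []
    for day in range(1, 11):                       # 10, 20, ... 100 queries/day
        lines += [f"2021-07-{day:02d} www.steady-shop.test"] * (10 * day)
    for day in range(1, 10):                       # one query/day while dormant
        lines.append(f"2021-07-{day:02d} ns1.dormant-cc.test")
    rng = random.Random(7)                         # fixed seed for reproducibility
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for _ in range(300):                           # activation-day DGA burst
        label = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"2021-07-10 {label}.dormant-cc.test")
    return lines


if __name__ == "__main__":
    for domain, result in analyze(build_sample_log()).items():
        print(domain, result)
```

On the constructed data the steady domain ends at about 2× its earlier average with a single `www` label and raises no flag, while the dormant domain jumps roughly 300× and shows 300 high-entropy labels, tripping both rules. In a real deployment the baseline window and thresholds should be tuned per resolver population, and the entropy check alone is not sufficient, since CDN and tracking hostnames also look random.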

One of the notable cases described in the report was the Pegasus spy campaign, which used two C&C domains that were registered back in 2019 and “woke up” in July 2021. Domains with DGAs played an important role in that campaign, accounting for 23.22% of traffic on activation day, which was 56 times more than normal DNS traffic. A few days later, the traffic reached 42.04%.

(Image: DNS traffic)

The researchers also describe other examples, including phishing campaigns, where DGA subdomains were used as masking layers to direct visitors and crawlers to either legitimate sites or phishing pages.

Experts conclude that legacy domains are commonly used by serious hacker groups with long-term plans. Such attackers often use DGAs to exfiltrate data through DNS traffic, to operate proxies, or to imitate brand-name domains (cybersquatting).

Let me remind you that we previously reported that Meta sued the operators of 39,000 phishing sites, and that Ukrainian cyberpolice neutralized one of the world’s largest phishing services.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
