Threats like phishing and spam are often linked to specific domains, and understanding how to spot these domains can help to strengthen threat intelligence.
Domain name and DNS-based predictive threat intelligence company DomainTools has used its database of more than 380 million currently-registered domains to identify which are likely to constitute threats.
It identifies known-bad sites by checking the domain names against several well-known industry blocklists along with a count of malicious domains hosted. It also uses a ‘signal strength’ measure based on the populations of known-bad domains sharing a characteristic.
Among the findings are that certain top level domains (TLDs) have a poor reputation among the security community. These are largely the newer generic TLDs like .live, .top, and .xyz; more established TLDs like .com and .net, along with established country-code domains like .co.uk and .fr, are not found in the top 10 lists of suspicious sites.
As well as domains, the report looks at IP geolocations. Although there are high numbers of malicious domains hosted in Russia and the United States, relative to the total numbers of domains registered in these locations they’re not especially strongly represented. On the other hand, locations like Hong Kong and the Seychelles have high numbers of suspicious domains relative to their totals.
Likewise, certain domain registrars and certificate authorities also exhibit higher levels of sites engaging in malicious activity.
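As an added illustration (not DomainTools' code or its actual formula), the Python below computes an assumed "signal strength" as the lift of a group's malicious rate over the overall rate, for any shared characteristic (country, TLD, or a registrar field if present), and contrasts it with a plain count ranking over a constructed sample; the `Domain` record, the `SAMPLE` figures, and the minimum-population cutoff are all assumptions.

```python
from collections import defaultdict, namedtuple

Domain = namedtuple("Domain", "name tld country malicious")

# Constructed sample: (country, tld, registered_total, on_blocklist) expanded
# into one record per domain. The counts are invented for illustration and are
# not figures from the report.
_CONSTRUCTED = [("US", "com", 12, 5), ("RU", "com", 9, 4), ("HK", "top", 5, 3),
                ("SC", "live", 2, 2), ("FR", "fr", 3, 0)]
SAMPLE = [Domain(f"{c.lower()}-{i}.{tld}", tld, c, i < bad)
          for c, tld, total, bad in _CONSTRUCTED for i in range(total)]


def group_counts(records, attr):
    """Return {value: (malicious, total)} for the characteristic `attr`."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[getattr(r, attr)][1] += 1
        if r.malicious:
            counts[getattr(r, attr)][0] += 1
    return {k: tuple(v) for k, v in counts.items()}


def rank_by_count(records, attr):
    """Absolute view: which values host the most known-bad domains."""
    counts = group_counts(records, attr)
    return sorted(counts, key=lambda k: (-counts[k][0], k))


def signal_strength(records, attr, min_total=3):
    """Relative view: each value's malicious rate divided by the overall
    malicious rate (lift > 1 means over-represented). Values with fewer than
    `min_total` domains are dropped, since a rate from a handful of domains
    is noise rather than signal."""
    counts = group_counts(records, attr)
    bad_all = sum(b for b, _ in counts.values())
    total_all = sum(t for _, t in counts.values())
    base_rate = bad_all / total_all
    return {k: round((b / t) / base_rate, 3)
            for k, (b, t) in counts.items() if t >= min_total}


def rank_by_signal(records, attr, min_total=3):
    """Values ordered by lift, highest first."""
    lift = signal_strength(records, attr, min_total)
    return sorted(lift, key=lambda k: (-lift[k], k))


if __name__ == "__main__":
    print("by count :", rank_by_count(SAMPLE, "country"))
    print("by signal:", rank_by_signal(SAMPLE, "country"))
```

On the sample, the count ranking puts the US first while the lift ranking puts Hong Kong first, mirroring the report's absolute-versus-relative distinction; the Seychelles group is dropped by the cutoff until `min_total` is lowered.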
Putting all of this together, DomainTools researchers were able to identify ‘hotspots’ of malicious activity across the internet. This is designed to help point investigators and researchers toward forensic data points that will be useful in spotting and combating threats.
The full report is available from the DomainTools site.