A malicious domain is intentionally registered to engage in technical and/or content abuse. A domain is generally flagged as malicious if it is reported a very short time after registration, contains a brand name or misleading string, or is one of many registered in a batch. PhishLabs analyzed 100,000 phishing sites from December 2020 to February 2021 and found that over 38% used compromised websites, 37% abused free hosting services, and only 24% used maliciously registered domain names. The shorter the time between a domain's registration and its use, the more likely the phishing site was maliciously registered. On average, VirusTotal shows 276K malicious URLs per week, roughly half of which are newly observed.
Distinguishing between Compromised and Malicious Domains
It is important to distinguish between compromised and malicious domains because compromised domains are reported to domain owners or hosting providers, whereas malicious domains are handled by registrars and registries. A malicious domain could be blocked permanently by the registry or registrar, while a compromised site could be blocked temporarily at the subdomain level. COMAR is a recently developed approach for differentiating between compromised and maliciously registered domains; it complements the domain reputation systems already in use. The approach rests on a thorough analysis of the domain life cycle: each stage of the life cycle is examined to determine which of the 38 candidate features it contributes.
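As an added example (not code from the original article or from COMAR), the following triage routine applies the three registration-time signals listed above (short registration-to-report window, brand string in the registered label, batch registration by one account) and routes each report to the party the text names for that class of domain. The field names, thresholds, brand watchlist and sample reports are assumptions chosen for illustration.

```python
# Added example: heuristic triage of abuse reports into malicious-registration
# vs compromised-site cases. Field names, thresholds and watchlist are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

BRAND_WATCHLIST = ("paypal", "microsoft")  # constructed watchlist (assumption)

@dataclass
class AbuseReport:
    domain: str
    registered: datetime   # creation date from WHOIS/RDAP (assumed already parsed)
    reported: datetime     # time the abuse report arrived
    registrant_key: str    # constructed: registrant/registrar-account hash, used to spot batches

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'old-blog' for 'shop.old-blog.example'.
    Naive: ignores multi-label public suffixes such as co.uk."""
    return domain.lower().strip(".").split(".")[-2]

def classify(r: AbuseReport, batch_sizes: Counter,
             max_age: timedelta = timedelta(days=7), batch_threshold: int = 5):
    """Return (verdict, reasons); any single signal is enough for 'malicious'."""
    reasons = []
    if r.reported - r.registered <= max_age:
        reasons.append("reported within %d days of registration" % max_age.days)
    if any(b in registrable_label(r.domain) for b in BRAND_WATCHLIST):
        reasons.append("brand string in registered label")
    if batch_sizes[r.registrant_key] >= batch_threshold:
        reasons.append("one of %d domains registered by the same account"
                       % batch_sizes[r.registrant_key])
    return ("malicious", reasons) if reasons else ("compromised", ["no registration-time signal"])

def handler_for(verdict: str) -> str:
    # malicious registrations go to the registrar/registry; compromised sites to owner/host
    return "registrar/registry" if verdict == "malicious" else "domain owner / hosting provider"

def triage(reports):
    # map each domain to (verdict, responsible party, reasons)
    batch_sizes = Counter(r.registrant_key for r in reports)
    out = {}
    for r in reports:
        verdict, reasons = classify(r, batch_sizes)
        out[r.domain] = (verdict, handler_for(verdict), reasons)
    return out

# Constructed sample reports: dates, labels and account keys are made up
SAMPLE = [AbuseReport("login-paypal-verify.example", datetime(2021, 1, 10), datetime(2021, 1, 11), "acct-a"),
          AbuseReport("shop.old-blog.example", datetime(2015, 3, 1), datetime(2021, 1, 11), "acct-b")]
SAMPLE += [AbuseReport("zx%02d.example" % i, datetime(2020, 6, 1), datetime(2021, 1, 11), "acct-c") for i in range(5)]
```

Running `triage(SAMPLE)` flags the brand-lookalike (young and brand-bearing) and the five same-account registrations as malicious registrations for the registrar, and sends the years-old blog subdomain to its owner or host as a compromise.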