Jump to content

Malicious Domain: Difference between revisions

From ICANNWiki
Jessica (talk | contribs)
No edit summary
Jessica (talk | contribs)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
A '''Malicious Domain''' is intentionally registered to engage in [[DNS Abuse|technical and/or content abuse]].A domain is generally flagged as malicious if it is reported a very short time after registration, contains a brand name or misleading string, or is one of many registered in a batch.<ref>[https://www.icann.org/en/system/files/files/presentation-day2a-comar-korczynski-26may21-en.pdf COMAR Presentation, IDS 2021]</ref>
A '''Malicious Domain''' is intentionally registered to engage in [[DNS Abuse|technical and/or content abuse]].A domain is generally flagged as malicious if it is reported a very short time after registration, contains a brand name or misleading string, or is one of many registered in a batch.<ref>[https://www.icann.org/en/system/files/files/presentation-day2a-comar-korczynski-26may21-en.pdf COMAR Presentation, IDS 2021]</ref> PhishLabs analyzed 100,000 phishing sites from December 2020 to February 2021 and found that over 38% used compromised websites, 37% abused free hosting services, and only 24% used maliciously-registered domain names.<ref>[https://www.phishlabs.com/blog/most-phishing-attacks-use-compromised-domains-and-free-hosting/ Most Phishing Attacks Use Compromised Domains or Free Hosting, PhishLabs]</ref> The shorter the time frame between domain registration and the use of the domain, the more likely the phishing site was maliciously registered. On average, VirusTotal shows 276K malicious URLs per week, roughly half of which are newly observed.<ref>[https://nabeelxy.medium.com/compromised-vs-45bfaff68f66 Nabeel, Building Machine Learning Models to Identify Malicious Hosting Types]</ref>
==Distinguishing between Compromised and Malicious Domains==
It's important to distinguish between [[Compromised Domain|compromised]] and malicious domains because compromised domains are reported to domain owners or hosting providers whereas attack domains are handled by registrars and registries. A malicious domain could be blocked permanently by the registry or registrar while a compromised subdomain could be blocked temporarily at the subdomain level.
[[COMAR]] is a recently developed approach to differentiate between compromised and maliciously registered domains. It complements the domain reputation systems already in use. The approach is based on a thorough analysis of the domain life cycle to determine the relationship between each step and define each of its associated features out of 38 possible ones.<ref>[https://ieeexplore.ieee.org/document/9230367 COMAR: Classification of Compromised versus Maliciously Registered Domains, IEEE September 2020]</ref>
==References==


==References==
[[Category:DNS Abuse]]

Latest revision as of 21:41, 2 March 2022

A Malicious Domain is intentionally registered to engage in technical and/or content abuse.A domain is generally flagged as malicious if it is reported a very short time after registration, contains a brand name or misleading string, or is one of many registered in a batch.[1] PhishLabs analyzed 100,000 phishing sites from December 2020 to February 2021 and found that over 38% used compromised websites, 37% abused free hosting services, and only 24% used maliciously-registered domain names.[2] The shorter the time frame between domain registration and the use of the domain, the more likely the phishing site was maliciously registered. On average, VirusTotal shows 276K malicious URLs per week, roughly half of which are newly observed.[3]

Distinguishing between Compromised and Malicious Domains

It's important to distinguish between compromised and malicious domains because compromised domains are reported to domain owners or hosting providers whereas attack domains are handled by registrars and registries. A malicious domain could be blocked permanently by the registry or registrar while a compromised subdomain could be blocked temporarily at the subdomain level. COMAR is a recently developed approach to differentiate between compromised and maliciously registered domains. It complements the domain reputation systems already in use. The approach is based on a thorough analysis of the domain life cycle to determine the relationship between each step and define each of its associated features out of 38 possible ones.[4]

References