Akamai flagged 79M domains as malicious in the first half of 2022

Lox
Akamai researchers have flagged almost 79 million domains as malicious in the first half of 2022, based on a newly observed domain dataset. This equals approximately 13 million malicious domains per month, and represents 20.1% of all the NODs that successfully resolved.

To get an idea of what the NOD dataset actually looks like, Figure 1 shows a random sample from March 3, 2022.

The views expressed on this page by users and staff are their own, not those of NamePros.
Even the way these domain names sound is malicious! Thanks for the input, and the important insight on these NODs.
This is so concerning. Most of the time malicious or untrustworthy domains are those whose names are not well thought out and are just a jumble of numbers and letters.
This is so concerning. Most of the time malicious or untrustworthy domains are those whose names are not well thought out and are just a jumble of numbers and letters.
I never understood why there were so many of these "mumbo jumbo" domains up for sale on the marketplaces, sometimes for ridiculous prices. Apparently, they have a usefulness that is not admirable.
I never understood why there were so many of these "mumbo jumbo" domains up for sale on the marketplaces, sometimes for ridiculous prices. Apparently, they have a usefulness that is not admirable.
While I do agree that a lot of domains that are listed on marketplaces are of junk quality, the Akamai article referenced by @Lox is not about domains listed on marketplaces, it's about monitoring newly observed domains (NODs).
While I do agree that a lot of domains on marketplaces are of junk quality, the Akamai article referenced by @Lox is not about domains listed on marketplaces, it's about monitoring newly observed domains (NODs).
Point well taken. But I wonder if many of these end up on the marketplaces. Hopefully, they are screened out before then?
Point well taken. But I wonder if many of these end up on the marketplaces. Hopefully, they are screened out before then?
Yes, these weird-looking domains have other, evil, purposes.
I never understood why there were so many of these "mumbo jumbo" domains up for sale on the marketplaces, sometimes for ridiculous prices. Apparently, they have a usefulness that is not admirable.
They may often be used for some black hat SEO (gaming search engine algos, really). They are registered automatically by bots (this explains why they are named like this), and a whole bunch of links and automated content is created on them. The end purpose is to rank some websites on the first page of search results.

The prices these domains are sometimes bought for are due to some remaining SEO characteristics that make them appealing. Although by the time they are dropped, they have often been flagged by most search engines. They're not that useful anymore. But many buyers don't realize that. They just see some metrics on certain tools.
Are the domains actually malicious? Or are they classed as malicious because they are newly registered? I'll read it, just lazy right now.
Thanks for the link. Unfortunately, the answer doesn't seem totally straightforward to me. At the beginning, it seems it is:
by malicious, it means, a domain name that resolves to a destination that's intended to phish, spread or control malware, or cause some other online harm

Except the "intended", which seems to be the key. When you continue reading, they are saying they flag them according to the name, and it seems they already flag them by expecting they will be used maliciously in the future but probably aren't today:
[Note: talking malicious use] you don't want those domains to be easily guessed and blocked by, say, network security filters. So you have an algorithm that generates a deterministic series of domains, registers them, and your malware or phishing operation out in the wild can predict the domains they need to use at a given moment and connect to them

One method used seems to be solely based on the name:
For one approach, it looks at a list of known domain generation algorithms (DGAs)
DGA domains are often used by cybercriminals [..]

I understand they flag the name if they believe it has been generated by an algo they recognize. Because that algo is "often" used by cybercriminals. In the article, it is claimed it's very accurate, but without really explaining how they determine that. It almost sounds like they claim it's accurate, so it's proof it is.

@Sam78 Fair question. Not JUST because it's newly registered. But newly registered + a certain kind of naming, yeah, that seems enough to be flagged.
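As an added illustration (not code from the Akamai article or from anyone in this thread) of what a purely name-based DGA check does and where it goes wrong, here is a small heuristic scorer run over a constructed sample of newly observed domains; the thresholds are assumptions, and the flagging of rhythms.com plus the miss on ofuneqapewij.net show why the accuracy question raised above is a fair one.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample of newly observed domains (not Akamai's data): five
# ordinary names, four DGA-looking names, and one "pronounceable" DGA-style name.
SAMPLE_NODS = [
    "example-bakery.com", "northwindtraders.net", "myphotoblog.org",
    "ok-coffee-shop.com", "rhythms.com",
    "xk3j9qzv7w.com", "qwpzmrtvbn.net", "a1b2c3d4e5f6.info",
    "dlkjfhsdkjfh.biz", "ofuneqapewij.net",
]

def second_level_label(domain):
    # Assumes a single-label TLD such as ".com"; ".co.uk" would need a public-suffix list.
    return domain.lower().rstrip(".").split(".")[-2]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def name_features(label):
    # Classic lexical DGA features: vowel ratio, digit ratio, longest consonant run, entropy.
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in VOWELS for ch in letters)
    digits = sum(ch.isdigit() for ch in label)
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "digit_ratio": digits / len(label),
        "consonant_run": longest,
    }

def looks_like_dga(domain):
    # Thresholds are assumptions chosen for this example, not Akamai's.
    f = name_features(second_level_label(domain))
    return (f["vowel_ratio"] < 0.2 or f["digit_ratio"] >= 0.4
            or f["consonant_run"] >= 5
            or (f["length"] >= 12 and f["entropy"] >= 3.5))

def flag_rate(domains):
    # Returns the flagged names and the fraction flagged, the figure Akamai reports as 20.1%.
    flagged = [d for d in domains if looks_like_dga(d)]
    return flagged, len(flagged) / len(domains)

if __name__ == "__main__":
    flagged, rate = flag_rate(SAMPLE_NODS)
    print(f"{len(flagged)}/{len(SAMPLE_NODS)} flagged ({rate:.0%}):", flagged)
```

On this sample the rule flags 5 of 10 names, including the legitimate word rhythms.com, while missing the vowel-rich ofuneqapewij.net; that gap is why matching against known DGA families, as the article describes, rather than lexical statistics alone, matters.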
Thank you. I'm not able to elaborate on exactly when a domain name qualifies for flagging on this forum, but I think the following papers do answer some of your open questions.

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf

http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf

https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/