
Akamai flagged 79M domains as malicious in the first half of 2022

Lox

Akamai researchers have flagged almost 79 million domains as malicious in the first half of 2022, based on a newly observed domain dataset. This equals approximately 13 million malicious domains per month, and represents 20.1% of all the NODs that successfully resolved.

To get an idea of what the NOD dataset actually looks like, Figure 1 shows a random sample from March 3, 2022.



•••
Even the way these domain names sound is malicious! Thanks for the input, and the important insight on these NODs.
•••
This is so concerning. Most of the time, malicious or untrustworthy domains are those whose names are not well thought out and are just a jumble of numbers and letters.
•••
I never understood why there were so many of these "mumbo jumbo" domains up for sale on the marketplaces, sometimes for ridiculous prices. Apparently, they have a usefulness that is not admirable.
•••
While I do agree that a lot of domains that are listed on marketplaces are of junk quality, the Akamai article referenced by @Lox is not about domains listed on marketplaces, it's about monitoring newly observed domains (NODs).
•••
Point well taken. But I wonder if many of these end up on the marketplaces. Hopefully, they are screened out before then?
•••
Yes, these weird looking domains have other, evil, purposes.
•••
They may often be used to do some black hat SEO (gaming search engine algos, really). They are registered automatically by bots (this explains why they are named like this), and a whole bunch of links and automated content is created on them. The end purpose is to rank some websites on the first page of search results.

The price these domains are sometimes bought for is due to some remaining SEO characteristics which make them appealing. Although by the time they are dropped, they have often been flagged by most search engines. They're not that useful anymore. But many buyers don't realize that. They just see some metrics on certain tools.
•••
Are the domains actually malicious? Or are they classed as malicious because they are newly registered? I'll read; just lazy right now.
•••
Thanks for the link. Unfortunately, the answer doesn't seem totally straightforward to me. At the beginning, it seems it is:
by malicious, it means, a domain name that resolves to a destination that's intended to phish, spread or control malware, or cause some other online harm

Except the "intended", which seems to be the key. When you continue reading, they are saying they flag them according to the name, and it seems they already flag them by expecting they will be used maliciously in the future but probably aren't today:
[Note: talking malicious use] you don't want those domains to be easily guessed and blocked by, say, network security filters. So you have an algorithm that generates a deterministic series of domains, registers them, and your malware or phishing operation out in the wild can predict the domains they need to use at a given moment and connect to them

One method used seems to be solely based on the name:
For one approach, it looks at a list of known domain generation algorithms (DGAs)
DGA domains are often used by cybercriminals [..]

I understand they flag the name if they believe it has been generated by an algo they recognize. Because that algo is "often" used by cybercriminals. In the article, it is claimed it's very accurate, but without really explaining how they determine that. It almost sounds like they claim it's accurate, so it's proof it is.

@Sam78 Fair question. Not JUST because it's newly registered. But newly registered + a certain kind of naming, yeah, that seems enough to be flagged.
•••
Thank you. I'm not able to elaborate on exactly when a domain name qualifies for flagging on this forum, but I think the following papers do answer some of your open questions.

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_plohmann.pdf

http://faculty.washington.edu/mdecock/papers/mpereira2018a.pdf

https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/
•••
Malware that operates this way will generate obscure domain names in a deterministic manner--domains that nobody in their right mind would ever register; they seem like a mishmash of random letters and numbers.

When security researchers examine the malware, they reverse engineer the algorithm that the malware uses. Each piece of malware will use a different algorithm. The algorithm determines which domain name that malware will contact on a given date and time. By plugging future dates and times into the algorithm, the researchers can determine which domains the malware will attempt to use.

Calling it "very accurate" is an understatement: it's 100% accurate. These aren't complex, ambiguous algorithms; they're just simple mathematical processes that generate predictable strings of letters and numbers given the current date as input. If you're registering one of these domains, you're either a security researcher or the author of the malware. Or you let a cat walk on your keyboard and handregged the resulting text.
•••
I'd like to add that not all these algo domains are created based on date. Some use external inputs (like trending Twitter hashtags, news headlines, or blockchain data). Those are harder to predict perfectly. Some malware families use simple math-based DGAs that are easy to reverse engineer, and others use more complex or obfuscated logic. And there are some attackers that register domains that look normal to avoid detection.

Matsnu used a dictionary-based algorithm, combining words from a predefined list to form domains. The generated domains blend in with legitimate domains. See https://link.springer.com/chapter/10.1007/978-3-030-65411-5_7
•••
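The two DGA flavours described in the last two posts (a date-seeded algorithm whose future output a researcher can pre-compute, and a dictionary-based one whose names blend in with ordinary domains) are easy to see in code. The script below is an added example written for this thread; it is not Akamai's logic and not the algorithm of Matsnu or any other real malware family. The hash-based and word-list constructions, the word list itself and the NOD sample are all constructed for illustration. The defender side is the interesting part: once the algorithm is known, every domain for the next week can be enumerated into a blocklist and matched against a newly-observed-domain feed before the malware ever contacts them.

```python
"""Toy DGA simulation for defenders (added example; not Akamai's or any real
malware's algorithm). Both functions are deterministic in the date, which is
exactly why a reversed DGA lets researchers predict future domains."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "info")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
# Constructed word list; a real dictionary DGA embeds hundreds of words.
WORDS = ("secure", "cloud", "update", "portal", "account", "service", "login", "mail")


def hash_dga(day: date, count: int = 3, length: int = 12) -> list[str]:
    """Date-seeded DGA: the i-th domain for a day is derived from SHA-256(date, i).
    The output is the "mishmash of random letters and numbers" style."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def dictionary_dga(day: date, count: int = 3) -> list[str]:
    """Dictionary DGA: two words picked by a date-derived value and glued
    together, so the result looks like a plausible brandable name."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"dict:{day.isoformat()}:{i}".encode()).digest()
        w1 = WORDS[digest[0] % len(WORDS)]
        w2 = WORDS[digest[1] % len(WORDS)]
        out.append(f"{w1}{w2}.{TLDS[digest[2] % len(TLDS)]}")
    return out


def predicted_blocklist(start: date, days: int) -> set[str]:
    """Defender view: with the algorithm in hand, enumerate every domain the
    malware could contact during the next `days` days (both flavours)."""
    block: set[str] = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        block.update(hash_dga(day))
        block.update(dictionary_dga(day))
    return block


def flag_nod_sample(nod_domains, blocklist) -> list[str]:
    """Return the subset of a NOD feed that matches the predicted DGA output."""
    return sorted(d for d in nod_domains if d.lower() in blocklist)


if __name__ == "__main__":
    start = date(2022, 3, 3)  # the day of Akamai's Figure 1 sample
    block = predicted_blocklist(start, 7)
    # Constructed NOD sample: two DGA domains mixed with ordinary-looking names.
    sample = ["example-shop.com", hash_dga(start)[0], "news-today.net",
              dictionary_dga(start + timedelta(days=2))[1]]
    print(len(block), "predicted domains; flagged:", flag_nod_sample(sample, block))
```

Note that the dictionary flavour is only as large as its word list (8 words here, so 64 two-word combinations per TLD), which is why registrars and feeds like NOD see these names repeat; a hash-based DGA, by contrast, never repeats in practice, and the only defence is having reversed the algorithm.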
matsnu-malwareid-technical-brief.pdf.png

(etc)
•••
DGA Table.png
•••
In general, bulk domain registrations are a major indicator of abuse. Farsight's Newly Observed Domains (NOD) feed, now integrated with DomainTools, monitors them because attackers frequently register large batches to support phishing, spam, and botnet infrastructure. Blocking or sinkholing these domains can neutralize threats before they activate. Still, it's worth noting that domain investors also engage in bulk registrations, but for legitimate business reasons rather than malicious intent (I hope).
•••
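Two of the cheap signals the thread keeps coming back to, a name that is "just a jumble of numbers and letters" and a burst of bulk registrations on the same infrastructure, can be run over a NOD-style feed together. The script below is an added example for this thread, not Farsight's, DomainTools' or Akamai's scoring. The feed lines, the thresholds and the name-server names are constructed. It also shows the caveat raised a few posts up: the dictionary-style batch looks perfectly ordinary to the lexical check and is only caught because it arrived as a batch.

```python
"""Triage of a constructed newly-observed-domain (NOD) feed (added example;
thresholds and data are illustrative, not any vendor's logic)."""
from collections import defaultdict
from datetime import datetime

# Constructed feed: "<first_seen ISO timestamp> <domain> <authoritative name server>"
NOD_FEED = """\
2022-03-03T10:00:01 brightkitchenware.com ns1.hosting-example.net
2022-03-03T10:00:02 q7x2m9kz4pw1.com ns1.bulkdns-example.net
2022-03-03T10:00:02 8hf3kd0sl2qa.net ns1.bulkdns-example.net
2022-03-03T10:00:03 zx91mvp0t3ke.info ns1.bulkdns-example.net
2022-03-03T10:00:03 k3mz8qpx7wb2.com ns1.bulkdns-example.net
2022-03-03T10:00:04 secureportal.com ns1.wordy-example.net
2022-03-03T10:00:04 cloudaccount.net ns1.wordy-example.net
2022-03-03T10:00:05 updateservice.com ns1.wordy-example.net
2022-03-03T10:00:05 mailportal.info ns1.wordy-example.net
2022-03-03T10:41:00 oakandrivercafe.com ns1.hosting-example.net
"""


def max_consonant_run(label: str) -> int:
    """Longest run of characters that are not a vowel (digits count as non-vowels)."""
    best = run = 0
    for ch in label:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def lexical_score(domain: str) -> int:
    """0..3: how much the second-level label looks like a random jumble.
    Pronounceable dictionary names score 0 here, which is the caveat."""
    label = domain.split(".")[0]
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return int(digits > 0.2) + int(vowels < 0.2) + int(max_consonant_run(label) >= 5)


def parse_feed(text: str):
    rows = []
    for line in text.splitlines():
        ts, domain, ns = line.split()
        rows.append((datetime.fromisoformat(ts), domain.lower(), ns.lower()))
    return rows


def bulk_batches(rows, window_seconds: int = 60, min_size: int = 4):
    """Group first-seen events per name server into fixed time windows and keep
    the groups with at least `min_size` domains (a bulk-registration burst)."""
    buckets = defaultdict(list)
    for ts, domain, ns in rows:
        buckets[(ns, int(ts.timestamp()) // window_seconds)].append(domain)
    batches = defaultdict(list)
    for (ns, _), domains in buckets.items():
        if len(domains) >= min_size:
            batches[ns].extend(sorted(domains))
    return dict(batches)


def triage(text: str) -> dict:
    """Map each domain to the list of reasons it was flagged (empty = clean)."""
    rows = parse_feed(text)
    in_batch = {d for doms in bulk_batches(rows).values() for d in doms}
    report = {}
    for _, domain, _ in rows:
        reasons = []
        if lexical_score(domain) >= 2:
            reasons.append("random-looking")
        if domain in in_batch:
            reasons.append("bulk-batch")
        report[domain] = reasons
    return report


if __name__ == "__main__":
    for domain, reasons in triage(NOD_FEED).items():
        print(f"{domain:28} {', '.join(reasons) or 'clean'}")
```

In the sample, the four hash-style names are flagged by both signals, the four word-pair names only by the batch signal, and the two organic registrations by neither; a single bulk registration by a domain investor would also trip the batch signal, which is why a feed like this is a starting point for review rather than an automatic block.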