Palo Alto Networks Shares Latest Advances in Combating Malicious Activity

Cybercriminals often stockpile large numbers of domain names for their fraudulent activities. In research circles, this phenomenon is called "domain stockpiling."

Domain stockpiling poses a significant cybersecurity threat because it allows attackers to build vast networks of phishing and scam sites. These sites often pose as legitimate web resources, misleading users and tricking them into disclosing confidential information such as logins, passwords, bank card details and other personal data.

In addition, stockpiled domains can be used to distribute malware and launch attacks on critical infrastructure. At the same time, tracking and blocking such domains is a serious challenge for defenders, given their sheer number and constant turnover.

To address this problem, Unit 42 of Palo Alto Networks has developed a new method for early detection of malicious domain stockpiling that relies on large datasets and machine learning.

When setting up large numbers of such domains, attackers use various services and scripts to automate and speed up routine actions. That automation typically leaves traces in data sources such as certificate transparency logs and passive DNS (pDNS) data. These traces are what can be used to identify suspicious activity, and this is exactly what the researchers did.

To detect stockpiled domains, Palo Alto Networks specialists developed more than 300 features and processed terabytes of data, including billions of pDNS records and certificates. A knowledge base consisting of millions of both malicious and benign domains was used to train a Random Forest machine learning classifier.
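As an added illustration of the kind of feature engineering described above, the script below (example code, not Unit 42's system or its feature set) derives a handful of per-domain features from constructed passive-DNS observations and certificate-transparency entries: how many other domains resolve to the same address, how many certificates the same issuer logged within an hour of this domain's first certificate, and how quickly a certificate followed the first DNS observation. The record formats, the one-hour burst window and the hand-set weights in `stockpile_score` are all assumptions made for this example; the weights stand in for the trained Random Forest the article mentions.

```python
"""Feature extraction for domain-stockpiling detection from pDNS and CT traces.
Added example; record layouts, features and weights are assumptions, not
Palo Alto Networks' own."""
from collections import defaultdict
from datetime import datetime
import math

# Constructed passive-DNS observations: (domain, rrtype, rdata, first_seen).
PDNS = [
    ("mail-secure-login01.example", "A", "203.0.113.10", "2024-03-01T10:00:00"),
    ("mail-secure-login02.example", "A", "203.0.113.10", "2024-03-01T10:01:00"),
    ("mail-secure-login03.example", "A", "203.0.113.10", "2024-03-01T10:02:00"),
    ("mail-secure-login04.example", "A", "203.0.113.10", "2024-03-01T10:03:00"),
    ("townlibrary.example", "A", "198.51.100.5", "2023-06-12T08:30:00"),
]
# Constructed certificate-transparency entries: (domain, issuer, not_before).
CT = [
    ("mail-secure-login01.example", "Issuer-A", "2024-03-01T10:10:00"),
    ("mail-secure-login02.example", "Issuer-A", "2024-03-01T10:11:00"),
    ("mail-secure-login03.example", "Issuer-A", "2024-03-01T10:12:00"),
    ("mail-secure-login04.example", "Issuer-A", "2024-03-01T10:13:00"),
    ("townlibrary.example", "Issuer-B", "2023-06-14T09:00:00"),
]

BURST_WINDOW_H = 1.0  # assumed: same-issuer certs within one hour form a burst


def shannon_entropy(text):
    """Character entropy of the registrable label (bits per character)."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_indexes(pdns, ct):
    """Index both sources by domain, by resolved IP and by certificate issuer."""
    ips_of, by_ip, first_seen = defaultdict(set), defaultdict(set), {}
    for domain, rrtype, rdata, ts in pdns:
        t = datetime.fromisoformat(ts)
        first_seen[domain] = min(first_seen.get(domain, t), t)
        if rrtype == "A":
            ips_of[domain].add(rdata)
            by_ip[rdata].add(domain)
    first_cert, by_issuer = {}, defaultdict(list)
    for domain, issuer, not_before in ct:
        t = datetime.fromisoformat(not_before)
        if domain not in first_cert or t < first_cert[domain][0]:
            first_cert[domain] = (t, issuer)
        by_issuer[issuer].append((t, domain))
    return ips_of, by_ip, first_seen, first_cert, by_issuer


def extract_features(domain, idx):
    """Compute a small feature vector for one domain from the indexes."""
    ips_of, by_ip, first_seen, first_cert, by_issuer = idx
    label = domain.rsplit(".", 1)[0]
    feats = {
        "label_len": len(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / max(len(label), 1),
        "entropy": shannon_entropy(label),
        # other domains sharing this domain's resolved address(es)
        "ip_siblings": max((len(by_ip[ip]) - 1 for ip in ips_of[domain]), default=0),
        "cert_burst": 0,           # same-issuer certs within the burst window
        "dns_to_cert_hours": None,  # lag from first pDNS sighting to first cert
    }
    if domain in first_cert:
        t0, issuer = first_cert[domain]
        feats["cert_burst"] = sum(
            1 for t, d in by_issuer[issuer]
            if d != domain and abs((t - t0).total_seconds()) <= BURST_WINDOW_H * 3600)
        if domain in first_seen:
            feats["dns_to_cert_hours"] = (t0 - first_seen[domain]).total_seconds() / 3600
    return feats


def stockpile_score(feats):
    """Hand-set weights standing in for the trained classifier (assumption)."""
    score = 2 if feats["ip_siblings"] >= 3 else 0
    score += 2 if feats["cert_burst"] >= 3 else 0
    gap = feats["dns_to_cert_hours"]
    score += 1 if gap is not None and 0 <= gap < 1 else 0
    score += 1 if feats["digit_ratio"] > 0.05 else 0
    return score


def flag_suspicious(pdns, ct, threshold=3):
    """Return the sorted list of domains whose score reaches the threshold."""
    idx = build_indexes(pdns, ct)
    domains = sorted({r[0] for r in pdns} | {r[0] for r in ct})
    return [d for d in domains if stockpile_score(extract_features(d, idx)) >= threshold]


if __name__ == "__main__":
    for d in flag_suspicious(PDNS, CT):
        print("suspicious:", d)
```

Run as a script, it flags the four `mail-secure-login0N.example` domains, which share an address and received same-issuer certificates minutes apart, and leaves `townlibrary.example` alone. In a real pipeline these per-domain vectors, built over billions of records, are what a classifier such as the Random Forest described above would consume.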

The technique was tested over an extended period, and by July of this year Palo Alto specialists had discovered over a million unique malicious domain names with the new system, with tens of thousands more suspicious domains identified daily.

According to their measurements, the new model detected stockpiled domains on average 34 days earlier than the data providers on VirusTotal, a record lead time for the field.

The automated domain classification system protects Palo Alto Networks customers directly, and the company also blocks the identified domains and shares the data with other companies, so risk is reduced for everyone in the industry.

Thanks to automation, Unit 42 researchers have already uncovered numerous campaigns related to phishing, malware distribution and other types of cybercrime, including fraudulent sites that imitate legitimate email services in different countries.

The effectiveness of the approach used at Palo Alto Networks highlights the importance of combining multiple large data sets, such as pDNS and certificate logs, to uncover malicious campaigns.

Researchers will continue to improve their methods of detecting and preventing cyber threats to ensure the best possible protection for both their customers and all participants in cyberspace.