01 Sep Investigative Cybersecurity: The Web’s Most Dangerous Top-Level Domains
How to spot domains that may be weapons of choice by cybercriminals
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Sep. 1, 2019
Here’s a fact that most cybersecurity specialists can appreciate: Remaining cyber-secure hinges a lot on avoiding interactions with malicious domains, whether known or unknown. And that may be the right way to go about staying safe from all kinds of threats.
But like all things, some domains are more harmful than others. To provide insights into the matter, we recently studied 33,000 deemed malicious domains — looking at the most dangerous TLDs (top level domains) we could find as measured by different components affecting domain reputation. Let me explain how we went about it in more detail.
Our Investigative Tool: Domain Reputation API
To determine the reputation of each of the malicious domains in our sample, we used Domain Reputation API, which assesses a domain’s or IP address’s reputation and risk profile with a simple score based on a varied set of data points.
The tool computes a domain or an IP address’s score based on how many Secure Sockets Layer (SSL), mail server, name server, open ports or services, Start of Authority (SOA) record configuration, and potentially dangerous content warnings and issues were triggered, along with if it was recently registered — factors that could indicate its nature and intent.
Results and Findings
Before digging into the results for various components of the score for TLDs in our sample, it’s worth mentioning that our malicious domains were pooled from various sources, including, for example, the DNS-BH — Malware Domain Blocklist by RiskAnalytics and similar blacklists.
These may include false positives: all feeds providing malicious feeds contain domains which have properties suggesting that they are malicious, but in reality, they aren’t. This can result from unattended configuration errors or even on purpose, e.g., if the domain holds a honeypot against some malicious botnet.
In addition, malicious domains frequently change in time. We took a snapshot to gain fresh insight into the structure of these data.
We have found that some TLDs do not have many domains in our sample. Hence, wherever we analyze percentages of affected domains within a TLD, we restrict this analysis to those TLDs where there were at least 100 domains in the sample.
For all these reasons, the findings in this report should be considered as an indication of caution rather than as absolute truth. Nevertheless, they confirm certain facts known in the literature and reveals other trends which would deserve further investigations.
SSL warnings are issued when irregularities are spotted in an SSL certificate, connections, and configuration. Examples of instances when alerts are triggered include the detection of an invalid SSL certificate or SSL vulnerabilities (e.g., the Heartbleed vulnerability protection is disabled, etc.).
An SSL certificate is deemed invalid if:
- The domain name on it doesn’t match the domain name it’s pointing to.
- If the signature on it was issued by an unknown source or it is self-signed and wasn’t validated by a trusted authority.
- It has expired.
- It comes in an incorrect format for the browser used.
Among the TLDs with 100 or more samples, 26 out of 39 were country-code TLDs (ccTLDs), indicative of where the malicious domains were hosted. In most countries, a plausible reason for this could be found in lax hosting policies. In certain cases, however, like those hosted in Australia or Germany, it is more probably due to an evasion tactic. Hosting domains in a country with stricter regulations can increase their chances of fooling victims into accessing them.
The remaining 13 were generic TLDs. Interestingly, these included newly created gTLDs such as .club, .online, .top, .win, .xyz, .bid, and .tech. One reason for this could be the much lower price tags that most of the newly created gTLDs come with. More information about new gTLDs and abuses are explored here.
Mail Server Warnings
Mail server warnings are issued when Domain Name System (DNS) Mail Exchange (MX) records are improperly configured, along with its mail servers.
Common DNS MX record misconfigurations may stem from:
- Lack of an IP address in the A record.
- Using IP addresses instead of hostnames for the CNAME (Alias) and MX records.
- Forgetting the dot (.) at the end of a domain name in the DNS zone file, which simply means “start query from root servers.”
The same set of TLDs that triggered SSL warnings also gave off alerts related to mail server issues with the addition of .gdh, a ccTLD for Hamptonshire. Some 27 of the 40 TLDs were ccTLDs while the remaining 13 were gTLDs, including the same set of newly created gTLDs seen in the SSL Warnings section.
Name Server Warnings
Name server warnings alerts are typically triggered by misconfigurations. As with mail server records, NS records must contain hostnames instead of IP addresses. Should this be not the case, a domain reputation application programming interface (API) issues a warning to the user accessing the site attached to the improperly configured NS.
The same set of TLDs that triggered mail server warnings also gave off alerts related to NS issues. Some 27 of the 40 TLDs were ccTLDs while the remaining 13 were gTLDs.
Open Ports or Services
Leaving ports open on Internet-connected systems is risky in that all ports are rigged with vulnerabilities that cyber attackers can exploit. While some ports are often used as attack entry points, others are used as escape routes.
Over the years, we have seen the following open ports and services abused in attacks:
- Legacy service Telnet on Transmission Control Protocol (TCP) port 23 was fundamentally unsafe from the start. Telnet sends data completely unmasked in clear text, allowing attackers to listen in, watch for credentials, inject commands via man-in-the-middle (MitM) attacks, and ultimately perform remote code execution (RCE) on the affected system.
- TCP/User Datagram Protocol (UDP) port 53 for DNS offers attackers an exit point. Once hackers have obtained what they are looking for, they can use readily available software that turns data into DNS traffic to evade detection. Once the data is out of the network, they simply send it through their specially configured DNS server for translation back to its original form.
- TCP port 80 for the HyperText Transfer Protocol (HTTP), which supports the traffic that Web browsers receive can be used for SQL injections, cross-site request forgeries, cross-site scripting (XSS), and buffer overruns.
These are just three of the many open ports or services that cyber attackers can take advantage of.
Some 26 of the 37 TLDs (missing .gdh, .gq, and .win from the previous lists) were ccTLDs while the remaining 11 were gTLDs, including the same set of newly created gTLDs (except .win). It’s also interesting to point out that the .tech gTLD topped the list. This could be a tactic to make it look like a technology-related site is accessing the target networks.
SOA Record Configuration Issues
Another contributing factor to a domain’s inclusion in a blacklist could be issues regarding its SOA record. Every SOA record must indicate its primary master and secondary servers via serial numbers. Mismatches can cause network access failure.
The same set of TLDs that triggered mail server and NS warnings also alerted us to SOA record configuration issues. Some 27 of the 40 TLDs were ccTLDs while the remaining 13 were gTLDs.
Potentially Dangerous Content
Domain Reputation API was also used to screen domains for malicious content, including ties to harmful sites and hosts, and malware.
The same set of TLDs that triggered mail server and NS warnings and SOA record configuration issues (except .ghd) also alerted us to potentially dangerous content. Some 26 of the 39 TLDs were ccTLDs while the remaining 13 were gTLDs. It’s not surprising for threat actors to use domains with ccTLD extensions as malware hosts as these help them hide their real locations from researchers or law enforcement agents who are hot on their trail.
Recently Registered Domains
Cyber attackers register domains for one-time use as a tried-and-tested evasion tactic. It is, after all, a bad idea for someone on the run from the authorities to keep ties to one place after it has appeared on the good guys’ radar. Besides, every domain spotted with ties to malicious activity is subsequently blocked and so rendered useless.
The same set of TLDs that triggered all other warnings (except .au, .cl, .de, .es, .eu, .fr, .gdh, and .id) were newly registered. Some 18 of the 32 TLDs were ccTLDs while the remaining 14 were gTLDs.
For a cyber attack to work, its perpetrators need a platform to stage it from — a domain in this case. While it’s easy to obtain one and carry fraudulent acts through forged or hacked sites and email accounts, cybersecurity specialists can protect their network by checking for various components affecting domain reputation:
- SSL warnings
- Mail server warnings
- Name server warnings
- Open ports
- SOA records
- Potentially dangerous content
- Recently registered domains
- … and other aspects
The goal of our analysis has been to empirically show that domains deemed malicious often display one or more of these characteristics. Additionally, as shown in the various tables, some TLDs are worth taking a closer look at, as these may be the weapons of choice of attackers for a variety of reasons — ranging from the cost of registering a particular domain extension to its popularity, as well as hosting policies and regulations.
Another takeaway is that continuous access to comprehensive data is essential to combat cybercrime. Organizations with their own security teams or security operations centers (SOCs) can integrate readily available data APIs into their existing systems and solutions. Managed detection and response (MDR) and other managed security service providers (MSSPs) can obtain additional threat information as well from various security intelligence data feeds. Regardless of how a company ensures its network’s safety and integrity — in-house or outsourced — the greater the amount of threat intelligence used, the fewer risks it is exposed to.
IMPORTANT NOTE: Whois XML API is always on the lookout for ingenious ways by which its products can help companies stay safe online. If you are interested in carrying your own investigations, feel free to contact us. We’ll give away free API credits that you can use for your work.
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.