There are more malicious domains online than ever before

Hacker Typing
(Image credit: Shutterstock)

Thousands of new domains are registered everyday so that businesses and individuals can build websites but new research from Palo Alto Networks has revealed that cybercriminals often register malicious domains years before they intend to actually use them.

The cybersecurity firm's Unit 42 first began its research into dormant malicious domains after it was revealed that the threat actors behind 2019's SolarWinds hack used them in their attack. To identify strategically aged domains and monitor their activity, Palo Alto Networks launched a cloud-based detector in September of 2021.

According to the findings of the firm's researchers, 22.3 percent of strategically aged domains pose some form of danger with a small portion being straight-out malicious (3.8%), a majority being suspicious (19%) and some being unsafe for work environments (2%).

The reason cybercriminals and other threat actors let a domain is age is to create a “clean record” so that their domain will be less likely to be blocked. Newly registered domains (NRDs) on the other hand are more likely to be malicious and for this reason, security systems often flag them as suspicious. However, according to Palo Alto Networks, strategically aged domains are three times more likely to be malicious than NRDs.

Detecting malicious domains lying dormant

When a sudden spike in traffic is detected, it's often the case that a strategically aged domain is actually malicious. This is because normal websites typically see their traffic grow gradually from when they're created as more people visit a site after learning about it through word of mouth or advertising.

At the same time, domains that aren't intended for legitimate purposes often have incomplete, cloned or questionable content and usually lack WHOIS registrant details as well. Another sign that a domain was registered and intended to be used at a later time in malicious campaigns is DGA subdomain generation.

For those unfamiliar, DGA or domain generation algorithm is a method used to generate domain names and IP addresses that will serve as command and control (C2) communication points used to evade detection and block lists. Just by examining sites using DGA, Palo Alto Networks' cloud-based detector was able to identify two suspicious domains each day.

During its investigation, the cybersecurity firm discovered a Pegasus spying campaign that used two C2 domains registered in 2019 that finally became active two years later in July of 2021. Palo Alto Networks' researchers also found phishing campaigns that used DGA subdomains as well as wildcard DNS abuse.

We've also highlighted the best web hosting, best endpoint protection software and best malware removal software

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Ransomware
Researchers hijack thousands of backdoors thanks to expired domains
Criminals are abusing top-level government domains across multiple countries
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
Best email services: image of email with one unread message alert
Over 400 million unwanted and malicious emails were received by businesses in 2024
Trojan
Hackers hide malware into website images to go unnoticed
Flags of Iran, China, Russia and North Korea on a wall. China North Korea Iran Russia alliance
Cybercrime is helping fund rogue nations across the world - and it's only going to get worse, Google warns
Latest in Security
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Latest in News
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
Opera AI Tabs
Opera's new AI feature brings order to your browser tab chaos
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode