How to Find Malicious Domains
Cyber criminals use malicious domains for many different purposes and in many different ways. Most often, threat actors will create a brand impersonated website to trick you or your employee into revealing sensitive data that could compromise your business and put your reputation at risk. Such as the example below where different malicious domains impersonating Microsoft were attempting to trick users, most likely corporate employees, into entering their work email credentials, providing threat actors access to the employees email account and initial access to the company network.
With more than 180.000 domains registered globally every single day, finding all the domains with malicious intent on a daily basis is a difficult task to accomplish. Who has time to analyse 180,000 domains every day? Please, feel free to try. Challenge extended.
To help you on your way, here’s some tips on finding malicious domains. Once we’ve gone through that we’ll tell you a secret that will make this problem much easier to handle.
Finding Registered Domains
First of all, where do you even find the 180 thousand new domains?
Every domain is registered under a particular TLD, such as .com or .net. These TLDs are maintained by registry operators, who are responsible for tracking all the registered domains for their TLD. They maintain a master list of all these domains, known as Zone Data, where they list the details necessary to resolve the domain names to Internet Protocol (IP) addresses, including mapping of domain names, associated name server names, and IP addresses for those name servers. Each registry operator keeps its zone data in a text file called the Zone File which is updated once every 24 hours due to changes to the domains, such as new registrations, expirations, and name server record changes.
Example of a zone file mlytics
Gaining Access to Zone Files
Access to these zone files depends on the registry operator. For example, the TLDs, .com and .net are maintained by Verisign. To gain access to the zone files for Verisign’s TLD’s you need to request access via ICANN’s Centralized Zone Data Service (CZDS), where you complete a form and emai it to the registry. It may take a few weeks before your form is approved and your access is granted. Thereafter, you will receive FTP credentials that you can use to download the zone files every day. That was just one registry, time to find the contact details for all the others.
Pff we’re exhausted... You do realise there's an easier way to do this, right?
At Bfore.Ai we already have access to the Zone Files you need from the different registry operators. Additionally, using our PreCrime Technology we are able to sort through the 180.000 newly registered domains and identify which ones have malicious characteristics. Based on this our highly skilled security analysts work to determine their validity and notify our clients, keeping them safe from harm.
If you still want to go it alone, you can read more about analysing domains to determine whether they're malicious or not.
However, if you’re starting to feel like malicious domains are not worth your valuable time and trouble (and we couldn’t agree more), schedule a demo today to learn more about how Bfore.Ai can help your company stop domain brand attacks to defend your reputation.