Thousands of domain names are registered on the Internet every day. Newly registered domain names (NRDs) are used by enterprises and individuals for legitimate purposes, and by threat actors for malicious ones.
What are newly registered domain names?
By definition, a newly registered domain name (NRD) is one that has just been registered. NRDs are also referred to as recently registered domain names.
Enterprises register new domain names for products and new businesses; individuals register them for personal websites, blogs, hobby projects, etc.
Threat actors also register new domain names for malicious activity such as phishing, malware distribution and spam campaigns. Because domain names are cheap, threat actors register new ones freely, often paying with stolen credit cards.
At Shreshta, we detect and curate two NRD lists:
- NRD-1w – The domain names registered in the past week.
- NRD-1m – The domain names registered in the past month.
How threat actors use NRDs
While a recently registered domain name is not malicious by itself, there is ample evidence that threat actors use a significant share of newly registered domain names for malicious purposes.
A report covered by SC Magazine found that 70% of NRDs are malicious.
Threat actors register domain names and use them for:
- Phishing campaigns – Threat actors register look-alike (typosquatting) domain names to lure users to phishing pages. Our recent detection and analysis of an HDFC Bank phishing campaign is a good example.
- Malware command & control (C2) communication – Most malware reaches its C2 server through a domain name, exfiltrating data to it and waiting for commands.
- Malware distribution – Threat actors register domain names that impersonate popular software and brands, then serve malware in place of the legitimate software.
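The typosquatting case above is the one a brand owner can act on directly: screen each day's NRD list for registrable labels that imitate the brands you protect. The following Python is an added example, not code from this page or from Shreshta's products; the brand list, the feed sample, the confusable table and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Screen an NRD feed for look-alike (typosquatting) domains of monitored brands.

Added example; the brand list, feed sample, confusable table and threshold are
constructed for illustration and are not Shreshta's data or code.
"""
from __future__ import annotations

# Brands to protect (constructed). Matching is done on the registrable label only.
MONITORED_BRANDS = ["examplebank", "exampleshop"]

# Constructed NRD-1w sample: one registrable domain per line, as a feed ships it.
NRD_SAMPLE = """\
# registered in the past 7 days (constructed)
examplebank-login.net
exarnplebank.com
examp1ebank.xyz
photos-of-my-cat.org
exampleshop.co.uk
xampleshop.info
freshbakery.com
"""

# Substitutions attackers use because the characters look alike in many fonts.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_label(domain: str) -> str:
    """First label of a registrable domain; feed entries carry no subdomains."""
    return domain.strip().lower().rstrip(".").split(".")[0]


def fold_confusables(label: str) -> str:
    """Map confusable characters back to the ones they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=MONITORED_BRANDS, max_distance: int = 1):
    """Return (brand, reason) if `domain` imitates one of `brands`, else None."""
    label = registrable_label(domain)
    folded = fold_confusables(label)
    stripped = label.replace("-", "").replace("_", "")
    for brand in brands:
        if label == brand:
            return brand, "exact brand label on another TLD"
        if folded != label and folded == brand:
            return brand, "confusable-character substitution"
        # Brand combined with extra tokens, e.g. examplebank-login. Short brand
        # names make this check noisy; keep the list to distinctive names.
        if brand in stripped:
            return brand, "brand embedded with extra tokens"
        distance = levenshtein(folded, brand)
        if distance <= max_distance:
            return brand, f"near-miss (edit distance {distance})"
    return None


def screen_feed(feed_text: str, brands=MONITORED_BRANDS):
    """Run classify() over every feed line; return [(domain, brand, reason)]."""
    hits = []
    for line in feed_text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        verdict = classify(line, brands)
        if verdict:
            hits.append((line, *verdict))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in screen_feed(NRD_SAMPLE):
        print(f"{domain:<28} -> {brand}: {reason}")
```

The checks run from most to least specific (exact label, confusable substitution, brand embedded in a longer label, one-character near-miss), so the reason reported is the strongest one. Raise `max_distance` only for long brand names; at distance 2 a short name matches too many unrelated labels.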
Why monitoring DNS traffic to newly registered domain names is critical
Newly registered domains are a security risk for organisations: they are often used to host phishing, malware and other malicious content, and because they are only days old they rarely appear yet on conventional blocklists.
A recent deployment of our Protective DNS product in a network of more than 50,000 endpoints makes the case for monitoring DNS traffic to newly registered domain names.
Out of the total DNS traffic, 56% was to domain names that had been registered in the past week!
Community access to NRD feeds
For enterprises, detecting DNS traffic to NRDs is critical.
Our NRD dataset can be ingested easily by any SIEM or Protective DNS product on the market.
By monitoring or blocking NRDs, enterprises can greatly reduce the risk posed by them. Blocking every NRD outright also blocks the legitimate new domains noted above, so most deployments alert first and block after review, or exempt known domains on an allow-list. OEMs can also integrate our NRD datasets easily.
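As an added example, not Shreshta's ingestion code, here is how a SIEM rule or a small script can match resolver query logs against the NRD-1w feed. The feed entries, the log lines and their "timestamp client qname qtype" layout are constructed; a real deployment would read the feed file and the resolver's own log format. Matching walks the query name's label suffixes, so a lookup for any subdomain of a listed domain is caught while the match stays anchored at a label boundary.

```python
"""Match DNS query logs against an NRD feed and summarise hits per client.

Added example, not Shreshta's code. The feed contents and the log lines are
constructed; the log format (epoch client qname qtype) is a stand-in for
whatever your resolver or SIEM actually emits.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed NRD-1w feed: one registrable domain per line, comments allowed.
NRD_1W = """\
# newly registered in the past 7 days (constructed sample)
fresh-invoice-portal.xyz
accountverify-center.net
cdn-updates-service.com
"""

# Constructed resolver log lines: "<epoch> <client_ip> <qname> <qtype>".
DNS_LOG = """\
1706745600 10.1.2.3 www.example.com. A
1706745601 10.1.2.3 login.fresh-invoice-portal.xyz. A
1706745602 10.1.2.4 accountverify-center.net. AAAA
1706745603 10.1.2.5 static.cdn-updates-service.com. A
1706745604 10.1.2.3 fresh-invoice-portal.xyz. TXT
this line is not a query record
1706745605 10.1.2.6 mail.example.org. MX
"""


def load_feed(text: str) -> set[str]:
    """Parse a feed into a set of lower-cased registrable domains."""
    feed = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            feed.add(line)
    return feed


def nrd_match(qname: str, feed: set[str]) -> str | None:
    """Return the feed entry that `qname` falls under, or None.

    Walking the label suffixes (a.b.c -> b.c) catches a query for any
    subdomain of a listed domain without needing a public-suffix list:
    feed entries are registrable domains, so only they can match. The
    bare TLD is never tried.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def parse_log_line(line: str):
    """Split one constructed log line; returns None for anything malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qname, qtype = parts
    return int(ts), client, qname, qtype


def scan_log(log_text: str, feed: set[str]):
    """Return (hits, per_client): hits is [(ts, client, qname, nrd)],
    per_client maps a client IP to the set of distinct NRDs it queried."""
    hits = []
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_log_line(line)
        if record is None:
            continue  # malformed or non-query line; count these in production
        ts, client, qname, _qtype = record
        nrd = nrd_match(qname, feed)
        if nrd:
            hits.append((ts, client, qname, nrd))
            per_client[client].add(nrd)
    return hits, dict(per_client)


if __name__ == "__main__":
    hits, per_client = scan_log(DNS_LOG, load_feed(NRD_1W))
    for ts, client, qname, nrd in hits:
        print(f"{ts} {client} queried {qname} (NRD: {nrd})")
    for client, domains in per_client.items():
        print(f"{client}: {len(domains)} distinct NRD(s)")
```

Because the comparison is a suffix walk over whole labels, a name such as `cdn-updates-service.com.evil.example` does not match the listed `cdn-updates-service.com`, which a plain substring check would wrongly flag. The per-client summary is what you would route to an alert: one endpoint resolving several distinct NRDs in a short window is a stronger signal than a single lookup.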
On 1 February 2024, we released two community NRD feeds, which you can access at no cost.
Access to the full NRD feeds
If you are interested in daily access to the full NRD feeds, please email us at email@example.com