24-hour domain name importance

Image: 24-hour phishing domains (Webroot, Threat Report 2017)

This chart is from Webroot's "Threat Report 2017" and its message is clear: 84% of phishing sites live for less than 24 hours. The same pattern applies to domains registered to distribute new malware strains and to domains used in whaling (phishing aimed at senior executives).

Why are the first 24 hours the key period for these criminals, and why do they generally abandon a domain once that period has passed?

It is part of the ongoing cycle of threat and countermeasure between attackers and defenders. When a criminal registers a domain, the zone files that list newly registered domains are published only once per day. Many security vendors assign a negative reputation score to newly registered domains, so traffic involving a very new domain is blocked before it reaches their customers. The reasoning is that the vast majority of new registrations are not put into use by a legitimate business within the first two weeks or so.

The criminals realised, however, that this leaves a gap between the moment a domain is registered and the release of the zone files (the list from which security vendors derive which domains are new). During that window the domain is not yet on any list of new registrations, so age-based reputation scoring cannot catch it. This is why some of the most effective attacks use domains registered within the previous 24 hours.

One approach used to close this gap is a Newly Observed Domains list: a domain is added to a blacklist when it is seen in live traffic but is not yet present in the zone files. This is a good start, but it still leaves two ways to fail: the domain may not have been observed anywhere before you receive the malicious traffic, or, in the case of a whaling email, you may be the only target this particular domain is used against, so nobody else ever observes it.

The Solution

To close this gap we have built a lookup service with which security analysts can check whether a domain was registered between the release of the last list and the current moment, and take automated action on the result. The Email Laundry makes this service free to any organisation up to a limit of 10,000 lookups per day. We call this lookup Newly Existing Domains, or NED for short.
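To make the three signals concrete, here is an added example of the triage logic a mail gateway could run on a sender domain. It is not The Email Laundry's code and does not call the NED service; the domain names, dates, the 14-day threshold and the RDAP-style registration records are all constructed, and `registrable_domain`, `registration_time` and `classify` are names chosen for this illustration. It consults the daily zone file first, then the Newly Observed Domains list, and falls back to a registration-time record for domains neither list knows about, which is the case a registration-time lookup is meant to cover.

```python
"""Domain-age triage for sender domains in inbound mail.

Added illustration, not code from The Email Laundry or its NED service.
All domains, dates, thresholds and the RDAP-style records are constructed.
"""
from datetime import datetime, timedelta, timezone

# Arrival time of the message being checked (constructed).
NOW = datetime(2017, 6, 1, 14, 0, tzinfo=timezone.utc)
# Publication time of today's daily zone-file release (constructed).
ZONE_PUBLISHED = datetime(2017, 6, 1, 0, 0, tzinfo=timezone.utc)
# Domains younger than this are treated as untrusted (the ~2 week window).
MIN_AGE = timedelta(days=14)

# Signal 1: date a domain first appeared in a daily zone file (constructed).
ZONE_FIRST_LISTED = {
    "example.com": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "fresh-listed.example": datetime(2017, 5, 31, tzinfo=timezone.utc),
}

# Signal 2: Newly Observed Domains, seen in live traffic but absent from
# every zone file published so far (constructed).
NEWLY_OBSERVED = {
    "seen-once.example": datetime(2017, 6, 1, 9, 30, tzinfo=timezone.utc),
}

# Signal 3: registration data. The record shape follows RDAP (RFC 9083
# "events" with eventAction/eventDate); the records themselves are
# constructed stand-ins for whatever source a registration lookup uses.
REGISTRATION_RECORDS = {
    "example.com": {"events": [{"eventAction": "registration",
                                "eventDate": "2009-12-20T00:00:00Z"}]},
    "gap.example": {"events": [{"eventAction": "registration",
                                "eventDate": "2017-06-01T08:00:00Z"}]},
}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain.

    Simplification: assumes a single-label public suffix, so
    "www.example.com" becomes "example.com". Production code should use
    the Public Suffix List, or "x.example.co.uk" collapses to "co.uk".
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def registration_time(domain: str, records=REGISTRATION_RECORDS):
    """Return the registration timestamp from an RDAP-style record, or None."""
    record = records.get(domain)
    if record is None:
        return None
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp)
    return None


def classify(host: str, now: datetime = NOW) -> tuple:
    """Return (verdict, reason): "allow", "block", or "unknown" when no
    signal covers the domain (the registration gap, or a domain that does
    not exist at all)."""
    domain = registrable_domain(host)

    # 1. Daily zone file: first listing gives a lower bound on the age.
    if domain in ZONE_FIRST_LISTED:
        age = now - ZONE_FIRST_LISTED[domain]
        if age < MIN_AGE:
            return "block", f"{domain}: in zone files for only {age.days} day(s)"
        return "allow", f"{domain}: in zone files for {age.days} days"

    # 2. Newly Observed Domains: seen in the wild before any zone file had it.
    if domain in NEWLY_OBSERVED:
        seen = NEWLY_OBSERVED[domain]
        return "block", f"{domain}: first observed {seen:%Y-%m-%d %H:%M}, not in any zone file"

    # 3. Registration record: the only signal for a domain registered after
    #    the last zone release and never seen by anyone else.
    registered = registration_time(domain)
    if registered is not None:
        age = now - registered
        if age < MIN_AGE:
            hours = age.total_seconds() / 3600
            return "block", f"{domain}: registered {hours:.0f} h ago (< {MIN_AGE.days} days)"
        return "allow", f"{domain}: registered {age.days} days ago"

    # 4. No signal at all: the gap the page describes, or a non-existent domain.
    return "unknown", f"{domain}: absent from zone file of {ZONE_PUBLISHED:%Y-%m-%d %H:%M}, never observed"


if __name__ == "__main__":
    for host in ("www.example.com", "login.fresh-listed.example",
                 "seen-once.example", "mail.gap.example", "nothing.example"):
        print(*classify(host), sep="  ")
```

The five sample hosts come back as allow, block, block, block and unknown. The last verdict is the case only a registration-time lookup can settle; a gateway should decide explicitly whether to fail open or fail closed on it rather than letting it fall through as "not on any list".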

Just contact us via the form on our Cyber Threat Intelligence Feeds page and we'll help you get set up.

