Visiting a newly registered domain (NRD) is the digital equivalent of picking up a hitchhiker: it might all go smoothly but you could also end up being robbed.
While NRDs can be created for perfectly legitimate reasons, such as hosting a new conference, they are also commonly misused by tricksters spreading malware or attempting to make a quick buck from phishing or other common scams.
A 2018 study by Farsight Security found that on average, 9.3% of NRDs died in their first seven days, with a median lifetime of just four hours and 16 minutes. The study concluded that the vast majority of these short-lived NRDs were used for cybercrime.
General awareness that shiny new domains might pose a threat has led cautious companies to block and/or closely monitor NRDs in enterprise traffic for anywhere from the first few hours after detection up to a week. But with no comprehensive study available on the malicious uses of and threats associated with NRDs, no consensus had been reached on whether such actions are sensible precautions or security overkill.
A study published today by Palo Alto Networks’ threat intelligence arm, Unit 42, indicates that the companies blocking NRDs are onto something.
Out of 1,530 top-level domains analysed by Unit 42, more than 70% turned out to be “malicious,” “suspicious” or “not safe for work.” The study found that NRDs are "often times abused by bad actors for nefarious purposes, including but not limited to C2, malware distribution, phishing, typosquatting, PUP/Adware, and spam."
According to Palo Alto Networks, the safe approach is to block access to NRDs for the first 32 days after they have been registered or have undergone a change in ownership.
A recommendation was also made to block complete top-level domains (TLDs) that are predominantly used by bad actors (the threat kind, not the cast of Hollyoaks). The study calculated the top 15 TLDs with the highest malicious rate on recent NRDs and found the worst three offenders were "to," "ki" and "nf."
The study concludes: "We recommend blocking access to NRDs with URL Filtering. While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, then alerts should be set up for additional visibility."
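The policy the study recommends, written out as an added example (not code from the article or from Unit 42): a domain is treated as an NRD for 32 days after registration or a change of ownership, the three named TLDs are blocked outright, and a non-strict mode alerts instead of blocking. The registration table, the query log lines and the "today" date are constructed for the demonstration; in practice the dates would come from WHOIS/RDAP or a threat-intelligence feed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

NRD_WINDOW_DAYS = 32                 # threshold quoted in the article
HIGH_RISK_TLDS = {"to", "ki", "nf"}  # the three worst offenders named above
TODAY = date(2024, 3, 1)             # constructed evaluation date

@dataclass
class DomainRecord:
    registered: date
    ownership_changed: Optional[date] = None  # last registrant change, if any

# Constructed registration data; these are not real lookups.
RECORDS = {
    "conference-2024.example": DomainRecord(date(2024, 2, 20)),
    "old-brand.example": DomainRecord(date(2015, 6, 1), date(2024, 2, 1)),
    "just-aged.example": DomainRecord(date(2024, 1, 29)),
    "stable.example": DomainRecord(date(2015, 6, 1)),
}

def tld_of(domain: str) -> str:
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def domain_age_days(rec: DomainRecord, today: date) -> int:
    # Age is counted from the later of registration and ownership change,
    # so a long-held domain that just changed hands is an NRD again.
    start = max(rec.registered, rec.ownership_changed or rec.registered)
    return (today - start).days

def classify(domain: str, today: date = TODAY, records=RECORDS, strict=True):
    """Return (action, reason) with action in {"block", "alert", "allow"}."""
    name = domain.lower().rstrip(".")
    tld = tld_of(name)
    if tld in HIGH_RISK_TLDS:
        return "block", f"TLD .{tld} is on the high-risk list"
    rec = records.get(name)
    if rec is None:
        # No registration data: age cannot be established, so surface it.
        return "alert", "no registration data available"
    age = domain_age_days(rec, today)
    if age < NRD_WINDOW_DAYS:
        return ("block" if strict else "alert"), f"NRD: {age} days old"
    return "allow", f"{age} days old"

def evaluate_log(lines, today: date = TODAY, records=RECORDS, strict=True):
    """Apply the policy to log lines of the form '<timestamp> <client> <qname>'."""
    out = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3:
            qname = fields[2]
            out.append((qname,) + classify(qname, today, records, strict))
    return out

# Constructed DNS query log for a quick demonstration.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z 10.0.0.5 conference-2024.example",
    "2024-03-01T09:00:02Z 10.0.0.7 login.example.to",
    "2024-03-01T09:00:03Z 10.0.0.9 stable.example",
]
```

Calling `evaluate_log(SAMPLE_LOG)` blocks the first two queries and allows the third; `just-aged.example` sits exactly on the 32-day boundary and is therefore allowed.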