DNS Abuse Forum - March 16

Home / Industry

Newly Registered Domains List Show Recent Registrations Continue to Pose Cybersecurity Risks

Analysts and researchers have advised to be wary of newly registered domains (NRDs) for several years. Back in 2019, it was even suggested that 70% of new domain registrations are malicious. We keep identifying many suspicious newly registered domains in our Newly Registered & Just Expired Domains database even today, many of which are related to current world events such as the spread of COVID-19.

Since newly registered domains continue to be a threat in 2020, let's recap what they are, the kinds of attacks they are part of, and how monitoring them can be beneficial to various cybersecurity stakeholders.

What Are Newly Registered Domains?

Newly registered domains are those registered or having changed ownership within the past weeks. Domain age is identifiable via WHOIS lookups or by integrating a newly registered domain (NRD) database into Internet-connected platforms and applications. The latter option allows users to skip manual searches for WHOIS records to check if any domain of interest is newly registered.

Attacks That Use Newly Registered Domains

Cyber attackers make it a point to avoid detection and blocking to succeed. And if their malware or exploits get discovered, they, of course, don't want to be identified as perpetrators. These are the reasons why they use newly registered domains in their attacks, such as:

1. Spam and Phishing Campaigns

These days, users get tons of COVID-19-related emails supposedly from reputable organizations giving updates, soliciting donations, spreading awareness about government subsidies or aid, or even supposedly following up on business proposals.

What most may not know is that the links embedded in these messages don't belong to the institutions the senders claim to be from. And more often than not, the domains where the pages reside are newly registered and malicious.

2. Malware Attacks

Malware operators, including ransomware creators, often distribute their malicious wares via newly registered domains, too. This approach allows them to successfully infiltrate even protected target networks because the domains they use have yet to appear in blacklists.

In light of these and other attacks involving recent domain registrations, integrating NRD lists into existing solutions and systems can help lessen the chances of yet unknown threat vectors bypassing security perimeters.

Who Can Benefit from Newly Registered Domains List Integration?

Three types of enterprise users can especially benefit from NRD database integration, namely:

1. Security Solution Providers

Security software manufacturers can integrate an NRD database into their offerings so these can at least alert users to newly registered domains that are attempting to communicate with their protected systems.

2. Internal Security Teams

Dedicated security or security operations centers (SOCs) personnel can incorporate newly registered domain filtering into their security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms so they can watch out for signs of malicious activity coming from these potential attack vectors.

3. External Security Providers

Managed security service providers (MSSPs) and other third-party security providers can also add an newly registered domains list to their threat sources to screen on behalf of clients. The database can serve as an additional source of threat intelligence so they can more effectively ward off attempts and attacks directed at their customers' networks.

How Can Newly Registered Domains Database Integration Ward Off Threats?

Organizations that want to improve their cyber resilience can follow the steps indicated in this post to benefit from the Newly Registered & Just Expired Domains Database. With its help, they can keep an eye out for and prevent further damage from threats that use newly registered domains as entry points.

Let's take a look at a concrete example. We downloaded the NRD data feed containing .com domains dated 25 March 2020. We found the domain money4corona[.]com on it, along with 126,157 other recently added .com domains to the Domain Name System (DNS) space.

Users in search of either financial relief from the effects of community quarantines or a means to donate to coronavirus-related movements can end up fooled by the said domain. What they may not know, however, is that it could cause their computers harm as money4corona[.]com has been reported a phishing site on VirusTotal.

There are many more potentially dangerous domains included in the data feed. But this example highlights the importance of monitoring newly registered domains as users won't know for sure if they are trustworthy or not without further scrutiny.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex

Domain Names

Sponsored byVerisign


Sponsored byVerisign

DNS Security

Sponsored byAfilias

Threat Intelligence

Sponsored byWhoisXML API