Cybercriminals flood internet with over a thousand malicious domains daily


Each day, hackers create over a thousand malicious domains that are used to deliver spam, run phishing campaigns, host malware, and support other cyberattacks, a new report by DomainTools has revealed.

In 2024, over 106 million new domains (website addresses) were observed for the first time. That means approximately 289,000 websites are being created daily.

How many of them are malicious? Only a very small percentage, and that makes rapid identification challenging for security teams.


Hackers created over 1,000 new malicious websites every day, with spikes reaching 2,500, according to a report by DomainTools, a threat intelligence firm specializing in Whois and other DNS profile data.

The analysis reveals “a clear upward trend” in both total numbers of new domains and likely malicious domains.

Malicious domains encompass infrastructure utilized by both nation-state-sponsored Advanced Persistent Threat (APT) groups and cybercrime operations.

“Their uses are diverse and harmful, including hosting websites designed for malware delivery and credential harvesting, serving as Command and Control servers to manage compromised systems, functioning as relay and obfuscation networks to hide malicious activity, operating as part of botnets for large-scale attacks, and facilitating phishing campaigns to deceive users,” the report reads.

In total, 380,000 new domains were flagged as “threat indicator domains,” meaning that they are likely malicious. The security firm also tracks around five million top-level domains with a high risk of hosting malware or phishing lures, delivering spam, or contributing to other attacks.

Certain habits of hackers

Publicly documented threats show some repeating patterns. Hackers have preferred registrars, internet service providers, name servers, and SSL issuers, and these combinations often help researchers identify elevated risk.

The most-used registrar is Namecheap, which accounts for over 10% of malicious domains. It is followed by Namesilo, Realtime, GoDaddy.com, Dynadot, and Gname.com, each with over 5%.


“The disproportionate use of certain providers may indicate preferred platforms for malicious actors or those offering easier account setup,” DomainTools said.

“It could also reflect user preferences, ease of configuration, or even ineffective or easily undermined fraudulent account and abuse mitigations within those platforms, enabling malicious actors to continue operating with impunity.”

Cloudflare infrastructure dominates the lists as hackers' top choice for domain parking, DNS resolution, and content delivery. Amazon follows closely, as threat actors leverage legitimate cloud services. For SSL, the most abused issuers were WE1, R11, and R10.

While registrars remain legally responsible for the service, they face ongoing challenges in mitigating malicious domain registrations, and the complex nature of internet infrastructure obscures clear lines of responsibility.


“The sheer volume of domain registrations makes proactive enforcement an extremely difficult task, rather than a matter of policy deficiency,” the researchers said.

Malicious domain names often include specific keywords to appear legitimate. For credential harvesting, hackers most often use login, signin, sso, mfa, 2fa, verify, account, access, portal, webmail, mail, and similar keywords.

Common malware delivery domain names include update, verify, download, install, file, document, latest, down, cdn, sync, vpn, flash, run, patch, new, critical, urgent, alert, version, etc.

Similarly, scam, fraud, and financial theft domains are named with keywords such as phishing, fraud, scam, fake, spoof, clone, duplicate, airdrop, pre-sale, virus, malware, lottery, sweepstakes, crypto, bitcoin, ethereum, investment, profit, guaranteed, cash, money, funds, transfer, wallet, recovery, unlock, bypass, unblock, or token.
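As an added example (not code from the report or from DomainTools), the following Python screener checks newly observed domain names against the three keyword lists above; the category names, the substring-length cut-off, the tokenizer and the sample domains are this example's own assumptions.

```python
import re

# Keyword lists as given in the DomainTools report; category names are assumed.
KEYWORDS = {
    "credential_harvesting": ["login", "signin", "sso", "mfa", "2fa", "verify", "account",
                              "access", "portal", "webmail", "mail"],
    "malware_delivery": ["update", "verify", "download", "install", "file", "document",
                         "latest", "down", "cdn", "sync", "vpn", "flash", "run", "patch",
                         "new", "critical", "urgent", "alert", "version"],
    "scam_fraud": ["phishing", "fraud", "scam", "fake", "spoof", "clone", "duplicate",
                   "airdrop", "pre-sale", "virus", "malware", "lottery", "sweepstakes",
                   "crypto", "bitcoin", "ethereum", "investment", "profit", "guaranteed",
                   "cash", "money", "funds", "transfer", "wallet", "recovery", "unlock",
                   "bypass", "unblock", "token"],
}
# Substring matching (for names that glue words together, e.g. "criticalupdate") is only
# tried for longer keywords: "run", "new" or "down" sit inside many benign words ("brownie").
MIN_SUBSTRING_LEN = 6

def _labels(domain):
    """Lower-case the name and drop the last (TLD) label. Crude: multi-part public
    suffixes such as co.uk are not handled (assumption for this example)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[:-1] if len(parts) > 1 else parts

def analyse_domain(domain):
    """Return {category: sorted matched keywords} for one domain name."""
    labels = _labels(domain)
    tokens = {t for lbl in labels for t in re.split(r"[-_]+", lbl) if t}
    squashed = "".join(labels).replace("-", "").replace("_", "")
    hits = {}
    for category, words in KEYWORDS.items():
        found = set()
        for kw in words:
            flat = kw.replace("-", "")            # "pre-sale" -> "presale"
            if kw in tokens or flat in tokens:
                found.add(kw)
            elif len(flat) >= MIN_SUBSTRING_LEN and flat in squashed:
                found.add(kw)                     # may false-positive on e.g. "accessories"
        if found:
            hits[category] = sorted(found)
    return hits

def risk_score(domain):
    """Distinct keyword hits across categories ("verify" is in two lists, counts once)."""
    return len({kw for kws in analyse_domain(domain).values() for kw in kws})

def screen(domains, threshold=2):
    """(domain, hits) pairs whose score reaches the threshold, highest score first."""
    flagged = [(d, analyse_domain(d)) for d in domains if risk_score(d) >= threshold]
    return sorted(flagged, key=lambda pair: -risk_score(pair[0]))

# Constructed sample of "newly observed" names; none of these is from the report.
SAMPLE_NRD = ["secure-login-verify-account.example", "criticalupdate-download.example",
              "crypto-airdrop-wallet-recovery.example", "brownie-recipes.example",
              "newton-physics.example"]

if __name__ == "__main__":
    for domain, hits in screen(SAMPLE_NRD):
        print(f"{risk_score(domain):2d}  {domain}  {hits}")
```

Keyword hits are a triage signal to combine with registrar, name server and certificate-issuer data, not a verdict on their own.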

Hackers also exploit high-profile events to launch campaigns related to elections, natural disasters, technological disruptions, social movements, and others. Generative AI and elections were some of the most abused topics last year.
