Jonathan Zhang

CEO of threatintelligenceplatform.com & whoisxmlapi.com, infosec thought leader and adviser

Domain Monitoring: Combatting Threats Brought by New gTLDs

When the Internet Corporation for Assigned Names and Numbers (ICANN) opened up the new generic top-level domains (gTLDs), attackers rode along: the new extensions gave them fresh namespaces in which their domains were harder to flag. It did not take long for some of the new gTLDs to acquire a shady reputation.
Although the new gTLDs make up a relatively small share of the total gTLD space, they accounted for almost half of all domains tied to security incidents. That is one of the headline findings of ICANN's June 2019 Domain Abuse Activity Report (DAAR).

An Alarming Trend

In June 2019, of the 967,155 domains identified as security threats, 487,677 (about 50.4%) used older, legacy gTLDs. The remaining 479,478 (about 49.6%) used the newer, less common gTLDs.
In the May 2019 report, of 1,479,535 domains flagged as security threats, 809,354 (about 54.7%) used legacy gTLDs and 670,181 (about 45.3%) used new gTLDs. Between the two reports the legacy share fell by 4.28 percentage points and the new-gTLD share rose by the same amount. Note that the absolute counts fell in both groups; what grew is the proportion of abuse sitting in new gTLDs, which is the indicator that new gTLDs are increasingly favoured for malicious activity.
Those 479,478 new-gTLD domains were spread across 362 different new gTLDs.

Identify Threat Sources with Domain Monitoring Tools

The statistics above should trouble any business, particularly one that handles customer data as well as its own. Identifying malicious domains before they can cause irreparable damage is critical.
Organizations need a comprehensive, accurate source of domain intelligence to stop threats. Enterprise-grade WHOIS data feeds show who registered a domain, when, and through which registrar, and whether the same registrant details appear on other domains; that context is what turns a single suspicious hostname into a picture of the infrastructure behind it.
Phishers and other attackers routinely keep backup infrastructure, with additional domains registered in advance, so that when the primary entry point into a target network is detected and blocked, the campaign simply moves on. Potential victims therefore need to identify the whole set of related threat sources, not just the one domain that triggered an alert.
That requires domain monitoring and search tools that surface the connections between potential attack vectors: a common registrant, company, or email address. Without that pivot, blocking one domain only pushes the attacker to the next one.
As the trends above show, an expansive threat intelligence source helps organizations harden their defences against threats enabled by the availability of new gTLDs.
Blocking every new-gTLD domain outright is a bad idea (you would be penalizing legitimate users as well), but you can still strengthen your company's security posture by improving your ability to monitor new-gTLD domains specifically.
Care should still be taken to verify each domain's intent. Researching a site thoroughly is necessary, but doing it by hand is tedious.
Domain monitoring tools that deliver the right amount of information on a timely basis, without requiring new hardware to run them, are key.
In that regard, integrating readily available enterprise APIs that serve as rich data sources into existing security solutions for verification purposes reduces the time and effort security teams spend on manual comparisons. It also avoids the human errors that come from making hasty assumptions about the nature of a domain.
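The pivoting described above (starting from one known-bad domain and walking its WHOIS fields to find siblings, then sorting the hits by whether they sit in a new or a legacy gTLD) can be automated over a WHOIS feed. The following is an added example and is not code from this article or from WhoisXML API: the WHOIS records are constructed for illustration, LEGACY_GTLDS is an assumed, illustrative subset of the pre-2012 gTLDs, and the hub filter (`max_fanout`) is the check a practitioner adds so that a privacy-proxy address or a big DNS provider's name servers do not link thousands of unrelated domains.

```python
"""Pivot on WHOIS fields to find domains related to a known-bad one, and
separate the new-gTLD hits from the legacy-gTLD ones.

Added example, not code from the article or from WhoisXML API: all records
below are constructed, and LEGACY_GTLDS is an assumed illustrative subset.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: gTLDs delegated before ICANN's 2012 new-gTLD round are "legacy".
# Illustrative subset only; a real deployment would load the full ICANN list.
LEGACY_GTLDS = {"com", "net", "org", "info", "biz", "mobi", "name", "pro",
                "aero", "asia", "cat", "coop", "jobs", "museum", "tel", "travel"}


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    registrant_org: str
    name_servers: tuple


# Constructed sample records (not real domains or contacts). The first three
# share a registrant email; the last one only shares a bulk hoster's
# name server and a privacy-proxy organisation name with them.
SAMPLE_RECORDS = [
    WhoisRecord("login-examplebank.xyz", "ops@mailer-example.test", "Fast Hosting Ltd",
                ("ns1.bulk-dns.test", "ns2.bulk-dns.test")),
    WhoisRecord("examplebank-secure.top", "ops@mailer-example.test", "Fast Hosting Ltd",
                ("ns1.bulk-dns.test", "ns2.bulk-dns.test")),
    WhoisRecord("examplebank-verify.com", "ops@mailer-example.test", "Privacy Shield",
                ("ns1.bulk-dns.test",)),
    WhoisRecord("examplebank.com", "dns-admin@examplebank.test", "Example Bank N.A.",
                ("ns1.examplebank.test",)),
    WhoisRecord("examplebank.app", "dns-admin@examplebank.test", "Example Bank N.A.",
                ("ns1.examplebank.test",)),
    WhoisRecord("unrelated-shop.xyz", "redacted@privacy-proxy.test", "Privacy Shield",
                ("ns1.bulk-dns.test",)),
]


def tld_of(domain):
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def is_new_gtld(domain):
    return tld_of(domain) not in LEGACY_GTLDS


def pivot_keys(record, pivots):
    """The (field, value) pairs a record can be joined on."""
    keys = []
    if "email" in pivots:
        keys.append(("email", record.registrant_email.lower()))
    if "org" in pivots:
        keys.append(("org", record.registrant_org.lower()))
    if "ns" in pivots:
        keys.extend(("ns", ns.lower()) for ns in record.name_servers)
    return keys


def related_domains(seed, records, pivots=("email", "ns"), max_fanout=3):
    """Expand transitively from `seed` along shared WHOIS fields.

    A pivot value shared by more than `max_fanout` domains (a privacy-proxy
    address, a large DNS provider's name servers) is treated as a hub and
    ignored; otherwise one shared value would link thousands of strangers.
    "org" is off by default because proxy/privacy services reuse one name.
    """
    index = defaultdict(set)
    for r in records:
        for k in pivot_keys(r, pivots):
            index[k].add(r.domain)
    by_domain = {r.domain: r for r in records}
    seen, frontier = set(), [seed]
    while frontier:
        d = frontier.pop()
        if d in seen or d not in by_domain:
            continue
        seen.add(d)
        for k in pivot_keys(by_domain[d], pivots):
            linked = index[k]
            if len(linked) <= max_fanout:
                frontier.extend(linked - seen)
    seen.discard(seed)
    return sorted(seen)


def triage(seed, records, **kw):
    """Split related domains into new-gTLD and legacy-gTLD lists for review."""
    rel = related_domains(seed, records, **kw)
    return ([d for d in rel if is_new_gtld(d)],
            [d for d in rel if not is_new_gtld(d)])


if __name__ == "__main__":
    new, legacy = triage("login-examplebank.xyz", SAMPLE_RECORDS)
    print("related new-gTLD domains:", new)
    print("related legacy-gTLD domains:", legacy)
```

With the defaults, the seed links to the two domains sharing its registrant email, while `ns1.bulk-dns.test` (shared by four records) is dropped as a hub and the legitimate examplebank.com / examplebank.app stay untouched. Adding "org" to `pivots` pulls in unrelated-shop.xyz purely through the shared "Privacy Shield" name, which is exactly the kind of hasty conclusion the text warns against; in practice, feed the output to an analyst or a scoring step rather than straight to a block list.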
Safe web navigation does not mean avoiding every domain that uses a new gTLD. It means making sure that the sites and pages employees access are not malicious. Jumping to conclusions has its own cost, such as losing a potential customer who simply happened to register in a new gTLD whose reputation was damaged by attackers.
