Over 22% of dormant domains are suspicious, malicious, or not safe for work, according to a recent Palo Alto Networks study
Hundreds of thousands of new domains are created every day, with companies and individuals doing everything they can to stand out from the crowd. But what about old domains that never get any traffic, tucked away in some corner of the web?
Well, don’t assume they are simply unpopular websites. In fact, they might be quite important, though not in a way most of us would appreciate.
Over 22% of dormant domains are suspicious (19%), malicious (3.8%), or not safe for work (2%), according to recent Palo Alto Networks research conducted by its Unit 42 threat intelligence team.
When investigating the SolarWinds campaign, the Unit 42 team noticed that “the attackers registered the command and control (C2) domain years before they launched intense penetration activities,” behavior typical for APT (Advanced Persistent Threat) actors who keep their trojans dormant in the victim’s system for a while before launching the actual attack.
“Domains registered in advance sometimes take longer to detect when they begin malicious activity because they’ve developed a benign reputation over time,” write the researchers, noting that the threat actors usually register several domains well ahead of time, for fallback purposes.
How are those malicious dormant domains discovered? According to Unit 42, when they are activated they present “abnormally sudden traffic increments”, something that should raise a red flag.
“When a domain starts hosting a legitimate launched service, its traffic usually grows gradually. On the contrary, it's abnormal for a domain to stay in the dormant status for a long time and then suddenly get a large burst of traffic,” say the researchers.
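The heuristic the researchers describe (a long stretch of near-zero traffic followed by a single-day burst is abnormal, while a steady ramp-up is what a genuinely launched service looks like) can be turned into a simple defender-side check over resolver logs. The following is an added example written for this article, not Unit 42's code or tooling; the log format (`<date> <domain> <queries>` per line), the domain names and the thresholds (30 dormant days, at most 5 queries per day while dormant, 500 queries to count as a burst) are constructed assumptions for illustration.

```python
"""Flag domains that sat dormant and then suddenly received a burst of traffic.

Added example, not Unit 42's code. Input is a constructed per-day query log;
thresholds are assumptions chosen for illustration, not values from the study.
"""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log(start=date(2021, 1, 1), days=60):
    """Constructed resolver log, one '<YYYY-MM-DD> <domain> <queries>' line per domain per day."""
    lines = []
    for i in range(days):
        day = start + timedelta(days=i)
        lines.append(f"{day} dormant-c2.test {i % 3}")          # near-idle for the whole period
        lines.append(f"{day} new-service.test {10 * (i + 1)}")  # gradual ramp of a real launch
        lines.append(f"{day} quiet-blog.test {1 + i % 3}")      # permanently low, never bursts
    burst_day = start + timedelta(days=days)
    lines.append(f"{burst_day} dormant-c2.test 800")   # sudden activation after dormancy
    lines.append(f"{burst_day} new-service.test 610")  # just the next step of the ramp
    lines.append(f"{burst_day} quiet-blog.test 2")
    return lines


def parse_daily_counts(lines):
    """Aggregate log lines into {domain: {date: queries}}; blank lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        day_str, domain, n = line.split()
        counts[domain][date.fromisoformat(day_str)] += int(n)
    return counts


def to_series(per_day):
    """Return (first_day, [count_day0, count_day1, ...]) with days absent from the log filled as 0.

    A day with no log entry is zero traffic, which is exactly the dormant signal we care about.
    """
    first, last = min(per_day), max(per_day)
    span = (last - first).days + 1
    return first, [per_day.get(first + timedelta(days=d), 0) for d in range(span)]


def detect_sudden_bursts(counts, dormant_days=30, dormant_max=5, burst_min=500):
    """Return [(domain, day, queries)] for every day where the preceding `dormant_days`
    all stayed at or below `dormant_max` queries and the day itself reached `burst_min`.

    A gradually growing service never satisfies the first condition by the time it
    reaches `burst_min`, so it is not flagged; a long-dormant domain that lights up is.
    """
    alerts = []
    for domain, per_day in counts.items():
        first, series = to_series(per_day)
        for i in range(dormant_days, len(series)):
            window = series[i - dormant_days:i]
            if max(window) <= dormant_max and series[i] >= burst_min:
                alerts.append((domain, first + timedelta(days=i), series[i]))
    return alerts


if __name__ == "__main__":
    for domain, day, n in detect_sudden_bursts(parse_daily_counts(build_sample_log())):
        print(f"ALERT {domain}: dormant for weeks, then {n} queries on {day}")
```

On the constructed data only `dormant-c2.test` is flagged: `new-service.test` reaches the same volume but its prior 30 days are nowhere near idle, and `quiet-blog.test` never bursts. In practice the window length and thresholds should be tuned to the organisation's own baseline, and an alert is a prompt to check the domain's registration age and reputation history rather than a verdict on its own.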