Malicious Internet Activity Hot Spots According to DomainTools

Online infrastructure gives us many services that we rely on every day: email providers are among the most used, but we also visit websites hosted under many different domains. That does not mean there are no places on the Internet that are used to harm our computers. Threats such as phishing and spam are often tied to specific domains, and understanding how to detect them strengthens our threat intelligence. In this article we look at the hot spots of malicious activity on the Internet.


2021 Malicious Activity Report

DomainTools, a company specialising in DNS- and domain-name-based predictive threat intelligence, has used its database of more than 380 million currently registered domains to identify and report on which of them may constitute threats. Its first such report dates from 2015, and this year's edition returns to that original approach.

Through its services, DomainTools offers risk assessment, helps profile attackers, guides online fraud investigations, and maps cyber activity to the attacker's infrastructure. Its Iris research platform is the product it positions for deciding how much risk a given threat poses to your organization.

The report identifies malicious sites by checking domain names against several well-known industry block lists, and records a count of malicious domains hosted under each grouping it examines. Alongside that raw count it uses a measure of "signal intensity" based on the population of known malicious domains within each group, so that a large absolute count can be distinguished from a high proportion.

Malicious activity on domains

The report revealed that certain top-level domains (TLDs) have a bad reputation among security teams. The worst-rated are newer generic TLDs such as .live, .top and .xyz.

By contrast, the traditional TLDs .com and .net, together with country-code TLDs such as .es, .fr and .uk, do not appear in the top-10 lists of suspicious domains. The report provides signal-strength tables for each of three threat types (phishing, malware, spam). This is the report's example for the .bar TLD:

In that table the .bar TLD has a malware signal strength of 108.93, which the report found to be the highest malware signal of any TLD on the Internet under the methodology DomainTools used.

Domain geolocations and other findings

Beyond TLDs, the report also looked at IP geolocation. It found that a large number of malicious domains are hosted in Russia and the United States; relative to the total number of domains located in those countries, however, they are not particularly over-represented. By contrast, places such as Hong Kong and the Seychelles host a large number of suspicious domains relative to their total. Certain domain registrars and certificate authorities likewise show higher concentrations of sites engaged in malicious activity.
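To make the distinction between an absolute count and a relative signal concrete, here is an added Python example. It is not DomainTools' code and does not reproduce its methodology (the report does not publish the formula): it checks a constructed population of domains against a constructed block list, as the methodology described above does, then computes per-TLD and per-country counts alongside a hypothetical over-representation ratio, the share of block-listed domains in a group divided by the global share. The helper names (tld_of, is_listed, signal_strength, rank), every domain, country and block-list entry, and the sample sizes are all assumptions; the sample is sized so that the largest groups lead in absolute counts while small groups lead in ratio, mirroring the Russia/US versus Hong Kong/Seychelles finding.

```python
"""
Added illustration of absolute counts versus a relative "signal strength" per
TLD and per hosting country. Not DomainTools' code or published formula: the
ratio is an assumption, and all domains, countries and block-list entries
below are constructed for the example.
"""
import itertools
from collections import Counter

_seq = itertools.count()
BLOCKLIST = set()  # constructed block list, populated by _make below


def _make(n, tld, country, listed):
    """Generate n constructed domains under `tld` hosted in `country`;
    when `listed` is True they are also added to BLOCKLIST."""
    out = []
    for _ in range(n):
        domain = f"site{next(_seq)}.{tld}"
        if listed:
            BLOCKLIST.add(domain)
        out.append((domain, country))
    return out


# Constructed population of 100 domains, 20 of them block-listed. The mix is
# chosen so .com and US lead in absolute listed counts while .top, .bar,
# SC and HK are over-represented relative to their size.
SAMPLE = (
    _make(42, "com", "US", False) + _make(7, "com", "US", True) + _make(1, "top", "US", True)
    + _make(20, "com", "RU", False) + _make(5, "top", "RU", True)
    + _make(6, "xyz", "HK", False) + _make(4, "xyz", "HK", True)
    + _make(2, "bar", "SC", False) + _make(3, "bar", "SC", True)
    + _make(10, "net", "DE", False)
)


def tld_of(domain):
    """Top-level domain: the last DNS label, lowercased, trailing dot ignored."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def is_listed(domain, blocklist):
    """True if the domain or any parent domain is in the block list, so
    'www.evil.example' matches an entry for 'evil.example'."""
    labels = domain.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def signal_strength(records, blocklist, key):
    """Group records by key(domain, country) and return
    {group: (total, listed, ratio)} with
    ratio = (listed / total) / (global_listed / global_total).
    Above 1.0 the group holds more than its share of block-listed domains.
    Computed from integers so equal shares compare exactly."""
    total, listed = Counter(), Counter()
    for domain, country in records:
        group = key(domain, country)
        total[group] += 1
        if is_listed(domain, blocklist):
            listed[group] += 1
    g_total, g_listed = sum(total.values()), sum(listed.values())

    def ratio(t, l):
        return (l * g_total) / (t * g_listed) if g_listed else 0.0

    return {g: (total[g], listed[g], ratio(total[g], listed[g])) for g in total}


def rank(stats, by="ratio", min_total=1):
    """Order groups by absolute listed count (by="listed") or by ratio.
    min_total drops tiny populations whose ratio is statistically noisy."""
    idx = {"listed": 1, "ratio": 2}[by]
    ordered = sorted(stats.items(), key=lambda kv: kv[1][idx], reverse=True)
    return [g for g, v in ordered if v[0] >= min_total]


if __name__ == "__main__":
    by_tld = signal_strength(SAMPLE, BLOCKLIST, lambda d, c: tld_of(d))
    by_country = signal_strength(SAMPLE, BLOCKLIST, lambda d, c: c)
    for name, stats in (("TLD", by_tld), ("country", by_country)):
        print(f"{name}: most listed in absolute terms -> {rank(stats, 'listed')[:2]}")
        print(f"{name}: strongest relative signal     -> {rank(stats, 'ratio')[:2]}")
        for g in rank(stats, "ratio"):
            t, l, r = stats[g]
            print(f"  {g:<4} total={t:<3} listed={l:<2} ratio={r:.2f}")
```

Run stand-alone it prints .com and US at the top of the absolute ranking but .top and SC at the top of the ratio ranking. The min_total argument is the caveat a practitioner should keep in mind when reading any such table: a group with only a handful of domains can post a very high ratio from two or three listings, so small populations deserve a sample-size floor before they are treated as a hot spot.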

A curious fact is that most of the domains newly created each day show no sign of harmful activity, yet the report concludes that most malicious domains are recently registered ones. The two findings are compatible: only a small share of new domains is malicious, but a large share of malicious domains is new. In summary, the DomainTools report shows which TLDs are more likely to carry malicious activity and where such domains are hosted.